Abstract
The recently adopted Sanctions Directive harmonises definitions and penalties for violations of restrictive measures with the aim of ensuring that criminal law can be used to enforce international sanctions in the European Union. It has also made violations of restrictive measures a predicate offence of money laundering. In parallel, the anti-money laundering (AML) framework is undergoing a significant reform, which includes the adoption of the first AML Regulation (previous legal acts being directives) containing AML duties of obliged entities as well as the establishment of an EU AML Authority. Also, for the first time, due diligence obligations as regards international sanctions will be included among these duties. The combined reading of the Sanctions Directive and the AML Regulation indicates that those duties will be even greater, which will have an outstanding impact on obliged entities, in particular of the financial sector. In fact, the extent of those obligations would justify calling enforcement of sanctions the third pillar of the AML framework. Yet, this aspect – and its consequences – remained fully under the radar of the legislative process. The objective of this article is, first, to examine the role of the AML framework in the enforcement of international sanctions, especially after the Sanctions Directive and the AML Regulation start to be applied and, second, to analyse the impact of including enforcement of international sanctions in the AML framework, on the entities subject to its duties and other actors affected by this framework.
Keywords
Introduction
Two significant pieces of legislation were adopted in late Spring of 2024, towards the end of the mandate of the current European Parliament. 1 The aim of one of them – the Sanctions Directive 2 – was to ensure harmonised criminalisation of violations of international sanctions, or, as referred to in the Directive, of restrictive measures throughout the EU. The other one – the first anti-money laundering (AML) Regulation, 3 after a long succession of directives and part of the larger package of legislation reforming this area – directly regulates the duties of obliged entities, in particular of the financial sector, as to prevention of money laundering and financing of terrorism.
These two instruments were developed seemingly (as will be demonstrated below) in disconnect and resulted from different considerations, even if the finalisation of their adoption process coincided. Yet, both instruments do have a very significant connection, which, as it appears, remained under the radar in the course of the legislative process, despite having significant consequences.
Firstly, the new anti-money laundering (AML) Regulation imposes on obliged entities significant due diligence duties as to compliance with international sanctions. Secondly, and maybe even more importantly, the Sanctions Directive contains a small amendment to another instrument, which is part of the AML framework, 4 namely the Directive on combating money laundering by criminal law (Criminal Law AML Directive), adding violations of restrictive measures to the list of predicate offences of money laundering. While the lists of predicate offences of money laundering as a criminal offence and for the purposes of the preventive framework respectively have remained distinct so far, 5 the above-mentioned AML reform removes this differentiation, and the new Regulation will henceforth use the definition of money laundering contained in the Criminal Law AML Directive. The combination of these changes results in all violations of restrictive measures becoming predicate offences of money laundering for the purposes of criminal repression as well as for the purposes of the preventive framework.
The impact of these changes is very significant as the due diligence duties of obliged entities will increase exponentially, which will also affect – in particular because of the risk-oriented approach of the AML framework – their customers, not necessarily operating with assets subject to sanctions. Such an increase of duties for the financial industry 6 can be interpreted as being part of a larger trend of transferring difficult enforcement tasks to the private sector (which includes, but is not limited to the expansion of the AML legislation). 7 However, this change is taking place with surprisingly little debate on the matter. It will be demonstrated below that the involvement of the AML framework in enforcement of international sanctions after this reform will reach such a degree that it merits being recognised as the third pillar of the AML framework next to the money laundering and the countering of terrorism financing, while it is not even mentioned as one of the objectives of the AML Regulation in Article 1 defining the subject matter.
The objective of this article is in the first place to examine these new instruments, in particular the Sanctions Directive and the AML Regulation as well as their connection, and to analyse the extent to which the AML framework will be used in enforcement of economic sanctions. By achieving this objective, the article will demonstrate how the enforcement of economic sanctions has become the third pillar of the AML framework, even if the legislation does not highlight this change, nor was it subject to scrutiny in the legislative process. The second objective of this article is to demonstrate the substantial impact those changes will have on the entities subject to its duties, on individuals and businesses concerned by AML measures and on the realisation of policy goals of economic sanctions. The article will also show how from these changes a paradigm shift results as AML framework will be now used for enforcement of goals that go beyond preventing ‘dirty money’ 8 from entering licit economy, which so far was the aim of the AML regime. 9
The article will start by examining the new design of the enforcement of international sanctions through criminal law after the adoption of the Sanctions Directive and its impact on the definition of money laundering (Section II). It will then analyse the reform of the AML framework and the extent of the preventive duties that will be applicable to laundering proceeds of violations of restrictive measures (Section III) and also explore the due diligence provisions regarding the enforcement of sanctions in the AML Regulation (Section IV). Finally, the article will examine the consequences of obliging relevant entities to investigate potential laundering of assets deriving from the violations of international sanctions and it will provide critical reflection on the lack of proper highlighting of this aspect of the new AML framework as well as the lack of proper debate about its consequences in the legislative process (Section V).
Towards criminal law enforcement of restrictive measures in the EU
While the sanctions (aka restrictive measures) 10 against Russia imposed after its invasion of Crimea in 2014 were relatively limited, the level of economic consequences inflicted on the Russian Federation and selected citizens in the aftermath of its aggression against Ukraine in 2022 and the illegal annexation of some of its regions is fundamentally different. The scope of these measures has greatly increased and they now form part of a comprehensive EU economic response to Russia’s war on Ukraine. The sanctions imposed as a response to Russia’s annexation of Crimea could be qualified as ‘smart sanctions’, i.e. sanctions that target particular individuals, companies, sectors or goods, in order to avoid unnecessarily affecting the population. However, as it has been argued, more recently, sanctions have evolved to become much broader measures. 11 In the words of the President of the EU Commission, Ursula von der Leyen: ‘Our sanctions are eroding sharply Russia’s economic base, slashing any prospect to modernise it’. 12 These sanctions’ aims are to: ‘reduce the Kremlin’s ability to finance the war; impose clear economic and political costs on Russia’s political elite; diminish Russia’s economic base’. 13 Sanctions have been regularly added and the most recent package at the moment of writing is number 14. 14
Currently, EU sanctions imposed on Russia comprise measures targeting particular individuals, 15 certain industries, 16 or include measures affecting selected territories (i.e., Crimea and the annexed Russian controlled territories). 17 Arguably the broadest impact, in terms of numbers of affected population, is caused by the financial sanctions that exclude Russia from the classic capital markets and means of inter-banking transfers (SWIFT). 18 So far, sanctions against Russia can be considered as the ‘most comprehensive ones the EU has ever adopted autonomously’. 19
Despite the intensity of those sanctions, it remains questionable as to whether the goal of eroding Russia’s economic base is being achieved, as numerous sources point out that Russia adapted to sanctions and redirected its economy so that it can avoid their consequences. 20 Furthermore, instances of circumventing those sanctions have been discovered, particularly through third countries. For instance, that is the case of the Indian ever-growing export of refined products derived from Russian oil, such as diesel, which, once refined, are no longer considered to be Russian, and can therefore be sold to EU operators. 21 A sharp increase can also be observed in the EU exports of ‘high priority items’ to West and Central Asian countries, such as the United Arab Emirates, Kazakhstan and Kyrgyzstan, which are linked with the dual-use advanced technologies, and are suspected to be thereafter re-exported to Russia. 22 As a result, in a recent sanction package, the EU has increasingly focused on export restrictions towards third countries’ companies that have been found to help Russia to circumvent such restrictions. 23
The Russian aggression against Ukraine gave a new momentum to the issue of sanctions, but the EU has obviously been applying them before that conflict. 24 There are many different types of sanctions and sanctions’ regimes, which can be categorised according to the perspective of their objectives (counter-terrorism, counter-proliferation, and conflict-resolution sanctions), according to their source (e.g., imposed by states or by international organisations), or types of applied measures (embargos, import/export restrictions, targeted sanctions such as travel bans). 25 Moreover, sanctions can be imposed against state actors – that is so in the case of Iran and of North Korea 26 – as well as non-state actors, such as against ISIL/Da’esh and Al-Qaeda. 27 Also, sanctions can include other economic measures, like freezing of funds and prohibiting EU citizens and entities from making resources available to those listed under the sanctions regime.
The impact of international economic sanctions largely depends on their effective enforcement. Already, previous sets of sanctions, e.g. against Cuba, Sudan or North Korea, faced difficulties and, in particular, banks were penalised for helping to circumvent them. 28 As pointed out by the EU Commission, inconsistent enforcement of EU restrictive measures undermines their efficacy and ultimately the objectives of the EU’s external action. 29 Yet, restrictive measures have to rely on a decentralised implementation and enforcement system, with Member States primarily responsible for ensuring their effectiveness and for punishing their violations. 30
Penalties for breaches of restrictive measures may not only affect persons or entities subject to those measures. In the past, large banks were subject to high financial penalties for such breaches. For instance, in 2015 Deutsche Bank was fined US$258 million by the US regulators for breaching sanctions against Syria and Iran. 31 In the same year, BNP Paribas was fined US$140 million for transactions through the US financial system on behalf of Sudanese, Iranian and Cuban entities in breach of sanctions against these countries. 32 It is worth noting that these cases took place in the United States, 33 but in view of the reaction of the EU Member States to the Russian aggression in Ukraine, the interest of EU Member States in efficient enforcement of those sanctions has only been growing.
A closer examination of some of the national laws reveals that breaches of international economic sanctions are not always considered to be criminal offences, and in some Member States the violation of EU restrictive measures can only lead to administrative penalties. 34 Often, when criminalised, offences are covered by different special laws: for example, in Germany (§ 18 and § 19 Foreign Trade and Payments Act, AWG), Luxembourg (Articles 58-61 Law of 27 June 2018 on exportation control in Luxembourg), or Poland (Arts 100, 101, 103 of Fiscal Penal Code). Furthermore, French law does not have such a direct provision within its Criminal Code, 35 and the Bill aimed at introducing it has been in the legislative process for many years with no result. 36 It is clear that the lack of such a uniform criminalisation results in the possibility of unequal enforcement and diminishes the efficiency of sanctions across the EU, which undermines the credibility of the EU’s action. In order to respond to this deficiency, in December 2022 the EU Commission presented a proposal for a directive aiming to approximate the definition of criminal offences and penalties for the violation of EU restrictive measures. 37
The proposal was followed by the unanimous adoption by the EU Council of a decision adding violation of restrictive measures to the list of areas of particularly serious crime, also known as ‘EU crimes’, laid down in Article 83(1) of the Treaty on the Functioning of the EU (TFEU), which the EU has the competence to harmonise. 38 This provision enables the EU legislature to establish minimum rules concerning the definition of criminal offences and sanctions within the listed areas of crime. By amending it in that way the EU acquired the competence to legislate in the matter.
The legislative process, urged on by the international political context, went relatively quickly, the Council adopted its general approach on 9 June 2023 and the adoption of the EU Parliament’s position in the following July marked the beginning of interinstitutional negotiations, which were finalised with a political agreement in December 2023. The Directive was adopted on 24 April 2024 and entered into force twenty days after its publication in the Official Journal of the EU. 39 Member States are now required to transpose it into their national legislation by 20 May 2025. 40
The Directive includes in Article 3 (1) an exhaustive list of criminal offences related to violation of EU restrictive measures that must be criminalised. 41 In addition, inciting, aiding and abetting the commission of the criminal offences referred to in the Directive, as well as the attempt to commit such offences, should also be criminalised. As regards mens rea, Member States should ensure that this conduct constitutes a criminal offence when committed with intent, while for one offence, namely trading in goods or services whose import, export, sale, purchase, transfer, transit or transport is prohibited or restricted, liability for commission with serious negligence should also be provided. The EU Commission had originally proposed to include, more generally, the liability for serious negligence, which would have resulted in creating an overall duty of vigilance against circumvention of sanctions and would have created a significant risk to the EU citizens. The Council, however, preferred to exclude such an option, while the Parliament – on the contrary – favoured an even broader criminalisation than the Commission opting for criminalisation that extended to simple negligence. 42 As a result, the final compromise limits the liability almost exclusively to intentional violations. The final text offers also a possibility to the Member States to exclude criminal liability where the subject of the underlying offence has a value of less than EUR 10,000. 43
As for other instruments harmonising certain types of crimes, it is the task of the Member States to provide criminal penalties, which must be effective, proportionate and dissuasive. 44 The Directive, like other instruments of this kind, limits the Member States’ discretion by providing minimum maximum penalties. Article 5 of the Directive requires that violations of restrictive measures, which are to be considered criminal offences listed in Article 3, be punished at least with imprisonment. 45 More importantly – and this will be of great importance for potential liability for money laundering of assets deriving from violations of restrictive measures – Member States must take the necessary measures to ensure that violations of most of the offences listed in Article 3(1) are punishable by a maximum prison sentence of at least 5 years, if they involve funds or economic resources of a value of at least EUR 100,000. 46 Also, according to the Directive, circumvention of restrictive measures by failing to comply with certain reporting obligations should be punishable by a maximum prison sentence of at least 1 year. 47
The fact that the Directive defines those offences and harmonises the level of penalties matters to the anti-money laundering framework already now, and will have even more significant impact once the AML Regulation starts applying.
Already now on the repressive side, the Criminal Law AML Directive of 2018 requires Member States to consider as criminal offences different courses of conduct concerning property derived from ‘criminal activity’. The term ‘criminal activity’ is defined with reference to a list of offences, which, before the adoption of the Sanctions Directive, did not contain an offence of circumvention of sanctions (Article 2 (1)). However, the same definition also contains a general clause that includes any other offence not listed in that Article if it is ‘punishable, in accordance with national law, by deprivation of liberty or a detention order for a maximum of more than one year or, as regards Member States that have a minimum threshold for offences in their legal systems, any offence punishable by deprivation of liberty or a detention order for a minimum of more than six months’. 48 This rule means that any national provisions aimed at punishing violations of sanctions that fulfil this penalty threshold constitute predicate offences of AML and thus money laundering related to the property derived from such violations would constitute a criminal offence.
Once it enters into force, the Sanctions Directive will have a significant impact on these rules as it provides an amendment to the Criminal Law AML Directive adding to the list of predicate offences ‘violation of Union restrictive measures’ (Article 18). It means that all the offences that are described by the Sanctions Directive in its Article 3 – upon their implementation into national law – will be included as predicate offences in the repressive framework that combats money laundering by criminal law means. As the Member States will have 12 months to implement the Sanctions Directive, at the latest by May 2025 laundering funds proceeding from the violation of sanctions as described by the Sanctions Directive should constitute the offence of money laundering.
The harmonising effect of Articles 3 and 5 of the Sanctions Directive and of the inclusion of violations of sanctions as predicate offences by Article 18 will have even more important consequences for the preventive side of AML. In order to demonstrate those consequences, it is necessary to examine the AML framework and its reform more closely, which will be done in the next section.
The preventive AML framework and enforcement of international sanctions
The current preventive AML framework, composed of two main Directives: 2015/849 and 2018/843 49 known also as 4th and 5th money laundering Directives respectively, has already had its expiry date set in three years from now (i.e. July 2024) due to the just-adopted reform. While the previously mentioned Criminal Law AML Directive will remain in place, the 4th Directive (as amended by the 5th) will be replaced by a new set of Acts. The two aspects that the 4th Directive regulates – the preventive duties of obliged entities and the supervision setting – will be separated, with the AML Regulation (AMLR) regulating the former and the AML Directive (AMLD) 50 providing for the latter. Adopted on the same day of 31 May 2024, the AMLR will start to apply on 10 July 2027 and the Member States will have three years for the implementation of the AMLD. 51 The framework will also be enhanced institutionally with the establishment of the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA), 52 with its seat in Frankfurt. 53 The AMLA should assume most of its tasks and powers in accordance with the AMLA Regulation by mid-2025 and direct supervision of selected obliged entities should commence in 2028. 54
The impact of all changes described above will be gradual and it will take place in three periods. First, financial institutions are now already obliged to fulfil preventive obligations in the Member States where offences that penalise violations of restrictive measures fulfil the punishment criteria (i.e., maximum of more than one year imprisonment threshold). This results from the current definition of money laundering for the purposes of the preventive framework. Although it includes a much shorter list of predicate offences than the definition for the purposes of the criminal AML framework (only 5 types of offences as compared with 22 types in the Criminal Law AML Directive), it contain virtually the same general clause, which includes all offences that national law punishes with a maximum of more than one year of imprisonment. 55
Second, from the moment the Sanctions Directive is implemented, it will to some extent harmonise the penalties, which means that certain courses of conduct will be subject to penalties that fulfil the just-mentioned general clause’s criteria of predicate offence and hence trigger the preventive duties of financial institutions. In both periods these duties will have to be executed according to the preventive framework in place, namely defined by the 4th and 5th AML Directive.
Third, a more fundamental change will take place when the AMLR starts to apply (10 July 2027). As of that date, not only will the preventive duties of financial institutions have to be executed according to the new AMLR, but also all violations of restrictive measures as described in the Sanctions Directive will become predicate offences regardless of the level of penalties foreseen by that Directive or provided for in national law, due to the above-explained incorporation of the criminal law definition of money-laundering into the preventive framework. 56
What is really striking is how these significant changes occur not only without much fanfare – neither in the acts themselves nor in the related policy documents – but also with virtually no debate on the extent of their impact. The new Sanctions Directive, which in fact triggers the main change through its Article 18 introducing ‘violation of Union restrictive measures’ as a predicate offence of money laundering, does not mention at any point that its objective is to put the whole AML preventive apparatus to the task of enforcing restrictive measures. Recital 37 – the only one related to this issue – solely states, in essence, what Article 18 says anyway. The Explanatory Memorandum does not provide much more explanation beyond stating the fact that the consequence of Article 18 is that ‘money laundering as described in Article 3 of Directive (EU) 2018/1673 involving property derived from the criminal offences covered by this Directive constitutes a criminal offence’. 57
The AMLR is also silent as to the implications of including preventive duties as regards violation of restrictive measures aka financial sanctions. In fact, enforcement of financial sanctions will enter into the scope of AML preventive duties in two ways: (1) through the prevention of money-laundering of proceeds of violations of sanctions, and (2) through a number of provisions that were included in the AMLR and which create direct duties regarding the enforcement of sanctions as such (as opposed to money-laundering of their proceeds). These two aspects will be analysed in turn.
AML compliance duties applicable to violations of international sanctions
The preventive framework in its current setting consists of a number of due diligence duties aimed at verification of the person that is undertaking a business relationship with concerned entities and the nature of concerned entities as well as of reporting duties. The entities bound by these duties are credit and financial institutions, as well as natural or legal persons in the exercise of their professional activities, such as auditors, external accountants and tax advisors, notaries (in the context of financial or real estate transactions), estate agents, providers of gambling services as well as other persons trading in goods when the sums of cash involved are EUR 10,000 or more. 58
Including violations of restrictive measures as a predicate offence implies that a suspicion that the assets are somehow linked to assets subject to sanctions will trigger those duties. Breaches of those duties result in sanctions, which are provided for in national law. The Directive requires that at least certain violations – such as breaches of the customer due diligence and suspicious transaction reporting duties – be punishable if they are serious, repeated, or systematic. 59
To understand the extent of these obligations for financial institutions – and their impact on the compliance duties – the compliance model adopted by the AML preventive framework is highly relevant. The initial approach introduced in the 1990s with the first AML Directive was a rule-based assessment. Since the 3rd AML Directive a new risk-based approach is applicable, which was kept by the 4th and 5th Directives. According to this approach, the risk assessment is conducted in concreto (although according to a list of criteria defined by the supervisory authorities). The obliged entities must design an AML model which prevents the use of financial structures for money laundering and adopt a risk management process to identify and manage money laundering risks in a flexible and less predictable (for the offenders) way. From 2027 at the latest, prevention of laundering of proceeds of violations of restrictive measures will also have to be included in those models.
The AML framework is subject to significant criticism about its inefficiency notwithstanding the high-level and cost-generating duties and its institutional setting. 60 The extension of that system fostered also professionals who engage in ‘regulatory creep’ and are agile in fulfilling AML duties, while assuring the interests of their entities and not necessarily the fulfilment of the AML policy objectives. 61 The risk of disproportionately affecting legitimate clients has been pointed out, while dexterous money-launderers can elude the framework’s constraints. 62 Furthermore, proliferation of crypto-assets proved to be a challenge for this framework. Despite amendments made by the 5th AML Directive, not all possible scenarios of involvement of such assets were covered. 63 This issue is of considerable importance in the context of sanctions, as the use of crypto-assets has been highlighted as one of the methods of circumventing restrictive measures. 64
Criticism of the framework, mainly the ineffectiveness of cooperation and coordination between national supervisors and financial intelligence units (FIUs) in tackling cross-border financial crime, 65 as well as lacunae regarding the crypto-assets, led the EU Commission to propose, in 2021, the above-mentioned just adopted package of new legal instruments. 66
The main modification introduced in the new framework is the change of the legal instrument to a Regulation, which comes after a succession of five directives. The Commission explains this choice by the lack of directly applicable rules and due to the differing interpretations of the directives, which resulted in a fragmented approach to regulation and supervision along national lines, contrary to the requirements of an integrated internal market. 67 A directly applicable set of rules at EU level is also needed in order to allow and facilitate direct EU-level supervision by the AMLA. 68 Otherwise, direct supervision would be hampered by the need for the AMLA to apply 27 differing national legislations, comparable to the situation of the ECB within the Single Supervisory Mechanism (SSM), which is prone to complexity and inconsistency. 69 The adoption of a regulation means that the rules will be directly applicable and Member States will not have (even limited) discretion while implementing them.
As to the content of the AMLR and its philosophy, the difference is not revolutionary in comparison with the 4th and 5th AML Directives. The rules on due diligence, reporting duties and penalties for non-compliance stay in place. Some rules become more detailed, such as the scope of identity details that must be collected for customer identification purposes, 70 the information that must be obtained to verify the purpose of business relationships, 71 the definition of beneficial ownership, 72 and the reporting arrangements for discrepancies in beneficial ownership information, including exemptions thereto. 73 These may limit, to some extent, the risk-based approach with the financial institutions getting instructions that are more precise. For instance, the list of information details that must be collected for the identification of natural and legal persons will be a mandatory minimum list. 74
The AMLR will still be accompanied by a directive (AMLD), mainly governing the organisation of the institutional AML system at national level, taking into account the need for flexibility for Member States in this area. 75 The AMLD strengthens supervision by clarifying the tasks and powers of supervisors to ensure that they all have the instruments to take adequate remedial actions, and by establishing colleges of supervisors and mechanisms to improve supervisory cooperation in relation to institutions operating across borders. 76 It also enhances the cooperation between FIUs by clarifying their tasks and powers and laying down a framework for joint analyses of suspicious transactions or activities linked to different jurisdictions. 77 On top of this framework, the AMLA will be responsible for overseeing and coordinating the work of national supervisors and FIUs, and it will assume direct supervisory competence over a limited number of credit and financial institutions with high cross-border activities and a high money laundering/terrorism financing risk profile. 78
Overall, what will result from the reform is a complex system of compliance, with significant duties imposed on obliged entities, which become more detailed and with a strengthened supervision framework. The whole system will now have to be applied to also detect potential attempts at laundering – a concept that is already broadly construed 79 – assets that seem to derive from violations of restrictive measures (which are themselves quite numerous as provided by Article 3 of the Sanctions Directive).
Enforcement of international sanctions in the AMLR
Besides the above examined duties concerning combating money laundering, the AMLR provides obligations which directly concern enforcement of – as the AMLR refers to them – targeted financial sanctions, a term different than “restrictive measures”, but significantly overlapping. Yet, a careful analysis demonstrates that their inclusion did not take place according to a well-thought out policy plan, as it lacks coherence and seems to be oblivious to the consequences for the affected actors. One may notice, however, that this inclusion may be a result of recognising an already existing compliance reality: obliged entities do include sanctions compliance in their due diligence processes due to incumbent obligations. However, its addition into the AMLR will have a significant impact on the duties of obliged entities and will bring about the risks of sanctions in the case of failure to fulfil them, which, in consequence, will also affect business and individual customers of obliged entities.
First of all, it appears as though the legislative processes concerning both instruments – the Sanctions Directive and the AMLR – were disconnected, despite the obvious influence of one over the other. This is visible in particular in the terms used. While the Sanctions Directive concerns ‘Union restrictive measures’, which are understood to be ‘restrictive measures adopted by the Union on the basis of Article 29 TEU or Article 215 TFEU’ 80 , the AMLR speaks of ‘targeted financial sanctions’, which means ‘both asset freezing and prohibitions to make funds or other assets available, directly or indirectly, for the benefit of designated persons and entities pursuant to Council Decisions adopted on the basis of Article 29 of the Treaty on European Union and Council Regulations adopted on the basis of Article 215 of the Treaty on the Functioning of the European Union’. 81 While one can clearly see that the second definition is narrower, it does not attempt to make a link with the Sanctions Directive. What is more, at no point does the AMLR even acknowledge the existence of the Sanctions Directive. Only Recital 37 uses the term ‘restrictive measures’, but even there without any reference to the Sanctions Directive.
The AMLR contains provisions concerning targeted financial sanctions, providing for different duties of the obliged entities in that respect, but they seem to be included in the Regulation with a striking lack of consistency. Article 9 (1) AMLR states that the main duty of obliged entities is to have in place policies, procedures and controls in order to ensure compliance with the AMLR and with the other relevant AML provisions. The Article states two particular objectives of these policies, procedures and controls, of which one reads as follows: ‘in addition to the obligation to apply targeted financial sanctions, mitigate and manage the risks of non-implementation and evasion of targeted financial sanctions’. Article 10 (1) AMLR adds that ‘[o]bliged entities shall take appropriate measures, proportionate to the nature of their business, including its risk and complexity, and size, to identify and assess the risks of money laundering and terrorist financing to which they are exposed, as well as the risks of non-implementation and evasion of targeted financial sanctions’.
These two provisions could suggest that ensuring enforcement of targeted financial sanctions is one of the key objectives of the AMLR. However, the title of the AMLR – Regulation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing – does not mention this objective. Nor is it mentioned in Article 1 stating the subject matter of this new piece of legislation. 82
These objectives are clearly not coordinated with the rules spelled out in Articles 9 and 10 AMLR. The combined reading of these provisions gives the impression that the legislators of the AMLR could not decide whether it should only regulate the AML preventive duties, or whether it should concern the broader compliance function (even if it would be contrary to the purpose of this legislation). It seems as though there was recognition of the fact that there is a problem with enforcement of sanctions, in particular with the fact that it is left to the Member States to take care of, and the EU legislature tried to regulate it through the back door. The fact that the legislation was negotiated during the Russian aggression of Ukraine was certainly not without influence. The formal explanation for including enforcement of sanctions is given in Recital 33 of the Regulation and refers in particular to FATF (Financial Action Task Force) recommendations (without citing them precisely). FATF did indeed issue such recommendations in 2021, but they were linked to proliferation financing, which constitutes only a part of the spectrum of sanctions currently in application. 83
A closer examination of the three versions of the AMLR, prepared as an initial position before the beginning of the trialogue, reveals the discrepancies between the institutions, which may – to some extent – explain why the final text contains some provisions on the enforcement of sanctions. The original proposal of the EU Commission did include the above-described duties of Articles 9 and 10 (in Articles 7 and 8 of that version), but limited itself to that and the Council’s General Approach changed little in that respect. On the contrary, the EU Parliament opted for a much stronger presence of the enforcement of sanctions, including suggesting the addition to Article 1 on the subject matter of the Regulation of point (aa) ‘the measures to be applied by obliged entities to mitigate and manage the risks of non-implementation and evasion of targeted financial sanctions’. Furthermore, the EU Parliament proposed numerous amendments, which would have led to a much stronger presence of the enforcement of sanctions in the Regulation, for instance: Recitals 23, 23a, 24a, and articles 16 (1) (ca) and (2a), 21a, 37a, which demonstrate that the EU Parliament considered that aspect a more essential element of AMLR. 84 A good example of that approach is Recital 6b on the opportunities for money laundering offered by virtual worlds. That Recital clearly indicates the three-pronged thinking about the duties prescribed by this Regulation: AML, combating financing terrorism and enforcement of sanctions. 85
The final text omits most of the EU Parliament’s amendments as regards targeted financial sanctions (including the one on virtual worlds), but it does include – besides the duties of Articles 9 and 10 stemming already from the original proposal 86 – several more provisions concerning the enforcement of sanctions. An important change in comparison with the original proposal is that while the original proposal’s provisions on sanctions focused on those sanctions which were meant to counter proliferation financing, the final text does not contain that limitation. 87 The impact of this change on the industry is more than significant as proliferation sanctions form only a relatively limited part of the whole scope of sanctions, which are now all included in the duties of obliged entities.
The provisions added to the final text concern in particular the compliance function stating that ‘implementation of targeted financial sanctions’ must also be part of the obligations of a compliance officer (Article 11 AMLR). They are included in the customer due diligence measures, 88 comprising the exclusion from the use of simplified due diligence in the case of suspicion of attempting to circumvent or evade targeted financial sanctions, 89 as well as in the duties concerning ongoing monitoring. 90 The AMLR also provides a provision on temporary measures towards customers subject to United Nations’ financial sanctions (e.g., particular duties on keeping records of transactions). 91 Finally, an interesting provision – which looks as if the three-pronged approach was applied – concerns identification by the EU Commission of third countries with ‘compliance weaknesses in their national AML/CFT regimes’, where assessments take into account: ‘compliance weaknesses in the effectiveness of the third country’s AML/CFT system in addressing money laundering or terrorist financing risks or in its system to assess and mitigate risks of non-implementation or evasion of United Nations’ financial sanctions relating to proliferation financing’. 92 All these provisions were added into the final text in the trialogue process.
Enforcement of international sanctions as the third pillar of the AML enforcement framework
In sum, the combination of the new Sanctions Directive and the new AML legislation will result in a significant amount of complex compliance duties linked to combating numerous types of violations of EU restrictive measures, which are already ample and diverse. This merits the recognition of enforcement of international sanctions as the third pillar of the AML framework (together with combating money laundering and financing of terrorism as its first and second pillars respectively).
These changes will bring about significant consequences for the obliged entities, in particular for the financial sector as well as for the clients – individual and businesses – which are subject to AML measures. The impact of the changes examined above on obliged entities will manifest itself in two ways: not only will those changes substantially increase their compliance duties, but they will also significantly increase potential liability, including for criminal offences.
Regarding the increase in potential liability, as already mentioned above, financial institutions may become liable for violations of restrictive measures. It is also possible that financial institutions may become liable for the offence of money laundering as provided for in Article 3 (1) of the Criminal Law AML Directive. 93 Penalties in both scenarios may be of a criminal or administrative nature (most EU Member States provide for criminal liability, although the German legal system in particular will only consider administrative liability for legal persons) and must also apply where the lack of supervision or control by the entities’ authorities allowed an employee to commit intentional violations for the benefit of the entity. 94 Such liability may also extend to aiding and abetting. 95
As to the preventive duties, the financial sector was already obliged to comply with the restrictive measures aka targeted financial sanctions. However, compliance with those duties was – relatively – straightforward. It came down to verifying whether the identity of the person in question matched the sanctions list, and if so, informing the competent authority (e.g., the ministry of finance and potentially the financial supervisory authority) while freezing the assets. 96 However, the AML compliance duties are much more complex requiring verification of a customer’s identity and, in some circumstances, verification of the origin of funds, as well as the origin of wealth (know-your-customer). 97 These obligations require complex verifications aimed at determining the risk of money laundering or terrorism financing associated with the customer and business relationship, with a view to implementing the customer acceptance policy as well as the suitable standard of ongoing due diligence, in particular transaction monitoring. 98 The addition of money laundering of assets deriving from violations of restrictive measures to the list will require additional investigations, while it may be very difficult for the financial institutions to acquire sufficient certainty in order for the risks to be eliminated.
For instance, when a business customer of a financial institution receives incoming payments from other businesses, the financial institution may verify the reason for those payments based on invoices issued by its customer. However, if those invoices relate to services of which the real substance is hard to verify (such as consulting or advisory services, as opposed to a delivery of goods that can be substantiated on the basis of more concrete documentation such as shipping documents or customs declarations), it may be difficult to verify whether the services are legitimate, or whether they are invoiced to a middleman company that is part of a larger chain of actors in different jurisdictions, set up to move the proceeds from sales by a company in a jurisdiction that does not enforce financial sanctions (e.g., countries that do not impose sanctions on Russia or so-called ‘laundromat countries’ for Russian crude oil). 99 Financial institutions may also face difficulties with regard to businesses involved in the production, sale, brokerage or export of dual-use items, consisting of items, including software and technology, which can be used for both civil and military purposes. 100 To ascertain that the funds and transactions are not related to breaches of financial sanctions, financial institutions would need to investigate whether the persons concerned have obtained the necessary authorisations and whether required export formalities have been complied with.
Suspicions of money laundering of such assets will trigger the mandatory reference to the competent FIU. 101 Furthermore, breaches of the compliance duties are also punished with penalties that can be criminal or administrative in nature. The 4th AML Directive, currently in force, provides for such penalties, 102 and after the reform they can be found in Section 4 of Chapter IV of the new AML Directive. 103
This panorama of potential liability demonstrates how broad the liability risks are for the obliged entities and these risks will require a reaction from the obliged entities, in particular from the financial sector, in order to limit those risks. This will certainly generate additional costs, which are already significant.
Not only will obliged entities have to increase their compliance efforts by strengthening due diligence analysis, but the above-mentioned difficulties in ensuring that the assets are not linked to violations of sanctions, may result in de-risking strategies, which are detrimental not only to the financial institutions, as they may cause them to lose potentially viable clients, but also to the persons concerned. Such strategies will necessarily imply that, among those that are going to be excluded from the financial institutions’ services, there will be individuals or entities which are not in violation of restrictive measures or do not engage in laundering proceedings of such violations, but where the bank cannot get sufficient assurance that this is not the case.
As a result, European financial institutions will have to forgo potentially viable business opportunities, while those measures might disproportionally affect innocent clients affecting their different rights, in particular the freedom to conduct a business. Being unnecessarily flagged as an individual or entity constituting a money-laundering risk might end up in insolvency if the company is unable to get new loans on time.
The above analysis begs the question whether the objective of crippling the Russian economy is effectively achieved through those measures, or whether they are rather jeopardising the EU economy instead, which is already affected by the war on its doorstep. One may consider, however, that such measures are necessary for achieving broader political objectives, such as the assurance that the restrictive measures are strictly enforced. It is certainly not the intention of this article to question those objectives. What is striking, however, is that neither during the legislative process of adopting the Sanctions Directive, nor in the course of the AML reform, was there any debate on the implications that the combination of those instruments would bring, their results for the European economy and the potential balancing of various interests involved.
What can be observed instead is a result which will create significant compliance costs and create liability risks for EU obliged entities, in particular financial institutions. It is also likely to affect innocent EU companies, and – in consequence – deprive those institutions of viable business opportunities.
It could be said that there is maybe nothing new in the expansion of the AML framework, it has been expanding ever since its creation. Such expansion has been marked by a continuous widening of the circle of obliged entities to encompass a growing variety of business types, such as providers of gambling services, 104 as well as auction houses, art dealers, digital wallet providers and virtual currency exchange services. 105 Likewise, the notion of money laundering itself has been progressively widened, by expanding the list of criminal activities which qualify as a predicate offence. Moreover, despite initially originating from efforts against drug trafficking, 106 the rise of political concern about terrorism and related financial flows, following the attacks of 11 September 2001 in the US and more recent terrorist attacks in Europe, brought an alignment of AML and countering financing of terrorism (CFT) frameworks, blurring the lines between the two. 107
Consequently, some scholars started to point out the gradual expansion and intensification of AML regulations in recent years. In particular, since its first appearance, AML has witnessed an extraordinary growth in legislative and institutional efforts, 108 expanding from a preventive AML regulatory regime to a criminal law approach, 109 leading to a continuous enlargement of compliance obligations imposed on financial institutions and other obliged entities. 110
There is, however, a significant difference between the previous extensions and this one, which allows to treat the above examined change as a paradigm shift. The AML framework was designed to eliminate from the market the proceeds of crime, the so called ‘dirty money’. 111 The inclusion of countering terrorism financing remained in that logic as terrorist acts as such will constitute crime once committed: outcomes of terrorist attacks constitute offences on their own (murder, bodily harm, etc.). To the contrary, the assets subject to international sanctions are not ‘dirty’ in the same way as they do not proceed from crime. There are political reasons for subjecting those assets to sanctions, which – as already said – this article by no means questions. To make the violation of sanctions a crime has also its reasons, which is their effective enforcement. However, this does not mean that these assets are a product of crime in the same way as proceeds of drug trafficking, extortion, corruption or fraud. In that sense, using the AML framework for enforcing restrictive measures result in extending the purposes of that framework beyond its original notion changing effectively its philosophy.
What is also worrying is that this change of philosophy in the application of the AML preventive framework was not accompanied by a public debate and a reflection on its consequences in the run-up to the adoption of the above-examined legislation. According to democratic standards, such a debate seems indispensable for such an important shift in approach. Hence, if one speaks of AML expansion in that context, the addition of enforcement of restrictive measures is furthermore a silent AML expansion. Contrary to the inclusion of countering of terrorism financing, this objective is nowhere to be found in the title of the new instrument or its subject matter in Article 1 AMLR. Whether these changes will be beneficial for the effective enforcement of sanctions is unknown, as no impact assessment was prepared in that respect.
The inclusion into the AML framework of enforcement of international sanctions can be seen as part of a broader trend to transfer to private actors difficult enforcement tasks. 112 Recent regulatory developments suggest a trend that policymakers increasingly leverage private actors and their capacities to achieve different policy objectives. Examples of areas that saw such an increase in the role of private actors are often linked with technology, e.g., combating illicit content online, 113 gathering electronic evidence for criminal investigations, 114 or combating child pornography. 115 Such phenomenon is inter alia motivated by limited enforcement capacities of public authorities due to limited resources, the intricacy of financial operations, the amount of data that needs to be processed in short time or complex new technologies involved. 116
In the context of AML, an example of such a tendency, beyond the one subject to this analysis, is the increase of duties of obliged entities to combat environmental crime. 117 What is common to those examples is that the role of the private actor is usually understated, while the consequences of transferring the power to private actors, for those private actors themselves, for individuals’ rights and for achieving policy objectives, are not sufficiently thought through. This trend would imply a changing structure and finality of both compliance and enforcement, where private actors are co-investigators and co-enforcers of public policies. Yet, it is unclear how these enforcement dynamics would be controlled, either through constraints and balances stemming from fundamental rights, or through adequate judicial protection mechanisms. 118
While private actors – financial institutions – were already responsible for implementation of international sanctions, the employment of the much more complex AML framework and the risk-based assessment method results in that the financial institutions will have a much larger role to play with results – as explained above – detrimental to the individuals or businesses concerned by those measures that may find it difficult to question the decisions of the financial institutions.
Concluding remarks
Once the Sanctions Directive is implemented by the Member States, there will be two parallel enforcement regimes against the circumvention of sanctions. Offences described by that directive will be punished through the criminal justice system using its apparatus. In parallel the AML framework will be used to enforce restrictive measures (and targeted financial sanctions) and combat potential laundering of assets deriving from violations of restrictive measures.
It is highly probable that the latter preventive system will be of more significance. While the justice system might produce more publicised cases, it will necessarily act with delay. However, the preventive duties of the financial sector constitute a mechanism of ongoing control of financial flows. Due to the considerations examined above, it is not yet clear whether it will effectively ensure more effective enforcement of restrictive measures or whether it will, to a large extent, represent a burdensome reality for obliged entities. The AML Regulation provides a review only in 2032. While it will only start applying in 2027, obliged entities will have to prepare in advance for those new duties in order to assure compliance in due time. It is thus necessary that the impact of the changes analysed in this article is scrutinised, which may require a consultation process earlier than in 2032. Further academic research on these matters seems also necessary.
The idea of employing the private sector to achieve a complex policy objective is certainly not limited to the problem of international sanctions. However, as regards the use of the AML framework for the enforcement of sanctions, the lack of transparency concerning the implications of the newly adopted legislation is particularly striking. There may be very good reasons for employing the AML compliance system to combat circumvention of sanctions linked to the current conflict with Russia or any other policy objective resulting from the interests of the EU and its Member States. It may well be also that private actors, i.e., financial institutions in this case, are best placed to ensure those objectives through compliance regimes. However, what is not in accordance with EU values and what should be avoided is imposing such duties through the back door without any examination or democratic debate to determine whether that is truly the case and without an analysis of the consequences of such a significant expansion affecting the EU economy.
Footnotes
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This article is part of the efforts of the National Centre of Excellence in FinTech of the University of Luxembourg, which was funded in part by the Luxembourg National Research Fund (FNR), grant reference NCER22/IS/16570468/NCER-FT.
