The FATF[1] has just issued its evaluation report on the AML/CFT system in France. It is considered positive, i.e. at the level of best practices. Indeed, apart from a few “gaps” that are not considered significant (in particular the scope of financial institutions), the report confirms the quality of the elements put in place at the legislative and supervisory level. This does not mean that money laundering is less common in France than elsewhere; it mainly means that the framework provided to taxpayers allows them to put in place an appropriate and effective system (in the light of our current knowledge). This framework allows us to have reasonable assurance that we will launder less than elsewhere.

At a time when Europe is setting up an ambitious plan around 6 Pillars[2] (priorities), it is interesting to ask whether there is still a long way to go before we comply with the next regulatory developments[3] .

While the projects underway are not in themselves revolutions, the collection of data is becoming sufficiently significant for the CNIL to warn of the need to properly manage the data collected[4] .

We propose firstly to summarise the Gafi recommendations (and yes, everything is not yet perfect…) and secondly to identify the main components of the future AML/CFT regulation.

1.   The gafi report: very good but can still do better

Our aim is not to provide an exhaustive review of the FATF report, which is sufficiently precise and structured to make it easy to read for anyone interested in the details.

Our objective is to highlight the main points for improvement, which will surely one day result in an evolution of the regulation, in order to fully understand the spirit of the system.

Moreover, we strongly recommend reading this report to anyone joining an AML/CFT team: indeed, this report deals with all the structural components of the system[5] , most of which are not the subject of any remarks by the FATF. An excellent way to review your knowledge of what is expected!

1.1.   Points of attention on customer knowledge

The FATF considers the customer due diligence monitoring system to be fully satisfactory. However, there are some areas for improvement:

  • On Politically Exposed Persons (PEPs):
    • Review the scope of persons close to the EPP and in particular his family circle (the current scope is considered too restrictive);
    • Be cautious about the fact that EPPs that have been out of vigilance for more than a year may return to normal vigilance (especially in the case of life insurance policies). Indeed, even if some former EPPs remain in enhanced vigilance, this is not exactly equivalent to the application of additional vigilance measures.
  • Beneficial owners (BE) :
    • The majority of financial institutions seek to identify the EBs of their clients, but focus on capital control and in a few cases only refer to the register of beneficial owners (RBE) to verify the information;
    • With regard to sanctions, the FATF is surprised by the absence or weakness of sanctions in the following cases:
      • Failure to keep records and update information with the RCS ;
      • administrative sanctions for failure to declare intermediary status (loss of voting rights or powers and loss of dividend rights) are neither proportionate nor dissuasive.
    • For associations, foundations and endowments, there is no obligation to identify the EB within the meaning of the FATF[6] .

1.2.   The challenges of bank correspondence

This is again a recurring point of attention.

Correspondent banking relationships within the EU are subject to a risk-based approach but not to systematic enhanced scrutiny.

The FATF considers that this system is restrictive. It therefore calls for the development of a risk-based approach within the EU (and not only outside the EU).

1.3.   Points of attention on geographical areas

France is largely compliant with the requirements for vigilance towards high-risk countries.

The FATF points out that French legislation does not allow the targeting of specific countries that would not be identified either by the FATF or by the European Commission. Moreover, the possibility of limiting business relationships within the framework of enhanced scrutiny could lead to de-research.

1.4.   Points of attention on new entrants

Players such as VSPs[7] (virtual asset servicing providers) benefit from a lighter regime than other financial institutions that are not justified.

This is the case:

  • Obligations to communicate explicitly to the authority their risk assessments;
  • With regard to transfers, while VSPs are aware of their obligations concerning the rules for transfers of virtual assets and indicate that they have put in place the necessary measures to implement them, the accompanying information on the originator and beneficiary with the transfer, known as the “Travel Rule”, poses a technological challenge and clarifications from national and European authorities are awaited.

With regard to designated non-financial businesses and professions (DNFBPs), risk-based AML/CFT supervision is still recent and insufficient for some sectors, notably for real estate agents and notaries who are involved in a real estate sector exposed to significant money laundering risks.

1.5.   The challenges faced by groups in relation to their foreign entity(ies)

Here again, France complies with the expectations, particularly in terms of procedures and internal control.

However, the FATF calls for vigilance on the part of parent companies in relation to their subsidiaries and branches in the EU/EEA. Indeed, in this case, they ensure that the entities comply with local regulations but are not obliged to ensure that these regulations are as restrictive as the regulations in France.

1.6.   De-risking issues


The issue is again addressed by the FATF: some financial institutions tend to avoid risks instead of mitigating them (e.g. with regard to PSAN clients or non-profit organisations – NPOs[8] ).

With regard to non-profit organisations, these same organisations have complained that they have difficulty accessing the banking system because of an exclusion linked to the purpose of the organisation. This point echoes recent complaints from associations about the behaviour of certain institutions[9] .

2.   The main components of the next regulation

While the FATF report on France is satisfactory, Europe is moving forward to harmonise arrangements by regulating (which will facilitate the supervision of large group entities that are located within the EU, as the regulations should be the same).

Indeed, the advantage of a European regulation is to harmonise the schemes[10] and thus reduce cross-border opportunities. This regulation also extends the scope of those subject to the regulation to new players, including providers of services on crypto-assets and providers of participatory finance services other than those governed by Regulation (EU) 2020/1503.

The draft regulation will be supplemented by technical standards drafted by the Anti-Money Laundering and Counter-Terrorist Financing Authority (AML/CFT)[11] which will clarify certain issues, such as thresholds for occasional transactions and criteria for identifying related transactions.

Based on the draft regulation[12] , what will be the main impacts on devices?

2.1.   Strengthening the risk-based approach

The regulation is even more precise on the elements to be taken into account that can influence the occurrence of risks. The following points are concerned:

2.1.1.    An increase in the granularity of the risk classification (Art.8)

The criteria for adapting the level of vigilance are increasing in order to gain a better understanding of the risk factors relating to customers, products, etc. While these factors are generally taken into account in the customer risk profile[13] , the Regulation systematises the refinement of the risk-based approach.

Classification, a document at the heart of this approach, will need to be given specific attention by governance bodies, as classification is an expression of the risk appetite in AML/CFT matters (or, at the very least, the trade-offs that are tolerated by the organisation).

2.1.2.    The basic rules of vigilance

Reporting entities shall apply customer due diligence measures in the following cases:

  1. When entering into a business relationship ;
  2. Where they are associated with or occasionally engage in a transaction of EUR 10 000 or more, or its equivalent in national currency, whether executed in a single transaction or through a series of linked transactions, or a lower threshold set ;
  3. Where BC-FT is suspected, regardless of any applicable thresholds, exemptions or derogations;
  4. Where there are doubts about the veracity or relevance of previously obtained data for the purpose of identifying a customer.

Where a reporting entity is unable to comply with the measures set out, it shall refrain from executing a transaction or entering into a business relationship, and shall terminate the business relationship and consider submitting a suspicious transaction report about the customer to the FIU in accordance with Article 50 (Art. 17).

No change in the economic justification of customer claims (Art. 20) :

Identification of the purpose and intended nature of a business relationship or transaction concluded on an occasional basis :

  • The purpose of the proposed account, transaction or business relationship ;
  • The estimated amount and economic justification of the proposed transactions or activities;
  • The origin of the funds ;
  • The destination of the funds.

2.1.3.    Thresholds on certain types of customers

For occasional customers[14] , the threshold will be harmonised:

  • Harmonisation of vigilance thresholds in the context of occasional customers :
    • The threshold will be reduced to EUR 10 000 (which will not make much difference for most institutions in France in particular).

In addition, customer due diligence will have to be in place when the institution (including PSANs) occasionally initiates or executes a transaction that constitutes a transfer of funds[15] or a transfer of crypto-assets within the meaning of Article 3(10) of the Regulation, in an amount exceeding EUR 1 000 or its equivalent in national currency (Art 15).

Let us recall the rules in France on occasional customers:

The regulations do not require the implementation of due diligence measures with regard to the occasional customer and, where applicable, its beneficial owner… except in the following cases (Art. L 561-5 of the CMF):

  • In case of suspicion of BC-FT (Art. L. 561-26 of the CMF) ;
  • Or, when the transaction meets one of the restrictively listed conditions (II of Art. R. 561-10 of the CMF):
    • A transfer of funds, regardless of the amount;
    • A manual foreign exchange transaction of an amount > €1,000 or linked foreign exchange transactions of an aggregate amount > €1,000 or any remote foreign exchange transaction, regardless of its amount.

2.1.4.    Third countries at risk in terms of AML/CFT

The Regulation proposes to distinguish 3 categories of risky third countries, consistent with the FATF approach:

  • Third countries with “significant strategic deficiencies” in their AML/CFT systems, which will be referred to as “high-risk third countries”[16] ;
  • Third countries with “compliance weaknesses” in their AML/CFT systems;
  • Third countries pose a specific and serious threat to the EU financial system and the proper functioning of the internal market.

Third countries with compliance weaknesses in their AML/CFT systems, defined as being subject to “enhanced scrutiny” by the FATF, will in principle be identified by the Commission and subject to country-specific enhanced due diligence measures proportionate to the risks.

2.2.   Strengthening customer knowledge and updates

2.2.1.    A strengthening of the quality of the files[17]

In the case of a customer with reduced vigilance, the files relating to customer knowledge and their verification must be completed within 30 days of the date on which the relationship was established.

In addition, customer files should not be updated beyond 5 years (which may have an impact for some large banking networks).

Finally, in the context of the third party introduction, the transmission of information[18] on the customer must be made within 5 working days of the start of the relationship[19] .

2.2.2.    Still and always issues of knowledge of beneficial owners and PEPs

The aim is above all to harmonise the arrangements at European level.

The subject is important and the regulation must be precise on sensitive issues such as the knowledge of beneficial owner(s) or Politically Exposed Persons (PEPs).

No major changes in this area.

However, it is worth noting the scope of the actors who will be required to disclose information on beneficial owners:

  • Legal entities established outside the Union and to express trusts or similar legal arrangements administered outside the Union as long as they operate in the EU:
    • “Information on the beneficial owners of legal entities incorporated outside the Union or on the beneficial owners of express trusts or similar legal arrangements administered outside the Union shall be recorded in the central register (at least in one of the Member States’ registers if these entities operate in several countries).
  • To nominee shareholders and nominee directors:
    • “Nominee shareholders and nominee directors of companies or other legal entities shall maintain adequate, accurate and timely information on the identity of their principal and the beneficial owner(s) of their principal and shall report this information, and their status, to companies or other legal entities.” [20].

In addition, the proposed Regulation confirms the exemption from identification of the beneficial owner for bodies governed by public law within the meaning of Directive 2014/24/EU.

Finally, researching ownership percentages is good; making sure that it is the people in control is even better…

For PEPs[21] , the risk-based approach is again to be preferred, as not all PEPs are necessarily equal in terms of their exposure to corruption.

  • Specific case of life insurance beneficiaries :
    • Reasonable measures to be taken (or more depending on the risk) in cases where the beneficiary is a PEP, at the latest at the time of payment of benefits or at the time of partial or total assignment of the insurance contract.

2.2.3.    Outsourcing should be under control (Art. 38 and 39)

Here again, the context is getting stronger.

Firstly, the use of subcontractors established in the risk third countries identified by the Commission will be prohibited. However, reporting entities established in the EU with branches and subsidiaries established in those third countries may use those branches and subsidiaries where all the conditions set out in paragraph 3(a) to (c) are met; namely:

  • The reporting entity relies on information provided exclusively by a reporting entity that is part of the same group;
  • The effective implementation of the AML/CFT obligations is monitored at group level by the home Member State supervisor.

In addition, the following tasks may not be subcontracted under any circumstances:

  1. Approval of the reporting entity’s risk assessment ;
  2. The internal controls established in accordance with Article 7 (policies, controls and procedures of the outsourcing entity) ;
  3. The development and approval of policies, controls and procedures applied by the reporting entity to comply with the requirements of this Regulation;
  4. Assigning a risk profile to a potential client and establishing a business relationship with that client;
  5. Determining the criteria for detecting suspicious or unusual transactions and activities;
  6. Reporting suspicious activities or threshold-based information to the FIU in accordance with Article.

When a reporting entity subcontracts an authorised task, it shall ensure that the external agent or service provider applies the measures and procedures it has adopted (written form, at least a contract when the service provider does not belong to the institution concerned). This will, of course, require a review of all subcontractors who provide AML/CFT services in order to ensure compliance with these developments.

2.2.4.    Framework to facilitate exchanges within a Group (Art.13)

Being able to exchange information within a group on clients or declarations is an asset for improving its systems and avoiding inconsistencies. The draft regulation thus specifies the situations in which information may be exchanged:

  • KYC, i.e. the identity and characteristics of the customer, the beneficial owner(s) or the person on whose behalf the customer is acting;
  • The nature and purpose of the business relationship ;
  • Declarations of suspicion (communication regulated in France by the Monetary and Financial Code).

Clarification is needed on :

  • The roles and responsibilities of parent companies that are not themselves reporting entities (e.g. the role of the automotive or retail groups vis-à-vis the banks they own);
  • The extension of group requirements to other similar structures sharing common ownership, management or compliance monitoring, such as networks or partnerships, EIGs.

2.3.   A strengthening of the control mechanisms with regard to the processing of financial sanctions

Financial sanctions and asset freezing arrangements are important in contexts where these sanctions are becoming significant and the stakes involved are high. Taxpayers have long had an obligation of result, not of means.

However, the regular sanctions that have been imposed by the ACPR show that all is not yet perfect. The regulation is becoming more precise and restrictive, particularly with regard to the need to identify the factors that would reduce the effectiveness of the systems in place and the risks of circumventing these systems. It is no longer just a matter of ensuring that the lists are up to date, integrated into the systems and that analyses are carried out.

The systems will have to go further, particularly in anticipating areas of vulnerability and developing relevant scenarios.

2.4.   Clarification of roles and responsibilities

While these developments have already been integrated into the financial institutions in France (the elements below do not constitute a change), for all reporting entities, the organisation must be harmonised, including the internal control framework (Article 7):

  • Appoint a compliance officer from among the executive bodies who is responsible for, inter alia (Art.9):
    • Implementation of policies, controls and procedures and monitoring of major incidents and malfunctions;
    • To provide the management body with a regular update on the AML/CFT control system;
    • Prepare a minimum annual report to the management body on the implementation of policies and controls.
  • Appoint a compliance officer, appointed by the board of directors or the management body, who is responsible for :
    • The day-to-day application of AML/CFT policies ;
    • Ensure compliance of the device;
    • Regular reporting to the executive and supervisory bodies (including the Board);
    • Identify and manage conflict of interest situations.

2.5.   Protection of personal data (Art 56)

The Regulation specifies the points of attention with regard to personal data.

To the extent strictly necessary for the prevention of money laundering and terrorist financing, reporting entities may process the special categories of personal data referred to in Article 9.

Reporting entities may process personal data provided that :

  • Reporting entities shall inform their customers or potential customers ;
  • The data are from reliable sources, are accurate and up-to-date;
  • The reporting entity shall adopt measures to ensure a high level of security, in particular with regard to confidentiality.

In addition, the entity should ensure that :

  • This personal data concerns money laundering, its underlying offences or terrorist financing;
  • Procedures to distinguish between allegations, investigations, proceedings and convictions in the processing of such data, taking into account the fundamental right of access to an impartial tribunal, the rights of the defence and the presumption of innocence.

2.6.   Harmonisation of the formats for suspicious transaction reports

The aim of the regulation is also to facilitate the harmonisation of suspicious transaction reports to the FIU (Financial Intelligence Unit) in order to bring all reporting entities into line with European best practice.

The developments would thus concern :

  • Harmonisation of formats ;
  • Clarification of the time limits for responding to a request for information submitted by the FIU :
    • In principle, the deadline is 5 days;
    • The deadline can be reduced to 24 hours depending on the urgency of the request.

2.7.   Conclusion

Whether we are talking about the FATF recommendations or the proposed regulation, we are mainly in the area of clarification or even precision for financial institutions that have been involved in AML/CFT matters for many years. The systems have matured and if they are not yet perfect, it is probably less due to a lack of regulation than to the sensitivity of the teams or sufficient resources.

The proposed regulation will thus mainly lead to adjustments in the arrangements. The essential principles of AML/CFT remain unchanged: the risk-based approach, the importance of knowing one’s customer (including of course the beneficial owner(s)) and the need for vigilance. Let’s start by applying what is required and try to develop safety reflexes in relation to these subjects, just like the seatbelt in the car… When a beep is emitted when it is not put on, it helps to develop reflexes and to change habits!

Annex – The main EBA guidelines on AML since 2019
  • The ML/TF Risk Factors Guidelines’ under Articles 17 and 18(4) of Directive (EU) 2015/849 : EBA/GL/2021/02.
  • EBA Guidelines on internal governance under Directive 2013/36/EU: EBA/GL/2021/05
  • Joint EBA and ESMA Guidelines on the assessment of the suitability of members of the
  • management body and key function holders: ESMA35-36-2319 EBA/GL/2021/06.
  • EBA Guidelines on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT Compliance Officer under Article 8 and Chapter VI of Directive (EU) 2015/849: EBA/CP/2021/31.
  • EBA Guidelines on outsourcing arrangements : EBA/GL/2019/02.
  • EBA Guidelines on ICT and security risk management : EBA/GL/2019/04.
Annex – Reminder of the axes of reinforcement at European level
  • A proposal for a Regulation on the prevention of the use of the financial system for the purpose of money laundering (ML) and terrorist financing (TF).
  • A proposal for a Directive (AMLD6) laying down mechanisms for Member States to prevent the use of the financial system for money laundering or terrorist financing purposes and repealing Directive (EU) 2015/8496.
  • A proposal to recast Regulation (EU) 2015/847 on information accompanying transfers of funds.
  • A proposal to create a new European authority to combat money laundering: Authority for Anti-Money Laundering and Countering the Financing of Terrorism (‘AMLA’ or ‘the Authority’).

Also noteworthy is the strengthening of the role of the European Banking Authority (EBA) in AML/CFT:


Annex (as a reminder, extract from the previous AFGES News letter)

Basic element of the activity report (role of the Compliance Officer) :

  • On the assessment of money laundering and terrorist financing risks :
    • An explicit statement as to whether the business-wide ML/TF risk assessment or a review thereof, as referred to in Article 8(1) of Directive (EU) 2015/849, has been required by the competent authority for the reporting year;
    • A summary of the main conclusions of the risk assessment referred to in Article 8(1) of Directive (EU) 2015/849, where such an update has been carried out in the past year;
    • A description of any changes in the institution’s methodology for assessing the risk profile of the individual customer of the business relationship, including the extent to which it is aligned with the institution-wide assessment of money laundering and terrorist financing risk;
    • The distribution of clients by risk category and date of entry into relations, data from the reports submitted by the business lines, including the number of files not updated;
    • A structured overview of the work carried out by the AML/CFT compliance officer during the past year, including information and statistical data on :
      • The nature, number and amount of unusual transactions detected;
      • The nature, number and amount of unusual transactions actually analysed;
      • The nature, number and amount of suspicious transaction or activity reports to the FIU (depending on the country where the transaction took place).
      • Aggregate information on customer relationships that have been discontinued closed due to AML/CFT concerns.
      • Number of information requests received from the FIU ;
      • Number of court applications received ;
      • Number of orders requiring postponement of the execution of a transaction ;
      • Number of responses provided to the FIU and decisions taken in relation to these clients, i.e. whether the business relationship with these clients has been blocked, suspended, terminated, etc.
      • Summary of statistical data or key risk indicators relating to AML/CFT risks, in order to give an accurate picture of the AML/CFT risks to which the financial sector operator is exposed through its customers, countries or geographical areas, products, services, transactions or distribution channels, taking into account the revised EBA guidelines on money laundering and terrorist financing risk factors[22] .
    • On policies and procedures :
      • Summary information on significant measures taken and procedures adopted during the year, including follow-up of recommendations, malfunctions and irregularities identified in the past as well as new problems and irregularities and proposed measures;
      • The nature and number of compliance monitoring actions undertaken to assess the application of the institution’s AML/CFT policies, controls and procedures;
      • The adequacy of the AML/CFT monitoring tools used by the institution.
    • In the area of awareness raising and training :
      • The nature and amount of AML/CFT training activities carried out, planned, not finalised, and the personnel involved in these training activities;
      • The training plan for the coming year to assess the adequacy of the training and education provided:
        • Number of hours of training per type of employee and per type of department/function and percentage of employees who have received training ;
        • Date of participation in a seminar, title and duration of the seminar and delivery mode (i.e. e-learning, online and face-to-face) as well as names of trainers;
        • Whether the conference/seminar was prepared within the financial sector or delivered by an external organisation or consultants; and
        • summary information on the programme/content of the conferences/seminars.
      • A description of any other measures adopted by the compliance officer in relation to AML/CFT;
      • Any other relevant information on the functioning of the AML/CFT compliance officer function and on AML/CFT prevention measures that the AML/CFT compliance officer considers may be of interest to bring to the attention of the management body;
      • AML/CFT Compliance Officer’s Business Plan for the following year;
      • Supervisory activities, including communications to the institution, by the competent authority, reports to the management body and monitoring reports, sanctions imposed, and the manner in which the institution has fulfilled its obligations;
      • The status of corrective measures, without prejudice to any other periodic reports that may be required in the case of monitoring or corrective measures.


Annex – Reminder of the content of the 5th European Directive

The Fifth Anti-Money Laundering Directive (EU) 2018/843 entered into force in June 2018. The main components relate to:

  • Improving transparency, particularly in relation to ownership of companies and trusts;
  • Strengthening controls on third countries at risk ;
  • Strengthening of measures against the risks associated with prepaid cards and virtual currencies ;

Strengthen cooperation between national financial intelligence units and promote the exchange of information between anti-money laundering supervisors and the European Central Bank (ECB).

[1] As a reminder, the FATF is an intergovernmental body created in 1989 by the ministers of its member states.  The objectives of the FATF are to develop standards and promote the effective implementation of legislative, regulatory and operational measures relating to AML/CFT.

[2] See AFGES News letter February 2022 – Update on AML/CFT measures



[5] This includes a superb glossary of acronyms on pp. 340-343 as well as a summary of the recommendations.

[6]To date, mainly the legal representatives of associations and the president for endowment funds, the president, general manager or board member for foundations.

[7] As stated by the FATF, VSPs appear to have a good understanding of the ML/FT risks to which they are specifically exposed (…) However, due to their recent subjection, it is still difficult to fully assess the effectiveness of their preventive measures.

[8] With regard to NPOs, the FATF considers that the risk-based approach taken by supervisory authorities needs to be refined.

[9] “The interior minister, Gérald Darmanin, has written to the economy minister, Bruno Le Maire, asking him to promote “dialogue” between the French banking federation (FBF) and Muslim associations, after mosques in the Rhône region denounced account closures.”(Extract Figaro 090622)

[10] The implementation of the amended Directive (EU) 2015/849 has led to divergences in application at national level.

[11] : to see the role and power of this new authority


[13] Relying in particular on the various documents that help determine these factors, such as the European Banking Authority’s revised Guidance on CB/FT risk factors

[14] As a reminder, the nature of the due diligence measures to be implemented with regard to customers is based on the distinction between customers in a business relationship and occasional customers.

[15] Within the meaning of Article 3(9) of Regulation (EU) 2015/847 – COM(2021)

[16] Including FATF blacklisted countries

[17] Refer also to the guidelines issued by the ACPR on identification and verification of identity and knowledge of customers

[18] Process defined under Article R561-13 of the CMF in France.

[19] As a reminder, the third party introduction can only relate to the implementation of the obligations:

– identification and verification of the identity of the customer and, where applicable, the beneficial owner

and, in the case of life insurance or capitalisation contracts, that of the beneficiary of such contracts.

contracts and, where applicable, the beneficial owner of the latter;

– as well as the collection of knowledge of the business relationship.

[20] Not to be confused with the “nominee” used in the investment fund industry

[21] Each Member State shall draw up and update a list indicating the precise functions which, under national laws, regulations and administrative provisions, are considered to be important public functions. In addition, the Commission shall publish a single list (from these lists) in the Official Journal of the European Union. The ALBC publishes the list on its website.

[22] EBA Revised Guidelines on ML/TF Risk Factors: EBA/GL/2021/02