EU’s Fourth Anti-Money Laundering Directive

October 31, 2016

What is AML (Anti-Money Laundering)?


Security is paramount to Cardstream. We think about security at every level of our business, constantly evaluating our operations, functions and security to optimise the online safety of our partners, their merchants and their cardholders, as evidenced by our Level 1 PCI DSS security. But security and fraud prevention don’t start and stop at the payment gateway level. All banking institutions, with reference here to our acquiring bank partners, are responsible for ensuring the authenticity of potential merchants. This is achieved by three separate checks in the underwriting process: AML (Anti-Money Laundering), KYC (Know Your Customer) and CDD (Customer Due Diligence), although occasionally EDD (Enhanced Due Diligence) is necessary. A quick breakdown of these follows:

Know Your Customer – This will include checking a person’s identity against a list of known ‘politically exposed persons’, analysing the customer due diligence, and identifying the beneficiaries, directors and shareholders, then exposing them to the same KYC and CDD/EDD. The company’s registration name and number, and its date and country of incorporation, will need to be checked. On occasion CDD will be covered under KYC.

Customer Due Diligence – Authenticating the customer’s identity by name, photographic ID and residential address or date of birth.

Customer Due Diligence may sometimes require:

Enhanced Due Diligence – Further authentication of the customer’s identity by, additionally: obtaining further information to establish the customer’s identity; applying extra measures to check documents supplied by a credit or financial institution; and making sure that the first payment is made from an account that was opened with a credit institution in the customer’s name. [1]

Anti-Money Laundering – This process is usually personal to each person processing the AML checks, but the tools used can include printing or investigating credit reports via resources such as Credit Safe or Experian. They may also check the stock market and services such as G2 Web Services for merchant relationships and risk history, blacklists, whitelists, reputation information and compliance violations. They will also monitor for previous Visa and Mastercard card scheme issues.

Fraud is something that affects a country at every level, from government initiatives, to cardholders, to merchants and the public generally. Money laundering is used to finance crime, organised or otherwise. It operates by generating or converting property and currency to facilitate illicit operations of varying degrees of damage, from opportunism to terrorism. Enter the EU’s Fourth Anti-Money Laundering Directive.

What is the EU’s Fourth Anti-Money Laundering Directive?


AML Directives serve as legal guidance for limiting fraud and money laundering, tackling the threat to a country’s national security and addressing “… a key enabler of serious and organised crime, the social and economic costs of which are estimated to be £24 billion a year.” [2] The organisations it will affect are predominantly banks, gambling companies, estate agents, pension funds, trusts/foundations, public authorities, accountants and independent legal professionals.

The EU’s Fourth Anti-Money Laundering Directive came into force in June 2015 and all ‘obliged entities’ should be compliant by 26th June 2017, giving a two-year implementation time. The UK by and large has many of the Directive’s new changes already in place, although the recent Brexit raises questions about how anti-money laundering will be affected in the future. [3]

Whilst much reference is made to national security, the Directive also aims to counter fraud and tax crimes more generally, whilst illuminating company and trust ownership. It also brings virtual and quasi-currencies under the Directive’s remit. [4]

How will the EU’s Fourth Anti-Money Laundering Directive be different from its predecessor?


The EU Directive uses the word ‘risk’ “149 times in the Fourth Directive, compared with 36 times in the Third Directive and 13 times in the Money Laundering Regulations 2007”. This heavily implies an emphasis on a “risk-based approach to money laundering”. [5] One of the bigger changes brought about here is the lowering of the transaction value that triggers due diligence, from €15,000 down to €10,000, for a single transaction or seemingly associated transactions. This value is €2,000 for casinos.

There is also a greater focus on Politically Exposed People (PEPs); local PEPs will now be subject to the same checks as local PEPs, as will their relatives. PEPs will continue to count as PEPs for 12 months after leaving office, although the Directive very clearly states that discriminating against these parties, or refusing them on the basis of their PEP status, is poor practice. In fact, I quote: “Refusing a business relationship with a person simply on the basis of the determination that he or she is a politically exposed person is contrary to the letter and spirit of this Directive and of the revised FATF Recommendations.” [6]

The new Directive places a bigger focus on identifying the Ultimate Beneficiary of the Organisation (UBO) and checking their identity.

Beyond implementation & Application to Acquiring Banks


Responsibilities don’t halt once the implementation, sign-up, partnership or transaction has been completed (well, maybe the latter). Once a relationship is established or a service provided, there should be ongoing risk assessments and analysis of the business or person based on factors such as geographic area, products or services and delivery method. There may be severe penalties for non-compliance, with fines reaching up to at least €5,000,000, or 10% of an organisation’s annual turnover.

This all sits very close to how the application and merchant account set-up processes for your merchants work. If you ever feel concerned that applications for a merchant account may be difficult, it is always worth considering that the diligence is extraordinarily important to the wellbeing of people and the economy. Cardstream are enormously proud to be partnered with so many security-conscious organisations and banks, and to be PCI DSS 3.2 compliant, doing our own bit in managing security.