Money laundering (ML) poses a clear and present threat to citizens, democratic institutions and the financial system. The rules to prevent dirty money from being laundered through the financial system have today grown into an extensive regulatory framework, and do not only apply to European Union (EU) Member States, as similar regulations exist at both global and regional level in many other parts of the world.

There is no accepted international definition of ML and the term has only existed for about 40 years. However, what is typically understood by ML is the handling of money derived from crime, which is often the result of or prerequisite for illicit trafficking or other transnational criminal activities.

The fight against ML and terrorist financing (TF) is crucial for ensuring financial stability and security in Europe. The complex issue of dealing with dirty money flows is not new. Within the EU, anti-money laundering (AML) rules were introduced as compensatory measures when the borders between EU Member States were removed and the internal market began to be realised from the early 1980s onwards. The free movement of capital and financial services and increased cross-border trade also brought new opportunities for criminal actors and networks.

In order to protect the EU's financial interests and maintain sound financial systems, the EU AML framework has been closely linked to the Union’s efforts to combat the financing of terrorism. The EU regulatory framework is today a central part of the EU's security policy, and the EU's AML rules are now among the toughest in the world (European Commission, 2021b). Despite this, we have also seen a number of recent examples of ML scandals. With the increased digitalisation and fragmentation of key parts of our modern world, newly updated regulatory frameworks are facing rapidly accelerating challenges.

In sum, ML constitutes a ‘chameleon threat’, as Valsamis Mitsilegas so aptly described it (Mitsilegas, 2003a), which must be constantly combated, because ML facilitates new forms of illegal and criminal activity, such as drug trafficking in the 1980s, organised crime in the 1990s, and after 11 September 2001, also terrorism.

This chapter, which builds on my previous research in the field,Footnote 1 is based on a historical and contextual presentation where the development of the EU regulatory framework against ML and TF is placed in its historical context and is described in terms of the different threats, interests and actors involved. A selection of analytical and partly overlapping perspectives with specific challenges for the emerging regulatory framework is continuously identified and presented: Firstly, the increase in private–public cooperation where private actors have been involved in shaping the regulatory framework and been assigned “policing” tasks. Secondly, the exchange of information and the specific challenges posed by digitalisation. Thirdly, the interaction between administrative law and criminal law and different types of sanctions. Fourthly, the increased focus on EU security policy and the long-standing so-called securitisation of ML and TF, which has led, among other things, to an increased competence for the EU institutions to regulate this area.

The questions this chapter asks and tries to answer are thus: How has the regulatory framework against ML and TF evolved in relation to globalisation, as well as the theme of this volume, the renewed importance of borders and a consequential real or apparent regulatory fragmentation? What analytical perspectives and legal challenges can be identified when studying this development? What shortcomings and legal challenges remain, and are they addressed by the existing and recently updated instruments as well as recent legislative proposals, or is there room for further reform?

These analytical and partly overlapping perspectives will be addressed in the historical and contextual presentation of this chapter after a brief presentation of the EU acquis in a global context, describing parallel developments at the EU level, followed by current reform proposals, and finally, the new EU legislative package and remaining challenges.

The EU Regulatory Framework in a Global Context

Although ML is an international phenomenon that has been a major problem around the world for a long time, the phenomenon and the concept have only come to prominence in the last 40 years. Although the term ML was used in the past, it was introduced into legislation only in 1986 in the US ML Control Act. In the beginning, ML was mainly recognised as a domestic problem, but the dirty money laundered often came, and still comes today, from drug trafficking, human trafficking and other cross-border criminal activities.

At the same time, ML is a crime that hinders the proper functioning of financial systems. As the International Monetary Fund has pointed out, possible consequences of ML and TF include risks to the soundness and stability of financial institutions and systems, increased volatility of international capital flows and a dampening effect on foreign direct investment (International Monetary Fund, 2023). In this respect, ML poses a particular threat as a sound financial infrastructure is one of the fundamental elements of a stable society. With increased economic globalisation, national borders became less relevant also for financial transactions. Taken together, the threats of ML and the emerging AML Regulation have gradually become transnational and global, which also has a significant impact on the regional and national levels.

In 1988, ML was recognised as a global problem with the prohibition of laundering of drug proceeds in the UN Convention against Illicit Traffic in Narcotic Drugs and Psychotropic Substances (Vienna Convention, 1988). However, the Vienna Convention was limited to drugs and did not refer specifically to the concept of ML. In the same year, principles on ML were also adopted by the Basel Committee on Banking Supervision (BCBS, 1988). This body is made up of banking supervisory authorities in a number of states and aims to develop common standards for the supervision of banking and financial institutions. The 1990 Council of Europe Convention on Laundering, Search, Seizure and Confiscation of the Proceeds from Crime (Strasbourg Convention, 1990) is the first multilateral treaty dealing with ML offences in general (Kersten, 2002). The Strasbourg Convention also extended the so-called predicate offences, i.e., the types of offences that can form the basis of ML offences, to go beyond drug trafficking. In 1998, the Organisation of Economic Cooperation and Development (OECD, 1998) presented a series of recommendations on harmful tax practices. In 1999, the UN International Convention for the Suppression of the Financing of Terrorism was adopted (UN Convention, 1999), and in 2000 the UN General Assembly adopted the UN Convention against Transnational Organized Crime (UN Convention, 2000).

The Council of Europe Convention on Laundering, Search, Seizure and Confiscation of the Proceeds from Crime and on the Financing of Terrorism (Warsaw Convention, 2005) builds on and updates the 1990 Strasbourg Convention and is the most comprehensive international convention on ML. It aims to facilitate international cooperation and mutual assistance in criminal investigations. The Convention contains not only provisions on the criminalisation of ML but also provisions on the freezing and confiscation of assets. The Warsaw Convention is the first international convention covering both the prevention and control of ML and TF. The adoption of the Warsaw Convention reflects the importance of timely access to financial information or information on assets held by criminal organisations.

Today, the Financial Action Task Force (FATF) is the most important international standard-setter for combating ML and TF. FATF was established in response to the G7's recognition of the threat that ML poses to banks and other financial institutions (Winer, 2002). FATF is thus a part, albeit independent, of the OECD (Bergström, 2013). The FATF currently consists of 38 member jurisdictions and two regional organisations, representing most major financial centres in all parts of the world including Hong Kong, Japan, Singapore, the United Kingdom and the United States. Members include the European Commission and fourteen Member States, but also, up until 24 February 2023, Russia, when membership was suspended after the Russian Federation’s “illegal, unprovoked and unjustified full-scale military invasion of Ukraine” (FATF, 2023a). The remaining thirteen Member States, which have been part of the EU since 2004 onwards, are members of Moneyval, which is a FATF-type regional body that carries out self-assessments and mutual assessments of the measures taken in the Member States of the Council of Europe. The members of Moneyval also include, for example, Ukraine (MONEYVAL, 2023).

The FATF recommendations on ML were first issued in 1990, and the current version from 2012 was last amended in November 2023 (FATF, 2023b). They cover both administrative and criminal law measures to combat ML. With the first revisions in 1996, the 40 FATF recommendations were extended beyond the laundering of drug proceeds, and after 9/11, 2001, FATF explicitly extended its recommendations to TF. As a result, FATF's preventive measures now include not only the use of money derived from crime, but also the collection of money or property for terrorist purposes.

The method of mutual evaluation used is that FATF sets standards, model rules, or recommendations, and then evaluates Member States against these. The FATF methodology was adopted in February 2013 and last updated in June 2023 (FATF, 2023c). It operates through peer-review: panels of national legal and banking experts are set up, which then regularly evaluate the laws and practices of other states. FATF applies sanctions in the form of warnings to states deemed not to comply with the non-binding FATF standards. This results in significantly higher transaction costs for financial institutions in the blacklisted state, as financial institutions in other FATF states require greater security when dealing with them. This type of blacklisting partly explains a relatively high level of compliance with FATF standards. As far as EU Member States are concerned, the standards are binding, as they have been transposed into EU law by a wide range of directives and regulations concerning ML (Bergström, 2013).

Compensatory Measures when Borders were Removed

In a European context, the justification for introducing the first AML Directive (1AMLD, 1991) in 1991 was that the emergence of the European internal market, with European rules on financial transactions and the abolition of national borders, required compensatory measures to curb cross-border financial crime (Bergström, 2016). The purpose of the 1AMLD was therefore to prevent an open and liberal financial market, including the free movement of capital and the freedom to provide financial services, from being used for ML purposes.

The 1AMLD was strongly influenced by international rules and was based on the 40 original FATF recommendations and influenced by UN conventions and the recommendations and principles adopted by the Council of Europe and the BCBS. The definition of ML was taken from the Vienna Convention. The preamble to the 1AMLD stated that ML must be combated mainly by means of criminal law and within the framework of international cooperation between judicial and law enforcement authorities. Despite this, as the EU lacked criminal law competence at the time, it adopted the directive invoking as legal bases the right of establishment, and the establishment and functioning of the internal market.

The preamble further stated that ML has a clear impact on the emergence of organised crime in general and drug trafficking in particular and that there is a growing awareness that combating ML is one of the most effective means of combating this form of crime, which constitutes a particular danger to society in the Member States. According to the Directive, a criminal law approach should not be the only way to combat ML, as the financial system can play a highly effective role.

In 2001, the Second AML Directive (2AMLD, 2001) was adopted, amending the first. The 2AMLD referred in particular to the extended definition of ML, beyond drug offences as predicate offences. The Directive identified the fight against organised crime as an objective particularly closely linked to AML measures. The directive contained a long list of acts to be considered criminal offences when committed intentionally, which has since been extended to also prevent TF.

Extension towards Terrorist Financing and Enhancing the Role of Private Actors

In order to protect the EU's financial interests and maintain sound financial systems, the EU AML framework has been closely linked to the Union's efforts to counter TF. After 9/11, 2001, the FATF explicitly extended its recommendations to TF and in October 2001 adopted eight specific recommendations to this end (FATF, 2023b, p. 7). According to these, each country should take immediate steps to ratify and implement the 1999 UN International Convention for the Suppression of the Financing of Terrorism, and to implement the UN Resolutions on the Prevention and Suppression of the Financing of Terrorist Acts. Each country should criminalise the financing of terrorism, terrorist acts and terrorist organisations, and ensure that such offences are classified as predicate offences for ML. FATF also agreed on rules on freezing and confiscation of terrorist assets, reporting suspicious transactions related to terrorism, international cooperation, alternative remittance, wire transfers, and non-profit organisations. In 2004, a ninth specific recommendation on cash couriers was drawn up to ensure that terrorists and other criminals cannot finance their activities or launder the proceeds of crime through the physical cross-border transport of currency and bearer-negotiable instruments (FATF, 2023b, p. 7 and 25).

The adoption of the Third AML Directive (3AMLD, 2005) in 2005 brought regional EU rules into line with FATF's comprehensive, revised and extended recommendations. As a result, the preventive measures in the directive now covered not only the handling of money derived from crime, but also the collection of money or property for terrorist purposes. In addition to extending the provisions to all financial transactions that may be linked to terrorist activities, the biggest change in the 3AMLD and the solution to the problem of ML was to establish a standard for risk analysis (Herlin-Karnell, 2011). The starting point was that the risks differ between countries, customers and business areas as well as over time. The operators themselves are the best analysts of where the risk areas are, or may arise, because they know their business and their customers best. Under a risk-based approach, companies are expected to carry out risk assessments of their customers and divide them into low- and high-risk categories. As a result, the concept of “know your customer”, used in the financial sector, became de facto applicable to everyone covered by the directive.

One of the reasons for more actively involving the private sector in AML was to gain better access to knowledge about the activities of actors who may be involved in illegal behaviour. It is for the private sector to collect appropriate information and decide when suspicious transaction reports should be made. At the beginning of AML regulations, private actors were only part of the public sector in preventing ML offences. However, the shift to the risk-based approach had major consequences for the relationship between private and public actors. A natural part of this change was the expansion of the “policing” tasks of private actors, which have always played an important role in crime prevention. Focusing on this shift of responsibility to the private sector and on the consequent increase in private–public partnerships is therefore an important perspective in the analysis of EU policy against ML and TF (Bergström, 2011; Bergström et al., 2011).

Private actors are not only expected to work against money launderers and report suspicious transactions under threat of administrative and criminal sanctions. They are also actively involved in shaping the underlying rules and procedures at different levels. In addition to the public initiatives of the international and regional supervisors, banking organisations have been involved in the regulation. The current Basel III is a comprehensive set of reform measures developed by the Basel Committee to strengthen the regulation, supervision and risk management of the banking sector. One of the most striking features of the EU AML framework is therefore the intensified multi-level cooperation between public and private actors, where traditional public tasks are shared by public and private actors. As a result, this area of law is extremely complex, involving international, EU-based and national actors and regulations, covering public, private and criminal law rules as well as enforcement mechanisms (Bergström, 2018a).

The risk-based approach introduced by the revised FATF Recommendations and 3AMLD was further developed in 2015 in the Fourth AML Directive (4AMLD, 2015) towards a more targeted and focused risk-based approach with evidence-based decision-making, to better target risk. It further provided guidance from European supervisory authorities, with their increased focus on the effectiveness of AML/CFT (Countering the Financing of Terrorism) systems, and addressed the shortcomings of the 3AMLD identified by the European Commission (European Commission, 2012). According to the Council, the strengthened rules reflected the need for the EU to adapt its legislation to take account of technological developments and other means at the disposal of criminals.

In February 2016 the European Commission adopted an Action Plan (European Commission, 2016a) to better counter TF and to ensure greater transparency of financial transactions following the revelations in the so-called Panama Papers. This was a coordinated action with the G20 and the OECD aimed at directly and vigorously combating tax evasion by both legal and natural persons in order to create a fairer and more efficient tax system. In this respect, it is part of a broader EU effort to improve tax transparency and tackle tax evasion (European Commission, 2016b).

In December 2016, the Council adopted a compromise text aimed at amending the 4AMLD. Although the objective of combating tax evasion was no longer explicitly mentioned, tools designed to achieve this aim remained, albeit slightly modified. The previous directives were repealed on 26 June 2017, when the 4AMLD was to be implemented by Member States. The scope of the directive was extended in several ways: by lowering the threshold for cash payments, which triggers reporting obligations, from EUR 15,000 to EUR 10,000, by including providers of gambling services in the scope of the directive and by including tax crimes as a new predicate offence. In addition, the 4AMLD incorporated new data protection provisions and clarified how AML supervisory powers are applied in cross-border situations.

At this time, the Transfer of Funds Regulation (European Parliament & Council of the European Union, 2015) adopted in 2015 also entered into force. This Regulation sets out rules based on the FATF regulations on the information on payers and payees accompanying transfer of funds in order to help prevent, detect and investigate ML and TF.

Subsequently, in May 2018, after almost two years of negotiations and counter-proposals, the European Parliament and the Council adopted the Fifth AML Directive (5AMLD, 2018) amending the 4AMLD. By 23 June 2020, five months after the transposition deadline (10 January 2020), all 27 Member States except Cyprus, Portugal, Romania and Spain, including the United Kingdom, had reported that they had transposed the new provisions.

As the UK has now left the EU and the post-Brexit transition period has expired, UK-EU security and criminal justice relations are governed by the EU-UK Trade and Cooperation Agreement (Trade & Cooperation Agreement, 2021), which entered into force on 1 May 2021. The EU-UK Trade and Cooperation Agreement includes a title on AML and CFT, largely devoted to prevention, as well as detailed provisions on EU-UK cooperation on freezing and confiscation. The provisions of this Title and the relevant definitions take precedence over the relevant provisions of the 2005 Warsaw Convention and the 1990 Strasbourg Convention (Mitsilegas, 2022).

Exchange of Information and Digitalisation

Another important perspective in the analysis of the Union's AML policy, which is closely linked to the above-discussed intensification of private–public partnerships, is the specific challenges associated with increased information exchange and digitalisation. The processing and exchange of personal data to detect a criminal who may be hiding behind the customer of a person subject to AMLD's monitoring obligations, such as financial institutions and lawyers, involves a delicate balancing act between security and protection of fundamental rights. As customers’ personal data is used to report and investigate suspicious financial transactions, customers should be assured that decisions are not based on data that should not have been collected, that has been stored without permission, or is not, or is no longer, accurate.

The proposed amendments to the 4AMLD, and the 2015 Regulation, were criticised by the European Data Protection Supervisor (EDPS), an independent supervisory authority within the EU tasked with monitoring compliance with Union rules on the protection of personal data by the Union's own institutions, bodies, offices and agencies. The criticism concerned the proposals to introduce policy objectives other than countering ML and TF without these being clearly identified. The processing of personal data collected for one legitimate purpose for another, completely unrelated purpose violates the data protection principle of purpose limitation and risks violating the principle of proportionality. Thus, certain forms of processing of personal data that are acceptable in the context of AML and the fight against terrorism need not be necessary and proportionate in other contexts (EDPS, 2017).

A similar problem arises when it comes to client loyalty and client confidentiality, which is central for example to the legal profession and crucial for an effective representation of clients. Despite concerns within the legal profession, the CJEU (2007) has ruled in Case C-305/05 Ordre des barreaux francophones that the obligations of the AML Directives do not infringe the right to a fair trial guaranteed by Article 6 of the European Convention on Human Rights (ECHR) and Article 6(3) TEU, so the provisions must therefore be upheld also against lawyers. Similarly, in Michaud v. France, Application No 12323/11, the European Court of Human Rights (ECtHR, 2012) has held that the obligation for French lawyers to report suspicious transactions made by their clients does not disproportionately interfere with confidential lawyer-client relations or with the rights under Article 8 of the ECHR.

As has been pointed out, the fact that there are few appeals or complaints about the financial penalties, possibly due to the “name and shame” risk associated with AML and TF, may raise concerns about procedural guarantees, the effectiveness of sanctions and whether or not the penalties imposed are actually effective in preventing crime (Bergström, 2016). It has also been argued that AML measures have little effect in preventing TF, which, on the other hand, involves comparatively little money that does not have to be the proceeds of crime, but often comes from perfectly legitimate sources, as underlined, among other things, in a book on EU sanctions from 2013 (Cameron, 2013).

In addition to the above-mentioned examples of privacy and data protection challenges, there are a number of specific challenges linked to the increasing reliance on electronic reports, e-evidence and other digitisation themes. Not least, can it be difficult to identify who is responsible, where certain information including evidence is located, and which rules should apply at different stages of the various processes planned to deal with such issues. This may have a greater impact on inter-agency cooperation, the free movement of information and the wider protection of fundamental rights.

However, cooperation between police and judicial authorities, and companies providing information and communication services, is nothing new. In addition to the involvement of private actors in the financial sector, including AML, police and judicial authorities have been cooperating with telecom operators and providers for decades. However, there is an increased use of online services and new information and communication technologies (ICT) that are usually addressed by private companies as technology companies or service providers (Franssen, 2018). Such data is often processed, transferred and/or stored by foreign companies or service providers. This poses particular challenges for police and judicial authorities collecting electronic evidence to fight crime committed using or involving the use of ICT. This is because the information that criminals share or store using new ICT, thus processed by private companies, is not accessible to public authorities without cooperation with these private actors (Bergström, 2020; Franssen, 2018).

Administrative Law Measures and the EU Criminal Law Directive

In the same way that the previous section highlighted the importance of private–public collaboration and the challenge of information exchange and digitalisation, our third analytical perspective, focuses on another key element in the fight against ML and TF, namely the interaction between administrative law and criminal law and between different types of sanctions. As is well known, the EU originally, and for a long time, lacked competence to adopt legislative measures in the area of criminal law. This changed with the Treaty of Lisbon, whereby the TFEU paid attention to a number of particularly serious crimes with a cross-border dimension, such as ML, and made it possible for the Union to adopt minimum rules on the definition of criminal offences and sanctions for these crimes. Thus, Article 83(1) TFEU allowed the European Parliament and the Council to lay down minimum rules concerning ML by means of directives adopted in accordance with the ordinary legislative procedure.

Still, this new competence did not immediately lead to legislation. Instead, for a long time, the regulatory framework continued to consist mainly of two administrative instruments, the already mentioned 4AMLD and a Transfer of Funds Regulation, both of which were based on Article 114 TFEU on the internal market. The main aim of this regulatory framework was to improve the conditions for the establishment and functioning of the internal market by setting up common rules for the financial systems that could otherwise be used for ML purposes. The main focus of the EU AML measures based on the risk-based approach remained on prevention, while AML in terms of control and sanctioning was still a matter for national law and the emerging regulatory framework for international cooperation between judicial and law enforcement authorities. The EU AML Criminal Law Directive (European Parliament and Council of the European Union, 2018a) later extended the EU's focus from the prevention to the control of ML and TF.

But despite all the assumptions that the EU's framework for combating ML and TF is mainly of an administrative nature, there is a blurred and not at all clear line between administrative law, criminal law and sanctions in each area (Bergström, 2018a, 2018b). Not least because the provisions of national and EU law are intertwined and interlinked. This may have negative effects in terms of procedural safeguards and the protection of fundamental rights—for example, if sanctions are in fact criminal rather than administrative in nature, or if the different solutions chosen in different Member States lead to variations in the level of protection of fundamental rights across the EU.

Although the 4AMLD already provided for an EU definition of ML and thereby harmonised national criminal law on AML measures, it did not require Member States to introduce certain criminal law provisions setting out certain specific minimum and maximum sanctions for infringements (Herlin-Karnell, 2016). In other words, the regulatory framework laid down harmonised rules with regard to the definition of ML, i.e., the rules specifying which conduct was considered to constitute a criminal offence, but it did not specify the type and level of sanctions applicable to such conduct.

Instead, the 4AMLD stressed that sanctions or measures for infringements of national provisions transposing the directive must be effective, proportionate and dissuasive. Member States may thereby decide not to lay down rules for administrative sanctions or measures for breaches which are subject to criminal sanctions in their national law. In that case, Member States must communicate to the European Commission the relevant criminal law provisions. As the President of the Court of Justice of the European Union, Koen Lenaerts, and Legal Secretary José Gutiérrez-Fons pointed out in their chapter (Lenaerts & Gutiérrez-Fons, 2016), the CJEU (2013) recalled in Case C-617/10 Åkerberg Fransson that where EU law does not specifically provide for a sanction for an infringement of EU law or refers to national laws and regulations, Member States are free to choose the applicable sanctions; i.e. administrative, criminal or a combination of these. However, the resulting penalties must comply with the EU Charter of Fundamental Rights and be effective, proportionate and dissuasive. On the other hand, a measure based on Article 83(1) TFEU does not leave Member States any such freedom.

Therefore, probably unsurprisingly, on 21 December 2016, only two days after the Council adopted the compromise proposal amending the 4AMLD, the European Commission proposed a directive aimed at combating ML by criminal law. Furthermore, the explanatory memorandum stated that terrorists often use criminal proceeds to finance their activities and use ML in that process. The underlying idea was thus that criminalising ML would help CFT. The first EU directive on combating ML by criminal law was adopted on 23 October 2018 and had to be implemented by Member States by 3 December 2020 (Bergström, 2019).

Prior to the implementation of this directive, it was the responsibility of Member States to ensure that administrative sanctions and measures in accordance with the Internal Market Directive, and criminal sanctions in accordance with national law in compliance with international and other relevant Union law, had been put in place. Although the AML Directive by criminal law changed this situation, the line between administrative law and criminal law and sanctions in the AML system is not clear. On the one hand, the new directive reinforces the existing measures to detect and prevent abuse of the financial system for ML and TF. On the other hand, the EU's current focus is being extended from prevention to control. The new directive covers the definitions, scope and sanctions of ML offences and affects cross-border police and judicial cooperation between national authorities and the exchange of information. It is part of the global fight against ML and TF. The directive implements international commitments in this area, including the Warsaw Convention and FATF Recommendation 3, which in turn calls on countries to criminalise ML on the basis of the Vienna Convention and the Palermo Convention.

The EU AML Acquis in the Context of EU Security Policy

From having been extended to the collection of money or property for terrorist purposes, the AML regulatory instruments are now included in an even broader security context. According to the so-called Copenhagen School, the word security in international relations refers to a perceived existential threat, usually to the state, a region or a society, which justifies extraordinary measures (Emmers, 2018). A classic example is then US President George W. Bush's speech about the war on terror after 9/11 (Bush, 2001). An issue is securitised when an actor claims that the issue constitutes a security threat. If this threat is not taken seriously, the state risks going under. If the securitisation is successful, it means that an actor can justify extreme measures that are not accepted under normal circumstances.

In the context of the securitisation of cross-border crime the EU AML framework represents a new paradigm for security governance (Mitsilegas, 2003b). The securitisation of cross-border organised crime and TF have been used to increase the EU's powers, or at least have resulted in such an increase (Bergström, 2020). This is most evident in the area of EU judicial and police cooperation. In particular, the terrorist attacks of 9/11, 2001, accelerated the decision-making process in the European Union. In addition to the adoption of measures such as the framework decision on the European arrest warrant, the securitisation of cross-border crime, and more recently the securitisation of terrorism as such, has resulted in intensified AML rules. Both of these threats require action at the global level, and at the EU regional level. AML and asset freezing measures thus exemplify the shift towards the securitisation of threats to the financial sector in general and cross-border organised crime and TF in particular.

Similar to the securitisation process, the concept of risk and risk management signals that an issue is placed high on both the business agenda and the political agenda (Bergström et al., 2011). To call something a risk is to require action, risk assessment and risk management. The risk-based approach introduced by the revised FATF Recommendations and the 3AMLD has been further developed towards a more targeted and focused risk-based approach using evidence-based policy-making as well as guidance from European supervisory authorities.

In parallel with these developments, the EU became more active in the area of security policy, where AML has taken on an increasing role in recent years. In 2015, the European Commission presented the European Agenda on Security for the period 2015–2020 (European Commission, 2015). It stressed that the primary objective of organised crime is profit and that international criminal networks use legitimate business structures to conceal the source of their profits. The European Commission called for strengthening the capacity of law enforcement authorities to tackle the financing of organised crime, cybercrime, the prevention of terrorism and countering radicalisation. Key actions include effective measures to follow the money and reduce the financing of criminals, where cooperation between competent authorities, in particular the national FIUs to be connected to Europol, will be strengthened. In addition, Eurojust can offer more expertise and support to national authorities in financial investigations. Cross-border cooperation between FIUs and national asset recovery offices (AROs) is intended to help fight ML and gain access to the illicit proceeds of crime. The powers of FIUs will thus be strengthened to better track the activities of organised crime networks and their financial activities and to strengthen the powers of the competent national authorities to freeze and confiscate illicit assets. The EU further contributes to the prevention of TF through the network of EU FIUs and EU-US Terrorist Finance Tracking Programmes. The European Agenda on Security supports Member States’ cooperation in addressing these security threats, and called for further action in the area of TF and ML.

In February 2016, the European Commission presented an action plan to further step up the fight against TF, in brief with two main objectives (European Commission, 2016a). The first objective was to prevent the movement of funds and identify TF. Key issues included ensuring that virtual currency exchange platforms are covered by the AML Directive, CFT through anonymous prepaid instruments such as prepaid cards, improving access to information and cooperation between EU FIUs. Furthermore, to ensure a high level of protection of financial flows from high-risk third countries and to provide EU FIUs with access to centralised bank and payment account registries and central data retrieval systems. The second main objective was to disrupt sources of income for terrorist organisations, including addressing sources of TF, and to work with third countries to ensure global mobilisation with the same aim. The European Commission's Action Plan stressed the need to combat ML through criminal law and the need to ensure that criminals who finance terrorism are deprived of their assets.

On 24 July 2019, the European Commission adopted the Communication “Towards better implementation of the EU’s anti-money laundering and countering the financing of terrorism framework” (European Commission, 2019a), together with four reports aimed at helping European and national authorities better manage risks (European Commission, 2019b, 2019c, 2019d, 2019e). These reports provide an update on sectoral risks related to ML and TF, analyse the shortcomings in current supervision and cooperation and identify ways to address them. The four reports stress the need for full implementation, while underlining that a number of structural weaknesses in the implementation of Union rules in this area still need to be addressed.

Although the incorporation and entry into force of the 5AMLD was expected to address some of these issues, other issues remain. In particular, the 5AMLD increases the transparency of beneficial ownership information, gives FIUs greater access to information, improves cooperation between supervisors and regulates virtual currencies and prepaid cards to better prevent TF.

Current Reform Proposals

On 7 May 2020, the European Commission adopted an Action Plan for a comprehensive Union policy preventing money laundering and terrorist financing (European Commission, 2020a). This is based on six pillars, which aim to improve the EU's overall fight against ML and TF and strengthen the EU's global role in this area. They include effective implementation of existing rules, a common EU regulatory framework, supervision at the EU level, a support and cooperation mechanism for FIUs, better use of information to maintain criminal law and a stronger Europe in the world. As a result, EU rules will become more harmonised and thus, according to the European Commission, more effective. The rules will be better monitored and coordination between Member States’ authorities will be improved. These measures build on the results of the 2019 AML package, which highlighted in particular regulatory fragmentation, uneven supervision and limitations in cooperation between FIUs across the EU, which can be said to be partly consistent with the analytical perspectives of this chapter.

Six months earlier, in November 2019, the finance ministers of France, Germany, Italy, Latvia, the Netherlands and Spain published a joint document on a joint monitoring mechanism in the field of ML and TF, Towards a European Supervisory Mechanism for Money Laundering and Terrorist Financing (Joint Paper, 2020). In the conclusions of the ECOFIN meeting on 5 December 2019, the finance ministers of all EU Member States addressed the European Commission. The European Commission was asked to explore the possibility of conferring certain responsibilities and powers for AML supervision on a Union body with an independent structure and direct powers over certain obliged entities selected by the Union body in accordance with a risk-based approach. The European Commission was invited to make legislative proposals in this regard in parallel with efforts to achieve a higher level of harmonisation through AML legislation.

Building on the progress made under the European Commission's European Agenda on Security 2015–2020 and President von der Leyen's Political Guidelines, on 24 July 2020 the Commission presented its new EU Security Union Strategy for the period 2020–2025 (European Commission, 2020b). The strategy underlined that strengthening the EU AML/CFT framework will also help curbing terrorism and organised crime. It also identified four strategic priorities for action at the EU level. Firstly, “Ensuring a future-proof security environment for individuals”; secondly, “Tackling evolving threats”; thirdly, and of greatest interest in this context; “Protecting Europeans from terrorism and organised crime” including work on countering radicalisation, prosecuting terrorists, border security, better use of existing databases and cooperation with non-EU countries. It also includes an agenda to fight organised crime, specific actions against trafficking in human beings, an agenda on drugs, an agenda on illicit trafficking in firearms and a new EU action plan against migrant smuggling, among others. Fourthly, ‘Developing a strong European security ecosystem’, specifically mentions cooperation and information exchange and important measures to strengthen Europol's mandate, further develop Eurojust and better connect judicial and law enforcement authorities, as well as cooperation with Interpol.

The New EU Legislative Package and Remaining Challenges

Eventually, on 20 July 2021, the European Commission presented its legislative package to strengthen EU AML and CFT rules (European Commission, 2021a). The package contains four legislative proposals, considered to be a coherent whole, creating a new and stricter enforcement framework for AML and CFT in the Union: a new regulation establishing a new EU authority; A new regulation establishing a single rulebook including rules on customer due diligence and beneficial ownership measures; A sixth directive complementing the regulation and replacing the 5AMLD and containing provisions that will be implemented in national law, such as provisions on national supervisory authorities and FIUs, and; A recast of the Transfer of Funds Regulation to track the transfer of crypto-assets. The underlying aim is to improve the detection of suspicious transactions and activities and to close loopholes used by criminals to launder illicit proceeds or finance terrorist activities through the financial system. The new regulatory framework increases coordination and cooperation between Member States’ authorities, while the creation of a new EU agency forms the core of the legislative package.

The regulation establishing the new EU AML and CFT Authority (AMLA) aims to create control at EU level and to bring about  a support and cooperation mechanism for FIUs. Like the current legal framework, the proposal is based on Article 114 TFEU. Within the framework of that provision, according to settled case-law (CJEU, 2006, 2014), the EU legislature may consider it necessary to establish an EU body responsible for contributing to the implementation of a harmonisation process.

The new legislative package introduces far-reaching changes. Having directly applicable rules in a regulation, with more detail than in the existing directive, will both promote consistency in supervisory and enforcement practices in the Member States, as well as provide rules for the new EU authority to apply itself as a direct supervisor for selected obliged entities. AMLA will directly supervise some of the most risky financial institutions operating in a large number of Member States or require immediate action to address imminent risks.

In the area of indirect supervision and coordination and support for FIUs, the proposal contains various provisions empowering AMLA to develop technical supervisory- and implementing standards and to adopt guidelines and recommendations, thus determining a defined role and function for the Authority. AMLA will thus establish a single integrated AML/CFT supervision system across the EU.

AMLA's coordination of national authorities aims to ensure that the private sector correctly and consistently applies EU rules. AMLA will monitor and coordinate national supervisors responsible for other financial entities and coordinate supervisors for non-financial entities. AMLA will further support cooperation between national FIUs and facilitate communication and joint analysis between them to better detect illicit flows of a cross-border nature. AMLA's support to supervisors and FIUs in risk assessment and analysis will be an important function of the new enforcement structure. AMLA will help FIUs improve their analytical capacity on illicit flows and make financial intelligence an important source for law enforcement agencies.

AMLA should be operational in 2024 and will start its direct supervisory work somewhat later, once the new directive has been transposed and the new regulatory framework becomes applicable. According to the European Commission, a more harmonised framework will facilitate compliance for the bodies covered by the rules, not least for those operating across borders. The EU regulatory framework will harmonise rules across the EU, for example through more detailed rules on customer due diligence, beneficial ownership and the powers and tasks of supervisory bodies and FIUs. Existing national registers of bank accounts will be interconnected, which will give FIUs faster access to information on bank accounts and safe-deposit boxes. The European Commission will also make this system available to law enforcement authorities, which will speed up financial investigations and the recovery of criminal assets in cross-border cases. Access to financial information will be subject to strong safeguards in the proposed Financial Information Exchange Directive that would allow designated competent authorities responsible for the prevention, investigation, detection or prosecution of criminal offences to access and search Member States’ centralised bank account registers through a single access point.

The legislative package includes an EU-wide limit of EUR 10,000 for large cash payments. Restrictions already exist in around two-thirds of Member States, but the amounts vary. National ceilings below EUR 10,000 may remain. In addition, it will be forbidden to provide or own anonymous wallets for crypto assets, just as anonymous bank accounts are already banned. Currently, only certain categories of crypto-asset service providers are subject to EU rules. The proposed reform will extend these rules to the entire crypto sector and force all service providers to make checks on their customers. These changes are intended to ensure full traceability of transfers of crypto-assets, such as bitcoin, and will make it possible to prevent and detect their possible use for ML or TF.

The EU legislative package thus strengthens the existing regulatory framework by taking into account new and emerging challenges related to technological innovation, such as virtual currencies, more integrated financial flows in the internal market and the global nature of terrorist organisations. ML is a global phenomenon that requires strong international cooperation. AMLA will support the Union's policy towards third countries with regard to ML and FT threats from outside the Union. The Authority will cooperate in this regard with the relevant European Commission services, the European External Action Service, as well as EU bodies, offices and agencies. A country designated by the FATF will also be listed by the EU. There will be two EU lists, a “black list” and a “grey list” reflecting the FATF list. Once listed, the EU will take measures proportionate to the risks posed by the country. The EU will also be able to list countries that are not listed by the FATF but pose a threat to the EU financial system on the basis of an independent assessment.

In this chapter, a selection of analytical and related perspectives with particular challenges for the emerging AML/CFT framework has been highlighted and briefly analysed. Two recurrent challenges identified in these analytical perspectives are, first, regulatory fragmentation. Regulation at different levels, such as global, regional and national levels, can lead to both application and efficiency problems. The new legislative package consists of four legislative proposals, three of which are directly applicable in the Member States. A new EU agency is proposed to be given specific competences, and power over the Member States’ authorities active in the area, is established. On the one hand, predictability and effectiveness of the regulatory framework are likely to improve, while some enforcement problems may remain before national frameworks have had time to adapt to the new regulations and other relevant provisions.

Fragmentation of the regulatory framework that occurs due to the difficulty of drawing clear boundaries between what is private and what is public, or between what is administrative law and what is criminal law and associated challenges such as differences regarding the protection of rights in the relevant regulatory instruments, will probably continue to lead to some problems. If, for example, you are affected by a criminal sanction, you have access to higher protection and more rights than if you receive an administrative, although severe sanction. It is true that access to financial information will be subject to strong safeguards in the proposed Financial Information Exchange Directive, but how these will actually be implemented at the national level remains to be seen. Furthermore, the processing of individuals’ personal data in EU-wide databases to which both national authorities focusing on prevention, and judicial and law enforcement authorities with a focus on control have access, poses a particular challenge. The data protection principle of purpose limitation must not be circumvented. However, as an EU body, the new AMLA authority will be subject to the relevant data protection regulation, Regulation (EU) 2018/1725, (European Parliament and the Council of the European Union, 2018b) in the sense that it can handle personal data.

This brings us to a second recurrent challenge, the protection of fundamental rights, and the balance between public interests such as financial market integrity, and individual rights and freedoms, as well as a number of related issues and challenges. Specific challenges linked to digitalisation, cooperation between authorities and exchange of information have been addressed in the legislative proposals that have now been developed. Here there is every reason to be critical of how individuals’ fundamental rights are protected when the long-ongoing securitisation of ML and TF with increased competence to regulate and to take extraordinary measures risks weakening the system of fundamental rights guarantees in the Union. With the increased fragmentation and digitalisation of key parts of our modern world, newly updated regulatory frameworks are facing rapidly accelerating challenges. It is to be hoped that the variety of tools that the European Commission and AMLA will be able to use will allow the EU to keep pace with a rapidly changing and complex international environment with rapidly changing risks without restricting the protection of fundamental rights. The legislative package is currently being discussed by the European Parliament and the Council, and here there is every reason to pay attention to developments so that individuals’ fundamental rights are not curtailed in response to the ever-changing threats to our society.