The EU Legal Framework: Challenges and Opportunities for Financial Institutions

This is an Insight article, written by a selected partner as part of GIR's co-published content.


Prevention of money laundering (AML) and financing of terrorism (CFT) is one of the main tasks that European regulators and prosecutors have on their agenda.

In this regard, a common European approach is crucial to identify and respond to the risks affecting the internal market, promoting the adoption of global solutions to respond to these cross-border threats at an international level, and considering that financial institutions established in any European Economic Area (EEA) Member State have access to the single market for financial services under single passport rights.

The single passport is based on the principle of mutual recognition and harmonised prudential measures, and it allows a European financial institution that has been authorised by its domestic regulator (home country regulator) to establish a branch or provide services in any other EEA Member State without the need to seek further authorisation or another licence from the host regulator (host country regulator).

In seeking to give an overview of the most relevant effects of EU provisions on Member States’ legislation, this chapter covers the most important aspects that affect the European AML/CFT framework and their concrete implementation in the Italian legal system, in particular in relation to:

  • the EBA Guidelines and their effects on the internal governance of financial institutions, requiring those institutions to develop a synergic approach to redesigning the structure of their internal control systems after the appointment of an AML/CFT manager and the expansion of the tasks and responsibilities of the management body and AML/CFT compliance officer;
  • the EBA Guidelines on remote onboarding customer solutions, which set out the steps that financial institutions should take to ensure safe and effective remote customer onboarding practices in line with applicable AML/CFT legislation and the European data protection framework;
  • the European effect on the identification and verification of the beneficial owner within the ambitious package of legislative proposals to strengthen the European Union’s AML/CFT framework; and
  • the establishment of the Anti-Money Laundering Authority (AMLA) and updates to anomaly indicators laid down by the Italian financial intelligence unit (Italian FIU).

The purpose of the EU institutions is to guarantee the harmonisation of regulatory sources, ensuring common standards across EU Member States’ regulatory frameworks so as to make the principle of mutual recognition effective and to achieve a balanced and proportionate horizontal regulatory approach to addressing AML/CFT risks. However, notwithstanding the exercise of the right of establishment and the freedom to provide services, it is undeniable that significant differences still exist in the AML/CFT requirements for exercising ‘regulated activities’.

Therefore, despite the attempt at harmonisation by EU institutions, we anticipate that host country regulators will tend to broaden the scope of their supervisory activity by bringing under their control financial institutions that have been authorised in other EU Member States through the ‘permanent establishment’ mechanism – borrowed from international tax legislation – and imposing the host country AML/CFT legal framework and domestic regulation.

More specifically, new investigation trends show that, when a financial services provider systematically fails to comply with AML/CFT regulations, allowing bank account holders to commit frauds and launder the relevant proceeds, prosecution services and regulators allege that it is the financial services provider itself that aided and abetted the fraudsters and, thus, committed the crime of fraud or money laundering and self-laundering.

In these scenarios, there is an increasing likelihood not only of criminal proceedings to ascertain the commission of the crime, brought against both the financial services provider and its senior management, but also of significant use of the pretrial monitorship: prior to, and independently of, any conviction, if there is evidence of a serious compliance failure allowing the commission of financial crimes by clients, prosecutors require a court-appointed monitor to strengthen the financial services provider’s internal control systems.

Against this backdrop, we explain and demonstrate why a solid internal AML/CFT compliance framework – compliant with European standards – will minimise the risks of financial institutions facing serious consequences such as fines, industry bans, monitorships and criminal proceedings.

EBA Guidelines

Impact on internal governance of financial institutions

Appointment of AML manager

The European Banking Authority (EBA) – which is striving to further harmonise financial institutions’ governance arrangements, processes and mechanisms across the European Union – has made significant efforts in the process of establishing a European AML/CFT legal framework.

The EBA updated its Guidelines on internal governance on 2 July 2021,[2] to reinforce the governance requirements for credit and financial institutions and enhance the responsibility of the management body to implement a sound risk strategy, risk appetite and risk management framework.

As part of this process of strengthening the internal control systems of financial institutions, the EBA published new Guidelines on 14 June 2022,[3] setting clear expectations about the roles and responsibilities of the management body and AML/CFT compliance officers (the 2022 Guidelines), to ensure a common interpretation and adequate implementation of AML/CFT internal governance arrangements within all Member States in compliance with the requirements laid down by Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (ML/FT).

The purpose of the 2022 Guidelines is to develop a synergic approach to building an AML/CFT compliance framework that is not only formally compliant with the principles laid down by EU law, as implemented by Member States, but that is concretely effective by being based on an integrated and holistic view of AML/CFT risks.

According to the 2022 Guidelines, achieving this goal is mainly based on the:

  • evolution of the roles and responsibilities of the management body in the AML/CFT compliance framework in both its supervisory and management functions;
  • identification and appointment of a member of the management body as AML/CFT manager, whose role will include being in charge of implementing the AML/CFT obligations applicable to financial institutions and driving this new approach in the management of AML/CFT risks;
  • strengthening the role and responsibilities of the AML/CFT compliance officer; and
  • (re)organisation of the AML/CFT compliance function at group level.

Among all the recommendations contained in the EBA Guidelines, the pivotal innovation within the structure of the internal control system of financial institutions is the appointment of the AML/CFT manager. The holder of this post, without prejudice to the overall and collective responsibility of the management body, will be the ‘main contact point’ for collecting information from the AML/CFT compliance officer and disseminating it to the management body, to ensure that the latter is provided with sufficiently comprehensive and timely information and data on ML/FT risks and the AML/CFT internal framework to carry out its role and functions.

The AML manager also oversees the mechanism for justifying and recording decisions and, therefore, has a strong influence on the management body’s decision-making process. Any concerns raised by the AML/CFT compliance officer must be properly and promptly resolved. If the management body decides not to follow the AML/CFT compliance officer’s request or suggestion, it is required to duly justify and record the decision in light of the risks and concerns raised.

The Bank of Italy has declared its intention to comply with the 2022 Guidelines by updating its ‘Provisions on the organisation, procedures and internal controls related to AML’ (the Provisions), dated 26 March 2019, which describe, together with Circular No. 285 of 17 December 2013 (which has been constantly updated), the structure of the internal control system of financial institutions by identifying the roles, powers and responsibilities of all relevant internal bodies and functions.

Against this backdrop, Italian and, more generally, European financial institutions will be required to perform an assessment of the adequacy of their internal control system to identify any possible gaps and to develop an action plan aimed at identifying possible measures to strengthen their AML/CFT compliance framework.

Particular attention shall be paid to:

  • redefining the information flows among all internal bodies and functions involved in the management of AML/CFT risks, given that a lack of information may invalidate the monitoring activities and the maintenance of the AML/CFT compliance framework itself; and
  • evaluating the drafting of specific procedures that regulate the recipients of shared information, the internal function responsible for sharing information, the frequency of the information flow and the possible actions needed to strengthen the internal control system.

Remote solutions for onboarding customers

Impact of new technologies on financial institutions

As part of its harmonisation process, on 22 November 2022, the EBA published its Guidelines on the use of remote customer onboarding solutions (the Onboarding Guidelines),[4] with the aim of setting up common EU standards in processes for remote customer onboarding, and taking into account that both EU and local authorities, being aware of the new risks and challenges of ML/FT, will require all financial institutions that operate within EU Member States to comply with these new standards.

As a result of the covid-19 pandemic and the advent of the digital society, there has been a significant change in the onboarding rules and procedures that financial institutions apply to improve the process for identifying their customers.

Briefly, new technologies for AML/CFT refer to:

  • innovative skills, methods and processes used to guarantee the effective implementation of AML/CFT requirements; and
  • innovative methods to use established technology-based processes to comply with AML/CFT obligations.

In particular, new technologies can be extremely useful to assure accurate onboarding processes without the need for any face-to-face identity verification, as laid down by Directive (EU) 2018/843 (Article 1(8)(a)), which regulates remote customer onboarding solutions.

However, current technological innovations, particularly those using artificial intelligence (AI) and machine learning, are bringing to light new risks that all financial institutions are required to address. Indeed, all relevant authorities are becoming more aware of and sensitive to the risk of the commission of wrongdoings aimed at falsifying or manipulating data processed by remote identity verification tools, such as face morphing and other alterations of digital images. As a matter of fact, some data is easier to steal than others, such as personal identification numbers and passwords.

Identity onboarding processes are therefore not risk-free. Biometric data is irreversible and, if stolen or falsified, it can be extremely difficult for the true owner to prove that he or she is not involved in the operation in which the remote identification systems were used. It is also important, when introducing a remote customer onboarding solution, to follow data protection law and cybersecurity best practices, to respect the privacy of the owner of the biometric data, as well as to ensure that the data is not used for a purpose other than that for which informed consent was given (known as function creep).

Against this backdrop, the Onboarding Guidelines require financial institutions to define, in their policies and procedures, the information needed to identify the customer and the type of document or information required to verify the customer’s identity. The Onboarding Guidelines do not encourage specific technological methods or solutions, as they embrace the principle of technological neutrality. This approach is key to ensuring that the content of the Guidelines remains applicable and relevant, because it avoids sponsoring a technology that is likely to become obsolete in a short time.

The Onboarding Guidelines provide for several solutions to the concrete issues associated with the development of remote identity onboarding systems, requiring financial institutions to:

  • ensure that:
    • information obtained through the remote customer onboarding solution is up to date and in compliance with applicable legal and regulatory standards for initial customer due diligence;
    • media files are captured in a readable format; and
    • the customer is unambiguously recognisable through their use;
  • adopt and implement specific policies and procedures so that the institution does not accept a copy of an original document without comparing it with the original document to ensure that the copy is reliable. Part of the verification process is about matching customer identity, so it is important for the financial institution to ensure that the customer’s visible information matches the information in the documents;
  • adopt and implement specific policies and procedures to verify a client’s identity when remote onboarding solutions involve the use of biometric data, as well as policies and procedures if the solution does not provide the required level of security, including, for example, creating a combination of different controls, one of which is remote and another that provides a different mode of interaction; and
  • adopt and implement different policies and procedures for remote customer onboarding solutions depending on whether or not the customer interacts with an employee during the verification process.

In summary, the Onboarding Guidelines describe all steps that financial institutions must perform to ensure safe and effective remote customer onboarding practices in line with applicable AML/CFT legislation and the EU data protection framework, taking into account the risks associated with the use of new technologies in remote identity onboarding systems.

The Bank of Italy, in Note No. 32, dated 13 June 2023, declared its intention to comply with the EBA Guidelines on the use of remote customer onboarding, which will apply as of 2 October 2023, thus becoming supervisory guidelines, requiring all financial institutions to comply with the new European standards.

European impact on identification and verification of beneficial owner

The soundness, integrity and stability of European financial institutions and confidence in the financial system could be undermined by expedients put in place to disguise the origin of criminal proceeds or to channel licit or illicit money for terrorist purposes. To facilitate their criminal activities, money launderers and terrorist financiers try to take advantage of the free movement of capital and the freedom to provide financial services envisaged in the European Union. Therefore, there is a primary need to identify and verify any natural person who exercises ownership or control over European legal entities (a beneficial owner).

Directive (EU) 2015/849 defines ‘beneficial owner’ as any natural person ‘who ultimately owns or controls a legal entity’ or the natural person ‘on whose behalf a transaction or activity is being conducted’. A beneficial owner usually owns 25 per cent or more of a shareholding; however, if a company has only minority shareholders (less than 25 per cent), beneficial ownership will alternatively be determined by the natural person holding the majority of voting rights or the company’s directors.

To root out and deter money laundering, EU Member States are required to implement a register of beneficial owners in a publicly accessible forum, which is usually integrated into Member States’ chambers of commerce.

Against this backdrop, European institutions are involved in the approval process of a European legislative package to develop a comprehensive EU policy on preventing ML/FT, including:

  • the ‘Single Rulebook’,[5] which establishes provisions on conducting customer due diligence, beneficial owner transparency, and the use of anonymous instruments (e.g., crypto assets) and new entities (e.g., crowdfunding platforms);
  • the proposed 6th Anti-Money Laundering Directive, which contains provisions on supervision and FIUs, as well as on competent authorities’ access to necessary and reliable information (e.g., registers of beneficial owners and assets stored in free zones); and
  • a proposed regulation to establish the AMLA, which will have supervisory and investigative powers to ensure compliance with AML/CFT requirements (see below).

To detect money laundering schemes and freeze assets in time, national FIUs and other competent authorities should be able to access information about beneficial owners, bank accounts, land or real estate registers. In this regard, Directive (EU) 2015/849 (as amended by Directive (EU) 2018/843) established a regime of public access to registers of beneficial owners of companies and other legal entities established in the territory of Member States that ensures, in principle, that the public can have access to certain information regarding beneficial owners contained in those registers without the need to demonstrate any interest.

However, it could be extremely difficult to strike the right balance between, on the one hand, the need for transparency regarding beneficial owners and the control structures of companies, which assumes a fundamental role in the prevention of ML/FT, and, on the other hand, respect for the fundamental rights of the people involved, in relation to privacy and protection of personal data, enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

The European Court of Justice (CJEU) has ruled on the right of access to information on beneficial ownership,[6] affirming the invalidity of Article 30(5) of Directive (EU) 2015/849, which requires Member States to ensure that information about the beneficial ownership of corporate and other legal entities incorporated within their territory is accessible in all cases to any member of the general public.

The reasoning of the CJEU is based on the qualification of the general public’s access to information about beneficial owners as a serious interference with the fundamental rights to privacy and the protection of personal data. Therefore, access to the requested information should be allowed when it is necessary and proportionate to the objective pursued.

Following the adoption of the electronic register of beneficial owners on 11 March 2022, and in light of the above-mentioned CJEU judgment, the Italian Ministry of Enterprises and Made in Italy adopted Decree No. 12 (on 12 April 2023), which provides the technical specifications of the electronic format of the single business communication to be used for reporting data on the beneficial owners of corporations, private legal entities, trusts producing legal effects relevant for tax purposes and legal institutions similar to trusts.

Establishment of AMLA and anomaly indicators set by Italian FIU

The implementation of the European legislative package on preventing ML/FT will lead to the establishment of the AMLA, the new European authority that will be the centre of an integrated system composed of the authority itself and national authorities with an AML/CFT supervisory mandate.

The European approach is based on the idea of pursuing the fight against ML/FT on two levels:

  • the domestic level, which involves domestic authorities and national FIUs; and
  • the EU level, which requires strong cooperation among national FIUs and European authorities (i.e., AMLA, European Union Agency for Law Enforcement Cooperation (Europol), European Union Agency for Criminal Justice Cooperation (Eurojust) and European Public Prosecutor’s Office).

The AMLA would not itself be an FIU, but it would enhance information exchange and cooperation between national FIUs, acting as a support and coordination hub to assist national FIUs, including by providing templates and standards for the reporting of suspicious transactions and suspicious activity by obliged entities (e.g., professionals, auditors, persons engaged in other non-financial activities) to FIUs.

In this regard, AML regulations provide for greater involvement of financial institutions in the fight against ML, not only by delegating control functions (i.e., to the management body, the AML/CFT manager or the AML/CFT compliance officer) but also by imposing a duty of active cooperation with the authorities through the reporting of suspicious transactions to FIUs and the disclosure of information concerning clients, with a view to preventing and punishing unlawful behaviour.

Suspicion may arise from the characteristics, size or nature of a transaction or from any other circumstance of which the reporting institution becomes aware by reason of its functions and considering the economic capacity or business activity of the persons carrying out the transaction. The suspicion must be based on a comprehensive assessment of all elements – objective and subjective – of the transactions during the customer’s activity or as the result of an engagement.

To support financial institutions (and other obliged entities) in detecting suspicious transactions, the Italian FIU adopts and periodically updates the list of anomaly indicators, which consists of a non-exhaustive list of both operational characteristics and customer behaviours that exemplify ML/FT intent. These indicators are aimed, on the one hand, at limiting the burden of discretion of financial institutions (and other obliged entities) in the assessment they are required to perform and, on the other hand, at defining standards to contribute to the correct and uniform fulfilment of the reporting requirements.

On 12 May 2023, the Italian FIU updated its list of 34 indicators, each divided into sub-indicators that exemplify the indicator to which they refer; the updated list will come into effect from 1 January 2024. In more detail, the list is divided as follows:

  • Section A (indicators from 1 to 8) highlights profiles pertaining to the behaviour or the characteristics of the person to whom the operation is referred (i.e., the customer, the executor or the beneficial owner);
  • Section B (indicators from 9 to 32) concerns the characteristics and configuration of operations, including in relation to specific business sectors; and
  • Section C (indicators 33 and 34) pertains to operations that could be linked to FT and the proliferation of weapons of mass destruction.

Considering the particular socio-economic context we are dealing with, the Italian FIU has specifically raised the level of attention in relation to:

  • the direct or indirect involvement of politically exposed persons and public entities or entities that pursue a public purpose;
  • the involvement of cryptoassets;
  • the sale or purchase of credits or assets, including in bankruptcy proceedings; and
  • collective financing schemes (i.e., crowdfunding) or individual lending (i.e., peer-to-peer lending).

Italian financial institutions will be required to perform a preliminary selection of relevant indicators in light of their concrete business activities. The Italian FIU has clarified that Section A and indicators from 9 to 14 of Section B should be considered relevant to all recipients, except under specific circumstances. Moreover, after the assessment on the concrete applicability of indicators, financial institutions shall select the applicable sub-indicators.


The increasing cooperation among domestic regulators, the institution of a new European authority, the development of AI technology and new products represent some of the challenges financial institutions are required to deal with in developing innovative solutions that can easily adapt to an evolving regulatory framework and market, so as to prevent the risk of ML/FT offences being committed.

In this respect, the above-mentioned European initiatives have concrete impacts on financial institutions’ daily activities, notwithstanding the new investigative trends. In particular, what emerges is that the EU preventive perspective is deeply intersected with the domestic punitive perspective.

It is fundamental, therefore, that financial institutions properly assess risks and perform continuous monitoring to avoid potential negative consequences that could have devastating effects on their business activities, in particular considering that an alleged failure to implement an adequate internal control system can expose them to the risk of being prosecuted for not having adopted and implemented all preventive measures in compliance with AML/CFT European standards.


[1] Jean-Paule Castagno is a partner, Andrea Alfonso Stigliano is a special counsel and Chiara Bettinzoli is an associate at Orrick, Herrington & Sutcliffe LLP.

[6] Judgment issued in Joined Cases C-37/20 (Luxembourg Business Registers) and C-601/20 (Sovim) (CJEU Judgment).
