Compliance Blog

Fifth Money Laundering Act, OFAC & Co.: A guide to business partner auditing in practice


The fifth Money Laundering Act has been in force in the EU since January 2020. This expands the scope of entities subject to audit. But it’s not only the MLA that influences the screening process. Carsten Ettmann, Senior Business Consultant for Risk & Compliance, discusses the most important topics in a short interview.

The fifth EU Money Laundering Directive has been in force since January 2020. Which of the addenda do you consider to be the most important for the domestic economy?

Probably the most defining addendum is the clear OBLIGATION to establish a compliance risk management system. Based on this, it’s likewise obligatory to comply with due diligence obligations. As a rule, this includes the general due diligence obligations, i.e. clearly identifying the business partner and determining the UBOs and PEPs.

Isn’t it enough in Germany or Austria simply to inspect the transparency register?

In a word: No! Under the new Section 23a of the German MLA, obliged entities must immediately report any discrepancies to the registrar entity if the information they have access to on the beneficial owners and the information they have at their disposal do not match. The registrar entity will then set up a clearly visible provision on the website of the transparency register where discrepancy reports can be submitted. The mere mention that discrepancies are possible and must then be reported shows that it is insufficient simply to take a look at the transparency register to fulfil one’s obligations with regard to designation of a UBO.

In addition, obliged entities under the German Money Laundering Act may not rely exclusively on the information in the transparency register – further investigations are required on a risk-oriented basis.

In addition, the transparency register is under construction. This means that, in the case of globally active companies with complex ownership structures in particular, the information available there will certainly be sparse in the first few years.

In Austria, the Money Laundering Act likewise specifies that the beneficial owner can be identified through the transparency register. But this is not sufficient in the case of the ultimate beneficial owner.

Risk management is mandatory for companies covered by the Money Laundering Act – but what steps does this actually involve?

Basically, the following is mandatory at a minimum:

Potential risks of money laundering and terrorist financing must first be identified (i.e. by means of a risk atlas to determine which risks actually exist) and secondly evaluated (i.e. designated with probabilities of occurrence and, preferably, planned using case scenarios).

These potential risks apply in particular to

  • Customers, countries, geographical areas
  • Products, services, transactions
  • Distribution channels
  • Other, new technologies

The motto is: Not documented – not done! The investigation and evaluation steps and their results must be documented. The Money Laundering Act also provides for regular review and updating of information. Automated monitoring facilitates the process.

Business partner checks can therefore be automated. What are the benefits of an automated process?

Above all, the time savings and lower workload due to a faster workflow. Manual processes are reduced. Reducing the human error rate in processes and work steps is a second, convincing argument in favour of automating the inspection process. But these are by no means the only two reasons!

And where does automation reach its limits?

In the case of false positives. When screening data, only potential hits can be considered. When screening sanctions lists or identifying PEPs in particular, confidence levels must be applied that usually also lead to false positives, i.e. supposed hits on lists that are in fact not real hits at all. This is where the possibilities of automation end. But a suitable compliance risk management system can certainly reduce the need for manual intervention to a minimum. Within this context, we recommend that the first key task is master data management – one that meets the demanding compliance requirements.

The beneficial owner is the focus of these processes. But what if I can’t identify a UBO when I audit my business partner?

Sometimes it may not be possible to identify a natural person even after carrying out comprehensive investigations. Similarly, there may be some doubt as to whether the identified person is the actual beneficial owner. In these cases, the act stipulates that either the legal representative, the managing associate or the partner of the contracting party can be considered the UBO.

Therefore, if the UBO can’t be clearly identified, it’s necessary to identify one of these “fictitious UBOs”. In this case, the Austrian Money Laundering Act also provides for the identification of managing associates, directors and members of senior management. In Switzerland, this regulation is less strict.

So far, we’ve dealt almost exclusively with business partner screening during onboarding. Is that enough, or is ongoing monitoring actually obligatory?

The legislator explicitly requires that data should be kept up to date, without specifying the intervals at which the data should be reviewed. The key to ensuring that monitoring is done right is, once again, compliance risk management. This means that monitoring has to be carried out based on the risk of the dataset under consideration. The risk-mitigating and risk-enhancing factors are regulated in the Annexes to the Money Laundering Act.