Fifth and Sixth EU Anti-Money Laundering Directives


    Directive (EU) 2018/843 of 30 May 2018 Amending Directive (EU) 2015/849 on the Prevention of the Use of the Financial System for the Purposes of Money Laundering or Terrorist Financing, and Amending Directives 2009/138/EC and 2013/36/EU (‘the Fifth Directive’) aims to prevent the use of the Union’s financial system for the purposes of money laundering and terrorist financing, strengthening EU provisions and ensuring their consistency with the global standards laid down in the international recommendations adopted by the Financial Action Task Force (‘FATF’). 

    Directive (EU) 2018/1673 of 23 October 2018 on Combating Money Laundering by Criminal Law (‘the Sixth Directive’) aims to establish a minimum set of rules concerning the definition of criminal offences and sanctions in the area of money laundering. 

    Last Updated: July 30, 2019

  • Requirements - Fifth Directive

    Due diligence 

    According to the Fifth Directive, Member States shall ensure that obliged entities (which comprise, in accordance with Article 2(1) of the Fifth Directive, among others, credit institutions, financial institutions, auditors, external accountants and tax advisors, service providers, providers of gambling services, providers engaged in exchange services between virtual currencies and fiat currencies and custodian wallet providers) apply customer due diligence measures (Article 11(1) of the Fifth Directive). In particular, customer due diligence comprises (Article 13(1) of the Fifth Directive): 

    • identifying the customer and verifying its identity on the basis of documents, data or information obtained from a reliable and independent source; 
    • identifying the beneficial owner of the customer and taking reasonable measures to verify its identity so that the obliged entity is satisfied that it knows who the beneficial owner is; 
    • assessing and, if appropriate, obtaining information on the purpose and intended nature of the business relationship; and 
    • monitoring the business relationship to ensure that the conducted transactions are consistent with the obliged entity’s knowledge of the customer, the business and risk profile. 

    Enhanced due diligence 

    With respect to business relationships or transactions involving high-risk third countries, as identified pursuant to Article 9(2) of the Fifth Directive, obliged entities shall apply enhanced customer due diligence measures, which comprise (Article 18(a) of the Fifth Directive): 

    • obtaining additional information on the customer and on the beneficial owner; 
    • obtaining additional information on the intended nature of the business relationship; 
    • obtaining information on the source of funds and wealth of the customer and of the beneficial owner; 
    • obtaining information on the reasons for the planned or conducted transactions; 
    • obtaining the approval of senior management for establishing or continuing the business relationship; and 
    • conducting enhanced monitoring of the business relationship. 

    Reliance on third parties 

    Obliged entities shall be able to rely on third parties to meet the customer due diligence requirements provided by Article 13(1) of the Fifth Directive. However, the ultimate responsibility for meeting those requirements shall remain with the obliged entity which relies on the third party (Article 25 of the Fifth Directive). 

    Member States shall prohibit obliged entities from relying on third parties established in high-risk third countries (Article 26(2) of the Fifth Directive). 

    Where obliged entities rely on third parties to meet the customer due diligence requirements, they must obtain from the third party relied upon the necessary information concerning the customer due diligence requirements provided by Article 13(1) of the Fifth Directive (Article 27(1) of the Fifth Directive). 

    Reporting obligations 

    Obliged entities must (Article 33(1) of the Fifth Directive): 

    • inform the competent financial intelligence unit (‘FIU’) when they know or suspect that funds are the proceeds of criminal activity or are related to terrorist financing, as well as respond to eventual requests by the FIU for additional information; 
    • provide the FIU with all necessary information, when requested; and 
    • report to the FIU all suspicious transactions, including attempted transactions. 

    Obliged entities must also refrain from carrying out transactions which they know or suspect to be related to proceeds of criminal activity or to terrorist financing until they have completed the necessary action in accordance with Article 33(1) of the Fifth Directive (Article 35(1) of the Fifth Directive).  

    Obliged entities must record documents and information in accordance with the relevant national law for the purpose of preventing, detecting and investigating, by the FIU or by other competent authorities, possible money laundering or terrorist financing activities (Article 40(1) of the Fifth Directive).  

    Internal policies 

    Obliged entities must adopt measures so that their employees are aware of the provisions adopted pursuant to the Fifth Directive. In particular, those measures shall include participation of their employees in training programmes to help them recognise operations which may be related to money laundering or terrorist financing and to instruct them as to how to proceed in such cases (Article 46(1) of the Fifth Directive). 

  • Requirements - Sixth Directive

    When the criminal offences provided by Article 3(1) and (5) and by Article 4 of the Sixth Directive apply, the fact that the offender is an obliged entity within the meaning of Article 2 of the Fifth Directive and has committed the offence in the exercise of its professional activities must be considered an aggravating circumstance (Article 6(1)(b) of the Sixth Directive). 

    When a legal person is found liable in accordance with Article 7 of the Sixth Directive, punishment may include, besides criminal sanctions, other kinds of sanctions, such as, among others (Article 8 of the Sixth Directive): 

    • the exclusion from entitlement to public benefits or aid; 
    • exclusion from access to public funding, including tendering, grants and concessions; 
    • disqualification from carrying out commercial activities; 
    • closing establishments used for committing the offence; or 
    • freezing or confiscating the property concerned. 
  • How OneTrust Helps

    OneTrust Vendorpedia simplifies third-party risk management by combining automation with aggregated vendor research to streamline the vendor engagement lifecycle, from onboarding to offboarding. The platform helps organizations conduct faster and more in-depth security and privacy reviews. 

    Vendorpedia is backed by the world’s largest and most up-to-date database of privacy and security laws, frameworks, and standards, which directly power and enrich OneTrust Vendorpedia. Research is generated by 30 in-house security and privacy experts and a network of 500 lawyers across 300 jurisdictions. 
