The impact of 2018’s new regulations on compliance of financial institutions


In the fast-paced world of compliance, financial institutions aren't just trying to keep up with criminals and their inventive ways of committing crime. They also have to keep up with regulations that are updated every few years. 2018 will see three important regulatory changes that financial institutions need to be ready for. In this article, we discuss those changes, explain how they will affect banks, and look at what you, as a compliance manager, can do to get ready for the future.

Fifth Anti Money Laundering Directive

In 2017, the Fourth Anti Money Laundering Directive came into effect: financial institutions were expected to have implemented the changes by the 26th of June. This year, we expect a final agreement on the Fifth Anti Money Laundering Directive (a provisional agreement was already reached in December 2017).

A few of the expected additions to the Fourth Anti Money Laundering Directive are that it:

  • Clarifies enhanced customer due diligence
  • Brings virtual currencies (exchange platforms and custodian wallet providers) within the scope of anti-money laundering monitoring
  • Restricts the anonymous use of prepaid cards
  • Allows for more sharing of information between Financial Intelligence Units
  • Requires financial institutions to share information with Financial Intelligence Units
  • Gives the public access to beneficial ownership information

The goal of the Fifth Anti Money Laundering Directive is to create more transparency in banking after the Panama Papers revealed tax evasion practices by some of the world's wealthiest people, including 12 current or former national leaders. It is also a counter-terrorism measure: anonymous prepaid cards are believed to have been used to finance the 2015 Paris attacks.

So, on the one hand, the European Union is trying to prevent crime by creating more transparency in banking; on the other hand, it is trying to protect its citizens' personal data with the GDPR.

General Data Protection Regulation

The General Data Protection Regulation comes into effect on the 25th of May 2018. The purpose of this regulation is to protect the personal data of EU citizens. It has the potential to interfere with the duty banks have to monitor criminal behaviour, since that task requires collecting and retaining large amounts of data.

Under this new legislation, banks need a lawful basis for every use of client data; where that basis is consent, it has to be explicit. Clients also have the right to view their data and to have it erased (subject to exemptions, such as records a bank is legally obliged to keep). Infringements of the regulation, such as processing personal data without a lawful basis, can be fined up to 20 million euro or 4% of worldwide annual turnover, whichever is higher. A personal data breach, such as client data being stolen, must be reported to the competent supervisory authority (in the UK, the Information Commissioner's Office, ICO) within 72 hours of the bank becoming aware of it; failing to notify carries fines of up to 10 million euro or 2% of turnover. So a compliance manager not only needs to ensure that the organization respects the GDPR, but also has to follow strict procedures in case a breach does occur. To achieve this, processes and responsibilities may need to be redesigned. This applies in particular to the historical data held for special investigations and forensics.

Under the GDPR, banks need to keep their customers' information safe. At the same time, under PSD2 they need to provide third parties with that information if their customers want them to.

Second Payment Services Directive

With the client's consent, banks are required to give third parties access to client account information under the Second Payment Services Directive (in force since the 13th of January 2018). This directive opens up the financial services market to new players: account information service providers, which collect a client's financial information from several banks in one place, and payment initiation service providers, which initiate transactions on the client's behalf. Financial institutions worry about the risks that come with opening up their systems to third parties, and there are open questions about how to provide that access. Should they give direct access to their systems? Should they build a dedicated third-party interface? Or should they send data files to third parties? Every method carries different risks, and compliance managers will need to control those new risks, both the foreseeable and the unforeseeable ones.

Stricter Law Enforcement

Not only are the Fifth Anti Money Laundering Directive, the GDPR and PSD2 coming into effect this year; experts also expect the European Union to take the lead in fighting money laundering, terrorist financing and other financial crimes in 2018. The EU will do so by tightening up surveillance and by making enforcement stricter. Enforcement actions against financial institutions in the EU already set record fines in 2017, and this will only get worse for financial institutions that fail to comply.

A logical reaction of banks to stricter enforcement is to become even more rigorous in their monitoring. The workload at compliance departments is already extremely high and almost unmanageable. It will increase again if banks start generating even more alerts out of fear of stricter enforcement and higher fines from regulators, resulting in even more work in analysis, investigation and follow-up.

Necessary system updates

The only way to deal with these new rules and stricter enforcement, without hiring a considerable number of new staff, is to update your processes and systems:

  • For 5AMLD, upfront screening of customers needs to become even more thorough, and transaction monitoring needs to become more sensitive.
  • For the GDPR, audit trails need to become even more extensive and easier to share with the authorities. Personal data needs to be protected from anyone who has no business viewing it, while being made more easily accessible to the clients it concerns.
  • For PSD2, a safe way of sharing information with third parties needs to be found, while containing the new risks involved.

But banks shouldn't just get ready for the year ahead. Even if no new regulations were rolled out every few years, banks would still need to be future-proof. After all, the world is advancing technologically, and so are criminals.

In order to create true transparency in banking, monitoring needs to become more than the question "to process, or not to process this transaction?". Regulators have made it the bank's responsibility to know its clients and to actively battle the criminals who keep trying to use the banking infrastructure to fund their illicit activities. The truth is: you'll never know your clients until you know what they're doing, when they're doing it, and who they're interacting with. And that's something you can't determine by monitoring a single transaction.

In our work, we see that banks are too busy putting out fires to be able to future-proof their organization. Their reaction to stricter regulations and enforcement is to sharpen their monitoring rules. If you have a huge backlog or an enormous staff dedicated to compliance, that's a signal that something in your organization isn't going as well as it could. It means that your compliance is controlling you, instead of you being in control of your compliance. It means that you aren't ready for the future, that your bank is at risk of being hit by fines from regulators, and that it is a clear target for abuse by criminals. These are unnecessary risks that can be avoided with new and advanced technologies that help you improve the processes within your organization.

Find out how you can make sure that your bank is ready for any change in regulation in the near or distant future. Download our white paper 'The one thing compliance managers can change to save their bank from regulatory fines (even if workload is unmanageable)' here.



Margarita Encheva