Directive (EU) 2015/849 of the European Parliament and of the CouncilShow full title

CHAPTER VIU.K. POLICIES, PROCEDURES AND SUPERVISION

SECTION 1 U.K. Internal procedures, training and feedback

Article 45U.K.

1.Member States shall require obliged entities that are part of a group to implement group-wide policies and procedures, including data protection policies and policies and procedures for sharing information within the group for AML/CFT purposes. Those policies and procedures shall be implemented effectively at the level of branches and majority-owned subsidiaries in Member States and third countries.

2.Member States shall require that obliged entities that operate establishments in another Member State ensure that those establishments respect the national provisions of that other Member State transposing this Directive.

3.Member States shall ensure that where obliged entities have branches or majority-owned subsidiaries located in third countries where the minimum AML/CFT requirements are less strict than those of the Member State, their branches and majority-owned subsidiaries located in the third country implement the requirements of the Member State, including data protection, to the extent that the third country's law so allows.

[F14. The Member States and the ESAs shall inform each other of instances in which the law of a third country does not permit the implementation of the policies and procedures required under paragraph 1. In such cases, coordinated actions may be taken to pursue a solution. In the assessing which third countries do not permit the implementation of the policies and procedures required under paragraph 1, Member States and the ESAs shall take into account any legal constraints that may hinder proper implementation of those policies and procedures, including secrecy, data protection and other constraints limiting the exchange of information that may be relevant for that purpose.]

5.Member States shall require that, where a third country's law does not permit the implementation of the policies and procedures required under paragraph 1, obliged entities ensure that branches and majority-owned subsidiaries in that third country apply additional measures to effectively handle the risk of money laundering or terrorist financing, and inform the competent authorities of their home Member State. If the additional measures are not sufficient, the competent authorities of the home Member State shall exercise additional supervisory actions, including requiring that the group does not establish or that it terminates business relationships, and does not undertake transactions and, where necessary, requesting the group to close down its operations in the third country.

6.The ESAs shall develop draft regulatory technical standards specifying the type of additional measures referred to in paragraph 5 and the minimum action to be taken by credit institutions and financial institutions where a third country's law does not permit the implementation of the measures required under paragraphs 1 and 3.

The ESAs shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 26 December 2016.

7.Power is delegated to the Commission to adopt the regulatory technical standards referred to in paragraph 6 of this Article in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

8.Member States shall ensure that the sharing of information within the group is allowed. Information on suspicions that funds are the proceeds of criminal activity or are related to terrorist financing reported to the FIU shall be shared within the group, unless otherwise instructed by the FIU.

9.Member States may require electronic money issuers as defined in point (3) of Article 2 of Directive 2009/110/EC and payment service providers as defined in point (9) of Article 4 of Directive 2007/64/EC established on their territory in forms other than a branch, and whose head office is situated in another Member State, to appoint a central contact point in their territory to ensure, on behalf of the appointing institution, compliance with AML/CFT rules and to facilitate supervision by competent authorities, including by providing competent authorities with documents and information on request.

10.The ESAs shall develop draft regulatory technical standards on the criteria for determining the circumstances in which the appointment of a central contact point pursuant to paragraph 9 is appropriate, and what the functions of the central contact points should be.

The ESAs shall submit the draft regulatory technical standards referred to in the first subparagraph to the Commission by 26 June 2017.

11.Power is delegated to the Commission to adopt the regulatory technical standards referred to in paragraph 10 of this Article in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

Article 46U.K.

1.Member States shall require that obliged entities take measures proportionate to their risks, nature and size so that their employees are aware of the provisions adopted pursuant to this Directive, including relevant data protection requirements.

Those measures shall include participation of their employees in special ongoing training programmes to help them recognise operations which may be related to money laundering or terrorist financing and to instruct them as to how to proceed in such cases.

Where a natural person falling within any of the categories listed in point (3) of Article 2(1) performs professional activities as an employee of a legal person, the obligations in this Section shall apply to that legal person rather than to the natural person.

2.Member States shall ensure that obliged entities have access to up-to-date information on the practices of money launderers and financers of terrorism and on indications leading to the recognition of suspicious transactions.

3.Member States shall ensure that, where practicable, timely feedback on the effectiveness of and follow-up to reports of suspected money laundering or terrorist financing is provided to obliged entities.

4.Member States shall require that, where applicable, obliged entities identify the member of the management board who is responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with this Directive.

SECTION 2 U.K. Supervision

Article 47U.K.

[F11. Member States shall ensure that providers of exchange services between virtual currencies and fiat currencies, and custodian wallet providers, are registered, that currency exchange and cheque cashing offices, and trust or company service providers are licensed or registered, and that providers of gambling services are regulated.]

2.Member States shall require competent authorities to ensure that the persons who hold a management function in the entities referred to in paragraph 1, or are the beneficial owners of such entities, are fit and proper persons.

3.With respect to the obliged entities referred to in point (3)(a), (b) and (d) of Article 2(1), Member States shall ensure that competent authorities take the necessary measures to prevent criminals convicted in relevant areas or their associates from holding a management function in or being the beneficial owners of those obliged entities.

Article 48U.K.

1.Member States shall require the competent authorities to monitor effectively, and to take the measures necessary to ensure, compliance with this Directive.

[F21a. In order to facilitate and promote effective cooperation, and in particular the exchange of information, Member States shall communicate to the Commission the list of competent authorities of the obliged entities listed in Article 2(1), including their contact details. Member States shall ensure that the information provided to the Commission remains updated.

The Commission shall publish a register of those authorities and their contact details on its website. The authorities in the register shall, within the scope of their powers, serve as a contact point for the counterpart competent authorities of the other Member States. Financial supervisory authorities of the Member States shall also serve as a contact point for the ESAs.

In order to ensure the adequate enforcement of this Directive, Member States shall require that all obliged entities are subject to adequate supervision, including the powers to conduct on-site and off-site supervision, and shall take appropriate and proportionate administrative measures to remedy the situation in the case of breaches.]

[F12. Member States shall ensure that the competent authorities have adequate powers, including the power to compel the production of any information that is relevant to monitoring compliance and perform checks, and have adequate financial, human and technical resources to perform their functions. Member States shall ensure that staff of those authorities are of high integrity and appropriately skilled, and maintain high professional standards, including standards of confidentiality, data protection and standards addressing conflicts of interest.]

3.In the case of credit institutions, financial institutions, and providers of gambling services, competent authorities shall have enhanced supervisory powers.

[F14. Member States shall ensure that competent authorities of the Member State in which the obliged entity operates establishments supervise the respect by those establishments of the national provisions of that Member State transposing this Directive.

In the case of credit and financial institutions that are part of a group, Member States shall ensure that, for the purposes laid down in the first subparagraph, the competent authorities of the Member State where a parent undertaking is established cooperate with the competent authorities of the Member States where the establishments that are part of group are established.

In the case of the establishments referred to in Article 45(9), supervision as referred to in the first subparagraph of this paragraph may include the taking of appropriate and proportionate measures to address serious failings that require immediate remedies. Those measures shall be temporary and be terminated when the failings identified are addressed, including with the assistance of or in cooperation with the competent authorities of the home Member State of the obliged entity, in accordance with Article 45(2).]

5.Member States shall ensure that the competent authorities of the Member State in which the obliged entity operates establishments shall cooperate with the competent authorities of the Member State in which the obliged entity has its head office, to ensure effective supervision of the requirements of this Directive.

[F2In the case of credit and financial institutions that are part of a group, Member States shall ensure that the competent authorities of the Member State where a parent undertaking is established supervise the effective implementation of the group-wide policies and procedures referred to in Article 45(1). For that purpose, Member States shall ensure that the competent authorities of the Member State where credit and financial institutions that are part of the group are established cooperate with the competent authorities of the Member State where the parent undertaking is established.]

6.Member States shall ensure that when applying a risk-based approach to supervision, the competent authorities:

(a)have a clear understanding of the risks of money laundering and terrorist financing present in their Member State;

(b)have on-site and off-site access to all relevant information on the specific domestic and international risks associated with customers, products and services of the obliged entities; and

(c)base the frequency and intensity of on-site and off-site supervision on the risk profile of obliged entities, and on the risks of money laundering and terrorist financing in that Member State.

7.The assessment of the money laundering and terrorist financing risk profile of obliged entities, including the risks of non-compliance, shall be reviewed both periodically and when there are major events or developments in their management and operations.

8.Member States shall ensure that competent authorities take into account the degree of discretion allowed to the obliged entity, and appropriately review the risk assessments underlying this discretion, and the adequacy and implementation of its internal policies, controls and procedures.

9.In the case of the obliged entities referred to in point (3)(a), (b) and (d) of Article 2(1), Member States may allow the functions referred to in paragraph 1 of this Article to be performed by self-regulatory bodies, provided that those self-regulatory bodies comply with paragraph 2 of this Article.

10.By 26 June 2017, the ESAs shall issue guidelines addressed to competent authorities in accordance with Article 16 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 on the characteristics of a risk-based approach to supervision and the steps to be taken when conducting supervision on a risk-based basis. Specific account shall be taken of the nature and size of the business, and, where appropriate and proportionate, specific measures shall be laid down.

SECTION 3 U.K. Cooperation

Subsection I U.K. National cooperation

[F1Article 49 U.K.

Member States shall ensure that policy makers, the FIUs, supervisors and other competent authorities involved in AML/CFT, as well as tax authorities and law enforcement authorities when acting within the scope of this Directive, have effective mechanisms to enable them to cooperate and coordinate domestically concerning the development and implementation of policies and activities to combat money laundering and terrorist financing, including with a view to fulfilling their obligation under Article 7.]

Subsection II U.K. Cooperation with the ESAs

Article 50U.K.

The competent authorities shall provide the ESAs with all the information necessary to allow them to carry out their duties under this Directive.

[F2Subsection IIa U.K. Cooperation between competent authorities of the Member States

Article 50a U.K.

Member States shall not prohibit or place unreasonable or unduly restrictive conditions on the exchange of information or assistance between competent authorities for the purposes of this Directive. In particular Member States shall ensure that competent authorities do not refuse a request for assistance on the grounds that:

Subsection III U.K. Cooperation between FIUs and with the Commission

Article 51U.K.

The Commission may lend such assistance as may be needed to facilitate coordination, including the exchange of information between FIUs within the Union. It may regularly convene meetings of the EU FIUs' Platform composed of representatives from Member States' FIUs, in order to facilitate cooperation among FIUs, exchange views and provide advice on implementation issues relevant for FIUs and reporting entities as well as on cooperation-related issues such as effective FIU cooperation, the identification of suspicious transactions with a cross-border dimension, the standardisation of reporting formats through the FIU.net or its successor, the joint analysis of cross-border cases, and the identification of trends and factors relevant to assessing the risks of money laundering and terrorist financing at national and supranational level.

Article 52U.K.

Member States shall ensure that FIUs cooperate with each other to the greatest extent possible, regardless of their organisational status.

Article 53U.K.

[F11. Member States shall ensure that FIUs exchange, spontaneously or upon request, any information that may be relevant for the processing or analysis of information by the FIU related to money laundering or terrorist financing and the natural or legal person involved, regardless of the type of associated predicate offences and even if the type of associated predicate offences is not identified at the time of the exchange.]

A request shall contain the relevant facts, background information, reasons for the request and how the information sought will be used. Different exchange mechanisms may apply if so agreed between the FIUs, in particular as regards exchanges through the FIU.net or its successor.

When an FIU receives a report pursuant to point (a) of the first subparagraph of Article 33(1) which concerns another Member State, it shall promptly forward it to the FIU of that Member State.

2.Member States shall ensure that the FIU to whom the request is made is required to use the whole range of its available powers which it would normally use domestically for receiving and analysing information when it replies to a request for information referred to in paragraph 1 from another FIU. The FIU to whom the request is made shall respond in a timely manner.

When an FIU seeks to obtain additional information from an obliged entity established in another Member State which operates on its territory, the request shall be addressed to the FIU of the Member State in whose territory the obliged entity is established. [F1That FIU shall obtain information in accordance with Article 33(1) and transfer the answers promptly.]

3.An FIU may refuse to exchange information only in exceptional circumstances where the exchange could be contrary to fundamental principles of its national law. Those exceptions shall be specified in a way which prevents misuse of, and undue limitations on, the free exchange of information for analytical purposes.

Article 54U.K.

Information and documents received pursuant to Articles 52 and 53 shall be used for the accomplishment of the FIU's tasks as laid down in this Directive. When exchanging information and documents pursuant to Articles 52 and 53, the transmitting FIU may impose restrictions and conditions for the use of that information. The receiving FIU shall comply with those restrictions and conditions.

[F2Member States shall ensure that FIUs designate at least one contact person or point to be responsible for receiving requests for information from FIUs in other Member States.]

Article 55U.K.

1.Member States shall ensure that the information exchanged pursuant to Articles 52 and 53 is used only for the purpose for which it was sought or provided and that any dissemination of that information by the receiving FIU to any other authority, agency or department, or any use of this information for purposes beyond those originally approved, is made subject to the prior consent by the FIU providing the information.

[F12. Member States shall ensure that the requested FIU’s prior consent to disseminate the information to competent authorities is granted promptly and to the largest extent possible, regardless of the type of associated predicate offences. The requested FIU shall not refuse its consent to such dissemination unless this would fall beyond the scope of application of its AML/CFT provisions or could lead to impairment of an investigation, or would otherwise not be in accordance with fundamental principles of national law of that Member State. Any such refusal to grant consent shall be appropriately explained. Those exceptions shall be specified in a way which prevents misuse of, and undue limitations to, the dissemination of information to competent authorities.]

Article 56U.K.

1.Member States shall require their FIUs to use protected channels of communication between themselves and encourage the use of the FIU.net or its successor.

2.Member States shall ensure that, in order to fulfil their tasks as laid down in this Directive, their FIUs cooperate in the application of state-of-the-art technologies in accordance with their national law. Those technologies shall allow FIUs to match their data with that of other FIUs in an anonymous way by ensuring full protection of personal data with the aim of detecting subjects of the FIU's interests in other Member States and identifying their proceeds and funds.

[F1Article 57 U.K.

Differences between national law definitions of predicate offences as referred to in point 4 of Article 3 shall not impede the ability of FIUs to provide assistance to another FIU and shall not limit the exchange, dissemination and the use of information pursuant to Articles 53, 54 and 55.]

[F2Subsection IIIa U.K. Cooperation between competent authorities supervising credit and financial institutions and other authorities bound by professional secrecy

Article 57a U.K.

1. Member States shall require that all persons working for or who have worked for competent authorities supervising credit and financial institutions for compliance with this Directive and auditors or experts acting on behalf of such competent authorities shall be bound by the obligation of professional secrecy.

Without prejudice to cases covered by criminal law, confidential information which the persons referred to in the first subparagraph receive in the course of their duties under this Directive may be disclosed only in summary or aggregate form, in such a way that individual credit and financial institutions cannot be identified.

2. Paragraph 1 shall not prevent the exchange of information between:

(a) competent authorities supervising credit and financial institutions within a Member State in accordance with this Directive or other legislative acts relating to the supervision of credit and financial institutions;

(b) competent authorities supervising credit and financial institutions in different Member States in accordance with this Directive or other legislative acts relating to the supervision of credit and financial institutions, including the European Central Bank (ECB) acting in accordance with Council Regulation (EU) No 1024/2013 (1) . That exchange of information shall be subject to the conditions of professional secrecy indicated in paragraph 1.

By 10 January 2019 , the competent authorities supervising credit and financial institutions in accordance with this Directive and the ECB, acting pursuant to Article 27(2) of Regulation (EU) No 1024/2013 and point (g) of the first subparagraph of Article 56 of Directive 2013/36/EU of the European Parliament and of the Council (2) , shall conclude, with the support of the European Supervisory Authorities, an agreement on the practical modalities for exchange of information.

3. Competent authorities supervising credit and financial institutions receiving confidential information as referred to in paragraph 1, shall only use this information:

(a) in the discharge of their duties under this Directive or under other legislative acts in the field of AML/CFT, of prudential regulation and of supervising credit and financial institutions, including sanctioning;

(b) in an appeal against a decision of the competent authority supervising credit and financial institutions, including court proceedings;

(c) in court proceedings initiated pursuant to special provisions provided for in Union law adopted in the field of this Directive or in the field of prudential regulation and supervision of credit and financial institutions.

4. Member States shall ensure that competent authorities supervising credit and financial institutions cooperate with each other for the purposes of this Directive to the greatest extent possible, regardless of their respective nature or status. Such cooperation also includes the ability to conduct, within the powers of the requested competent authority, inquiries on behalf of a requesting competent authority, and the subsequent exchange of the information obtained through such inquiries.

5. Member States may authorise their national competent authorities which supervise credit and financial institutions to conclude cooperation agreements providing for collaboration and exchanges of confidential information with the competent authorities of third countries that constitute counterparts of those national competent authorities. Such cooperation agreements shall be concluded on the basis of reciprocity and only if the information disclosed is subject to a guarantee of professional secrecy requirements at least equivalent to that referred to in paragraph 1. Confidential information exchanged according to those cooperation agreements shall be used for the purpose of performing the supervisory task of those authorities.

Where the information exchanged originates in another Member State, it shall only be disclosed with the explicit consent of the competent authority which shared it and, where appropriate, solely for the purposes for which that authority gave its consent.

Article 57b U.K.

1. Notwithstanding Article 57a(1) and (3) and without prejudice to Article 34(2), Member States may authorise the exchange of information between competent authorities in the same Member State or in different Member States, between the competent authorities and authorities entrusted with the supervision of financial sector entities and natural or legal persons acting in the exercise of their professional activities as referred to in point (3) of Article 2(1) and the authorities responsible by law for the supervision of financial markets in the discharge of their respective supervisory functions.

The information received shall in any event be subject to professional secrecy requirements at least equivalent to those referred to in Article 57a(1).

2. Notwithstanding Article 57a(1) and (3), Member States may, by virtue of provisions laid down in national law, authorise the disclosure of certain information to other national authorities responsible by law for the supervision of the financial markets, or with designated responsibilities in the field of combating or investigation of money laundering, the associated predicate offences or terrorist financing.

However, confidential information exchanged according to this paragraph shall only be used for the purpose of performing the legal tasks of the authorities concerned. Persons having access to such information shall be subject to professional secrecy requirements at least equivalent to those referred to in Article 57a(1).

3. Member States may authorise the disclosure of certain information relating to the supervision of credit institutions for compliance with this Directive to Parliamentary inquiry committees, courts of auditors and other entities in charge of enquiries, in their Member State, under the following conditions:

(a) the entities have a precise mandate under national law to investigate or scrutinise the actions of authorities responsible for the supervision of those credit institutions or for laws on such supervision;

(b) the information is strictly necessary for fulfilling the mandate referred to in point (a);

(c) the persons with access to the information are subject to professional secrecy requirements under national law at least equivalent to those referred to in Article 57a(1);

(d) where the information originates in another Member State, it shall not be disclosed without the express consent of the competent authorities which have disclosed it and, solely for the purposes for which those authorities gave their consent.]

SECTION 4 U.K. Sanctions

Article 58U.K.

1.Member States shall ensure that obliged entities can be held liable for breaches of national provisions transposing this Directive in accordance with this Article and Articles 59 to 61. Any resulting sanction or measure shall be effective, proportionate and dissuasive.

2.Without prejudice to the right of Member States to provide for and impose criminal sanctions, Member States shall lay down rules on administrative sanctions and measures and ensure that their competent authorities may impose such sanctions and measures with respect to breaches of the national provisions transposing this Directive, and shall ensure that they are applied.

Member States may decide not to lay down rules for administrative sanctions or measures for breaches which are subject to criminal sanctions in their national law. In that case, Member States shall communicate to the Commission the relevant criminal law provisions.

[F2Member States shall further ensure that where their competent authorities identify breaches which are subject to criminal sanctions, they inform the law enforcement authorities in a timely manner.]

3.Member States shall ensure that where obligations apply to legal persons in the event of a breach of national provisions transposing this Directive, sanctions and measures can be applied to the members of the management body and to other natural persons who under national law are responsible for the breach.

4.Member States shall ensure that the competent authorities have all the supervisory and investigatory powers that are necessary for the exercise of their functions.

5.Competent authorities shall exercise their powers to impose administrative sanctions and measures in accordance with this Directive, and with national law, in any of the following ways:

(a)directly;

(b)in collaboration with other authorities;

(c)under their responsibility by delegation to such other authorities;

(d)by application to the competent judicial authorities.

In the exercise of their powers to impose administrative sanctions and measures, competent authorities shall cooperate closely in order to ensure that those administrative sanctions or measures produce the desired results and coordinate their action when dealing with cross-border cases.

Article 59U.K.

1.Member States shall ensure that this Article applies at least to breaches on the part of obliged entities that are serious, repeated, systematic, or a combination thereof, of the requirements laid down in:

(a)Articles 10 to 24 (customer due diligence);

(b)Articles 33, 34 and 35 (suspicious transaction reporting);

(c)Article 40 (record-keeping); and

(d)Articles 45 and 46 (internal controls).

2.Member States shall ensure that in the cases referred to in paragraph 1, the administrative sanctions and measures that can be applied include at least the following:

(a)a public statement which identifies the natural or legal person and the nature of the breach;

(b)an order requiring the natural or legal person to cease the conduct and to desist from repetition of that conduct;

(c)where an obliged entity is subject to an authorisation, withdrawal or suspension of the authorisation;

(d)a temporary ban against any person discharging managerial responsibilities in an obliged entity, or any other natural person, held responsible for the breach, from exercising managerial functions in obliged entities;

(e)maximum administrative pecuniary sanctions of at least twice the amount of the benefit derived from the breach where that benefit can be determined, or at least EUR 1 000 000.

3.Member States shall ensure that, by way of derogation from paragraph 2(e), where the obliged entity concerned is a credit institution or financial institution, the following sanctions can also be applied:

(a)in the case of a legal person, maximum administrative pecuniary sanctions of at least EUR 5 000 000 or 10 % of the total annual turnover according to the latest available accounts approved by the management body; where the obliged entity is a parent undertaking or a subsidiary of a parent undertaking which is required to prepare consolidated financial accounts in accordance with Article 22 of Directive 2013/34/EU, the relevant total annual turnover shall be the total annual turnover or the corresponding type of income in accordance with the relevant accounting Directives according to the last available consolidated accounts approved by the management body of the ultimate parent undertaking;

(b)in the case of a natural person, maximum administrative pecuniary sanctions of at least EUR 5 000 000, or in the Member States whose currency is not the euro, the corresponding value in the national currency on 25 June 2015.

4.Member States may empower competent authorities to impose additional types of administrative sanctions in addition to those referred to in points (a) to (d) of paragraph 2 or to impose administrative pecuniary sanctions exceeding the amounts referred to in point (e) of paragraph 2 and in paragraph 3.

Article 60U.K.

1.Member States shall ensure that a decision imposing an administrative sanction or measure for breach of the national provisions transposing this Directive against which there is no appeal shall be published by the competent authorities on their official website immediately after the person sanctioned is informed of that decision. The publication shall include at least information on the type and nature of the breach and the identity of the persons responsible. Member States shall not be obliged to apply this subparagraph to decisions imposing measures that are of an investigatory nature.

Where the publication of the identity of the persons responsible as referred to in the first subparagraph or the personal data of such persons is considered by the competent authority to be disproportionate following a case-by-case assessment conducted on the proportionality of the publication of such data, or where publication jeopardises the stability of financial markets or an on-going investigation, competent authorities shall:

(a)delay the publication of the decision to impose an administrative sanction or measure until the moment at which the reasons for not publishing it cease to exist;

(b)publish the decision to impose an administrative sanction or measure on an anonymous basis in a manner in accordance with national law, if such anonymous publication ensures an effective protection of the personal data concerned; in the case of a decision to publish an administrative sanction or measure on an anonymous basis, the publication of the relevant data may be postponed for a reasonable period of time if it is foreseen that within that period the reasons for anonymous publication shall cease to exist;

(c)not publish the decision to impose an administrative sanction or measure at all in the event that the options set out in points (a) and (b) are considered insufficient to ensure:

2.Where Member States permit publication of decisions against which there is an appeal, competent authorities shall also publish, immediately, on their official website such information and any subsequent information on the outcome of such appeal. Moreover, any decision annulling a previous decision to impose an administrative sanction or a measure shall also be published.

3.Competent authorities shall ensure that any publication in accordance with this Article shall remain on their official website for a period of five years after its publication. However, personal data contained in the publication shall only be kept on the official website of the competent authority for the period which is necessary in accordance with the applicable data protection rules.

4.Member States shall ensure that when determining the type and level of administrative sanctions or measures, the competent authorities shall take into account all relevant circumstances, including where applicable:

(a)the gravity and the duration of the breach;

(b)the degree of responsibility of the natural or legal person held responsible;

(c)the financial strength of the natural or legal person held responsible, as indicated for example by the total turnover of the legal person held responsible or the annual income of the natural person held responsible;

(d)the benefit derived from the breach by the natural or legal person held responsible, insofar as it can be determined;

(e)the losses to third parties caused by the breach, insofar as they can be determined;

(f)the level of cooperation of the natural or legal person held responsible with the competent authority;

(g)previous breaches by the natural or legal person held responsible.

5.Member States shall ensure that legal persons can be held liable for the breaches referred to in Article 59(1) committed for their benefit by any person, acting individually or as part of an organ of that legal person, and having a leading position within the legal person based on any of the following:

(a)power to represent the legal person;

(b)authority to take decisions on behalf of the legal person; or

(c)authority to exercise control within the legal person.

6.Member States shall also ensure that legal persons can be held liable where the lack of supervision or control by a person referred to in paragraph 5 of this Article has made it possible to commit one of the breaches referred to in Article 59(1) for the benefit of that legal person by a person under its authority.

Article 61U.K.

[F11. Member States shall ensure that competent authorities, as well as, where applicable, self-regulatory bodies, establish effective and reliable mechanisms to encourage the reporting to competent authorities, as well as, where applicable self-regulatory bodies, of potential or actual breaches of the national provisions transposing this Directive.

For that purpose, they shall provide one or more secure communication channels for persons for the reporting referred to in the first subparagraph. Such channels shall ensure that the identity of persons providing information is known only to the competent authorities, as well as, where applicable, self-regulatory bodies.]

2.The mechanisms referred to in paragraph 1 shall include at least:

(a)specific procedures for the receipt of reports on breaches and their follow-up;

(b)appropriate protection for employees or persons in a comparable position, of obliged entities who report breaches committed within the obliged entity;

(c)appropriate protection for the accused person;

(d)protection of personal data concerning both the person who reports the breaches and the natural person who is allegedly responsible for a breach, in compliance with the principles laid down in Directive 95/46/EC;

(e)clear rules that ensure that confidentiality is guaranteed in all cases in relation to the person who reports the breaches committed within the obliged entity, unless disclosure is required by national law in the context of further investigations or subsequent judicial proceedings.

3.Member States shall require obliged entities to have in place appropriate procedures for their employees, or persons in a comparable position, to report breaches internally through a specific, independent and anonymous channel, proportionate to the nature and size of the obliged entity concerned.

[F2Member States shall ensure that individuals, including employees and representatives of the obliged entity who report suspicions of money laundering or terrorist financing internally or to the FIU, are legally protected from being exposed to threats, retaliatory or hostile action, and in particular from adverse or discriminatory employment actions.

Member States shall ensure that individuals who are exposed to threats, hostile actions, or adverse or discriminatory employment actions for reporting suspicions of money laundering or terrorist financing internally or to the FIU are entitled to present a complaint in a safe manner to the respective competent authorities. Without prejudice to the confidentiality of information gathered by the FIU, Member States shall also ensure that such individuals have the right to effective remedy to safeguard their rights under this paragraph.]

Article 62U.K.

1.Member States shall ensure that their competent authorities inform the ESAs of all administrative sanctions and measures imposed in accordance with Articles 58 and 59 on credit institutions and financial institutions, including of any appeal in relation thereto and the outcome thereof.

2.Member States shall ensure that their competent authorities, in accordance with their national law, check the existence of a relevant conviction in the criminal record of the person concerned. Any exchange of information for those purposes shall be carried out in accordance with Decision 2009/316/JHA and Framework Decision 2009/315/JHA as implemented in national law.

3.The ESAs shall maintain a website with links to each competent authority's publication of administrative sanctions and measures imposed in accordance with Article 60 on credit institutions and financial institutions, and shall show the time period for which each Member State publishes administrative sanctions and measures.