FATF Audit Adjustment Act 2024 and FM-GwG Adjustment Act – what is changing?
Two important Austrian laws for the prevention of money laundering and terrorist financing as well as compliance with international sanctions, the FATF Audit Adjustment Act 2024 (FATF-Prüfungsanpassungsgesetz 2024) and the FM-GwG Adjustment Act (FM-GwG-Anpassungsgesetz), were recently passed.
Here you will find everything you need to know in a nutshell:
General
Although no new Federal Government is yet in sight in Austria following the parliamentary elections at the end of September 2024, the National Council has already been active. On November 20, 2024, in the so-called 'game of free forces', a legislative package that is particularly relevant for the financial industry (among other things) was passed: the FATF Audit Adjustment Act 2024 and the FM-GwG Adjustment Act. The plan has already been approved by the Bundesrat and the FM-GwG-Anpassungsgesetz was promulgated on December 13, 2024 with BGBl I 151/2024. We assume that the FATF Audit Adjustment Act will also be promulgated before the end of 2024.
Many of the adopted changes will become relevant soon, from January 1, 2025, which is why we have already taken a closer look at the new developments.
What will change with the FATF Audit Adjustment Act 2024 and the FM-GwG Adjustment Act?
The main reason for the hastily adopted changes is the current country review of Austria by the Financial Action Task Force (FATF). In this regard, there were still some open points from the FATF country review in 2016 that should be closed to prevent reputational damage to Austria. Accordingly, the review process was brief, which many have criticized, and in our opinion rightly so. In addition, some topics of the EU Anti-Money Laundering Package, which also contains FATF recommendations, have been implemented (keyword: crypto-asset transfers).
The most important changes, which we will discuss in more detail below, can be summarized as follows:
- The sanctions regime is to be reorganized with the Sanctions Act 2024 (SanktG 2024), in particular the responsibility for monitoring and enforcing compliance with sanctions measures is to be transferred from the Austrian National Bank (OeNB) to the Financial Market Authority (FMA). However, the latter will not take effect until the beginning of 2026.
- Obligated entities under the FM-GwG are required to establish strategies, controls and procedures to mitigate and manage the risk of non-implementation and circumvention of targeted financial sanctions related to proliferation financing. From 2026, this will apply to all targeted financial sanctions.
- In addition, provisions that were included in the 5th Anti-Money Laundering Directive with Regulation (EU) 2023/1113, the new EU Money Transfer Regulation, are implemented in the FM-GwG. The new Money Transfer Regulation extends the existing obligation to provide information on the payer and the recipient when transferring funds to include transfers of crypto assets.
- Furthermore, adjustments have been made to the Beneficial Owner Register Act (WiEReG) in order to implement the transparency requirement with regard to so-called nominee agreements in accordance with FATF guidelines. This results in stricter requirements than the previous reporting obligation with regard to trusteeships.
- The FM-GwG amendment was also used to significantly increase the limitation periods for the imposition of administrative penalties for breaches of due diligence obligations. This point has been met with much criticism.
- A decision was also made to make it easier to obtain an exemption from banking secrecy, which takes account of the ongoing digitalization.
- Finally, it should be mentioned that the Gambling Act is also being amended. However, we will not go into this in more detail here.
Sanctions Act 2024
The centerpiece of the package is the Sanctions Act 2024, which replaces the previous Sanctions Act 2010. While the FMA will only be responsible for monitoring and enforcing sanctions from 2026, some substantive provisions of the Sanctions Act 2024 will come into force immediately after their announcement, which we expect before the end of 2024. This should speed up the national implementation of UN sanctions to 24 hours. In addition, the possibility of making one's own listing proposals is introduced and national bridging measures are provided for. The exchange of information between enforcement authorities and with the UN and the EU will also be improved.
Section 7 of the Sanctions Act 2024, which is particularly relevant for financial market participants – for the (transition) period 2025, these are credit and financial institutions pursuant to Section 1 of the Banking Act and payment institutions pursuant to Section 4 no. 4 of the Payment Services and Electronic Money Act 2018 – is to come into force as early as December 30, 2024. It requires that they define strategies, controls and procedures in writing for effective compliance with sanctions measures in accordance with the requirements of the new Section 23a Financial Markets Anti-Money Laundering Act. These must include, in particular, the following:
- a risk analysis at the company level,
- measures to identify risk factors and potential indications of non-implementation and circumvention of targeted financial sanctions related to proliferation financing or potentially risky constellations,
- risk management systems with regard to the non-implementation and circumvention of targeted financial sanctions related to proliferation financing and
- notification and reporting requirements related to targeted financial sanctions related to proliferation financing.
From January 1, 2026, the SanktG 2024 will no longer apply only to the above-mentioned credit, financial and payment institutions, but to all obliged entities under section 25 para 1 FM-GwG and thus in particular to crypto-asset service providers, investment firms and service providers, AIFMs and insurance companies. However, this does not mean that they do not have to take precautions now. The FM-GwG already provides for “light” sanctions monitoring for them from 2025. According to Section 23a FM-GwG, obliged entities must observe targeted financial sanctions related to proliferation financing and establish strategies, controls and procedures to mitigate and manage the risk of non-implementation and circumvention of those sanctions. The restriction to proliferation financing will be lifted as of January 1, 2026. Obliged entities under the FM-GwG, and thus also crypto-asset service providers, investment firms, etc., will therefore have to assess the risk of non-implementation and circumvention of all targeted financial sanctions from 2026 and mitigate it by means of appropriate internal organizational measures. This includes all targeted financial sanctions imposed on the basis of the SanktG 2024 as well as directly applicable EU sanctions. The gradual expansion of the scope should, according to the explanations, enable an orderly implementation. As stated, the FMA will then also take over responsibility for monitoring the sanction regulations from the OeNB; 22 new full-time equivalents are planned for this purpose at the FMA.
The application of the strategies, controls and procedures pursuant to section 7 of the SanktG and section 23a of the FM-GwG must be ensured at the individual and group level, with some time restrictions. While group implementation must already be ensured in the area of combating the financing of terrorism, this will not apply to the requirements under the SanktG until 2026.
New enhanced due diligence requirements for crypto-asset service providers
Section 11a FM-GwG, in implementation of EU law, imposes new due diligence requirements for transactions in connection with self-hosted addresses. According to the new Money Transfer Regulation, this is a distributed ledger address that has no connection to a crypto-asset service provider or an entity established outside the EU that provides services comparable to those of a crypto-asset service provider. Crypto-asset service providers must therefore identify and assess the risk of money laundering and terrorist financing and of non-implementation and circumvention of targeted financial sanctions related to proliferation financing arising from transfers to and from self-hosted addresses. They must have internal policies, procedures and controls in place to address this risk and apply appropriate mitigating measures.
Furthermore, section 10 (2) to (5) FM-GwG stipulates certain enhanced due diligence requirements for cross-border correspondent banking relationships in which crypto services are provided with a respondent institution that is not based in the EU and provides comparable services. For example, it must be determined whether the respondent institution is authorized or registered. In addition, sufficient information about the respondent institution must be collected. The controls that the respondent institution has in place to combat money laundering and terrorist financing must also be evaluated. Finally, approval must be obtained from senior management before entering into such a new correspondent banking relationship, and the respective responsibilities of each party to the correspondent banking relationship must be documented. In the case of payable-through crypto-asset accounts, the “correspondent bank” must verify that the respondent institution has verified the identity of the customers who have direct access to the correspondent institution's accounts, has continuously performed due diligence on these customers, and is able to provide the correspondent institution with the relevant due diligence data at the correspondent institution's request.
It is important for obliged entities to know that the EBA has added to its guidelines on risk factors for money laundering and terrorist financing (“Risk Factor Guidelines”) to clarify how the enhanced customer due diligence requirements apply when obliged entities provide certain crypto services (see Guidelines amending Guidelines EBA/GL/2021/02 of January 16, 2024, EBA/GL/2024/01).
Finally, the relevant terms will be updated shortly before the applicability of MiCAR, Regulation (EU) 2023/1114, which will usher in a new legal era for crypto-assets from the beginning of 2025. The definitions that have applied so far (virtual currency and service provider in relation to virtual currencies) will no longer apply. They are replaced by the legal definitions “crypto asset” and “crypto asset service provider”.
The provision of crypto-asset services requires a corresponding license in accordance with the MiCAR. However, virtual currency service providers already registered under the FM-GwG may continue to provide crypto-asset services without a MiCAR license on the basis of their existing registration until the end of 2025.
Amendment of the WiEReG on nominee agreements
The FATF Recommendations include requirements to prevent the misuse of so-called nominee agreements. A nominee is a natural or legal person who is either the owner of a legal entity or a member of the senior management of a legal entity and acts on the instructions of a nominator. The nominator exercises control over the nominee on the basis of a contractual or informal agreement. In many cases, the nominator is the beneficial owner of the company. Although it is recognized that many types of nominee agreements serve legitimate business purposes and pose minimal or no risks in terms of money laundering or terrorist financing, nominees can also be used as a deliberate means of circumventing the rules on transparency of beneficial ownership. This enables the misuse of legal entities for money laundering and related crimes.
Accordingly, section 2a of the WiEReG defines nominee agreements, in particular the terms nominator, nominee, nominee director and nominee agreement. Subsequently, section 4a of the new FM-GwG requires nominees and nominee directors to collect adequate, precise and current information about the identity of their nominators and the nominators' beneficial owners and to disclose this information and their status.
Extension of the limitation periods for due diligence violations
The extension of the limitation periods in administrative penalty proceedings for violating money laundering regulations, as adopted in the FM-GwG Adjustment Act, is particularly controversial. By amending Section 36 of the FM-GwG, the period for the limitation of prosecution is extended from three to six years and the limitation of criminal liability from five to eight years. In addition, the limitation period for criminal liability will be suspended during appeal proceedings at the Federal Administrative Court. The reasons given for the extension were the ten-year retention requirement for obliged entities with regard to documents relating to business relationships and occasional transactions, the cross-border nature, the length of proceedings and the long duration of requests for administrative assistance, which have been demonstrated in practice.
Experts criticize the extension of the limitation periods. This does not solve the root of the problem, which is that proceedings are too slow. This change could lead to further delays in investigations, because longer deadlines may tempt the authorities not to pursue investigations with the necessary speed. Furthermore, it is questionable whether it is appropriate that obligated parties can be punished longer than the actual perpetrators. In our opinion, the extension of the deadlines seems unconstitutional.
Release from banking secrecy
As part of the FATF Audit Adjustment Act 2024, the legislator has also made a welcome change in connection with the release from banking secrecy. Previously, section 38 (2) no. 5 BWG stated that there was no obligation to maintain banking secrecy if the customer expressly agreed to the disclosure of the secret in writing. The written form requirement seemed out of place in the now digitized (banking) world and led to impractical media breaks. Although written consent can still be obtained in the future, it is no longer mandatory. Rather, section 38 (2) no. 5 BWG now stipulates that customer consent can also be given electronically by means of a clearly affirmative action, so that, for example, consent can also be given by checking the appropriate checkbox. The amendment will come into force at the end of the day on which it is announced.