Opinion of Advocate General Kokott delivered on 29 September 2022.

• Jurisdiction: European Union
• ECLI: ECLI:EU:C:2022:738
• Date: 29 September 2022
• Celex Number: 62021CC0078
• Court: Court of Justice (European Union)

Provisional text

OPINION OF ADVOCATE GENERAL

KOKOTT

delivered on 29 September 2022 (1)

Case C‑78/21

AS ‘PrivatBank’,

A,

B,

Unimain Holdings Limited

v

Finanšu un kapitāla tirgus komisija

(Request for a preliminary ruling from the Administratīvā apgabaltiesa (Regional Administrative Court, Latvia))

(Reference for a preliminary ruling – Articles 56 and 63 TFEU – Freedom to provide services – Free movement of capital and payments – Financial services – Restrictions – Prohibition for a credit institution to establish or maintain business relations with persons having no connection with Latvia – Justification – Prevention of the use of the financial system for the purpose of money laundering and terrorist financing – Article 65(1)(b) TFEU – Directive (EU) 2015/849 – Proportionality)

I. Introduction

1. The system for the prevention of money laundering and terrorist financing in the European Union establishes certain requirements for the risk management systems of banks. Those requirements include, inter alia, the obligation to verify the identity of customers before establishing a business relationship or carrying out a transaction and to obtain information on the purpose of the business relationship. If this is not possible, the transactions and business relationships in question may not be carried out/established. The intensity of the due diligence measures depends on the customer’s risk profile, which, according to recital 22 of Directive (EU) 2015/849, (2) is to be determined using a holistic, risk-based approach.

2. In the present case, the Latvian supervisory authority responsible for combating money laundering, the Finanšu un kapitāla tirgus komisija (Financial and Capital Markets Commission, Latvia; ‘the FKTK’), identified, over a certain period of time, deficiencies in the risk management system of a credit institution established in Latvia. The latter was clearly incapable of performing the requisite due diligence measures with respect to its customers. Therefore, the FKTK imposed on that credit institution a requirement that it should not establish a business relationship with anyone who is found to have no links with Latvia and to have a monthly account turnover exceeding a certain threshold, or that it should immediately terminate such a relationship, where the business relationship was commenced after the adoption of the FKTK’s decision. This raises the question as to whether, and if so, under what circumstances and conditions, such a measure is compatible with fundamental freedoms.

II. Legal framework

A. European Union law

1. TFEU

3. In accordance with the first paragraph of Article 56 TFEU, within the framework of the Treaty provisions set out below, restrictions on freedom to provide services within the European Union are to be prohibited in respect of nationals of Member States who are established in a Member State other than that of the person for whom the services are intended.

4. Under Article 63(1) TFEU, all restrictions on the movement of capital between Member States and between Member States and third countries are prohibited.

5. Article 65(1)(b) TFEU provides that the provisions of Article 63 TFEU are to be without prejudice to the right of Member States to take all requisite measures to prevent infringements of national law and regulations, in particular in the field of taxation and the prudential supervision of financial institutions, or to lay down procedures for the declaration of capital movements for purposes of administrative or statistical information, or to take measures which are justified on grounds of public policy or public security.

2. Directive 2015/849

6. The fourth EU Money Laundering Directive, Directive 2015/849, recast the third EU Money Laundering Directive, Directive 2005/60/EC. (3) The fifth EU Money Laundering Directive, Directive (EU) 2018/843, (4) is not temporally applicable to the present case.

7. Recital 22 of Directive 2015/849 is worded as follows:

‘The risk of money laundering and terrorist financing is not the same in every case. Accordingly, a holistic, risk-based approach should be used. The risk-based approach is not an unduly permissive option for Member States and obliged entities. It involves the use of evidence-based decision-making in order to target the risks of money laundering and terrorist financing facing the Union and those operating within it more effectively.’

8. Article 1(1) and (2) of Directive 2015/849 defines the subject matter of that directive:

‘1. This Directive aims to prevent the use of the Union’s financial system for the purposes of money laundering and terrorist financing.

2. Member States shall ensure that money laundering and terrorist financing are prohibited.’

9. According to Article 5 of Directive 2015/849:

‘Member States may adopt or retain in force stricter provisions in the field covered by this Directive to prevent money laundering and terrorist financing, within the limits of Union law.’

10. Article 7(1) of Directive 2015/849 concerns the risk assessment to be carried out by Member States:

‘Each Member State shall take appropriate steps to identify, assess, understand and mitigate the risks of money laundering and terrorist financing affecting it, as well as any data protection concerns in that regard. It shall keep that risk assessment up to date.’

11. Article 8(1) of Directive 2015/849 concerns the risk assessment to be carried out by financial institutions:

‘Member States shall ensure that obliged entities take appropriate steps to identify and assess the risks of money laundering and terrorist financing, taking into account risk factors including those relating to their customers, countries or geographic areas, products, services, transactions or delivery channels. Those steps shall be proportionate to the nature and size of the obliged entities.’

12. Chapter II of Directive 2015/849 regulates customer due diligence. In Section 1, entitled ‘General provisions’, Articles 13 and 14 set out the standard customer due diligence measures. According to Article 13(1), those measures consist in identifying the customer (point (a)) and the beneficial owner (point (b)), assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship (point (c)) and conducting ongoing monitoring of the business relationship (point (d)).

13. The first subparagraph of Article 14(4) of Directive 2015/849 governs the consequences of the inability to comply with the due diligence requirements referred to in Article 13 of that directive:

‘Member States shall require that, where an obliged entity is unable to comply with the customer due diligence requirements laid down in point (a), (b) or (c) of the first subparagraph of Article 13(1), it shall not carry out a transaction through a bank account, establish a business relationship or carry out the transaction, and shall terminate the business relationship and consider making a suspicious transaction report to the [Financial Intelligence Unit (FIU)] in relation to the customer in accordance with Article 33.’

14. Sections 2 and 3 of Chapter II of Directive 2015/849 regulate, respectively, simplified and enhanced customer due diligence.

15. With regard to simplified customer due diligence measures, it follows from Article 15(1) and (2) of Directive 2015/849 that where a Member State or an obliged entity identifies areas of lower risk, or where an obliged entity has ascertained that the business relationship or the transaction presents a lower degree of risk, the Member State may allow the obliged entity to apply simplified customer due diligence measures. In relation to the respective risk assessments, Article 16 of that directive refers to the factors of potentially lower risk situations set out in Annex II.

16. With regard to enhanced customer due diligence, it follows from Article 18(1) of Directive 2015/849 that, in the cases referred to in Articles 19 to 24, and when dealing with natural persons or legal entities established in the third countries identified by the Commission as high-risk third countries, as well as in other cases of higher risk that are identified by Member States or obliged entities, the latter are to apply enhanced customer due diligence measures to manage and mitigate those risks appropriately. In relation to the risk assessment, Article 18(3) refers to the factors of potentially higher-risk situations set out in Annex III.

17. Section 4 of Chapter VI of Directive 2015/849, entitled ‘Policies, procedures and supervision’, governs sanctions. In accordance with the second sentence of Article 58(1), sanctions or measures resulting from the implementation of the directive must be effective, proportionate and dissuasive. Article 59(2) of the directive lists administrative sanctions and measures that Member States can apply as a minimum, including in particular, according to point (c) of that provision, the withdrawal or suspension of authorisation, where an obliged entity is subject to an authorisation.

18. Article 59(4) of Directive 2015/849 also permits administrative sanctions which are not provided for in the directive:

‘Member States may empower competent authorities to impose additional types of administrative sanctions in addition to those referred to in points (a) to (d) of paragraph 2 or to impose administrative pecuniary sanctions exceeding the amounts referred to in point (e) of paragraph 2 and in paragraph 3.’

19. Annexes II and III to Directive 2015/849 each contain a non-exhaustive list of factors and types of evidence of potentially lower risk and, respectively, potentially higher risk. In accordance with point 1(c) read in conjunction with point 3(a) of Annex II, the Member States are situated in a geographical area of lower risk. In accordance with point 3(b) of Annex III, the factors for a potentially higher geographical risk include ‘countries identified by...