A New Act on Measures to prevent Money Laundering has come into Force

Date 7 aug. 2017
Download PDF version PDF



2 June 2017, the Danish Parliament implemented the last part of the fourth EU directive on preventive measures against money laundering into Danish legislation. The new Act came into force on 26 June 2017.


The changes in the new Act entail a transition of the Act from primarily rule based into far more risk based. This means that companies to a greater extent are responsible for ensuring compliance with the Act, in that the companies are obligated to identify and assess risks in their customer relations. The general purpose of this is to strengthen the efforts towards preventing Danish companies and banks from being abused by criminals for money laundering or terrorist financing. Furthermore, the new Act aims to uphold the security and integrity of the Danish financial system.

In the following, the most important changes as well as which companies are covered by the Act will be examined.


The most important Changes in the Anti Money Laundering Act

As mentioned above, the most important change in the new Act is the change from being primarily rule based to being far more risk based. This implies that while previously companies were merely required to comply with ground rules on identification of customers etc., the companies’ obligations have been extended so as to include risk management by making risk assessments.


By increasingly obligating the companies to know their customers and to perform risk assessments, the companies are left with a greater discretion but also a greater responsibility to ensure that their customers are not exploiting the company for money laundering or terrorist financing. The Act has inserted different procedures to ensure that the companies comply with the new risk procedures.

The companies currently encompassed by the Act are the same as in the previous Act, with the exception of physical money transportation. Additionally, gambling providers and alternative investment firms are also covered.



The Obligations of the Companies according to the new Act

The companies covered by the Act are companies which to some extent handle money transactions as part of their services to their customers. The new obligations imposed on the companies by the new Act are:

  • The company must make a risk assessment for all customers, provided that the customer relationship includes a transaction. The risk assessment must be stored and documentation must be available.
  • The company must draw up internal written policies, procedures and controls, including know your customer procedures and more strict procedures for politically exposed people (PEP).
  • Further, the company must train their employees in the Anti Money Laundering Act and the processing of sensitive personal data collected from the customer

Risk Assessments

The new extended requirements regarding the companies’ obligation to perform risk assessments entail that the company must identify and handle all possible risk factors in their customer relations in regards to the company’s business concept. Certain companies have more concessional demands, whereas companies that are assessed as having a higher risk of being abused have more strict requirements for their risk assessments. High-risk companies include companies such as currency exchange companies, banks, gambling providers etc. whose business concepts consist primarily of transactions with money and where the companies’ customers to a larger degree have the possibility of exploiting the company for money laundering or terrorist financing.

The company’s obligation to identify risks entails that the company must make the risk assessments based on the directional risk assessments which are published in Denmark, the European Commission and, if applicable, the supervising authority’s risk assessments. In Denmark, the Financial Supervisory Authority, the Danish Business Authority and the Danish Gambling Authority supervise the companies’ compliance with the Act. It is expected that the supervising authorities issue guidelines on how risk assessments must be carried out.


The supervisory authorities must also carry out risk-based supervision, which means that the authorities must take into account the discretion that the individual company is given in pursuance of the Act and direct their resources to the areas estimated as being at an increased risk.


The company must assess the risks by weighting the individual risk factors associated with the company's customers, products, services and transactions based on the company's delivery channels and the geographical areas in which the company carries out their business activities. As mentioned above, the scope of risk factors and risk assessment depends on the individual business concept. Typically, companies that introduce money into the financial system will have a greater amount of risk factors to be assessed than e.g. law firms, auditors, etc. who receive bank transfers from known customers. The customer's bank has made a risk assessment of the customer and its account deposits before the customer makes further financial transactions from bank deposits. However, this does not exempt the individual company from making their own risk assessments of each customer.


The requirement of documentation implies that the assessment must be on the basis of actual documentation and must not be based on assumptions. The amendment to the Act also implies that it is not sufficient for a company to merely make an initial risk assessment; the company must review each client's risk profile whenever the risk factors change significantly or, additionally, at least once a year in the case of long-term customers. The company must be able to document that they have complied with the statutory requirements in the event of control.

After the risk assessment has been completed, and in the event that this gives rise to circumstances to be investigated, it is the company's duty to handle the risk factors that constitute the greatest risk first.


The Company's Duty to develop internal written Policies, Procedures and Controls

Since the Act has gone from a rule-based approach to a risk-based approach, a higher standard requires the operator to draw up internal procedures to ensure that the company effectively prevents, reduces and manages the risks that the company has in their customer relationships.


The company must ensure, as far as possible, that the company is not abused for money laundering or terrorist financing through the above-mentioned risk assessments. The requirement for companies to have internal procedures, policies and controls helps to ensure company compliance with the Act.

These policies involve the following procedures:

  • Risk management of the company
  • Know Your Customer Procedures – especially internal procedures related to identification, verification and the customer's real intentions and the continuous monitoring of clients with increased risk profiles.
  • The company's duty of inspection and notification obligations – particularly the company's obligation to pay special attention to unusually large transactions, unusual behavior, customers from high-risk countries and operations that do not have an established lawful purpose. The duty of notification also implies the obligation to notify the State Attorney for Special Economic and International Crime (SØIK) in cases where it is required.
  • The company has the same duty to screen its employees as applies with customers. This implies that the company has a duty to ensure that its employees cannot abuse their position for money laundering or terrorist financing.
  • With its policies, procedures and controls, the company also has an obligation to ensure internal compliance with the statutory requirements. Some companies have a special duty to appoint an employee in the company to be responsible for ensuring the company's compliance. In order to ensure that this person is able to carry out sufficient control, it is important that there is independence between the person performing the control and the employees subject to said control. Internal controls must be documented and control measures must be described.

The policies developed must set the overall strategic goals for the company's compliance with the rules of the Act and ensure that the company avoids the risk that their customers abuse the company for money laundering and terrorist financing. The procedures describe how these strategic goals are achieved in practice.


Seeing as the companies covered by the rules have different business profiles and risk factors, it is important that the internal policies and procedures are based specifically on the company's particular business concept and that the internal policies and procedures are formulated specifically for internal use in the company. For these types of policies and procedures, standard forms can be made.

The company has a duty to adequately train its employees in the scope of the Act and in how the employees in the course of their daily work must be able to ensure that the company complies with the requirements of the Act.


Know Your Customer Procedures

Where previously, companies were required to legitimize their customers, the new Act has expanded with the introduction of so-called customer recognition procedures in which companies must assess the individual customer relationship and the client's real intentions with the given transaction. This is done by first legitimizing the customers, after which this identification must be verified through a reliable and independent source, and then the risk assessment must be used to divide the customers into risk profiles. Generally three risk profiles apply: increased risk, medium risk and limited risk.


The obligation to know the customer exists in the entire customer relationship, which means that the company has an obligation to continuously monitor and reassess the client's risk profile. This is done either by the occurrence of significant changes in the customer's relationship, and thus in the customer's risk factors, or as part of annual controls.

As mentioned, there are particularly rigorous procedures for PEP's, their relatives and business partners.


Our Assessment

The amendments to the Money Laundering Act has led companies to be more involved in the responsibility to ensure that Danish companies are not abused for money laundering or for the financing of terrorism.


With the increased requirements for corporate risk assessments, the new amendments to the Act ensure that each company allocates the resources necessary and prioritizes compliance with the Act, thereby helping to ensure the prevention of money laundering and terrorist financing.


The implementation of the latest EU Directive is also a response to the increase in terrorist acts in Europe, and the purpose of the Act is to prevent customers' abuse of businesses for illegal financial activities.



The above does not constitute legal counselling and Moalem Weitemeyer Bendtsen does not warrant the accuracy of the information. With the above text, Moalem Weitemeyer Bendtsen has not assumed responsibility of any kind as a consequence of a reader’s use of the above as a basis of decisions or considerations