delivered on 12 May 2022 (1)

Case C‑562/20

SIA Rodl & Partner

(Request for a preliminary ruling from the Administratīvā rajona tiesa (District Administrative Court, Latvia))

(Reference for a preliminary ruling – Prevention of the use of the financial system for the purposes of money laundering or terrorist financing – Directive (EU) 2015/849 – Risk assessment by obliged entities – Automatic application of enhanced due diligence measures – High-corruption-risk third country – Publication of sanctions)

This request for a preliminary ruling from the Administratīvā rajona tiesa (District Administrative Court, Latvia) concerns the interpretation and validity of several key provisions of Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing. (2)

It provides the Court of Justice with an opportunity to clarify the scope of various essential aspects of the system for the prevention of money laundering and terrorist financing, according to the risk-based approach provided for in that directive, and in particular the definition of the degree of discretion granted to Member States in the matter, as well as the extent of the obligations imposed on obliged entities as regards the assessment of the risk posed by their customers and the application to them of the appropriate level of due diligence measures.

Article 13(1)(c) and (d) of Directive 2015/849 provides that ‘customer due diligence measures shall comprise:

(c) assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship;

(d) conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the obliged entity’s knowledge of the customer, the business and risk profile, including where necessary the source of funds and ensuring that the documents, data or information held are kept up-to-date.’

Article 14(5) of Directive 2015/849, as amended by Directive 2018/843, provides that: ‘Member States shall require that obliged entities apply the customer due diligence measures not only to all new customers but also at appropriate times to existing customers on a risk-sensitive basis, or when the relevant circumstances of a customer change, or when the obliged entity has any legal duty in the course of the relevant calendar year to contact the customer for the purpose of reviewing any relevant information relating to the beneficial owner(s), or if the obliged entity has had this duty under Council Directive 2011/16/EU.’

Article 18(1) and (3) of Directive 2015/849, as amended by Directive 2018/843, provides that:

‘1. In the cases referred to in Articles 18a to 24, as well as in other cases of higher risk that are identified by Member States or obliged entities, Member States shall require obliged entities to apply enhanced customer due diligence measures to manage and mitigate those risks appropriately. ...

As set out in Article 60(1), first subparagraph, and Article 60(2) of Directive 2015/849:

‘1. Member States shall ensure that a decision imposing an administrative sanction or measure for breach of the national provisions transposing this Directive against which there is no appeal shall be published by the competent authorities on their official website immediately after the person sanctioned is informed of that decision. The publication shall include at least information on the type and nature of the breach and the identity of the persons responsible. ...

Point 3(b) of Annex III to Directive 2015/849 provides that the ‘non-exhaustive list of factors and types of evidence of potentially higher risk referred to in Article 18(3)’ includes, among the ‘geographical risk factors’, ‘countries identified by credible sources as having significant levels of corruption or other criminal activity’.

Directive 2015/849 was transposed into Latvian law by the Noziedzīgi iegūtu līdzekļu legalizācijas un terorisma un proliferācijas finansēšanas novēršanas likums (‘Law on the prevention of money laundering and terrorist and proliferation financing’) of 17 July 2008 (3) (‘the Latvian anti-money laundering Law’).

The applicant in the main proceedings, SIA Rodl & Partner (‘Rodl & Partner’), is a company established in Latvia whose business consists, inter alia, in providing accounting, audit and tax consultancy services. It has the status of obliged entity within the meaning of Directive 2015/849.

During the period from 3 April 2019 to 6 June 2019, officials from the Noziedzīgi iegūtu līdzekļu legalizācijas novēršanas pārvalde (Anti-money laundering unit) at the Valsts ieņēmumu dienests (Latvian tax authority; ‘the VID’) carried out inspections at Rodl & Partner. In the course of those inspections, the VID found, inter alia, that Rodl & Partner, as an obliged entity, had failed to carry out and document an assessment of the risks of money laundering and terrorist financing, in accordance with the Latvian anti-money laundering Law, in respect of two of its customers: the It izglītības fonds foundation (‘the foundation’) and the company SIA RBA Consulting (‘RBA Consulting’).

The first customer, the foundation, is based in Latvia and was set up to promote the information technology sector to students. The foundation became a customer of Rodl & Partner on 25 October 2016. The relevant identification form was signed on 7 March 2017 by VR, a national of the Russian Federation with a Latvian residence permit and an employee of the foundation, which he directs. The form identifies the Latvian company as a whole as the beneficial owner of the foundation.

Rodl & Partner decided that the risk of money laundering and terrorist financing in respect of this customer should be considered low. However, the VID noted that, according to a report dated 22 June 2018 published on the VID’s website, as well as international practice, the potential use of non-governmental organisations (‘NGOs’) is one of the main threats in relation to terrorist financing. Therefore, according to the VID, Rodl & Partner was required to carry out enhanced scrutiny of the customer, particularly as it was linked to a high-corruption-risk third country, namely the Russian Federation.

The second customer, RBA Consulting, is a company based in Latvia whose business is to provide public relations and communication services. The sole business partner and beneficial owner of that company is a Latvian national. It has been a customer of Rodl & Partner since 28 December 2017. Rodl & Partner also decided that the risk profile for that customer should be considered low.

However, after analysing the company’s bank account statements, the VID found that it was receiving monthly transfers of EUR 25000 from Nord Stream 2 AG, a subsidiary of the Russian company Gazprom. Furthermore, it appeared that the relevant invoices had been issued on the basis of a contract dated 1 January 2018 between RBA Consulting and Nord Stream 2 AG. Despite a request from the VID that it produce a copy of that contract, Rodl & Partner declined to do so, stating that it had examined the original contract at the customer’s premises. In the light of the foregoing, the VID concluded that, in monitoring its business relationship with that customer, Rodl & Partner had failed to pay sufficient attention to the transactions between RBA Consulting and Nord Stream 2 AG, an undertaking owned by an entity based in a high-corruption-risk third country.

By decision of the VID of 11 July 2019, Rodl & Partner was fined EUR 3000 for breaching its obligations under the Latvian anti-money laundering Law. On the basis of that decision, on 11 August 2019, the VID published information on its website regarding the infringements committed by Rodl & Partner. The decision imposing the fine was upheld by the Director-General of the VID on 13 November 2019. Rodl & Partner brought an action before the referring court seeking the annulment of that decision and the removal of the information published online about the sanctions imposed on it.

The referring court observes, first, that neither Directive 2015/849 nor the Latvian anti-money laundering Law provides that an NGO, solely on account of its legal form, poses a higher risk and for that reason should be subjected to enhanced customer due diligence measures. It notes that Rodl & Partner has contended that, if the VID were to decide that an obliged entity should apply enhanced due diligence measures whenever its customer is an NGO or one of its employees is a national of a high-corruption-risk third country, the question would then arise as to whether such a requirement was disproportionate and whether it should be provided for by law.

The referring court also observes that the Russian Federation is not included in the list of high-risk countries published by the Financial Action Task Force (FATF), nor in the Commission’s list of high-risk third countries. The referring court considers it possible to categorise that country as a high-corruption-risk country within the meaning of point 3(b) of Annex III to Directive 2015/849. (4) However, it notes that neither the provisions of Directive 2015/849 nor those of the Latvian anti-money laundering Law directly require the customer to be subjected to enhanced due diligence measures simply because a Russian national is an employee of that customer. In those circumstances, the referring court concludes that there are doubts as to the interpretation of Article 18(1) and (3) of Directive 2015/849, read in conjunction with point 3(b) of Annex III thereto.

Second, if those provisions were to be interpreted as meaning that there is an automatic obligation to take enhanced customer due diligence measures where there is a potential risk associated with the customer’s legal form (NGO) and because the person authorised and employed by the customer is a national of a high-corruption-risk third country, it would be necessary to examine whether that interpretation is consistent with the principle of proportionality enshrined in Article 5 TEU.

Third, the referring court has doubts as to whether, in the present case, the VID exceeded the provisions of the relevant legislation by deciding that the mere fact that RBA Consulting is the business partner of a subsidiary of a Russian company is a factor which, by itself, increases the risk associated with the customer. Such a presumption is not envisaged in the Latvian anti-corruption Law, nor in Directive 2015/849.

Fourth, the referring court has doubts about whether the VID exceeded the powers vested in it under the relevant legislation by requiring the production of a copy of the contract concluded between RBA Consulting and Nord Stream 2 AG. The referring court is therefore unsure whether Article 13(1)(c) and (d) of Directive 2015/849 must be interpreted as requiring the production of a copy of the contract concluded between the customer and a third party.

Fifth, in the light of the circumstances of the case, the referring court considers it necessary to clarify whether Article 14(5) of Directive 2015/849 must be interpreted as meaning – and if so, whether this is justified and proportionate – that the obliged entity is required to apply customer due diligence measures in respect of existing customers even where there has been no material change in the customer’s situation, and whether that obligation applies only to customers identified as constituting a high risk.

Sixth, and lastly, the referring court observes that some of the information about the infringements committed by Rodl & Partner, which the VID published on its website, is incorrect. It is for that reason unsure as to the interpretation of Article 60(1) and (2) of Directive 2015/849.

In those circumstances, the referring court decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

‘(1) Must Article 18(1) and (3) of Directive 2015/849, in conjunction with Annex III, point 3(b), thereto, be interpreted as meaning that those provisions (i) automatically require a provider of external bookkeeping services to take enhanced customer due diligence measures on the ground that the customer is a non-governmental organisation and the person authorised and employed by the customer is a national of a high-corruption-risk third country, in the present case, the Russian Federation, who holds a Latvian residence permit, and (ii) automatically require that customer to be categorised as representing a higher degree of risk?

(2) If the preceding question is answered in the affirmative, can the abovementioned interpretation of Article 18(1) and (3) of Directive 2015/849 be regarded as proportionate and, therefore, consistent with the first subparagraph of Article 5(4) of the Treaty on European Union?

(3) Must Article 18 of Directive 2015/849, in conjunction with Annex III, point 3(b), thereto, be interpreted as meaning that it lays down an automatic obligation to take enhanced customer due diligence measures in every case where one of the customer’s business partners, but not the customer itself, is in some way linked to a high-corruption-risk third country, in the present case, the Russian Federation?

(4) Must Article 13(1)(c) and (d) of Directive 2015/849 be interpreted as meaning that, when taking customer due diligence measures, the obliged entity must obtain from the customer a copy of the contract concluded between that customer and a third party, and, therefore, that an examination of that contract in situ is considered to be insufficient?

(5) Must Article 14(5) of Directive 2015/849 be interpreted as meaning that the obliged entity is required to apply due diligence measures to existing commercial customers even where there is no indication of any significant changes in the customer’s circumstances and the period laid down by the competent authority of the Member State for the adoption of new monitoring measures has not expired, and that that obligation is applicable only in relation to customers that have been categorised as representing a high risk?

(6) Must Article 60(1) and (2) of Directive 2015/849 be interpreted as meaning that, when publishing information on a decision imposing an administrative sanction or measure for breach of the national provisions transposing that directive against which there is no appeal, the competent authority has an obligation to ensure that the information published conforms exactly to the information contained in that decision?’

The six questions referred for a preliminary ruling by the referring court in the present case concern the interpretation and validity of several key provisions of Directive 2015/849. Before providing a reply, it is worth making some preliminary remarks about the version of Directive 2015/849 applicable ratione temporis and about the system for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing provided for in that directive.

It is apparent from the documents before the Court that Rodl & Partner conducted its risk assessments on 1 September 2017 for the foundation and on 8 February 2018 for RBA Consulting. The VID carried out its inspections between 3 April 2019 and 6 June 2019, and the contested VID decision was adopted on 13 November 2019. Directive 2018/843, which amended Directive 2015/849, entered into force on 9 July 2018. Article 4(1) of that directive set 10 January 2020 as the deadline for transposition by the Member States.

It may be inferred from this that the risk assessments on which Rodl & Partner relied in order to determine the degree of risk and, consequently, the due diligence measures for its two customers took place before the entry into force of the 2018 amending directive. The inspections carried out by the VID, on the other hand, took place after the entry into force of that directive, but before the deadline for its transposition had passed.

In those circumstances, I agree with the Commission’s observation at the hearing that, as will be seen in more detail in point 63 below, in the system for the prevention of money laundering and terrorist financing provided for by Directive 2015/849, the risk assessment – and the consequent application of customer due diligence measures corresponding to the degree of risk identified – is an ongoing process. It follows that, contrary to what the referring court appears to argue in its response to the questions put by the Court, it cannot be held, in my view, that the legislation on the basis of which the legality of the risk assessment carried out by an obliged entity must be examined is necessarily that which is applicable at the time of the original assessment. Indeed, in the scheme of Directive 2015/849, the risk assessment is necessarily dynamic in nature and the obliged entities are expected to keep their risk assessments up to date. (5) Consequently, the risk assessment of a customer carried out by the obliged entity – justifying the adoption of a particular level of due diligence measures in respect of that customer – must comply with the legislation applicable at the time of the inspection by the authorities. The obliged entity cannot justify a discrepancy in its risk assessment, and in the resulting due diligence measures applied, by claiming that its original assessment was governed by different rules.

In my view, it follows from those considerations that the version of the directive applicable to the facts in this case is the one in force at the time of the inspections carried out by the VID, that is to say, the version amended by Directive 2018/843.

That said, it should also be noted that the directives are addressed to the Member States. (6) The obligations incumbent on obliged entities are derived, in principle, from the law transposing that directive. When the VID carried out the inspections that led to the contested measure, the period for transposition of Directive 2018/843 had not yet expired. It is not clear from the documents before the Court whether, at the time of those inspections, the Latvian anti-money laundering Law had already been updated to include the amendments introduced by that directive. In any event, the obligations incumbent on Rodl & Partner were those laid down in the version of the Latvian legislation applicable at the time of the inspections – the version, in fact, cited by the referring court in the order for reference. (7)

However, I do not consider that the amendments introduced by Directive 2018/843 to the provisions of Directive 2015/849 cited in the questions referred for a preliminary ruling by the referring court have a substantial impact on the answers to those questions. (8) I also note that those questions do not raise any issues of incompatibility of the national legislation with the provisions of Directive 2015/849.

The system for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing provided for in Directive 2015/849

(a)

System of prevention according to a risk-based approach

The Court has previously held that, as is apparent from its Article 1, read in the light of recital 1, Directive 2015/849 has as its main objective the prevention of the use of the EU financial system for the purposes of money laundering and terrorist financing, so as to avoid flows of illicit money damaging the integrity, stability and reputation of the EU financial sector and threatening its internal market as well as international development. (9) That directive was adopted in an international context, in order to apply and make binding in the European Union the FATF recommendations. (10)

The provisions of Directive 2015/849 are, therefore, predominantly preventive in nature, in so far as they seek to establish, taking a risk-based approach, a body of dissuasive measures to combat money laundering and terrorist financing effectively and to safeguard the soundness and integrity of the financial system. (11)

As stated in recitals 22 and 23 of Directive 2015/849, that holistic risk-based approach (12) constitutes a need for Member States and the European Union to identify, understand and mitigate the risks of money laundering and terrorist financing that they face. The risk-based approach presupposes an assessment of those risks, which, in the scheme of Directive 2015/849, (13) is carried out at three levels: at EU level by the Commission (Article 6), (14) at the level of each Member State (Article 7) and at the level of the obliged entities (Article 8).

In particular, pursuant to Article 7 of Directive 2015/849, each Member State is required to take appropriate steps to identify, assess, understand and mitigate the risks of money laundering and terrorist financing affecting it and to keep that risk assessment up to date.

Pursuant to Article 8 of that directive, obliged entities must be required, in a manner proportionate to their nature and size, to take appropriate steps to identify and assess the risks of money laundering and terrorist financing, taking into account risk factors including those relating to their customers, countries or geographic areas.

That risk assessment is the prerequisite for the adoption of appropriate prevention measures – in other words, customer due diligence measures – aimed at avoiding or, at least, preventing, as far as possible, money laundering and terrorist financing. (15) Without a risk assessment, it is not possible for the Member State concerned or, as the case may be, an interested party, to decide in an individual case which measures to apply. (16)

Moreover, risk itself is variable in nature, and the variables, on their own or in combination, may increase or decrease the potential risk posed, thus having an impact on the appropriate level of preventive measures. (17) Therefore, there is a correlation between the risk assessment and the due diligence measures, in the sense that the level of due diligence depends on the higher or lower level of risk. (18) In this respect, the Court has made it clear that due diligence measures must have a concrete link with the risk of money laundering and terrorist financing and must be proportionate to that risk. (19)

In that context, Directive 2015/849 distinguishes between three types of due diligence measures that obliged entities may be required to apply to their customers depending on the level of risk identified: standard, simplified and enhanced measures. (20)

With regard to standard measures of customer due diligence, these are governed in particular by Articles 13 and 14 of Directive 2015/849. According to Article 13(1) of that directive, they consist of identifying the customer (point (a)) and the beneficial owner (point (b)), assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship (point (c)) and conducting ongoing monitoring of the business relationship (point (d)). Under paragraph 2 of that article, obliged entities may determine the extent of such measures on a risk-sensitive basis.

With regard to simplified measures, it is clear from Article 15(1) and (2) of Directive 2015/849 that, where the Member State or the obliged entity identifies areas of lower risk, or where an obliged entity has ascertained that the business relationship or the transaction presents a lower degree of risk, obliged entities may apply simplified customer due diligence measures.

Lastly, as regards enhanced measures, it is clear from Article 18(1) of Directive 2015/849 that, in the cases referred to in Articles 18a to 24 of that directive, as well as in other cases of higher risk that are identified by Member States or obliged entities, obliged entities are required to apply enhanced customer due diligence measures to manage and mitigate those risks appropriately.

It follows that, apart from the specific cases provided for in Articles 18a to 24 of Directive 2015/849 – where the application of enhanced due diligence measures is automatic – in view of the necessary correlation, mentioned in point 37 above, between the assessment of the level of risk of money laundering and terrorist financing and the appropriateness of the preventive measures, the application of enhanced measures presupposes the identification of higher risks by the Member State or the obliged entity. More specifically, the applicable enhanced customer due diligence measures must be based on the assessment of the existence and the highest level of risk of money laundering and terrorist financing. (21)

In that respect, it follows from the combined provisions of Article 18(1) and (3) of Directive 2015/849 that, in order to identify cases of higher risk other than those provided for in Articles 18a to 24 of that directive, Member States and obliged entities must take into account at least the factors of potentially higher-risk situations set out in Annex III to that directive. Annex III contains a non-exhaustive list of the factors and types of evidence indicative of such a risk.

The role of Member States in the risk-based approach of Directive 2015/849

The wide degree of discretion left to the Member States

Directive 2015/849 achieves only minimum harmonisation in the fight against money laundering. (22) As is evident from the points made thus far, it leaves the Member States considerable room for manoeuvre both with regard to the identification of the risks of money laundering and terrorist financing, and with regard to the appropriate measures to prevent, avoid or at least hinder such activities.

On the one hand, Directive 2015/849 explicitly recognises that Member States may be affected differently by different risks of money laundering and terrorist financing. (23) As emphasised by the Commission at the hearing and by the Republic of Latvia in its observations, such differentiated risks may depend on the specific situation of each Member State and may vary according to a host of parameters, such as its geographical location or its economic or social situation.

On the other hand, that directive leaves it to each Member State to determine the level of protection it deems appropriate with respect to the identified level of risk of money laundering or terrorist financing. (24)

That degree of discretion with regard to the level of protection granted by Directive 2015/849 to Member States concerns both the possibility of allowing simplified customer due diligence measures where a low risk is identified and – other than in the cases expressly provided for in Articles 18a to 24 thereof – the requirement for the application of enhanced customer due diligence measures in the event of a higher level of risk being identified.

With specific regard to enhanced measures, the Court of Justice has already explicitly recognised the existence of significant discretion for Member States as to the appropriate way of implementing the obligation to require enhanced due diligence measures and to determine both the situations in which a higher risk of that kind exists and the appropriate enhanced due diligence measures. (25) Moreover, the existence of that discretion is explicit from the very wording of Article 18(1) of Directive 2015/849. (26)

It should also be noted that Article 5 of Directive 2015/849 expressly allows Member States to adopt or retain in force stricter provisions to prevent money laundering and terrorist financing, within the limits of EU law. (27) The Court of Justice has clarified that the ‘stricter provisions’ referred to in that provision may concern situations for which that directive prescribes a certain type of customer due diligence and also other situations which Member States consider to present a risk. (28) In addition, that article applies to all provisions in the area covered by Directive 2015/849 to prevent money laundering and terrorist financing. (29)

It follows from all of the foregoing considerations that Directive 2015/849 allows considerable room for manoeuvre for the Member States, which may either set a level of protection higher than that chosen by the EU legislature and authorise or require customer due diligence measures other than those provided for in that directive, pursuant to the power provided for in Article 5, or identify other situations presenting a higher risk in the exercise of the discretion that Article 18 grants to them. In so doing, the Member States may, in particular, identify the specific measures to be applied in certain situations or give the entities or persons subject to that directive discretion to apply, on the basis of a risk assessment, the measures considered proportionate to the risk in a specific situation. (30)

(2)

The scope and definition of the wide degree of discretion of the Member States

In that context, it is necessary to clarify – as is apparent from the debate that took place at the hearing – the scope and definition of the wide degree of discretion granted by Directive 2015/849 to the Member States in the light of the general principles of EU law. The wording of the directive itself, particularly in Article 5, states that Member States are in any case required to act ‘within the limits of Union law’.

More specifically, in relation to the general principle of legal certainty, the question arises as to the appropriate legal basis for Member States to identify – within the framework set out in that directive – the additional risk factors that could justify or even require the application of enhanced customer due diligence measures.

It is necessary to determine whether, in the light of the general principle of legal certainty, it is necessary for all the constituent elements of the risk factors identified by a Member State to be explicitly mentioned in legislation, with a clear reference, for example, to the countries or types of organisations that pose a higher degree of risk and thus warrant the application of enhanced measures.

In that respect, it is my view that, in accordance with the principles of legality and legal certainty, the identification of the risk factors in general that could potentially affect subjective situations or even fundamental rights must, in principle, be based on measures having the status of legislation. However, I also believe that the law should not, and cannot, lay down exhaustive rules covering all the specific risk factors.

Given the dynamic nature of economic relations and criminal activities, it is, in my view, impossible comprehensively to determine in advance all the possible factors that might have an impact on the assessment of the risk of money laundering or terrorist financing. As explicitly recognised in recital 30 of Directive 2015/849, risk itself is variable in nature. It is necessary, therefore, to provide the system with a certain amount of flexibility in order to allow for a dynamic adaptation when identifying those factors, while respecting the principle of legal certainty and the protection of fundamental rights guaranteed by EU law.

Accordingly, I take the view that EU law does not preclude legislation from specifying general risk categories that, in accordance with the constitutional requirements specific to each Member State, are specified in other instruments which need not be legislative in nature. (31) However, such instruments must receive sufficient publicity, since the public – and in particular the obliged entities, required to carry out risk assessments by applying those criteria in practice – need to be aware of them.

The identification of those risk factors and of the appropriate measures to mitigate those risks must be consistent with other general principles of EU law. These include the principle of proportionality, mentioned in the second question referred for a preliminary ruling, and the principle of non-discrimination, specifically enshrined in Article 21 of the Charter of Fundamental Rights, which prohibits any form of discrimination based on, inter alia, membership of a national minority. Therefore, in exercising the degree of discretion granted to them by Directive 2015/849, Member States must not exceed what is necessary to achieve the objectives of preventing and combating money laundering and terrorist financing and must refrain from discrimination.

(c) The role of obliged entities in the risk-based approach of Directive 2015/849

As noted in point 35 above, and as is apparent from Articles 8 and 11 to 18 of Directive 2015/849, in the system for the prevention of money laundering and terrorist financing created by that directive according to a risk-based approach, obliged entities play a crucial role in the risk assessment of those activities. As the Commission observed at the hearing, this fundamental role is due to the proximity of the obliged entities to economic activities, and therefore to potentially illegal activities, which means that they are best placed to spot any suspicious transactions.

In that respect, Directive 2015/849 lays down an obligation for obliged entities to take appropriate measures to identify and assess the risks of money laundering and terrorist financing, taking into account the pertinent risk factors, as well as an obligation to apply the appropriate due diligence measures.

The risk assessment and the consequent application of customer due diligence measures by obliged entities involve the use of evidence-based decision-making in order to target the risks of money laundering and terrorist financing more effectively. (32) This assessment relates to specific situations and must not therefore be carried out in the abstract. According to this holistic approach, the assessment must take into account all the factors that could have an impact on the identification of the risk.

In that regard, it is explicitly stated in Article 8(2) of Directive 2015/849 that risk assessments carried out by obliged entities must be documented, kept up-to-date and made available to the relevant competent authorities and self-regulatory bodies concerned.

The need for documentation and evidence for the authorities regarding the assessments carried out by obliged entities and the decisions they take as regards due diligence measures is also mentioned in Article 13(4) of Directive 2015/849. That provision requires that obliged entities must be able to demonstrate to competent authorities or self-regulatory bodies that the due diligence measures applied are appropriate in view of the risks of money laundering and terrorist financing that have been identified. (33)

In addition, the risk assessment is a dynamic and, to the extent that it is reasonable, ongoing process. This is inferred from the obligation under Article 8(2) of Directive 2015/849 to keep risk assessments up to date and from the obligation under Article 13(1)(d) of Directive 2015/849 to monitor constantly the business relationship and to be familiar with the customer’s risk profile while keeping the documents, data and information held up to date.

It should also be noted that, in accordance with the principle of proportionality, the obligations imposed on obliged entities cannot be disproportionate. That requirement is stipulated in the last sentence of Article 8(1) of Directive 2015/849, according to which the measures imposed on obliged entities under that directive must be proportionate to their nature and size. This need is also apparent from the wording of recital 2 of that directive, which emphasises the need for a balanced approach and spells out the ‘need to create a regulatory environment that allows companies to grow their businesses without incurring disproportionate compliance costs’.

It follows from the foregoing that, in my view, in the prevention system established by Directive 2015/849, the obliged entity must be able to demonstrate to the authorities, first, that it has carried out the most comprehensive risk analysis possible, to the extent that this is reasonable and proportionate to its nature and size, of the risks of money laundering and terrorist financing, taking into account all relevant factors and sources, and, second, that it has applied a level of customer due diligence measures that is appropriate to the degree of risk identified in each case.

The questions referred by the referring court for a preliminary ruling must be examined in the light of all the foregoing considerations.

By its first question referred for a preliminary ruling, the referring court asks whether Article 18(1) and (3) of Directive 2015/849, read in conjunction with Annex III, point 3(b), thereto, must be interpreted as meaning that those provisions automatically require an obliged entity to categorise a customer as representing a higher degree of risk and consequently to take enhanced customer due diligence measures in respect of that customer on the ground that the customer is an NGO and the person authorised and employed by the customer is a national of a high-corruption-risk third country.

By its second question, the referring court asks whether, if the answer to the first question is in the affirmative, those provisions thus interpreted are in accordance with the principle of proportionality referred to in the first subparagraph of Article 5(4) TEU.

As noted in point 41 above, Article 18(1) of Directive 2015/849 provides that enhanced due diligence measures are to be applied in two situations: in the cases referred to in Articles 18a to 24 of that directive, and in other cases of higher risk that are identified by Member States or obliged entities. Since it is not apparent from the order for reference that the present case comes under one of the cases referred to in Articles 18a to 24 of Directive 2015/849, the first question must be regarded as relating to the second situation.

In that respect, it is clear from the combined provisions of Article 18(1) and (3) of Directive 2015/849 that, in order to identify cases of higher risk, Member States and obliged entities must take into account at least the factors of potentially higher-risk situations set out in Annex III to that directive.

As is apparent from points 42 and 43 above, other than in the cases referred to in Articles 18a to 24 of Directive 2015/849, according to the risk-based approach on which the entire prevention system created by that directive is based, the possible categorisation of a customer as representing a higher degree of risk, and therefore the adoption of enhanced customer due diligence measures in respect of that customer, must be based on a detailed risk assessment in relation to that customer. It is also apparent from point 60 above that such an assessment must take into account all the factors that are capable of having an impact on the identification of the degree of risk of that customer.

It follows that, other than in the cases referred to in Articles 18a to 24 of Directive 2015/849, the categorisation of a customer as representing a higher degree of risk, and therefore the adoption of enhanced customer due diligence measures in respect of that customer, is not automatic. Rather, the adoption of enhanced measures must be based on a case-by-case assessment of the specific risk relating to that customer, carried out by the obliged entity on the basis of the criteria identified by the Member State concerned or by the obliged entity itself in view of all the pertinent risk factors.

In the first question referred for a preliminary ruling, the referring court mentions two specific risk factors: the fact that the customer is an NGO and the fact that the person authorised and employed by the customer is a national of a high-corruption-risk third country, in this case the Russian Federation.

Regarding the first of those factors, the referring court observes that neither Directive 2015/849 nor the Latvian anti-money laundering Law provides that an NGO inherently poses a higher risk simply on account of its legal form.

In that respect, as is apparent from point 44 et seq. of this Opinion, in the system provided for in Directive 2015/849, Member States have a wide degree of discretion in determining the risks of money laundering and terrorist financing specific to them. Accordingly, they may identify other situations presenting a higher risk. (34)

It should be noted in this regard that Article 6(1)(2)(1) of the Latvian anti-money laundering Law specifically states that the obliged entity, when assessing the risks of money laundering and terrorist financing, is required to take into account, as one of the circumstances that could have an impact on the risk, the risk posed by the customer’s legal form. Subject to the scrutiny of the referring court, which alone is competent to apply the national law, it would thus appear that the Latvian anti-money laundering Law explicitly identifies the customer’s legal form as a risk factor to be taken into account in the risk assessment carried out by the obliged entity.

In addition, the Latvian Government has pointed out in its observations that a 2019 report from the VID’s anti-money laundering unit (35) revealed that NGOs are particularly vulnerable to money laundering and terrorist financing, particularly NGOs that are not registered as public interest organisations. The Latvian Government also cited other sources of information, specifically concerning Latvia, (36) which would suggest that the legal form of the foundation or NGO should be regarded as a potential high risk factor during the risk assessment.

As I noted in point 56 above, in my view, EU law does not preclude general categories of risk (such as the legal form of the customer, in this case) from being indicated in the law, and subsequently being specified (in this case, specifically the legal form of NGOs or foundations) in other subsequent instruments that do not necessarily have to be legislation. However, it is for the referring court to determine in practice whether, in the Latvian legal system, the fact that a customer has the legal form of a foundation or an NGO must be considered a potentially higher risk factor which an obliged entity is required, under national law, to take into account in its risk assessment of that customer.

If so, it would then be necessary to conclude that, although the fact that a customer has the legal form of an NGO does not automatically mean that that customer should be categorised as representing a higher risk – with the consequent automatic application of enhanced due diligence measures – any failure to take this aspect into account constitutes an omission in the assessment of the risk of money laundering and terrorist financing carried out in respect of that customer. In addition, as mentioned in points 61 and 62 above, the obliged entity must be able to demonstrate to the competent authorities that it carried out the appropriate risk assessment and that it took account of all relevant factors in that assessment.

Regarding the second factor mentioned in point 73 above (the fact that the person authorised and employed by the customer is a national of a high-corruption-risk third country), it should be noted that, as the referring court observed, the Russian Federation does not appear, nor did it appear at the material time, on the list of high-risk countries published by the FATF, (37) nor on the list of high-risk third countries drawn up by the Commission. (38)

However, it follows from point (3)(b) of Annex III to Directive 2015/849, referred to in Article 18(3) thereof, that the geographical factors indicative of potentially high-risk situations include ‘countries identified by credible sources as having significant levels of corruption or other criminal activity’.

It should also be noted that Article 11(1)(3) of the Latvian anti-money laundering Law states that, in discharging their customer due diligence obligations, obliged entities must take into account at least some risk factors, including, in point 2(b), the fact that the customer or its beneficial owner is linked to a country or territory that presents a high risk of corruption.

In that respect, the referring court observes that the Russian Federation can be regarded as a country or territory presenting a high risk of corruption. (39) Furthermore, at the hearing, the Latvian Government referred to guidelines and other information published on the VID website which specifically state that, in Latvia, the existence of a link with the Russian Federation is considered in practice a factor that could increase the risk of money laundering. Moreover, it seems reasonable to conclude that, given the observation made in point 44 above, factors relating to the Republic of Latvia’s geographical position and economic and social situation may – given the degree of discretion granted by Directive 2015/849 to Member States – mean that that Member State is justified in adopting a specific approach towards Russia. Subject to the analysis of the referring court, which alone is competent to apply the national law, it would thus appear that the existence of a ‘link’ between the customer or beneficial owner and the Russian Federation is regarded in Latvian law as a potential higher risk factor which an obliged entity is required, under national law, to take into account in the risk assessment that it must carry out in respect of its customers.

If so, it would be necessary to conclude – in the same way as for the risk factor consisting of the legal form of an NGO – that the fact that a customer has a link to the Russian Federation, although not automatically resulting in such a customer being categorised as presenting a higher risk (entailing the automatic application of enhanced due diligence measures), is still a risk factor that the obliged entity must necessarily take into account in the risk assessment of that customer. Consequently, any failure to take this factor into account would also constitute an omission in the assessment of the risk of money laundering and terrorist financing carried out in respect of that customer.

Nevertheless, without prejudice to the assessments to be made by the referring court on the basis of Latvian law, a few points need to be made about the concept of ‘link’. In accordance with the principle of proportionality, the link must have a certain relevance and must relate in some way to the risk of money laundering and terrorist financing.

In those circumstances, the fact that a mere employee of the customer is a national of a country at risk of money laundering does not seem to me to constitute a sufficient link to suggest that there may be an increased risk factor. Such an approach could also potentially give rise to discrimination contrary to the principle of non-discrimination referred to in point 57 above. The situation might be different if, on the contrary, the link involved the beneficial owner of the customer or an employee whose role enables him or her to carry out activities that could potentially be linked to money-laundering activities.

The order for reference does not provide sufficient evidence, particularly as regards the role of VR, a national of the Russian Federation, in the foundation, to take a position on the subject. However, I cannot help but note – as can be inferred from the order for reference – that the Latvian company as a whole has been identified as the beneficial owner of the foundation, a conclusion that appears manifestly contrary to the concept of beneficial owner used in Directive 2015/849. (40) It is in any event for the referring court to verify such aspects.

Lastly, in order to provide the referring court with the most comprehensive answer possible, it must be noted – as can be inferred from points 61 and 62 above, and as the Commission observed at the hearing – that, in the first place, it is for Rodl & Partner to prove why, in view of the customer’s specific situation and in the presence of certain factors, potentially indicative of a high risk, it concluded that the customer in question presented merely a low risk and that it was sufficient therefore to apply simplified measures.

In the second place, in the light of the documents before the Court, it appears that the VID did not penalise Rodl & Partner for failing to apply enhanced measures in respect of its customer in line with the VID’s nationwide practice, whereby a customer must be subjected to enhanced due diligence measures by an obliged entity whenever that customer has the legal form of an NGO or one of its employees is a national of a high-corruption-risk third country. (41) The existence of this practice is contested by the Latvian Government. From the documents before the Court, it appears that the VID instead penalised Rodl & Partner for carrying out an inadequate risk assessment and for failing to consider, in that assessment, factors that might potentially have affected the risk assessment in respect of its two customers. It is obviously for the referring court to verify that aspect.

In the light of all of the foregoing, I propose that the Court answer the first question referred for a preliminary ruling as set out in point 1 of Section IV of this Opinion. Consequently, I do not consider it necessary to answer the second question referred for a preliminary ruling, which was raised only if the answer to the first question was in the affirmative.

By its third question, the referring court asks whether Article 18 of Directive 2015/849, read in conjunction with Annex III, point 3(b), thereto, must be interpreted as meaning that it lays down an automatic obligation to take enhanced customer due diligence measures in every case where one of the customer’s business partners, but not the customer itself, is in some way linked to a high-corruption-risk third country.

As is clear from the considerations set out in relation to the first question referred for a preliminary ruling, and more specifically in points 69 to 72 above, except in the cases referred to in Articles 18a to 24 of Directive 2015/849, the categorisation of a customer as presenting a higher degree of risk, and thus the adoption of enhanced customer due diligence measures in respect of that customer, is not automatic, but must be based on a case-by-case assessment of the specific risk relating to that customer, carried out by the obliged entity on the basis of the criteria identified by the Member State in question or by the obliged entity itself in view of all the pertinent risk factors.

It follows from those considerations, applicable mutatis mutandis to the present question referred in relation to the possible automatic application of enhanced due diligence measures, that the answer to the third question referred for a preliminary ruling must also, in my view, be negative.

However, in order to provide the referring court with the most useful answer possible, we should examine in more detail the question of the relevance – in the system for the prevention of money laundering and terrorist financing provided for in Directive 2015/849 – of situations in which one of the customer’s business partners, but not the customer itself, is linked in some way to a high-corruption-risk third country.

It should be noted in this regard that, as explained earlier, Annex III to Directive 2015/849 lists the geographical factors indicative of potentially high-risk situations, including ‘countries identified by credible sources as having significant levels of corruption or other criminal activity’. Annex III does not make a distinction according to whether the geographical factors apply to the customer or to its business partners. It also follows from Article 8(1) of Directive 2015/849 that the risk assessment that obliged entities are required to carry out must take into account the risk factors relating not only to their customers, but also, inter alia, to ‘transactions’. The approach whereby the analysis of risk factors is not limited to the customer as a person, but includes its business transactions, is also confirmed by Article 13(1)(d) of Directive 2015/849 on customer due diligence measures. Under that provision, in fact, the obligation to conduct ongoing monitoring of the business relationship also covers the customer’s business.

On the other hand, the main objective of Directive 2015/849, recalled in point 31 above, favours a broad interpretation of the concept of geographical risk, which includes not only the origin of the customer from ‘countries identified by credible sources as having significant levels of corruption or other criminal activity’, but also other possible links with that country, such as business activities or significant trading revenues related to it. In that regard, I note that it is apparent from the FATF’s guidance for a risk-based approach for accounting professionals (42) – which may be relevant for the interpretation of Directive 2015/849 (43) – that the fact that the origin of the customer’s source of wealth, which includes trading revenues, comes from a higher risk country constitutes a risk factor to be taken into account by entities that offer accounting services. (44)

However, as already noted in point 29 above, the obligations incumbent on obliged entities derive, in principle, from the national law transposing Directive 2015/849, and not directly from that directive itself. Article 11(1)(3) of the Latvian anti-money laundering Law, cited in point 82 above, considers as a risk factor to be taken into account in the risk assessment the fact that the customer or its beneficial owner has links to a country or territory that presents a high risk of corruption. Unlike Annex III to Directive 2015/849, that provision thus appears to limit the relevance of the geographical factor, in subjective terms, to the customer or its beneficial owner.

Nevertheless, that provision must be interpreted in accordance with Directive 2015/849, which it is for the referring court to do. I note, however, that it follows from the foregoing considerations that an interpretation consistent with that directive would require that provision to be interpreted as including as a geographical risk factor the customer’s link to a country or territory that presents a high risk of corruption in relation to the customer’s trading revenues, and therefore the transactions carried out by that customer in relation to that country, including revenues from business activities carried out with business partners linked to a high-corruption-risk third country.

Despite this, the need for proportionality mentioned in point 64 above requires us to refer to the size and amount of the transaction or trading revenues linked to the higher risk country, which necessarily entails a case-by-case analysis. It follows that not all revenue from business activities carried out with business partners linked to a high-corruption-risk third country will constitute a risk factor to be taken into account in the customer’s risk assessment. Only significant transactions and trading revenues will be relevant for that purpose and may be regarded as a link to that country. This could be the case, for example, where the customer earns some of its revenues – which may be a considerable proportion of its total turnover – from that business partner linked to the high-corruption-risk third country, or where the business transactions are such as to make the customer somehow dependent on that business partner.

In any event, it is for the referring court to assess whether that occurs in the present case with regard to the relationship between RBA Consulting and its business partner linked to the high-corruption-risk third country, and whether, therefore, Rodl & Partner ought to have taken that business transaction into account in its customer’s risk assessment. In that regard, the considerations outlined in points 88 and 89 above apply mutatis mutandis to the risk assessment in respect of RBA Consulting.

In the light of all of the foregoing, I propose that the Court answer the third question referred for a preliminary ruling in the manner set out in point 2 of Section IV of this Opinion.

By the fourth question referred for a preliminary ruling, the referring court asks whether Article 13(1)(c) and (d) of Directive 2015/849 must be interpreted as meaning that those provisions require the obliged entity, when taking customer due diligence measures, to obtain from the customer a copy of the contract concluded between that customer and a third party, or whether the examination of that contract in situ may be considered sufficient.

The fourth question referred, like the third question, forms part of the VID’s objections to Rodl & Partner’s assessment of the degree of risk presented by the second customer in issue, namely RBA Consulting.

As noted in point 39 above, Article 13(1) of Directive 2015/849 defines the (standard) customer due diligence measures that obliged entities are required to apply in the event of the identification of a standard level of risk. These include those provided for in points (c) and (d) of that provision.

As is apparent from points 61 and 62 above, and from Articles 8(2) and 13(4) of Directive 2015/849 mentioned therein, obliged entities are required to comply with evidentiary and documentation requirements vis-à-vis the relevant competent authorities as regards both the risk assessments that they carry out in respect of their customers, and the suitability of the due diligence measures that they apply in respect of their customers in relation to the degree of risk identified. (45)

Moreover, Article 40(1)(a) of Directive 2015/849 requires obliged entities to retain a copy of the documents and information that are necessary to comply with the customer due diligence requirements laid down in that directive.

The abovementioned provisions of Directive 2015/849 do not, however, explain exactly how obliged entities may comply with those evidentiary and documentation requirements vis-à-vis the competent authorities. In that context, the question referred by the referring court relates precisely to those arrangements.

In that connection, I take the view that at the time of an inspection such as that carried out by the VID, an obliged entity such as Rodl & Partner is required to document in an appropriate manner and provide evidence of the risk assessment carried out in respect of one of its customers, of the fact that in that assessment it has considered all the pertinent risk factors, and of the fact that that assessment provides a reasonable basis for the conclusion regarding the level of due diligence measures applied to that customer.

Where, in the context of that risk assessment, it is necessary to take into account a business relationship or transaction with a partner linked to a high-corruption-risk third country, the obliged entity must provide the appropriate documentation to the competent authority demonstrating that it has analysed that business relationship or transaction and duly taken it into account in order to reach its conclusions on the degree of risk presented by the customer.

However, the requirement for the obliged entity to provide evidence and documentation does not, in my view, always necessarily entail the physical presentation of a copy of a contract. Depending on the circumstances, the evidence may be provided in other ways, as long as they are appropriate for that purpose. For example, this could involve – as the Commission essentially pointed out – the production of assessment reports relating to the contract which contain the information necessary to assess the risk linked to that business relationship and which demonstrate that the obliged entity has indeed analysed and considered the contract in question in its risk assessment of that customer.

In my opinion, however, the obliged entity cannot justify its failure to take this business relationship into account in the customer’s risk assessment on the pretext that it is unable to produce the contract in question. The complete absence of evidence and documentation regarding a business relationship which is relevant for the customer’s risk assessment constitutes an infringement of the obligations mentioned in point 105 above. It is obviously for the referring court to determine whether that is indeed the case here.

In the light of all of the foregoing, I propose that the Court answer the fourth question referred for a preliminary ruling in the manner set out in point 3 of Section IV of this Opinion.

By its fifth question, the referring court asks whether Article 14(5) of Directive 2015/849 must be interpreted as meaning that the obliged entity is required to apply due diligence measures to existing commercial customers even where there is no indication of any significant changes in the customer’s circumstances and the period laid down by the competent authority of the Member State for the adoption of new monitoring measures has not expired, and whether that obligation is applicable only in relation to customers that have been categorised as representing a high risk.

That question has been raised because, in the main proceedings, the VID had found that Rodl & Partner was in breach of the Latvian anti-money laundering Law, which requires the obliged entity to update regularly – and at least once every 18 months – information about its customers. (46) However, when the VID carried out the inspection at Rodl & Partner, RBA Consulting had not yet been a customer for 18 months.

Article 14(5) of Directive 2015/849 provides that obliged entities are required to apply the customer due diligence measures not only to all new customers but also at appropriate times to existing customers on a risk-sensitive basis, particularly when the relevant circumstances of a customer change (or in other situations added by the amendments introduced by Directive 2018/843).

In that respect, I note that, in interpreting a provision of EU law, it is necessary to consider not only its wording, but also the context in which it occurs and the objectives pursued by the rules of which it is part. (47)

From a literal point of view, it follows from Article 14(5) of Directive 2015/849 that obliged entities have an obligation to apply the due diligence measures to existing customers ‘at appropriate times’, on a ‘risk-sensitive basis’. It also appears that one of the cases where this is appropriate is ‘at times when the relevant circumstances of a customer change’. Directive 2015/849 does not, however, provide clarification as to what is meant by ‘appropriate times’. Nevertheless, it is inferred from the wording of the provision that the obliged entity must apply or update the due diligence measures when this appears not only necessary but appropriate, in relation to the assessment of the risk of money laundering posed by the customer, which, as we have already seen, depends on an analysis of all the pertinent factors. Again from a literal point of view, it should also be noted that the provision in question does not limit that obligation solely to customers categorised as presenting a high degree of risk.

That interpretation of the provision in question is corroborated schematically. First, Article 14(5) of Directive 2015/849 is included in Section 1, entitled ‘General provisions’, of Chapter II of that directive concerning customer due diligence obligations. It follows that the obligation incumbent on obliged entities pursuant to that article applies to all customers, regardless of whether they present a low, normal or high degree of risk.

Second, as previously noted in point 63 above, in the scheme of Directive 2015/849, the risk assessment is a dynamic and, to the extent that it is reasonable, ongoing process. In principle, therefore, obliged entities are required to monitor constantly, in so far as reasonable, their customers’ transactions. It follows that, should they become aware of aspects, such as business transactions, that could potentially affect the customer’s risk assessment, they are required to take those aspects into consideration and, where appropriate, review the risk analysis and, if necessary, the level of due diligence measures applied to that customer.

A broad interpretation, provided it is reasonable, of the provision at issue is, in my view, consistent with the main objective of Directive 2015/849, as mentioned in point 31.

As regards the present case, I first note that – as pointed out by the Latvian Government and by the referring court itself – Latvian law lays down an obligation for the obliged entity to update information about its customers periodically. However, the period of 18 months is only the maximum period within which the update must take place. An interpretation of that provision in accordance with Article 14(5) of Directive 2015/849 implies, in my opinion, that it cannot be understood as meaning that there is no obligation for the obliged entity to review and if necessary modify its risk assessment in respect of a customer – and consequently, where appropriate, to adapt the measures applied to that customer – whenever it becomes aware of factors that could potentially affect that risk assessment.

It is for the referring court to ascertain whether the transactions concluded between RBA Consulting and the company linked to the high-corruption-risk country, of which Rodl & Partner was undisputedly aware, were transactions that made it appropriate, in relation to the risk assessment of RBA Consulting – particularly in the light of those transactions – for Rodl & Partner to update that assessment and, if necessary, modify the due diligence measures in respect of its customer, regardless of the expiry of the maximum period of 18 months laid down by Latvian law.

In the light of all of the foregoing, I propose that the Court answer the fifth question referred for a preliminary ruling in the manner set out in point 4 of Section IV of this Opinion.

124.

By its sixth question, the referring court asks whether Article 60(1) and (2) of Directive 2015/849 must be interpreted as meaning that, when publishing information on a decision imposing an administrative sanction or measure for breach of the national provisions transposing that directive against which there is no appeal, the competent authority has an obligation to ensure that the information published conforms exactly to the information contained in that decision.

125.

In that respect, above all, the Latvian Government’s arguments that this question is hypothetical and therefore inadmissible must be rejected. (1) First, the simple fact of questioning the Court of Justice on the interpretation of both paragraph 1 and paragraph 2 of Article 60 of Directive 2015/849, which are linked in view of the wording of the latter paragraph, does not make that question hypothetical. Second, it is expressly stated in the order for reference that, even at the time of the adoption of those decisions, there were inaccuracies in the publication of the contested decision.

126.

It essentially follows from the wording of Article 60(2) that it is the information contained in the decisions against which an appeal has been lodged that has to be published online. Such information must therefore correspond to the information contained in those decisions. Therefore, I propose that the Court answer the sixth question referred for a preliminary ruling in the manner set out in point 5 of Section IV of this Opinion.

127.

On the basis of all of the foregoing considerations, I propose that the Court answer the questions referred for a preliminary ruling by the Administratīvā rajona tiesa (District Administrative Court, Latvia) as follows:

Article 18(1) and (3) of Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC, read in conjunction with Annex III, point 3(b), thereto, must be interpreted as meaning that those provisions do not automatically require an obliged entity to categorise a customer as representing a higher degree of risk and consequently to take enhanced customer due diligence measures in respect of that customer on the ground that the customer is a non-governmental organisation and the person authorised and employed by the customer is a national of a high-corruption-risk third country. However, in view of the degree of discretion left to Member States by Directive 2015/849, a Member State may determine in its national law that such circumstances constitute higher-risk factors which an obliged entity is required to take into account in the risk assessment that it must carry out in respect of one of its customers.

Article 18 of Directive 2015/849, read in conjunction with Annex III, point 3(b), thereto, must be interpreted as meaning that those provisions do not lay down an automatic obligation to take enhanced customer due diligence measures in every case where one of the customer’s business partners, but not the customer itself, is in some way linked to a high-corruption-risk third country. Nevertheless, the fact that the customer earns a significant proportion of its revenues or carries out significant business transactions in relation to such a country constitutes a higher-risk factor that an obliged entity is required to take into account in a customer’s risk assessment.

Article 13(1)(c) and (d) of Directive 2015/849 must be interpreted as meaning that it does not require the obliged entity, when taking customer due diligence measures, necessarily to obtain from the customer a copy of the contract concluded between that customer and a third party. However, the obliged entity is required, where necessary, to provide appropriate documentation to the competent authority demonstrating that it has analysed that transaction or business relationship and duly taken it into account in reaching its conclusions on the level of risk posed by the customer.

Article 14(5) of Directive 2015/849 must be interpreted as meaning that the obliged entity is required, to the extent that it is reasonable, to monitor constantly the transactions and business relationships of its customers, even when the maximum period laid down in the law of the Member States for the review of the customer’s situation has not yet expired or significant changes in the customer’s situation have not been identified. In the event that the obliged entity becomes aware of aspects that could potentially affect the customer’s risk assessment, it is required to take those aspects into consideration and, where appropriate, review the risk analysis and, if necessary, the level of due diligence measures applied to that customer. That requirement does not apply solely to high-risk customers.

Article 60(1) and (2) of Directive 2015/849 must be interpreted as meaning that, when it publishes information on a decision imposing an administrative sanction or measure for breach of the national provisions transposing that directive against which there is no appeal, the competent authority has an obligation to ensure that the information published conforms exactly to the information contained in that decision.

(1) Original language: Italian.

(2) Directive of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ 2015 L 141, p. 73). Directive 2015/849 was amended by Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive 2015/849 and Directives 2009/138/EC and 2013/36/EU (OJ 2018 L 156, p. 43).

(3) Latvijas Vēstnesis, 2008, No 116.

(4) The referring court refers to the assessment of the country concerned by Transparency International (www.transparency.org/en/countries/russia).

(5) See Article 8(2) of Directive 2015/849 and point 63 below.

(6) See, in the present case, Article 6 of Directive 2018/843.

(7) See footnote 3 of the order for reference.

(8) The amendments made by Directive 2018/843 to Article 18 of Directive 2015/849 (which is the subject of the first three questions referred for a preliminary ruling) do not concern the present case. Article 13(1)(c) and (d) and Article 60(1) and (2) of Directive 2015/849 (referred to in the fourth and sixth questions) were not amended by Directive 2018/843. Article 14(5) of Directive 2015/849 (referred to in the fifth question) was amended by Directive 2018/843, but the amendments do not seem relevant for the answer to the fifth question.

(9) Judgment of 6 October 2021, ECOTEX BULGARIA (C‑544/19, EU:C:2021:803, paragraph 44).

(10) See, in relation to Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing (OJ 2005 L 309, p. 15), subsequently repealed by Directive 2015/849, judgment of 2 September 2021, LG and MH (Self-laundering) (C‑790/19, EU:C:2021:661, paragraph 68 and the case-law cited).

(11) Those measures are intended to prevent or, at the very least, to restrict as far as possible those activities, by establishing, for that purpose, barriers at all stages which those activities may include, against money launderers and terrorist financers (see, in this respect, in relation to Directive 2005/60, judgment of 2 September 2021, LG and MH (Self-laundering) (C‑790/19, EU:C:2021:661, paragraph 69 and the case-law cited)).

(12) The risk-based approach is also explicitly mentioned in Article 4(1), Article 18(1), second subparagraph, Article 30(8), Article 31(6) and Article 48(6) and (10) of Directive 2015/849.

(13) See, specifically, Section 2 of Chapter I of Directive 2015/849.

(14) Under Article 6 of Directive 2015/849, the Commission conducts an assessment of the risks of money laundering and terrorist financing affecting the internal market and relating to cross-border activities.

(15) See Sections 1 to 3 of Chapter II of Directive 2015/849, which is headed ‘Customer due diligence’.

(16) See in this regard, in relation to Directive 2005/60, judgment of 10 March 2016, Safe Interenvíos (C‑235/14, EU:C:2016:154, paragraph 107; ‘Safe Interenvíos’).

(17) See recital 30 of Directive 2015/849.

(18) See, to that effect, in relation to Directive 2005/60, Safe Interenvíos, paragraph 64, as well as paragraph 107.

(19) See, in relation to Directive 2005/60, Safe Interenvíos, paragraph 87.

(20) See, in relation to Directive 2005/60, Safe Interenvíos, paragraph 59.

(21) See, to that effect, in relation to Directive 2005/60, Safe Interenvíos, paragraph 107.

(22) See, in relation to Directive 2005/60, judgments of 25 April 2013, Jyske Bank Gibraltar (C‑212/11, EU:C:2013:270, paragraph 61), and Safe Interenvíos, paragraph 76.

(23) Indeed, it is clear from the wording of Article 7(1) of Directive 2015/849 that each Member State must identify and mitigate the risks of money laundering and terrorist financing affecting it (emphasis added).

(24) See, in relation to Directive 2005/60, Safe Interenvíos, paragraph 105.

(25) See, in relation to Directive 2005/60, Safe Interenvíos, paragraph 73.

(26) That provision enables Member States to identify, within the framework of their national law, according to a risk-based approach, other situations posing a higher risk and therefore justifying or even requiring the application of enhanced customer due diligence measures in addition to the standard due diligence measures. See, in relation to Directive 2005/60, Safe Interenvíos, paragraph 74.

(27) See, to that effect, in relation to Article 5 of Directive 2005/60, judgments of 25 April 2013, Jyske Bank Gibraltar (C‑212/11, EU:C:2013:270, paragraph 61), and Safe Interenvíos, paragraph 76.

(28) See, in relation to Directive 2005/60, Safe Interenvíos, paragraph 77.

(29) This is included in Section 1 of Chapter I of Directive 2015/849, headed ‘Subject matter, scope and definitions’. See, in relation to Directive 2005/60, Safe Interenvíos, paragraph 78.

(30) See, in relation to Directive 2005/60, Safe Interenvíos, paragraph 106.

(31) In that respect, it may be worth noting the distinction that exists in some constitutional systems between matters that are strictly reserved for the law (where the law must lay down exhaustive rules on all aspects of the matter) and matters that are partially reserved for the law (where the law can simply establish general rules, which will then be specified in more detail in subsequent instruments that do not necessarily have to have legislative status).

(32) See recital 22 of Directive 2015/849.

(33) See, in relation to Directive 2005/60, Safe Interenvíos, paragraph 86.

(34) See point 50 above and Safe Interenvíos, paragraph 106.

(35) The report is entitled ‘Juridisko personu un nevalstisko organizāciju noziedzīgi iegūtu līdzekļu legalizācijas un terorisma finansēšanas riski’ (‘Risks of money laundering and terrorist financing of legal persons and non-governmental organisations’). As mentioned in point 12 above, in the description of the facts in the order for reference, the referring court also states that the VID had referred to a report published on 22 June 2018. It is not clear whether this is the same document or a different document.

(36) The Latvian Government referred to the report of the Council of Europe’s Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism (Moneyval) entitled ‘Anti-money laundering and counter-terrorist financing measures Latvia Fifth Round Mutual Evaluation Report’.

(37) www.fatf-gafi.org/countries/#high-risk.

(38) See Article 9(2) of Directive 2015/849 and Commission Delegated Regulation (EU) 2016/1675 of 14 July 2016 supplementing Directive (EU) 2015/849 of the European Parliament and of the Council by identifying high-risk third countries with strategic deficiencies (OJ 2016 L 254, p. 1).

(39) The referring court refers to the analysis carried out by Transparency International as a ‘credible source’. See www.transparency.org/en/countries/russia.

(40) See Article 3(6) of Directive 2015/849.

(41) As is apparent from point 16 above, the referring court, in the order for reference, appears to rely on an argument put forward by Rodl & Partner which refers to the merely hypothetical existence of such a practice. For that reason, I do not consider it necessary to analyse the question, raised by Rodl & Partner, as to the possible compatibility of that national practice with Article 56 TFEU.

(42) ‘Guidance for a Risk-Based Approach – Accounting Profession’, of June 2019, available on the website https://www.fatf-gafi.org/media/fatf/documents/reports/RBA-Accounting-Profession.pdf. See page 22 et seq., and in particular page 27.

(43) On the need to align the interpretation of EU legal acts on money laundering with the FATF recommendations, see the end of recital 4 of Directive 2015/849.

(44) See paragraph 71(a) and Box 2 on page 26 of the abovementioned FATF guidance.

(45) See, in relation to Directive 2005/60, Safe Interenvíos, paragraph 86.

(46) See Article 8(2) of the Latvian anti-money laundering Law.

(47) See, inter alia, judgment of 24 March 2021, MCP (C‑603/20 PPU, EU:C:2021:231, paragraph 37 and the case-law cited).

(48) The Latvian Government submits, on the one hand, that, by referring to Article 60(1) and (2) of Directive 2015/849, the question referred for a preliminary ruling concerns two situations that cannot occur simultaneously: namely, a situation in which an uncontested decision is published, and a situation in which a contested decision is published. On the other hand, the outcome of the dispute in the main proceedings does not depend on the assessment of any previous inaccuracy in the publication.