Ga verder naar contentGa verder naar content en skip ook inhoudsopgave
SduIn- en Uitvoer
Home

Judgment of the Court (First Chamber) of 17 November 2022

Judgment of the Court (First Chamber) of 17 November 2022

Data

Court
Court of Justice
Case date
17 november 2022

Verdict

Judgment of the Court (First Chamber)

17 November 2022(*)

"(Reference for a preliminary ruling - Prevention of the use of the financial system for the purpose of money laundering and terrorist financing - Directive (EU) 2015/849 - Article 18(1) and (3) - Annex III, point 3(b) - Risk-based approach - Risk assessment conducted by obliged entities - Identification of risks by Member States and obliged entities - Customer due diligence measures - Enhanced due diligence measures - High-corruption-risk third countries - Article 13(1)(c) and (d) - Evidence and documentation requirements imposed on obliged entities - Article 14(5) - Ongoing customer monitoring imposed on obliged entities - Publication of decisions imposing a sanction)"

In Case C‑562/20,

concerning a request for a preliminary ruling under Article 267 TFEU from the administratīvā rajona tiesa (District Administrative Court, Latvia), by decision of 12 October 2020 received at the Court on 28 October 2020, in the proceedings

SIA ‘Rodl & Partner’

v

Valsts ieņēmumu dienests,

THE COURT (First Chamber),

composed of A. Arabadjiev, President of the Chamber, L. Bay Larsen, Vice-President of the Court, acting as Judge of the First Chamber, P.G. Xuereb, A. Kumin (Rapporteur) and I. Ziemele, Judges,

Advocate General: G. Pitruzzella,

Registrar: M. Siekierzyńska, Administrator,

having regard to the written procedure and further to the hearing on 3 February 2022,

  1. after considering the observations submitted on behalf of:

    • SIA ‘Rodl & Partner’, by J.‑C. Pastille, Rechtsanwalt, and L. Rasnačs, advokāts,

    • the Latvian Government, by I. Hūna, K. Pommere and V. Soņeca, acting as Agents,

    • the European Parliament, by J. Etienne, O. Hrstková Šolcová, M. Menegatti and L. Ruppeka-Rupeika, acting as Agents,

    • the Council of the European Union, by D. Ancāne, M. Chavrier, I. Gurov and K. Pleśniak, acting as Agents,

    • the European Commission, by L. Havas, A. Sauka and T. Scharfacting as Agents,

after hearing the Opinion of the Advocate General at the sitting on 12 May 2022,

gives the following

Judgment

The request for a preliminary ruling concerns the interpretation of Article 13(1)(c) and (d), Article 14(5), Article 18, Article 60(1) and (2), and of Annex III, point 3(b) to Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ 2015 L 141, p. 73), as well as the validity of Article 14(5), and Article 18(1) and (3) of that directive. The request has been made in proceedings between SIA ‘Rodl & Partner’ and Valsts ieņēmumu dienests (national tax authority, Latvia) (the ‘VID’) concerning a financial penalty imposed on Rodl & Partner for infringements of the national provisions on prevention of money laundering and terrorist financing.

Legal framework

European Union law

Recitals 1, 22, 30, 43 and 66 in the preamble to Directive 2015/849 read as follows:

  • Flows of illicit money can damage the integrity, stability and reputation of the financial sector, and threaten the internal market of the Union as well as international development. Money laundering, terrorism financing and organised crime remain significant problems which should be addressed at Union level. In addition to further developing the criminal law approach at Union level, targeted and proportionate prevention of the use of the financial system for the purposes of money laundering and terrorist financing is indispensable and can produce complementary results.

  • The risk of money laundering and terrorist financing is not the same in every case. Accordingly, a holistic, risk-based approach should be used. The risk-based approach is not an unduly permissive option for Member States and obliged entities. It involves the use of evidence-based decision-making in order to target the risks of money laundering and terrorist financing facing the Union and those operating within it more effectively.

  • Risk itself is variable in nature, and the variables, on their own or in combination, may increase or decrease the potential risk posed, thus having an impact on the appropriate level of preventative measures, such as customer due diligence measures. Therefore, there are circumstances in which enhanced due diligence should be applied and others in which simplified due diligence may be appropriate.

  • It is essential that the alignment of this Directive with the revised ]Financial Action Task Force (FATF)] Recommendations is carried out in full compliance with Union law, in particular as regards Union data protection law and the protection of fundamental rights as enshrined in the Charter [of Fundamental Rights of the European Union]. Certain aspects of the implementation of this Directive involve the collection, analysis, storage and sharing of data. Such processing of personal data should be permitted, while fully respecting fundamental rights, only for the purposes laid down in this Directive, and for the activities required under this Directive such as carrying out customer due diligence, ongoing monitoring, investigation and reporting of unusual and suspicious transactions, identification of the beneficial owner of a legal person or legal arrangement, identification of a politically exposed person, sharing of information by competent authorities and sharing of information by credit institutions and financial institutions and other obliged entities. The collection and subsequent processing of personal data by obliged entities should be limited to what is necessary for the purpose of complying with the requirements of this Directive and personal data should not be further processed in a way that is incompatible with that purpose. In particular, further processing of personal data for commercial purposes should be strictly prohibited.

  • In accordance with Article 21 of the Charter [of Fundamental Rights], which prohibits discrimination based on any ground, Member States are to ensure that this Directive is implemented, as regards risk assessments in the context of customer due diligence, without discrimination.’

    • Article 1(1) and (2) of that directive provides:

    ‘1.

    This Directive aims to prevent the use of the Union's financial system for the purposes of money laundering and terrorist financing.

    2.

    Member States shall ensure that money laundering and terrorist financing are prohibited.’

    Article 5 of the directive provides:

    ‘Member States may adopt or retain in force stricter provisions in the field covered by this Directive to prevent money laundering and terrorist financing, within the limits of Union law.’

    Under Article 7(1) of Directive 2015/849:

    ‘Each Member State shall take appropriate steps to identify, assess, understand and mitigate the risks of money laundering and terrorist financing affecting it, as well as any data protection concerns in that regard. It shall keep that risk assessment up to date.’

    Article 8(1) and (2) of the directive is worded as follows:

    ‘1.

    Member States shall ensure that obliged entities take appropriate steps to identify and assess the risks of money laundering and terrorist financing, taking into account risk factors including those relating to their customers, countries or geographic areas, products, services, transactions or delivery channels. Those steps shall be proportionate to the nature and size of the obliged entities.

    2.

    The risk assessments referred to in paragraph 1 shall be documented, kept up-to-date and made available to the relevant competent authorities and self-regulatory bodies concerned. Competent authorities may decide that individual documented risk assessments are not required where the specific risks inherent in the sector are clear and understood.’

    Article 11 of the directive provides:

    ‘Member States shall ensure that obliged entities apply customer due diligence measures in the following circumstances:

    1. when establishing a business relationship;

    2. when carrying out an occasional transaction that:

      1. amounts to EUR 15 000 or more, whether that transaction is carried out in a single operation or in several operations which appear to be linked; or

      2. constitutes a transfer of funds, as defined in point (9) of Article 3 of Regulation (EU) 2015/847 of the European Parliament and of the Council [of 20 May 2015 on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (2015, L 141, p. 1),] exceeding EUR 1 000;

    1. when there is a suspicion of money laundering or terrorist financing, regardless of any derogation, exemption or threshold;

    …’

    Article 13(1) and (4) of Directive 2015/849 states:

    ‘1.

    Customer due diligence measures shall comprise:

    1. assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship;

    2. conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the obliged entity's knowledge of the customer, the business and risk profile, including where necessary the source of funds and ensuring that the documents, data or information held are kept up-to-date.

    4.

    Member States shall ensure that obliged entities are able to demonstrate to competent authorities or self-regulatory bodies that the measures are appropriate in view of the risks of money laundering and terrorist financing that have been identified.’

    Article 14(5) of the directive provides:

    ‘Member States shall require that obliged entities apply the customer due diligence measures not only to all new customers but also at appropriate times to existing customers on a risk-sensitive basis, including at times when the relevant circumstances of a customer change.’

    Under Article 18(1) to (3) of the directive:

    ‘1.

    In the cases referred to in Articles 19 to 24, and when dealing with natural persons or legal entities established in the third countries identified by the Commission as high-risk third countries, as well as in other cases of higher risk that are identified by Member States or obliged entities, Member States shall require obliged entities to apply enhanced customer due diligence measures to manage and mitigate those risks appropriately.

    2.

    Member States shall require obliged entities to examine, as far as reasonably possible, the background and purpose of all complex and unusually large transactions, and all unusual patterns of transactions, which have no apparent economic or lawful purpose. In particular, obliged entities shall increase the degree and nature of monitoring of the business relationship, in order to determine whether those transactions or activities appear suspicious.

    3.

    When assessing the risks of money laundering and terrorist financing, Member States and obliged entities shall take into account at least the factors of potentially higher-risk situations set out in Annex III.’

    The first subparagraph of Article 40(1) of Directive 2015/849 provides:

    ‘Member States shall require obliged entities to retain the following documents and information in accordance with national law for the purpose of preventing, detecting and investigating, by the [Financial Intelligence Unit (FIU)] or by other competent authorities, possible money laundering or terrorist financing:

    1. in the case of customer due diligence, a copy of the documents and information which are necessary to comply with the customer due diligence requirements laid down in Chapter II, for a period of five years after the end of the business relationship with their customer or after the date of an occasional transaction;

    2. the supporting evidence and records of transactions, consisting of the original documents or copies admissible in judicial proceedings under the applicable national law, which are necessary to identify transactions, for a period of five years after the end of a business relationship with their customer or after the date of an occasional transaction.’

    Article 60(1) and (2) of the directive states:

    ‘1.

    Member States shall ensure that a decision imposing an administrative sanction or measure for breach of the national provisions transposing this Directive against which there is no appeal shall be published by the competent authorities on their official website immediately after the person sanctioned is informed of that decision. The publication shall include at least information on the type and nature of the breach and the identity of the persons responsible. Member States shall not be obliged to apply this subparagraph to decisions imposing measures that are of an investigatory nature.

    2.

    Where Member States permit publication of decisions against which there is an appeal, competent authorities shall also publish, immediately, on their official website such information and any subsequent information on the outcome of such appeal. Moreover, any decision annulling a previous decision to impose an administrative sanction or a measure shall also be published.’

    Annex III to the directive contains a ‘non-exhaustive list of factors and types of evidence of potentially higher risk referred to in Article 18(3)’. That list consists of three categories, namely ‘customer risk factors’ (point 1), ‘product, service, transaction or delivery channel risk factors’ (point 2) and ‘geographical risk factors’ (point 3). Those risk factors include, in point 3(b) of the Annex, ‘countries identified by credible sources as having significant levels of corruption or other criminal activity’.

    Latvian law

    The Noziedzīgi iegūtu līdzekļu legalizācijas un terorisma un proliferācijas finansēšanas novēršanas likums (Law on the prevention of money laundering and the financing of terrorism and proliferation), of 17 July 2008 (Latvijas Vēstnesis, 2008, No 116), was amended for the purpose, in particular, of transposing Directive 2015/849 into Latvian law. That law, in the version applicable to the facts in the main proceedings (‘Law on prevention’) states in Article 6(1) and (1.2) thereof:

    ‘(1)

    The obliged entity, according to its type of activity, shall conduct and document the assessment of the money laundering and terrorism financing risks in order to identify, assess, understand, and manage the money laundering and terrorist financing risks inherent to its own activities and customers, and, on the basis of such assessment, shall establish an internal control system for the prevention of money laundering and terrorism financing, including by developing and documenting the relevant policies and procedures, which shall be approved by the board of the obliged entity, if any is appointed, or, where appropriate, by the senior management body of the obliged entity.

    (1.2)

    When performing the money laundering and terrorist financing risk assessment and creating the internal control system, the obliged entity shall take into account at least the following circumstances affecting the risks:

    1. customer risk inherent in the legal form, ownership structure of the customer, economic or personal activities of the customer or the beneficial owner of the customer;

    2. country and geographical risk, i.e., the risk that the customer or the beneficial owner of the customer is affiliated to a country or territory whose economic, social, legal or political circumstances may be indicative of a high money laundering or terrorist financing risk inherent in the country …’

    Article 8(2) of the Law provides:

    ‘The obliged entity shall, on a regular basis, but at least once every 18 months, assess the efficiency of the operation of the internal control system, including by reviewing and updating the money laundering and terrorist financing risk assessment related to the customer, its country of residence (establishment), economic or personal activity of the customer, services and products used and their delivery channels, as well as the transactions made, and, if necessary, shall implement measures for improving the efficiency of the internal control system, including [those for] review[ing] and adjust[ing] the policies and procedures for the prevention of money laundering and terrorist financing.’

    The dispute in the main proceedings and the questions referred for a preliminary ruling

    Rodl & Partner is a commercial company established in Latvia, whose activity consists in providing accounting, bookkeeping and audit services as well as tax consultancy services. It has ‘obliged entity’ status within the meaning of the Law on prevention. During the period between 3 April and 6 June 2019, Rodl & Partner was inspected by the VID in the context of preventing money laundering, resulting in the production of an initial report on 3 April 2019, and then a final report on 6 June 2019. The report of 3 April 2019 revealed, first, that the internal monitoring system established by Rodl & Partner in order to meet the requirements laid down in the Law on prevention brought to light certain irregularities and, second, that Rodl & Partner, as an obliged entity, had failed, in disregard of the requirements laid down in Article 6(1) of that law, to conduct and document a money laundering and terrorist financing risk assessment on two of its customers, namely the foundation IT izglītības fonds and RBA Consulting SIA. In fact, the VID considered that those two customers represented a high risk of money laundering and terrorist financing and that, therefore, Rodl & Partner should have adopted enhanced due diligence measures in relation to them. Thus, with regard to the foundation IT izglītības fonds, the VID noted, first, that the foundation was a non-governmental organisation (NGO) which, as such, was particularly vulnerable and susceptible to being used illegally for terrorist financing purposes, as indicated by a report published by the Noziedzīgi iegūtu līdzekļu legalizācijas novēršanas dienests (Money laundering prevention service, Latvia); second, that the person employed as the manager of that foundation who had signed, on 7 March 2017, that foundation’s identity card was a national of the Russian Federation, a high-corruption-risk third country, and, third, that the foundation designated the Latvian company as a whole as the beneficial owner, which infringed the current national regulations. As regards RBA Consulting, the VID established that it had conducted financial transactions with a company majority-owned by a company established in the Russian Federation. Moreover, when the VID had asked Rodl & Partner to provide it with a copy of the contract forming the basis of those transactions, the obliged entity did not comply with that request, explaining only that it had been made aware of the original of that contract in the premises of RBA Consulting. By decision of 11 July 2019, the director of the VID ordered Rodl & Partner to pay a fine of EUR 3 000 for infringements of the Law on prevention in its relations with the foundation IT izglītības fonds and RBA Consulting. On the other hand, as the final inspection report of 6 June 2019 had established that the irregularities vitiating the internal control system had been corrected, no infringement was established in that regard. On 11 August 2019, the VID published on its website information on the infringements committed by Rodl & Partner as established by that decision. Following an administrative appeal lodged against that decision, the decision was confirmed by a decision of the Director-General of the VID of 13 November 2019. On 13 December 2019, Rodl & Partner brought an action before the administratīvā rajona tiesa (District Administrative Court, Latvia), the referring court, seeking the annulment of the decision of 13 November 2019 and an order requiring the VID to remove the information published on its website regarding the penalty imposed. The referring court observes, in the first place, that neither the Law on prevention nor Directive 2015/849 provide for the possibility of an NGO constituting, by virtue of its legal form, a higher risk with regard to money laundering and terrorist financing which, for that reason alone, must be the subject of enhanced due diligence by obliged entities. Similarly, none of the criteria that might indicate a higher geographical risk stated in the Guidance for a Risk-based Approach for the Accounting Profession, published by the FATF, would concern the nationality of a customer’s employee. Therefore, according to that court, if the VID considered, as the national inspection authority, that an obliged entity must apply enhanced due diligence measures in all cases where the customer is an NGO or that one of its employees, without being the beneficial owner of that customer within the meaning of that directive, is a national of a high-corruption-risk third country, the question would arise whether such a requirement, not provided for by law, would be excessive and disproportionate and, therefore, inconsistent with the principle of proportionality, as laid down in Article 5 TEU. In that context, the referring court states that the Russian Federation is not a high-risk country as it is not mentioned on the list of high-risk countries published by the FATF or in that of third countries whose systems to combat money laundering or terrorist financing are inadequate, which has been adopted by the European Commission. However, the referring court states that, on the basis of Annex III, point 3(b), to Directive 2015/849, the Russian Federation might be regarded as a high-corruption-risk territory, which the NGO Transparency International also maintains. Second, the referring court considers that, under Article 5 of Directive 2015/849, as interpreted by the Court of Justice in its judgment of 10 March 2016, Safe Interenvíos (C‑235/14, EU:C:2016:154 ), a Member State may adopt stricter provisions to prevent money laundering and terrorist financing where, in the Member State’s opinion, such a risk exists. Nonetheless, the referring court wonders whether, in the present case, by considering the fact that RBA Consulting is the business partner of a subsidiary which is majority-owned by a company established in the Russian Federation as a high-risk factor, the VID applied the Law on prevention disproportionately, as neither that law nor Directive 2015/849 provides for such a risk factor. Similarly, that court wonders whether the VID exceeded its powers by requiring Rodl & Partner to provide it with a copy of the contract concluded between RBA Consulting and that subsidiary, as neither the Law on prevention nor Directive 2015/849 would require the obliged entity to obtain the copies of such transaction records. Third, the referring court states that the VID considered that Rodl & Partner had disregarded Article 8(2) of the Law on prevention, under which the obliged entity must, on a regular basis, at least once every 18 months, assess the money laundering and terrorist financing risk related to the customer. When the VID assessed the situation of Rodl & Partner, RBA Consulting had not yet been a customer for 18 months. Therefore, the question arises whether the provisions of Directive 2015/849, in particular Article 14(5) thereof, require the obliged entity to apply due diligence measures to existing customers even if no change in the relevant circumstances of their situation can be identified and, where appropriate, whether such measures are reasonable and proportionate, or whether those measures apply only to customers representing a high risk of money laundering or terrorist financing. Fourth, and last, the referring court points out that the information on infringements committed by Rodl & Partner which the VID published on its website contained inaccuracies. Therefore, that court is uncertain as to the interpretation of Article 60(1) and (2) of Directive 2015/849. In these circumstances, l’administratīvā rajona tiesa (District Administrative Court) decided to stay the proceedings and to refer the following questions to the Court of Justice for a preliminary ruling:

    1. Must Article 18(1) and (3) of Directive 2015/849, together with Annex III, point 3(b), thereto, be interpreted as meaning that those provisions (i) automatically require a provider of external bookkeeping services to take enhanced customer due diligence measures on the ground that the customer is a non-governmental organisation and the person authorised and employed by the customer is a national of a high-corruption-risk third country, in the present case, the Russian Federation, who holds a Latvian residence permit, and (ii) automatically require that customer to be categorised as representing a higher degree of risk?

    2. If the preceding question is answered in the affirmative, can the abovementioned interpretation of Article 18(1) and (3) of Directive 2015/849 be regarded as proportionate and, therefore consistent with the first subparagraph of Article 5(4) of the Treaty on European Union?

    3. Must Article 18 of Directive 2015/849, together with Annex III, point 3(b), thereto, be interpreted as meaning that it lays down an automatic obligation to take enhanced customer due diligence measures in every case where one of the customer’s business partners, but not the customer itself, is in some way linked to a high-corruption-risk third country, in the present case, the Russian Federation?

    4. Must Article 13(1)(c) and (d) of Directive 2015/849 be interpreted as meaning that, when taking customer due diligence measures, the obliged entity must obtain from the customer a copy of the contract concluded between that customer and a third party, and, therefore, that an examination of that contract in situ is considered to be insufficient?

    5. Must Article 14(5) of Directive 2015/849 be interpreted as meaning that the obliged entity is required to apply due diligence measures to existing commercial customers even where there is no indication of any significant changes in the customer’s circumstances and the time limit laid down by the competent authority of the Member State for the adoption of new monitoring measures has not expired, and that that obligation is applicable only in relation to customers that have been categorised as representing a high risk?

    6. Must Article 60(1) and (2) of Directive 2015/849 be interpreted as meaning that, when publishing information on a decision imposing an administrative sanction or measure for breach of the national provisions transposing that directive against which there is no appeal, the competent authority has an obligation to ensure that the information published conforms exactly to the information contained in that decision?’

    The questions referred for a preliminary ruling

    The first and third questions

    By its first and third questions, which should be examined together, the referring court asks, in essence, whether Article 18(1) and (3) of Directive 2015/849, read together with Annex III, point 3(b), thereto, must be interpreted as meaning that it requires an obliged entity to automatically categorise a customer as high-risk and, therefore, to apply enhanced due diligence to that customer where the customer is an NGO, where one of the customer’s employees is a national of a high-corruption-risk third country or where the business partner of that customer, but not the customer itself, is linked to such a high-corruption risk third country. First of all, it must be observed that the main aim of Directive 2015/849, as is apparent from its heading and from Article 1(1) and (2) thereof, is the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (see, by analogy, as regards Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (OJ 2005 L 309, p. 15), judgment of 2 September 2021, LG and MH (Self-laundering) , C‑790/19, EU:C:2021:661, paragraph 68 and the case-law cited; see, to that effect, judgment of 6 October 2021, ECOTEX BULGARIA , C‑544/19, EU:C:2021:803, paragraph 44 ). The provisions of Directive 2015/849, which are preventive in nature, seek to establish, taking a risk-based approach, a body of preventive and dissuasive measures to combat money laundering and terrorist financing effectively (see, by analogy, judgment of 2 September 2021, LG and MH (Self-laundering) , C‑790/19, EU:C:2021:661, paragraph 69 and the case-law cited), in order to prevent, as is apparent from recital 1 in the preamble to that directive, flows of illicit money from being able to damage the integrity, stability and reputation of the financial sector and threaten the internal market of the European Union as well as international development. As the Advocate General observed in point 33 of his Opinion, and as is apparent from Articles 6 to 8 of Directive 2015/849, the risk-based approach requires an assessment of the risk undertaken, within the framework of the system established by that directive, at three levels, that is, first of all, at EU level, by the Commission, then, at Member State level and, finally, at obliged entity level. As is apparent from recital 30 in the preamble to the directive, the application by those entities of appropriate due diligence measures to the customer concerned depends on that assessment. In fact, according to the case-law of the Court of Justice, without such assessment, it is not possible for either the Member State concerned or, as the case may be, the said entities to decide in an individual case what measures to apply (see, by analogy, judgment of 10 March 2016, Safe Interenvíos , C‑235/14, EU:C:2016:154, paragraph 107 ). In that regard, Directive 2015/849 provides, in Sections 1 to 3 of Chapter II thereof, headed ‘Customer due diligence’, three types of due diligence measures, namely standard measures, simplified measures and enhanced measures. As is clear from the case-law of the Court of Justice, those measures are intended to prevent or, at the very least, to restrict as far as possible those activities, by establishing, for that purpose, barriers at all stages which those activities may include, against money launderers and terrorist financers (see, by analogy, judgment of 2 September 2021, LG and MH (Self-laundering) , C‑790/19, EU:C:2021:661, paragraph 69 and the case-law cited). As regards enhanced due diligence measures, which are the only measures at issue in respect of the first and third questions raised, it must be observed that Article 18(1) of Directive 2015/849 mentions certain situations posing a higher risk of money laundering and terrorist financing in which Member States require obliged entities to apply such measures to the customer to manage and mitigate that risk appropriately. Therefore, such enhanced due diligence measures must be applied by those entities, first, in the cases referred to in Articles 19 to 24 of that directive, second, when dealing with natural persons or legal entities established in the third countries listed by the Commission as high-risk third countries and, third, in other cases of higher risk that are identified by Member States or obliged entities. It follows that, apart from the specific situations referred to in Articles 19 to 24 of Directive 2015/849 and the situations involving relations with natural persons or legal entities established in the third countries listed by the Commission as high-risk third countries referred to in Article 18 of that directive, the application of enhanced due diligence measures presupposes, in accordance with the risk-based approach, the prior identification by the Member State or obliged entity of higher money laundering or terrorist financing risks. Therefore, other than in those specific situations, the assignment of a higher risk to a customer and, consequently, the application of enhanced due diligence measures to that customer are not automatic. In the present case, it is apparent from the case file before the Court of Justice that the business relations established by Rodl & Partner with, respectively, the foundation IT izglītības fonds and RBA Consulting are not covered by Articles 19 to 24 of Directive 2015/849. Moreover, the Russian Federation is not one of the high-risk third countries listed in Commission Delegated Regulation (EU) 2016/1675, of 14 July 2016, supplementing Directive (EU) 2015/849 of the European Parliament and of the Council by identifying high-risk third countries with strategic deficiencies (OJ 2016 L 254, p. 1). It follows from the foregoing considerations that Article 18(1) and (3) of Directive 2015/849, read together with Annex III, point 3(b), thereto, must be interpreted as meaning that it does not automatically require an obliged entity to categorise a customer as representing a higher degree of risk and, therefore, to apply enhanced due diligence measures to that customer on the sole ground that the customer is an NGO, that one of the customer’s employees is a national of a high-corruption-risk third country, or that one of the customer’s business partners, but not the customer itself, is linked to a high-corruption-risk third country. That said, the referring court points out that, under Article 5 of Directive 2015/849, a Member State may adopt stricter provisions to prevent money laundering and terrorist financing in cases where, in the Member State’s view, the risk factors referred to in the previous paragraph of the present judgment exist. The referring court wonders, nonetheless, whether that possibility can justify the decision that the VID took, in the present case, in respect of Rodl & Partner. In those circumstances, it is necessary to determine whether the provisions of Directive 2015/849 preclude the right of a Member State to require the obliged entity to take into account such risk factors when assessing the need to apply enhanced due diligence measures to a customer. In that regard, it must be held that business relations such as those established by Rodl & Partner with the foundation IT izglītības fonds and RBA Consulting may fall under ‘other cases of higher risk that are identified by Member States or obliged entities’, as referred to in Article 18(1) of Directive 2015/849. In order to identify those ‘other cases of higher risk’ it follows, from a combined reading of paragraphs 1 and 3 of Article 18, that Member States and obliged entities must, in the risk assessment which they are required to carry out, at least take into account factors and types of evidence of potentially higher risk, as stated in Annex III to that directive. In fact, the non-exhaustive list of factors and types of evidence of potentially higher risk contained in that annex includes, inter alia, customer risk factors, transaction risk factors and geographical risk factors. Therefore, it follows, both from the wording of Article 18(1) and (3) of Directive 2015/849 and from the non-exhaustive nature of the list contained in Annex III, that the Member States have significant discretion, when transposing that directive, as to the appropriate way of implementing the obligation to require enhanced due diligence measures and to determine both the situations in which a higher risk of that kind exists and the due diligence measures (see, by analogy, judgment of 10 March 2016, Safe Interenvíos , C‑235/14, EU:C:2016:154, paragraph 73 ). In that connection, it must be recalled, first, that Directive 2015/849 carries out only a minimum harmonisation, as Article 5 thereof allows Member States to adopt or retain in force stricter provisions where those provisions seek to strengthen the fight against money laundering and terrorist financing, within the limits of EU law. In that regard, the Court of Justice has already explained that the expression ‘stricter provisions’, referred to in Article 5 thereof, may concern not only situations for which Directive 2015/849 prescribes a certain type of customer due diligence, but also other situations which Member States consider to present a higher risk (see, by analogy, judgment of 10 March 2016, Safe Interenvíos , C‑235/14, EU:C:2016:154, paragraph 77 ). In fact, as that Article 5 is contained in Section 1, headed ‘Subject matter, scope and definitions’, of Chapter I, headed ‘General provisions’, of Directive 2015/849, it applies to all the provisions in the field covered by that directive, including those contained in Section 3, headed ‘Enhanced customer due diligence’, of Chapter II thereof. However, it is apparent from a combined reading of Article 5 and Article 18(1) and (3) of Directive 2015/849 that Member States may identify other high-risk situations in the exercise of the discretion that Article 18 grants to them (see, by analogy, judgment of 10 March 2016, Safe Interenvíos , C‑235/14, EU:C:2016:154, paragraph 106 ). Second, in so far as Article 5 of Directive 2015/849 provides that Member States are required to act ‘within the limits of Union law’, they must, when exercising the discretion accorded to them by Article 18 thereof, comply, in particular, with the general principles of EU law, such as the principles of legality, legal certainty, proportionality and non-discrimination (see, by analogy, judgment of 10 March 2016, Safe Interenvíos , C‑235/14, EU:C:2016:154, paragraph 96 ). Moreover, it must be observed, in that connection, that it is apparent from recital 66 in the preamble to Directive 2015/849 that, under Article 21 of the Charter of Fundamental Rights, which prohibits discrimination based on any ground, Member States must ensure that that directive is implemented, as regards risk assessments in the context of customer due diligence, without discrimination. In that regard, first, as the Advocate General pointed out, in essence, in points 55 and 56 of his Opinion, in view of the dynamic nature of both economic relations and criminal activities, EU law, in particular the principles of legality and legal certainty, does not preclude nationals from exhaustively identifying all possible factors posing a higher risk of money laundering and terrorist financing, in so far as those factors are stated subsequently in acts which do not necessarily have the status of a law, but must be subject to appropriate publication. Second, factors posing a higher risk of money laundering and terrorist financing must not, on the one hand, go beyond what is necessary to achieve the objective of combating money laundering and terrorist financing and, on the other hand, give rise to discrimination. Third, it is apparent from Article 7(1) of Directive 2015/849 that Member States are, by reason of their own particular circumstances, exposed to varying money laundering and terrorist financing risks. Therefore, it is for each Member State to determine the level that it deems appropriate with respect to the identified level of risk of money laundering or terrorist financing (see, by analogy, judgment of 10 March 2016, Safe Interenvíos , C‑235/14, EU:C:2016:154, paragraph 105 ). In the present case, as regards the potential risk factor relating to the customer’s legal form, it is apparent from the order for reference that Article 6(1.2) of the Law on prevention provides that the circumstances which the obliged entity must take into account when performing a money laundering and terrorist financing customer risk assessment include ‘risk inherent in the legal form’ of the customer. Moreover, the Latvian Government stated, in its written observations, that a report published in 2019 by the money laundering prevention service showed that NGOs are especially vulnerable to money laundering and terrorist financing, given that 94% of the NGOs entered in the Latvian register of undertakings did not state their field of activity or stated that they fell under the category referred to as ‘association or foundation not elsewhere classified’, from which it may be inferred that the legal form of the NGO must be regarded as a potential high-risk factor in the risk assessment. As to the potential risk factor attached to the existence of a link between the customer of an obliged entity and the Russian Federation, as the Latvian Government stated in its written observations and at the hearing, it is apparent from a national report published on the VID website and from published guidelines that, because of its geographical proximity to that third country and its substantial economic relationship with it, Latvia is exposed, in practice, to the risk of its economy being used for the laundering of money from that third country, which is regarded by Transparency International as a high-corruption-risk country. In that connection, it must be recalled that, under Annex III, point 3(b), to Directive 2015/849, one of the geographical factors of potentially higher risk is the fact that the country in question is identified by credible sources as having significant levels of corruption or other criminal activity. Therefore, subject to the checks which are a matter for the referring court, which alone has jurisdiction to interpret and apply national law, the legal form of an NGO and the existence of a link between the customer of an obliged entity and the Russian Federation seem to be regarded, in Latvian law, as factors of potentially higher risk which that entity is required to take into account in the risk assessment that it must perform in respect of the customer. Where appropriate, it will be necessary for that court to check whether Rodl & Partner took those factors into account in its risk assessment of the customers concerned. Moreover, it must be observed, first, that Annex III, point 3(b), to Directive 2015/849 does not draw a distinction depending on whether the geographical risk factor relates to the customer or its business partners. Next, it follows from a combined reading of Article 8(1) and Article 18(2) thereof and Annex III thereto that, in the risk assessment which they are required to perform, the obliged entities must take into account, in particular, risk factors relating to their customers’ transactions. Lastly, those provisions make clear that all complex and unusually large transactions, and all unusual patterns of transactions that have no apparent economic or lawful purpose, may be considered as having a potentially higher risk. Therefore, the fact that the customer of an obliged entity conducts transactions involving links with a high-corruption-risk third country may be regarded, under Directive 2015/849, as a potentially higher geographical risk factor. It will be for the referring court to check whether the Latvian legal order provides for such a risk factor and, if so, whether Rodl & Partner should have taken that fact into account in its risk assessment of RBA Consulting. Consequently, having regard to the discretion which Directive 2015/849 grants to the Member States, the legal form of an NGO, the existence of a link between the customer of an obliged entity and the Russian Federation or commercial transactions which that customer conducts with a business partner linked to that country may, where appropriate, constitute, in compliance with the limits of EU law stated in paragraph 49 of the present judgment and, in particular, the principles of proportionality and non-discrimination, factors of potentially higher risk. However, as the Advocate General pointed out in point 86 of his Opinion, the mere fact that an employee of the customer who is not the beneficial owner of the customer and who does not have a function within the customer enabling him or her to perform activities which may potentially be linked to money laundering activities has the nationality of a high-corruption-risk third country does not seem to be characteristic of a situation representing a higher risk of money laundering or terrorist financing. Similarly, the principle of proportionality requires that only commercial transactions of some significance or complexity, or which are unusual in nature concluded by the customer of the obliged entity with a business partner established in a high-corruption-risk third country, may be regarded as geographical factors of potentially higher risk, which obliged entities must take into account in their customer risk assessment. In those circumstances, Article 18(1) and (3) of Directive 2015/849, read together with Article 5 and Annex III thereto, does not preclude a Member State from identifying other factors of potentially higher risk which obliged entities must take into account in their customer risk assessment and which may relate to the legal form of a customer, such as that of an NGO, while bearing in mind the principle of full compliance with the fundamental rights referred to in recital 43 in the preamble to Directive 2015/849, or the relationship of the customer or its business partner with a high-corruption-risk third country, in so far as those factors are provided for in the legal order of that Member State, are subject to appropriate publication and are compatible with EU law and, in particular, with the principles of proportionality and non-discrimination. In the light of all the foregoing considerations, the answer to the first and third questions is that Article 18(1) and (3) of Directive 2015/849, read together with Article 5 thereof and Annex III, point 3(b), thereto, must be interpreted as not requiring an obliged entity automatically to categorise a customer as representing a higher degree of risk and, accordingly, to apply enhanced due diligence measures to that customer on the sole ground that the customer is a non-governmental organisation, that one of the customer’s employees is a national of a high-corruption-risk third country or that one of the customer’s business partners, but not the customer itself, is linked to such a third country. A Member State may, however, identify in national law such circumstances as being factors indicating a potentially higher risk of money laundering and terrorist financing which obliged entities must take into account in their customer risk assessment, in so far as those factors are compatible with EU law and, in particular, with the principles of proportionality and non-discrimination.

    The second question

    The second question was referred in the event that the answer to the first question was in the affirmative. Therefore, in view of the negative answer given to the first question, there is no need to answer the second question.

    The fourth question

    By its fourth question, the referring court asks, in essence, whether Article 13(1)(c) and (d) of Directive 2015/849 must be interpreted as meaning that, when taking customer due diligence measures, the obliged entity must obtain from the customer a copy of the contract concluded between that customer and a third party. According to settled case-law, in order to provide a satisfactory answer to the national court which has referred a question to it, the Court of Justice may deem it necessary to consider provisions of EU law to which the national court has not referred in its question (judgment of 24 February 2022, Glavna direktsia ‘Pozharna bezopasnost i zashtita na naselenieto’, C‑262/20, EU:C:2022:117, paragraph 33 and the case-law cited). Article 11 of Directive 2015/849, in Section 1, headed ‘General provisions’, of Chapter II thereof, sets out the situations in which obliged entities are required to apply standard customer due diligence measures, because the situations are considered to present risks of money laundering or terrorist financing (see, by analogy, judgment of 10 March 2016, Safe Interenvíos , C‑235/14, EU:C:2016:154, paragraph 60 ). Obliged entities are therefore required to apply those measures where they have identified, in their customer risk assessment, a normal level of risk. As to the due diligence measures themselves which obliged entities must implement, Article 13(1) of that directive mentions some of them, including assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship (point (c)) or conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the obliged entity’s knowledge of the customer, the business and risk profile, including where necessary the source of funds and ensuring that the documents, data or information held are kept up-to-date (point (d)). Moreover, pursuant to Directive 2015/849, those entities are obliged to comply with certain evidence and documentation requirements laid down by the competent national authorities as regards both their customer risk assessments and the appropriateness of the due diligence measures applied to those customers in relation to the risk level identified. In fact, first, Article 8(2) of Directive 2015/849 states that the risk assessments to be carried out by the obliged entities must be documented, kept up-to-date and made available to the relevant competent authorities and self-regulatory bodies concerned. In that regard, recital 22 in the preamble to that directive states that the risk-based approach is not an unduly permissive option for Member States and obliged entities, but involves the use of evidence-based decision-making in order to target the risks of money laundering and terrorist financing facing the European Union and those operating within it more effectively. Next, Article 13(4) of Directive 2015/849 provides that obliged entities must be able to demonstrate to competent authorities or self-regulatory bodies that the due diligence measures are appropriate in view of the risks of money laundering and terrorist financing that have been identified. Finally, Article 40(1), first subparagraph, (a), of that directive, in Chapter V thereof, headed ‘Data protection, record retention and statistical data’, requires obliged entities to retain a copy of the documents and information which are necessary to comply with the customer due diligence requirements laid down in Chapter II of the directive, for a period of five years after the end of the business relationship with their customer. It follows from the provisions cited in paragraphs 71 and 72 of the present judgment that, where, when assessing a risk, the obliged entity identifies a potentially higher risk relating to a complex transaction involving an unusually high amount or having no apparent economic or lawful purpose which its customer has concluded with a business partner linked to a high-corruption-risk third country, that entity must, at the time of the inspection carried out by the competent national authority, provide that authority with appropriate documentation demonstrating that it has examined that transaction and that it has properly taken it into account in arriving at its conclusions as to the level of risk presented by that customer. That said, as the Advocate General noted in point 107 of his Opinion, the provisions cited in paragraphs 71 to 73 of the present judgment do not state the procedures by which obliged entities can comply with the evidence and documentation requirements laid down by the competent national authorities. Those procedures are governed by national law, subject to compliance with EU law and, in particular, with the principles of proportionality, business secrecy and protection of personal data. Therefore, as the Commission stated in its written observations, the evidence and documentation obligation imposed on obliged entities does not necessarily involve physical presentation of the copy of a contract, since there are other appropriate methods of proof, such as the production of contract assessment reports which contain the information necessary to assess the risk associated with the transaction and the business relationship concerned. In this case, as stated in paragraph 21 of the present judgment, Rodl & Partner did not provide the VID with a copy of the contract concluded between RBA Consulting and a third company majority-owned by a company established in the Russian Federation, explaining only that it had been made aware of the original of that contract in the premises of RBA Consulting. Moreover, it is not apparent from the file available to the Court of Justice that Rodl & Partner had established or even alleged that it had provided the VID with appropriate evidence on the risk assessment associated with that business relationship and the transactions concluded as part of that relationship, or on due diligence measures taken in that regard. In the light of the foregoing considerations, the answer to the fourth question is that Article 13(1)(c) and (d), of Directive 2015/849, read together with Article 8(2), Article 13(4), and Article 40(1), first subparagraph, (a), thereto, must be interpreted as meaning that, when taking customer due diligence measures, the obliged entity is not required to obtain from the customer concerned a copy of the contract concluded between that customer and a third party, in so far as that entity can provide the competent national authority with other appropriate documents demonstrating first, that it has examined that transaction and the business relationship concluded between the customer and the third party and, second, that it has properly taken them into account in applying the due diligence measures necessary in view of the money laundering and terrorist financing risks identified.

    The fifth question

    By its fifth question, the referring court asks, in essence, whether Article 14(5) of Directive 2015/849 must be interpreted as meaning that the obliged entity is required to apply due diligence measures to existing customers even where there is no indication of any changes in the customer’s circumstances and the time limit laid down by the national authority for a new risk assessment has not yet expired. The court further asks whether that obligation is applicable only in relation to customers representing a high risk of money laundering and terrorist financing. In the event that the answer to those questions is in the affirmative, the referring court asks whether such an interpretation is consistent with the principle of proportionality. According to settled case-law, in interpreting a provision of EU law it is necessary to consider not only its wording but also the context in which it occurs and the objectives pursued by the rules of which it forms part (judgment of 2 September 2021, LG and MH (Self-laundering) , C‑790/19, EU:C:2021:661, paragraph 47 and the case-law cited). As to the wording of Article 14(5) of Directive 2015/849, that provision requires obliged entities to apply customer due diligence measures not only to all new customers but also at appropriate times to existing customers on a risk-sensitive basis, including at times when the relevant circumstances of a customer change. Therefore, it is apparent from the very wording of that provision that obliged entities must, on a risk-sensitive basis, apply due diligence measures not only to their new customers, but also at appropriate times to their existing customers. The provision states that one of the appropriate times conceivable is where the relevant circumstances of the customer concerned change. Moreover, that provision does not limit the obligation on obliged entities only to customers categorised as representing a high risk. In that regard, it must be observed that, under Article 8(2) of Directive 2015/849, obliged entities must, in particular, keep up-to-date assessments of the risk of money laundering and terrorist financing to which they are exposed. It follows from the foregoing that Article 14(5) of Directive 2015/849, read together with Article 8(2) thereof, requires the obliged entity, on the basis of an updated risk assessment, to apply due diligence measures or, where necessary, enhanced due diligence measures to an existing customer where that seems appropriate, including where the relevant circumstances of the customer change. Such an interpretation is confirmed by the general scheme of the rules of which Article 14(5) of Directive 2015/849 is part. In that regard, that provision is contained in Section 1, headed ‘General provisions’ of Chapter II of that directive, on customer due diligence. It follows that the obligation on obliged entities under that provision applies to all customers, irrespective of the risk category to which they have been assigned. Furthermore, it follows from the wording of Article 13(1)(d) of Directive 2015/849 that obliged entities must conduct ongoing monitoring of their customers and of the transactions concluded by them. It follows that, as the Advocate General pointed out in point 119 of his Opinion, where an obliged entity has knowledge of relevant evidence concerning one of its existing customers, such as business transactions which may affect the risk assessment made on that customer, it must take that evidence into account and, where deemed appropriate, review the risk analysis and, where necessary, the level of due diligence measures applied to that customer. Finally, the interpretation of Article 14(5) of Directive 2015/849, as set out in paragraph 85 of this judgment, ensures that the main objective of that directive is achieved, which is, as recalled in paragraph 33 of this judgment, the prevention of the use of the financial system for the purposes of money laundering or terrorist financing. In the present case, it is for the referring court to verify whether the transactions concluded between RBA Consulting and a company majority-owned by a company established in the Russian Federation, of which it is not disputed that Rodl & Partner was aware, constituted, under Article 14(5) of Directive 2015/849, relevant evidence making it appropriate, using a risk-based approach, to apply due diligence measures, or, where necessary, enhanced due diligence measures, to RBA Consulting, irrespective of the fact that the time limit laid down by national law for carrying out a new risk assessment on that customer had not yet expired. In the light of the foregoing considerations, the answer to the fifth question is that Article 14(5) of Directive 2015/849, read together with Article 8(2) thereof, must be interpreted as meaning that obliged entities are required, on the basis of an updated risk assessment, to apply due diligence measures or, where necessary, enhanced due diligence measures to an existing customer where appropriate, including where the relevant circumstances of the customer change, irrespective of the fact that the time limit laid down by national law for carrying out a new risk assessment on that customer has not yet expired. That obligation is not applicable only to customers representing a high risk of money laundering and terrorist financing. In the light of the foregoing, there is no need to consider the alternative question asked by the referring court in connection with the fifth question, as stated in paragraph 80 of this judgment.

    The sixth question

    By its sixth question, the referring court asks, in essence, whether Article 60(1) and (2) of Directive 2015/849 must be interpreted as meaning that, when publishing a decision imposing a sanction for breach of the national provisions transposing that directive against which there is no appeal, the competent national authority has an obligation to ensure that the information published conforms to the information contained in that decision. The Latvian Government considers that question to be inadmissible. In fact, first, that question is, in its view, hypothetical in so far as Article 60(1) of Directive 2015/849, the interpretation of which is accordingly requested by the referring court, refers to the situation in which a decision against which there is no appeal and not one against which, as in this case, there is an appeal, is published, the latter situation being covered by Article 60(2) thereof. Second, the referring court did not establish any inaccuracy in the information published on the VID’s website, and therefore the sixth question for a preliminary ruling bore no relation to the facts or the subject matter of the proceedings in the main action and was not therefore objectively required in order to resolve the dispute in the main proceedings. In that regard, first, it is apparent from the order for reference that the Republic of Latvia has transposed Article 60(2) of Directive 2015/849 into national law and that it therefore authorises the publication of decisions against which there is an appeal. However, by providing that public authorities must ‘also’ publish, immediately, on their official website the information that the decision at issue is the subject of an appeal, that provision makes clear that those authorities must publish that information in addition to the information specified in paragraph 1 of Article 60, which provides that the publication must ‘include at least information on the type and nature of the breach and the identity of the persons responsible’. It follows that the mere fact that the Court of Justice is being asked to interpret both paragraph 1 and paragraph 2 of Article 60 which, in the light of the wording of the latter paragraph, are linked, does not make the sixth question hypothetical. Second, the referring court considers that, at the time when the order for reference was adopted, the publication on the VID’s website of the decision imposing a sanction on Rodl & Partner still contained inaccuracies. It follows from the foregoing evidence that the sixth question is admissible. As to the content of the publication of decisions against which there is an appeal, it must be observed that, in accordance with a combined reading of paragraphs 1 and 2 of Article 60 of Directive 2015/849, which were set out, in essence, in paragraph 97 of the present judgment, only information contained in those decisions is published on the competent national authority’s website. Therefore, information which is not the same as the information contained in those decisions cannot be published. In the light of the foregoing considerations, the answer to the sixth question is that Article 60(1) and (2) of Directive 2015/849 must be interpreted as meaning that, when publishing a decision imposing a sanction for breach of the national provisions transposing that directive, the competent national authority must ensure that the information published is exactly the same as that contained in that decision.

    Costs

    Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
    On those grounds, the Court (First Chamber) hereby rules:

    1. Article 18(1) and (3) of Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC, read together with Article 5 thereof and Annex III, point 3(b), thereto,

      must be interpreted as meaning that it does not require an obliged entity automatically to categorise a customer as representing a higher degree of risk and, accordingly, to apply enhanced due diligence measures to that customer on the sole ground that the customer is a non-governmental organisation, that one of the customer’s employees is a national of a high-corruption-risk third country or that one of the customer’s business partners, but not the customer itself, is linked to such a third country. A Member State may, however, identify in national law such circumstances as being factors indicating a potentially higher risk of money laundering and terrorist financing which obliged entities must take into account in their customer risk assessment, in so far as those factors are compatible with European Union law and, in particular, with the principles of proportionality and non-discrimination.

    2. Article 13(1)(c) and (d), of Directive 2015/849, read together with Article 8(2), Article 13(4), and Article 40(1), first subparagraph, (a), thereof,

      must be interpreted as meaning that when taking customer due diligence measures, the obliged entity is not required to obtain from the customer concerned a copy of the contract concluded between that customer and a third party, in so far as that entity can provide the competent national authority with other appropriate documents demonstrating, first, that it has examined that transaction and the business relationship concluded between the customer and the third party and, second, that it has properly taken them into account in applying the due diligence measures necessary in view of the money laundering and terrorist financing risks identified.

    3. Article 14(5) of Directive 2015/849, read together with Article 8(2) thereof,

      must be interpreted as meaning that obliged entities are required, on the basis of an updated risk assessment, to apply due diligence measures or, where necessary, enhanced due diligence measures to an existing customer where appropriate, including where the relevant circumstances of the customer change, irrespective of the fact that the time limit laid down by national law for carrying out a new risk assessment on that customer has not yet expired. That obligation is not applicable only to customers representing a high risk of money laundering or terrorist financing.

    4. Article 60(1) and (2) of Directive 2015/849

      must be interpreted as meaning that when publishing a decision imposing a sanction for breach of the national provisions transposing that directive, the competent national authority must ensure that the information published is exactly the same as the information contained in that decision.

    [Signatures]