Response to consultation on draft amending Guidelines on risk-based AML/CFT supervision

Q2. Do you have any comments with the proposed changes to the Guideline 4.1 ‘Implementing the RBS model’?

On point 4.1.4 Cooperation:

20. Competent authorities should cooperate and exchange all relevant information with each other and with other stakeholders, including prudential supervisors, Financial Intelligence Units, tax authorities, law enforcement agencies and AML/CFT supervisors of third countries to ensure the effective AML/CFT supervision of subjects of assessment. All relevant information should be exchanged without delay. Where subjects of assessment operate on a cross‐border basis, such cooperation should extend to competent authorities of other Member States and where relevant, competent authorities of third countries.

EPIF fully supports the need for cooperation but would like to point out that it is important to ensure that duplicate reporting and the filling in of similar statistics leading to risk assessment by various regulators within the same country are limited or avoided.

On point 40 - Competent authorities should gather sufficient, relevant and reliable information from the sources described in paragraphs 30 and 31 to develop an overall understanding of the inherent risk factors and factors that mitigate these risks within the sector and sub-sector, where relevant.


123. Where competent authorities decide to provide subjects of assessment with a redacted version of their sectoral or sub-sectoral risk assessment, they should ensure this contains sufficient, and sufficiently meaningful, information to enable subjects of assessment to build this information into their own risk assessments.

EPIF believes this analysis should be shared with the subject persons so that the information is aligned during the compilation of the Business Risk Assessments (BRA), to ensure that all the relevant subsector risks are taken into consideration when a subject person conducts its yearly BRA based on a harmonised approach defined at EU level for sectorial and sub-sectorial risk assessments.

With regard to the domestic risk assessment, we strongly support having a harmonised approach. It is important to ensure consistency in the application of the risk across multiple jurisdictions. The measurement of the risk should be done in a harmonised manner taking into account the mitigation measures in place.

On the point 44. - In order to develop a good understanding of the inherent risk factors applicable to subjects of assessment, competent authorities should gather information from various sources that includes, but is not limited to the information relating to:
a) the ownership and corporate structure of the subjects of assessment, taking into account whether the subject of assessment is a foreign or domestic credit institution or financial institution, parent company, subsidiary, branch or other kind of establishment, and the level of complexity and transparency of its organisation and structure.
b) the reputation and integrity of senior managers, members of the management body and qualifying shareholders;
c) the nature and complexity of the products and services provided and the activities and transactions carried out;
d) the delivery channels used, including the provision of services through non-face-to-face channels and the use of agents or intermediaries.
e) the types of customers serviced by the subject of assessment and the level of risk associated with those customers, including customers that are PEPs and those assessed as presenting heightened ML/TF risk according to the subject of assessment risk assessment methodology;
f) the geographical area of the business activities, in particular where they are carried out in high‐risk third countries, as well as, if applicable, the countries of origin or establishment of a significant part of the subject of assessment’s customers and the geographical links of its qualifying shareholders or beneficial owners;
g) the authorisations, licensing or passporting by the subject of assessment.

With regard to point d), EPIF would like to point out that a distinction should be made in relation to the technology utilised to provide services through non-face-to-face channels, whereby controls applied utilising technology such as biometric verification or the use of RFID identification of government-issued documentation should be considered as equivalent to face-to-face onboarding.
Technological advancements are shifting forward the element of non-face-to-face onboarding if we wish to continue to register progress in a unified European Union and following steps adopted by specific European governments which embraced similar technology and are now accepting this approach.
Digital identity (ID) technologies are evolving rapidly, giving rise to a variety of digital ID systems. The developments surrounding digital identity verification are one of the most promising uses of RegTech in recent years. Online verification procedures and KYC are far more convenient for users than traditional methods, without compromising security.

Q5. Do you have any comments with the proposed changes to the Guideline 4.4 ‘Step 3 - Supervision’?

Under point 4.4.9 – Feedback to the sector – paragraph 126
126. Competent authorities should assess whether guidance may be needed for the sector as a whole or specific for a particular sub-sector or cover a specific topic. Competent authorities should ensure that guidance
a) is clear and unambiguous;
b) facilitates and supports the implementation, by subjects of assessment, of an effective risk-based approach;
c) does not directly or indirectly foster or condone the indiscriminate de-risking of entire categories of customers.

EPIF would like to reiterate that the categorisation of sectors defined as high risk has automatically triggered bank de-risking practices by conventional banks and credit institutions under a ZERO risk tolerance threshold. This discriminates against customer segments, and this de-risking practice is also being extended to financial institutions that service specific sectors (for example, the gaming industry).
We would suggest adding a reference to the EBA revised ML/TF Risk Factors Guidelines, which clarify that the application of a risk-based approach to AML/CFT does not require financial institutions to refuse, or terminate, business relationships with entire categories of customers that are considered to present higher ML/TF risk. Instead, the Guidelines should provide guidance on the steps financial institutions should take to effectively manage ML/TF risks associated with individual business relationships.

Name of the organization

European Payment Institutions Federation (EPIF)