Response to consultation on effective management of ML/TF risks when providing access to financial services
1. Do you have any comments on the annex that covers NPO customers?
We consider the broadened due diligence process required at the onboarding stage as unreasonable. The provisions conflict with Article 16 EU Charter of Fundamental Rights (CFR) according to which the freedom to conduct a business in accordance with Union law and national laws and practices has to be recognised. Art 16 CFR inter alia covers the principle of the freedom to contract. It states that contracts can be freely determined with regard to both the contracting party and the subject matter of the contract as well, provided that they do not violate mandatory provisions of applicable law or statutory prohibitions.
This fundamental legal principle is also enshrined in every jurisdiction of EU Member States, e.g. in Austria on the basis of Art 5 and 6 State Basic Act („Staatsgrundgesetz”) and in Germany based on Art 2 para 1 German Basic Law for the Federal Republic of Germany (“Grundgesetz”).
Moreover, it has to be borne in mind that – e.g. in Austria – banks regularly receive official warning messages from their national FIUs.
These read, for example, in extracts as follows:
“For several weeks now, money mule accounts are opened online by mainly Latvian citizens for fraud purposes.” – published 24 October 2022
“Young Ukrainian people (born after year 2000) are increasingly opening online accounts. These accounts are used for order fraud.” – published 22 June 2022
It is absolutely clear that banks cannot ignore these official warning messages. Instead, the institutions concerned have to respond in accordance with the money laundering law in order to meet the expectations of the national FIU. Hence, the necessary AML measures subsequently taken have nothing to do with a (potential) violation of Art 21 CFR (Non-discrimination) due to discrimination against foreigners or vulnerable customers.
In addition, we would also like to draw attention to the fact that an NPO (non-profit organisation) stood behind the illegal payments from Qatar in the current corruption scandal of certain MEPs.
Against this background, EBA should fully respect the principle of the freedom of contract and necessary risk-based AML measures.
• Some of the requirements are excessive. This especially applies to Para 9 point e (page 13) concerning the detailed list of staff and beneficiaries, which is excessive, having in mind multinational NPOs for example.
• The risk-based approach should be applied in a stronger manner. In addition, beyond the scope of application of the enhanced due diligence the requirement for a document-based audit should be limited. For reputable NPOs, reduced requirements should be sufficient if there is no indication of potentially higher risk.
• Furthermore, the requirements are too often not feasible in practice. This is among others particularly true in terms of para 12 (page 15) in case an NPO is conducting activities in jurisdictions subject to EU or UN sanctions (e.g. Red Cross in Ukraine/Russia).
• The declared aim of the EBA GL is to "better understand" the client (NPO). However, an extensive gathering of information from the NPO and also third party documents (audit reports) has to be avoided by all means. Excessive due diligence processes cause high costs in the onboarding process. This also applies to the regular update of data of existing clients. The question arises who has to bear the costs. Moreover, the question arises whether certain requirements can be passed on to clients. Can it be part of an NPO's obligation to examine itself with regard to ML/TF risks? In this context, we point out that the far-reaching KYC requirements as envisaged in the draft GL and the associated costs for financial institutions could lead to more de-risking in general. This would completely run counter to the aim of the guidelines.
2. Do you have any comments on the section ‘Subject matter, scope and definitions’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.
We do not understand why only financial institutions and not also payment service providers shall be in the scope. This unequal treatment does not ensure a level playing field among all the different players.
3. Do you have any comments on the section titled ‘General requirements’?
• Regarding Para 11 and 12 we critically note that institutions are no longer able to take general risk-minimising measures, which conflicts with the independent decision-making duty of the board of directors.
• Moreover, we criticize restrictions of the management with regard to business policy decisions. Such an approach contradicts the EU fundamental freedoms (the freedom to provide services is unreasonably restricted). In addition, business management decisions according to the principles of profitability are also substantially restricted.
• The process for rejecting customers has to be implemented by the institutions and decisions have to be made on a case-by-case basis. Hence, an extensive adaptation of the policy is necessary. According to EBA a rejection of customers shall be done on the basis of an individual case report and general experiences (for example customers with Iran connections, fraud gangs) must no longer be taken into account. We explicitly oppose such an approach.
• Furthermore, we see the problem that a bank is forced into business areas in which it is not specialised and whose occurring costs are not enshrined in the economic calculation of the institution (e.g. a bank that is only active in the domestic commercial sector is forced to take on NPOs based in third countries or offshore).
• One has to bear in mind that such an approach completely contradicts the development in the AML area of the last 10 years according to which banks themselves determine and identify the risk areas and decide on the ways to minimise their risk through the measures taken (risk-based approach and supervision).
• GL 10-14: Mitigating risks instead of de-risking in case of business relationships is not possible for all credit institutions. The reason for this is that there are many, particularly smaller, credit institutions which have geared their business strategy towards a specific customer base. Based on this we recommend a clarification/determination that mitigating risks instead of de-risking shall only take place when compatible with the business strategy and basic ethical values of credit and financial institutions.
4. Do you have any comments on the section titled ‘adjusting monitoring’?
• The section contradicts any existing practice (identification) linked with an inappropriate effort (see para 14). Based on Art 16 Directive 2014/92/EU the right to payment accounts with basic features is already incorporated in Union law. Hence, no further legal measures are necessary.
• In fact, the EBA approach results in a general obligation to conclude contracts with natural and legal persons, which infringes fundamental rights of banks.
5. Do you have any comments on the section titled ‘applying restrictions to services or products’?
• Para 16: Apart from the inappropriate burden for banks (also the necessary resources for the assessment of limited services and products as well as the required documentation must be taken into account), our practical experience shows that there exists high fraud potential regarding criminal organisations of certain countries.
• Different new products and services lead to an undue burden for monitoring systems as a new category for business relationships is created. At least we recommend a change in the proposed wording in Rec. 21: "In those cases, procedures should, where (technically and without incurring large costs) possible, include the assessment of the following options to potentially mitigate the associated risks:".
6. Do you have any comments on the section titled ‘Complaint mechanisms’?
• The requirements result in an excessive growth of the volume of documentation, in particular due to the EU General Data Protection Regulation (GDPR).
• The EBA approach seems to aim at handing over the reports to rejected customers. This results in legal actions, cumbersome bureaucracy for the national legal system and liability issues for the responsible bank employees.