Response to consultation on revised Guidelines on money laundering and terrorist financing (ML/TF) risk factors
Go back
• Regarding point (m) and the concept of “shell bank”, it continues to be covered in Article 3, Directive (EU) 2015/849. However, the same does not apply to the concept of “occasional transaction”. The concept of “occasional transaction” is not defined in the Directive (EU) 2015/849, nor the recast Transfer of Funds Regulation (TFR), despite being used in both legislation and EBA’s guideline itself (vide Guideline 1.2). In several articles of the Directive (EU) 2015/849, such as Articles 11, 40 and 41, it can be noted reference to the term “occasional transaction”, however, without defining it. The same can be observed in Article 25 (3) TFR. Therefore, because it can generate doubts/insecurity whenever applying the concept of “occasional transaction” in practice, it would be relevant to understand why the definition is deleted from the already existing Guideline.
• In addition, the Guideline reference 9.21 should be replaced with 9.22 which provides guidance on types of business activities/services that should be considered virtual currency business.
• It would also be beneficial to clarify the concept of “unregulated businesses”. In FATF report “Targeted Update on Implementation of the FATF Standards on Virtual Assets/VASPs”, paragraph 10, it can be noted the use of the terms “unlicensed or unregistered” instead of “unregulated”. The same applies to the TFR. In paragraph 17 TFR, it refers to “non-Union entities that are not regulated, registered or licensed in any third country” and on paragraph 60, it changes the reference to “unregistered and unlicensed entities”.
• We suggest the EBA clarifies its rationale for the proposed amendment to Guideline 4.35.
• No comments on the proposed amendment Guideline 4.60 letter a).
• Guideline 4.61 letter a): TFR writes “crypto-assets” instead of “crypto assets”. The suggestion to write not only the sentence (“[…] for example by establishing the source and destination of the funds or crypto-assets […]”) but the entire Guidance following TFR’s adopted wording style.
• No comments on the proposed amendment Guideline 4.74 letter b).
• 4.74, new letter (d): As per paragraph 17 TFR, “where situations of higher risk are identified, EBA should issue guidelines specifying the enhanced due diligence measures that obliged entities should consider applying to mitigate such risks, including the adoption of appropriate procedures such as the use of distributed ledger technology (DLT) analytic tools, to detect the origin or destination of crypto-assets”. The proposed text indicates that “firms should determine whether the use of advanced analytics tools, like the distributed ledger analytics tools, is necessary in light of the ML/TF risk associated with the firm’s business, and with the firm’s customers’ individual transactions”. No explicit reference is made to “higher risk situation”. We suggest adding “higher risk situations” to the new letter.
• The amendments to 6.2 d) imply that the EBA anticipates that all firms are using advanced analytics and automated tools for the purposes of transaction monitoring. Further, where they are deployed, not all staff will be engaged in the monitoring of outcomes of these tools. We propose that the EBA guidelines are clear that ‘Where automated systems, including advanced analytics tools, are deployed for the purposes of monitoring transactions and business relationships, firms should take steps to ensure that relevant staff understand how to interpret the outcomes from these systems and tools.’
“However, to the extent permitted by national legislation, where, in accordance with the ML/TF risk assessment of the individual customer, the risk associated with the business relationship is low, a bank may apply SDD measures, provided that’.”
• 9.21: We propose the following:
A. Suggestion to also document the result of the dialogue with the customer
B. FATF (e.g., Targeted Update on Implementation of the FATF Standards on Virtual Assets/VASPs 2023) propose separately the “identification” and “verification” of the identity of the customer’s beneficial owner. Suggestion to clearly indicate the “identification” and “verification of the identity”, as well as recordkeeping requirements of the efforts applied on these tasks.
• Guideline 15.1: We agree with the amendment to include Guideline 21
• Guideline 17.4: We agree with the amendment to 17.4 letters b) and i)
• 21.1: No comment
• 21.2: Given that Title 1 applies to all firms vs Title II, which is sector-specific, and CASPs may offer more than one service. We suggest that 21.2 should be reworded to say the following:
“When offering crypto asset services, CASPs should comply with provisions in Title I as well as sector-specific provisions set out in Title II, where relevant to the firms' product offering”.
• 21.3: Refers to “peer-to-peer”; We suggest that the definition of peer-to-peer be added as a footnote. Given that peer-to-peer is a form of over-the-counter (OTC), the difference is that peer-to-peer does not include an intermediary, whilst OTC is the method of how a transaction takes place. We also suggest adding a definition of hardware and what is exempt.
• 21.4: No comment
• 21.5: A key observation in this section is that a lot of risk factors noted are similar in nature but just use different wording or elaborate more on underlying risk. So, there is an opportunity to consolidate some of these risk factors.
• 21.6: No comment
• 21.7:
o (a): No comment
o (b): Guidance states, “The originating or the beneficiary crypto asset account or a distributed ledger address is linked to a jurisdiction”. Our view is that there will be some practical challenges in associating an originator or beneficiary distributed ledger address to specific jurisdiction due to the way in which crypto transactions are recorded on the blockchain, making it difficult to identify jurisdiction information definitively.
o (b) - We propose adding a new sub-bullet iii. ‘associated with high risk of cyber-attacking and/or are known to be subject to travel bans and asset freezes measures that are related to cyber threats and/or are subject to sanctions under the cyber-sanctions regime.’
o (d) Two comments on guidance “The business relationship is established through the CASPs or crypto-ATMs, which are located in regions or jurisdictions outside the EU and are associated with high levels of predicate offences or the risk of ML/TF”:
1. We suggest that this is reworded to: “…which are located in regions or jurisdictions outside of the EU that are associated with high levels of predicate offences, or the risk of ML/TF is high and/or where the AML/CTF regulatory and supervisory framework is less robust than the one provided for in Directive (EU) 2015/849."
2. Guidance 21 is developed specifically for CASPs so in this context what’s not clear is the wording ‘business relationship is established through the CASPs or crypto-ATMs'. We suggest the EBA provides more detail/rationale regarding the inclusion of this wording.
• 21.8 – 21.16: no comments
Question 1: Do you have any comments on the proposed changes to definitions.
• It would be beneficial to understand the rationale behind the proposal to delete Paragraph 12 point (f). We suggest that the EBA include an explanation within the guidance.• Regarding point (m) and the concept of “shell bank”, it continues to be covered in Article 3, Directive (EU) 2015/849. However, the same does not apply to the concept of “occasional transaction”. The concept of “occasional transaction” is not defined in the Directive (EU) 2015/849, nor the recast Transfer of Funds Regulation (TFR), despite being used in both legislation and EBA’s guideline itself (vide Guideline 1.2). In several articles of the Directive (EU) 2015/849, such as Articles 11, 40 and 41, it can be noted reference to the term “occasional transaction”, however, without defining it. The same can be observed in Article 25 (3) TFR. Therefore, because it can generate doubts/insecurity whenever applying the concept of “occasional transaction” in practice, it would be relevant to understand why the definition is deleted from the already existing Guideline.
Question 2: Do you have any comments on the proposed changes to Guideline 1.
• We suggest that the new letter (d) clarifies that the “adoption of innovative technology” considers not only “new” but also “enhanced” technologies. In addition to the prior launch and adequate recording, the ML/TF risk exposure could be monitored for a certain period.Question 3: Do you have any comments on the proposed changes to Guideline 2.
Further explanation of the word ‘links’ would be useful to clarify regulatory expectations around what would be (or not be) considered ‘links’ to sectors associated with higher ML/TF risk. Alternatively, the term “exposure” could be used instead of “links”.• In addition, the Guideline reference 9.21 should be replaced with 9.22 which provides guidance on types of business activities/services that should be considered virtual currency business.
• It would also be beneficial to clarify the concept of “unregulated businesses”. In FATF report “Targeted Update on Implementation of the FATF Standards on Virtual Assets/VASPs”, paragraph 10, it can be noted the use of the terms “unlicensed or unregistered” instead of “unregulated”. The same applies to the TFR. In paragraph 17 TFR, it refers to “non-Union entities that are not regulated, registered or licensed in any third country” and on paragraph 60, it changes the reference to “unregistered and unlicensed entities”.
Question 4: Do you have any comments on the proposed changes to Guideline 4.
• No comments on the proposed amendment Guideline 4.29.• We suggest the EBA clarifies its rationale for the proposed amendment to Guideline 4.35.
• No comments on the proposed amendment Guideline 4.60 letter a).
• Guideline 4.61 letter a): TFR writes “crypto-assets” instead of “crypto assets”. The suggestion to write not only the sentence (“[…] for example by establishing the source and destination of the funds or crypto-assets […]”) but the entire Guidance following TFR’s adopted wording style.
• No comments on the proposed amendment Guideline 4.74 letter b).
• 4.74, new letter (d): As per paragraph 17 TFR, “where situations of higher risk are identified, EBA should issue guidelines specifying the enhanced due diligence measures that obliged entities should consider applying to mitigate such risks, including the adoption of appropriate procedures such as the use of distributed ledger technology (DLT) analytic tools, to detect the origin or destination of crypto-assets”. The proposed text indicates that “firms should determine whether the use of advanced analytics tools, like the distributed ledger analytics tools, is necessary in light of the ML/TF risk associated with the firm’s business, and with the firm’s customers’ individual transactions”. No explicit reference is made to “higher risk situation”. We suggest adding “higher risk situations” to the new letter.
Question 5: Do you have any comments on the proposed changes to Guideline 6.
• 6.2 (c): To be consistent with the new letter of Guideline 1.7. We suggest adding “or a new business practice”, following the sentence “taking into account the specific nature of their products and services”.• The amendments to 6.2 d) imply that the EBA anticipates that all firms are using advanced analytics and automated tools for the purposes of transaction monitoring. Further, where they are deployed, not all staff will be engaged in the monitoring of outcomes of these tools. We propose that the EBA guidelines are clear that ‘Where automated systems, including advanced analytics tools, are deployed for the purposes of monitoring transactions and business relationships, firms should take steps to ensure that relevant staff understand how to interpret the outcomes from these systems and tools.’
Question 6: Do you have any comments on the proposed changes to Guideline 8.
• We agree with the proposed updates to Guideline 8Question 7: Do you have any comments on the proposed changes to Guideline 9.
• 9.18: We agree with the amendment – word placement of “individual”. We also propose a slight amendment (see below):“However, to the extent permitted by national legislation, where, in accordance with the ML/TF risk assessment of the individual customer, the risk associated with the business relationship is low, a bank may apply SDD measures, provided that’.”
• 9.21: We propose the following:
A. Suggestion to also document the result of the dialogue with the customer
B. FATF (e.g., Targeted Update on Implementation of the FATF Standards on Virtual Assets/VASPs 2023) propose separately the “identification” and “verification” of the identity of the customer’s beneficial owner. Suggestion to clearly indicate the “identification” and “verification of the identity”, as well as recordkeeping requirements of the efforts applied on these tasks.
Question 8: Do you have any comments on the proposed changes to Guideline 10, 15 and 17.
• Guideline 10.2: We agree with the amendment. We also note that firms whose authorization includes the provision of business activities as payment initiation services and account information services – these firms could also be crypto asset service providers therefore guideline 21 should apply.• Guideline 15.1: We agree with the amendment to include Guideline 21
• Guideline 17.4: We agree with the amendment to 17.4 letters b) and i)
Question 9: Do you have any comments on the proposed changes to Guideline 21.
We broadly agree with the provisions included in Guideline 21. Below are our comments on the following amendments:• 21.1: No comment
• 21.2: Given that Title 1 applies to all firms vs Title II, which is sector-specific, and CASPs may offer more than one service. We suggest that 21.2 should be reworded to say the following:
“When offering crypto asset services, CASPs should comply with provisions in Title I as well as sector-specific provisions set out in Title II, where relevant to the firms' product offering”.
• 21.3: Refers to “peer-to-peer”; We suggest that the definition of peer-to-peer be added as a footnote. Given that peer-to-peer is a form of over-the-counter (OTC), the difference is that peer-to-peer does not include an intermediary, whilst OTC is the method of how a transaction takes place. We also suggest adding a definition of hardware and what is exempt.
• 21.4: No comment
• 21.5: A key observation in this section is that a lot of risk factors noted are similar in nature but just use different wording or elaborate more on underlying risk. So, there is an opportunity to consolidate some of these risk factors.
• 21.6: No comment
• 21.7:
o (a): No comment
o (b): Guidance states, “The originating or the beneficiary crypto asset account or a distributed ledger address is linked to a jurisdiction”. Our view is that there will be some practical challenges in associating an originator or beneficiary distributed ledger address to specific jurisdiction due to the way in which crypto transactions are recorded on the blockchain, making it difficult to identify jurisdiction information definitively.
o (b) - We propose adding a new sub-bullet iii. ‘associated with high risk of cyber-attacking and/or are known to be subject to travel bans and asset freezes measures that are related to cyber threats and/or are subject to sanctions under the cyber-sanctions regime.’
o (d) Two comments on guidance “The business relationship is established through the CASPs or crypto-ATMs, which are located in regions or jurisdictions outside the EU and are associated with high levels of predicate offences or the risk of ML/TF”:
1. We suggest that this is reworded to: “…which are located in regions or jurisdictions outside of the EU that are associated with high levels of predicate offences, or the risk of ML/TF is high and/or where the AML/CTF regulatory and supervisory framework is less robust than the one provided for in Directive (EU) 2015/849."
2. Guidance 21 is developed specifically for CASPs so in this context what’s not clear is the wording ‘business relationship is established through the CASPs or crypto-ATMs'. We suggest the EBA provides more detail/rationale regarding the inclusion of this wording.
• 21.8 – 21.16: no comments