Response to consultation on revised Guidelines on money laundering and terrorist financing (ML/TF) risk factors
Go back
EACB members also wish to highlight that further clarifications should be added concerning Guideline 4.74. Indeed, we wonder whether the EBA intends to cover indirect exposure to CASPs where the financial institution does not offer crypto asset services and does not have relationships with CASPs. In the case in which the intention is to cover indirect exposure, it is uncertain whether it will be required for banks that are not CASPs themselves to analyse the distributed ledger connected to a transaction. Further, the extent to which financial institutions can apply a risk-based approach to assess the background of a transaction remains unknown. Due to the nature of CASPs, we would also like to highlight that it is complicated to recognize the transaction counterparties as such. Finally, the conduct towards entities with multiple licenses should be further specified (for example, an entity that has a combination of a PSP license, Banking license or a CASP license).
On Guideline 9.20, it is only recently that a number of international and national regulations included definitions related to Virtual Assets and Virtual Asset Service Providers (VASPs), notably the 2021 FATF Updated Guidance for a risk-based approach, and for example the French Plan d’Action pour la Croissance et la Transformation des Entreprises (PACTE) (LOI n° 2019-486 of 22 May 2019). It is therefore difficult to have yet an appropriate understanding of the level of compliance of VASPs with AML/CTF requirements. At the same time, we would like to stress that VASPs established in the EU should benefit from an appropriate access to banking services. In order to effectively monitor their operations, it is important to specify how we should implement the risk-based approach to EU VASPs. In particular, we would welcome additional clarifications in the guidelines on mitigating measures regarding requirements banks may have to apply when they have business relationships with EU VASPs. Additionally, according to the new FTR regulation, the definition of correspondent banking relationships will include these business relationships. We would also welcome further guidance on the implementation of the risk-based approach, considering this new legal qualification.
Considering jointly the Guidelines 9.20 and 9.21, we would also like to stress that banks should be allowed to perform CDD measures based on the type of business they offer to CASPs. Indeed, it is our view that guidelines on crypto assets should not be applicable when a bank only provides traditional services to a CASP and that are separated from the transfers of crypto assets, for example corporate lending products that are not related to correspondent relationship with CASP. Therefore, all requirements under 9.20 and 9.21 should only be made mandatory where an FI is directly exposed to the CASP’s business activities. The application of all requirements, regardless of the product offering might otherwise be disproportionate.
On specific elements of Guideline 9.21, we have the following questions and observations:
a) How should dialogue be understood in the context of this requirement?
b) What is meant by Senior Management in this context? We also note that it is not risk increasing if the UBOs and Senior Managers are not the same individuals.
c) Please clarify this requirement to be more specific on what banks are supposed to assess. Also, how does the requirement that a CASP shares it's CDD measures taken on voluntary basis commensurate to competition law?
f) It is very difficult to reliably establish if a customer is providing services for which it is required to be licensed and/or registered. Would it be sufficient to rely on customer statements in this regard?
Question 4: Do you have any comments on the proposed changes to Guideline 4.
Concerning the modification of Guideline 4.60, it is important to note that there are situations in which credit institutions do not have all information on the underlying transaction (e.g., correspondent relationships/customers of the respondent), which makes difficult to detect and assess unusual patterns of transactions. Additionally, the current guidelines explicitly mention that ‘Transactions may be unusual […] because: […] the category to which the customer belongs’ (Guideline 4.60 a)). This latter category is not included in the guidelines under consultation. However, it is our opinion that categorizing client groups enables an effective and efficient AML/CTF framework of cooperative banks and should therefore remain part of the EBA present Guidelines.EACB members also wish to highlight that further clarifications should be added concerning Guideline 4.74. Indeed, we wonder whether the EBA intends to cover indirect exposure to CASPs where the financial institution does not offer crypto asset services and does not have relationships with CASPs. In the case in which the intention is to cover indirect exposure, it is uncertain whether it will be required for banks that are not CASPs themselves to analyse the distributed ledger connected to a transaction. Further, the extent to which financial institutions can apply a risk-based approach to assess the background of a transaction remains unknown. Due to the nature of CASPs, we would also like to highlight that it is complicated to recognize the transaction counterparties as such. Finally, the conduct towards entities with multiple licenses should be further specified (for example, an entity that has a combination of a PSP license, Banking license or a CASP license).
Question 6: Do you have any comments on the proposed changes to Guideline 8.
While we understand the need to assess the respondent institutions’ AML/CFT controls, we consider that the proposed amendment to Guideline 8.17 c) will exceed the scope of due diligence responsibilities that should be expected from correspondent relationships, e.g., the performance of sample testing and/or on-site inspections. We instead believe that this level of scrutiny should be performed by supervisory entities as part of the licensing and registering procedure. Indeed, in our view, the licensing and/or registering authorities should have the primary responsibility for ascertaining that licensed/registered CASPs have all the adequate AML/CFT controls in place (e.g., transaction monitoring) prior granting the license/registration.Question 7: Do you have any comments on the proposed changes to Guideline 9.
On Guideline 9.16, we believe that further guidance concerning the ultimate beneficial ownership thresholds is needed. If the funds of a single third party are limited, it might not be feasible or even have added value to consider each third party as the UBO of the customer. FIs should be able to take a risk-based approach to implement this requirement.On Guideline 9.20, it is only recently that a number of international and national regulations included definitions related to Virtual Assets and Virtual Asset Service Providers (VASPs), notably the 2021 FATF Updated Guidance for a risk-based approach, and for example the French Plan d’Action pour la Croissance et la Transformation des Entreprises (PACTE) (LOI n° 2019-486 of 22 May 2019). It is therefore difficult to have yet an appropriate understanding of the level of compliance of VASPs with AML/CTF requirements. At the same time, we would like to stress that VASPs established in the EU should benefit from an appropriate access to banking services. In order to effectively monitor their operations, it is important to specify how we should implement the risk-based approach to EU VASPs. In particular, we would welcome additional clarifications in the guidelines on mitigating measures regarding requirements banks may have to apply when they have business relationships with EU VASPs. Additionally, according to the new FTR regulation, the definition of correspondent banking relationships will include these business relationships. We would also welcome further guidance on the implementation of the risk-based approach, considering this new legal qualification.
Considering jointly the Guidelines 9.20 and 9.21, we would also like to stress that banks should be allowed to perform CDD measures based on the type of business they offer to CASPs. Indeed, it is our view that guidelines on crypto assets should not be applicable when a bank only provides traditional services to a CASP and that are separated from the transfers of crypto assets, for example corporate lending products that are not related to correspondent relationship with CASP. Therefore, all requirements under 9.20 and 9.21 should only be made mandatory where an FI is directly exposed to the CASP’s business activities. The application of all requirements, regardless of the product offering might otherwise be disproportionate.
On specific elements of Guideline 9.21, we have the following questions and observations:
a) How should dialogue be understood in the context of this requirement?
b) What is meant by Senior Management in this context? We also note that it is not risk increasing if the UBOs and Senior Managers are not the same individuals.
c) Please clarify this requirement to be more specific on what banks are supposed to assess. Also, how does the requirement that a CASP shares it's CDD measures taken on voluntary basis commensurate to competition law?
f) It is very difficult to reliably establish if a customer is providing services for which it is required to be licensed and/or registered. Would it be sufficient to rely on customer statements in this regard?