Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
The proposed approach is fine, but the methodology is left unfinished. The RTS provides a list of data points, but there is no information on how calculations or thresholds on these data points will occur in order to evaluate risks. The calculation method should not be left outside of the consultation, as it is the key point of the RTS.
Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.
The residual risk should reflect what remains of the inherent risk after application of the risk reduction measures, therefore it cannot be higher than the inherent risk. If a case occurred where it was the case, it would only mean that the inherent risk has been inadequately calculated.
3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?
It will be an additional regulatory report, again different from the existing ones, at a time when all the financial place highlights the burden of piles of regulatory reports and advocates for less instead of more.
3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?
The problem is less the unavailability of the data than their unavailability in central databases which would allow the calculation of the required numbers without significant systems developments. Taking examples such as "Number of NPOs with cross border transactions to/from non-EEA countries", or "Total Number and Value (EUR) of consumer loans granted during the previous year that are not associated to the acquisition of any product/service": these would require the compilation of different client databases, product databases and payment databases that might not be readily available, thus generating significant development costs.
3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?
Customer and geography information might be available.
Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
The cost is incurred by finding ways to gather and calculate the data. On the quantitative side, once the effort has been done for the first time, it is unlikely that an annual or triennial frequency will change much. Once the data has been gathered, the actual effort is on the qualitative side, to manage the manual adjustments and exceptions. Communications on these topics between institutions, auditors and authorities are what really makes a difference between being done annually or triennially.
Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.
Regarding the quantitative criteria, the definition of a micro-entity is usually set as an entity with 10 or fewer employees. The need to create a different threshold is not obvious.
Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.
As the ultimate goal of gathering this information is evaluating AML-FT risk, the difference should not be made between EEA and non-EEA countries, but between AML-FT equivalent countries and non-AML-FT equivalent countries.
Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
N/A
Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.
N/A
Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.
N/A
Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.
N/A
Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.
N/A
Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
N/A
Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.
N/A
Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?
N/A
Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
N/A
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
In paragraph 2 of article 5, it is difficult to understand why the reduced requirements would exclude the validity date. That security features might not always be available is understandable, but date of issuance and where relevant expiry date are a key feature available on most identity documents.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
The most dangerous element in article 6 is the last sentence of point 2. If any allowances are made to lower the security of the process, it should be linked to the level of AML-FT risk of the activity, and not to the size or complexity of the entity. In addition, when the entity performs KYC on behalf of another entity (such as insurance brokerage), the AML-FT risk of the entity should be the risk of the final entity and not the risk of the introducing entity.
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
N/A
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
N/A
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
N/A
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
N/A
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.
The EBA and some national authorities already provided guidelines on typical higher risk and lower risk products. All documents on that topic should be gathered and aligned in a single reference document.
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
The only element which does not fit a rational process is article 24 point 2. Instead of "reputation", which suggests a non-factual rumor-like evaluation, it would be preferable to detail elements such as convictions, investigations or negative news.
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
N/A
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
N/A
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
N/A
Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.
Article 1 does not differentiate enough between what "might be" and what "has happened". If we take the example of point (g) of the article: "whether the breach could have facilitated or otherwise led to criminal activities", this should typically be split into two points "whether the breach could have facilitated criminal activities" and "whether the breach actually facilitated or led to criminal activities". On the contrary, points (i) and (g) both mention actual or potential impact, but none of them mention money laundering circuits. In a more general manner, the elements listed in article 1 are too organization oriented and not enough actual impact oriented.
Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.
Article 2 is linked to article 1. It is necessary for article 1 to be clarified in order for article 2 to be more efficiently organized. In its current state, article 2 would typically assign the same weight to a potential ML activity as to an actual one, which is problematic.
Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.
In terms of balance, having two lowering criteria and six increasing criteria does not seem so objective. At least some typical lowering criteria are missing, such as the fact that relevant preventive AML-FT measures were in place, or the breach occurred on an activity discontinued for high AML-FT risk.
Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.
Turnover does not have much meaning in the banking activity. Each financial sector has one or more relevant P/L elements which should be the basis for revenue criteria.
5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?
N/A
5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?
The fact that the market impact would be taken into account for a divestment but not for a suspension of authorization does not seem relevant.
5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?
N/A
Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.
This is pretty straightforward, as some indicators can be applied in all cases (e.g. cooperation), while others refer to elements which only exist in the financial sector (e.g. liquidity requirements).
Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.
No
Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?
No
Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?
At least, the RTS should be clearer on the frequency of collection of payments. It is hard to understand why the penalty payments are calculated on a daily to monthly basis, but can be collected up to five years afterwards, while the penalty period according to article 57 cannot exceed twice 6 months.