Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Go back

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

With reference to art. 2 – Assessment and classification of the inherent risk profile of obliged entities, it is noted that, as indicated in paragraph 3.2.1 of the consultation document “The draft RTS on the assessment of the inherent and residual risk profile of obliged entities” (point 20 lett. a)the risk indicators and weights would not be included in the draft RTS. Furthermore, point (9) of the same document specifies that "It will be the role of AMLA, in cooperation with competent authorities, to develop and keep up to date the necessary guidance to ensure that each competent authority applies the same thresholds and weights". 

This approach does not provide obliged entities with clear indications regarding the methodology for defining risk indicators and the application of thresholds and weights and for the computation of inherent and residual risk, which are crucial elements in ensuring consistent alignment in the adopted Risk Assessment methodology. Moreover, the definition of such methodology could represent a benchmark for the alignment of obliged entities’ self-assessment methodologies. Accordingly, it would be appropriate for the content of point (9) to be further integrated. 

It would be important, moreover, to clarify if life insurance Undertakings/Companies are included in this new methodology if a part of the group.

We would like to stress, in general, the importance for a clear legal framework and interpretative notes, as the implementation of the requirements and the activity for finding and collection all the information for the data points will require expensive investments for the obliged entities.

Actually, the data points listed in the RTS – for many parts – are not the ones that national intermediaries have used for the national survey managed by our NSA.

In particular, it will be very important to clarify the timing and timeframe for referred data points and work on definitions as some of them may vary from one obliged entity to another. Moreover, it would be important to understand how this assessment based on data points will impact also on the internal risk assessment of the entity and if and how the results of this assessment could or should be compared with the results of the internal risk assessment of the entity. 

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

We agree with the statement that residual risk cannot exceed inherent risk, as the latter can only be mitigated, not amplified, by control measures. Vulnerability thus represents the degree to which inherent risk can be reduced, ultimately determining residual risk.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

In relation to Annex I “Data Points to be collected for the purpose of the RTS under art. 40 (2) of the AMLD and art. 12 (7) of the AMLA Regulation” with specific focus on Sections A and B, the number of data point to be collected appears excessively high (#156 for Inherent Risk and #112 for the quality of controls). It would cause a significant impact in terms of costs and efforts with particular reference to data related to products, services and transactions. A more proportionated approach would be advisable consistently with the simplification process envisaged by the European Commission. 

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

With regard to “Section B – AML/CFT Controls” we suggest removing the data points “Number of high-risk customers that are legal entities” and “number of customers per ML/TF risk category” in cluster 3.A “Customer Due Diligence” as it appears a data point more related to the inherent risk.

Furthermore, we suggest clarifying whether:

  • the assessment results will be calculated with a stand-alone approach for each single obliged entity;
  • each Member state Supervisor will collect data related to stand-alone obliged entities established within the related Member state only
  • the credit institution with foreign branches established in EEA countries must include within the value of each data point also data/information related to its foreign branches established in EEA countries.

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

With reference to the statement “Supervisors shall carry out the first assessment and classification of the inherent and residual risk profile of obliged entities pursuant to art. 2, 3 and 4 of this Regulation at the latest nine (9) months after the date of entry into force of this Regulation” we highlight the need to specify within the defined time the portion of time allocated to the obliged entities which should be at minimum six (6) months considering its complexity.

It is important to take in consideration, with reference to: 

  • the statement included in Annex 1 “The final RTS will include an ‘interpretive note’ that will specify what each data point entails in relation to each sector as well as clarifications in relation to the dates associated with each data point”,

the statement included in point 19 of the background and rationale note: “AMLA would not specify how supervisors collect these data points, because the relevant sources of information may vary from one Member State to another. For instance, in some cases, supervisors may be able to collect part of the information from their prudential counterparts or from the local FIU, while in other cases, they will need to collect all the data from the obliged entities” 

that until both informations are made available to the obliged entities, it will not be possible for them to initiate any  operative project aimed at creating the infrastructure for collecting and delivering data points.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

No comment

Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

We agree with the proposal as in EEA jurisdictions the level of regulation and controls, further enhanced through AML Package requirements, is higher than the ones in place in third countries reflecting a higher risk for transactions linked with the latter ones.

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

It is not clear how to identify and calculate the total value of transactions. We suggest to clarify the scope of transactions to be considered relevant and to provide detailed indications on the calculation methods.

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

The proposal to further lower the thresholds seems to us not to be in line with the intention - declared by the EBA itself - to consider only the cases that are truly relevant (according to the principle of "materiality").

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

No comments

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

We agree that the methodology for selection is based on the results of the risk assessment executed following the methodology defined within the “RTS on the assessment of the inherent and residual risk profile of obliged entities under Article 40(2) of the AMLDand we would suggest, as reported in “Point 1 - EBA Question 3” above, to adopt a simplified and standardised approach for the risk assessment methodology. 

Moreover, we deem of utmost importance that RTS and/or subsequent technical documents should address the parametrization and calibration methodology to give the more relevant weight to the inherent risk in the computation of the residual risk and should include a definition of the communication process regarding the selection of obliged entities to be included in the direct supervision by AMLA in order to mitigate the risk of stigma that such selection could bring. 

Direct supervision should be the most advisable model above certain thresholds of inherent risk if associated with significant cross-border activities. Direct supervision should also be applied to institutions with significant ML/TF risk exposure, such as fintech, VASPs or entities active in high-risk geographies, even if they do not meet the quantitative thresholds. A transparent communication strategy to mitigate potential reputational stigma for entities selected under AMLA supervision should be introduced. Selection should be clearly communicated as a supervisory decision—not as a signal of non-compliance.

As the stigma effect could lead to undesirable impacts on operations and correspondent banking, it is essential to clearly communicate to financial markets that this risk assessment is functional to supervision activities only, and does not imply any concerns about the current operations and stability of the institution.

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

We believe it is correct not to provide for the possibility for supervisory authorities to adjust the level of inherent risk assigned also in the methodology for the assessment of inherent risk and residual risk under art. 40 (2) of the AMLD in the absence of precise and homogeneous indications on the factors to be considered. We also believe it is appropriate to review in this RTS the possibility for supervisors to adjust the score assigned to the quality of controls as already represented in relation to the RTS on the assessment of the inherent and residual risk profile of obliged entities under Article 40(2) of the AMLD.

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

With reference to point 2 in Art. 5 we suggest to provide clarification on the formula with some numerical examples.

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

The perimeter of group entities included into this exercise is unclear as well as the role of the Parent Company in collecting and transmitting data points. In particular, the RTS should clarify whether:

  • the assessment aimed at identifying entities to be subject to direct AMLA Supervision will be conducted at group level, including or not including non-EU entities of a Group;
  • the Parent Company has the role to deliver data to AMLA for all the entities in scope or each entity (including entities established in non-EU countries) will deliver data separately;
  • the Parent Company with foreign subsidiaries and foreign branches in EU will have to provide data points to the Parent Group’s Supervisor also for EU subsidiaries and foreign branches that have already provided data to the own Member state supervisor;
  • the foreign branches established in EU countries will have to provide data to their respective National Supervisor;
  • the Parent Company with foreign subsidiaries and foreign branches established in non-EU member states will have to provide the data points also on behalf of them to the Parent Group’s Member state Supervisor;
  • the data related to foreign branches will need to be transmitted stand alone or together with the Parent Company;
  • the data could be submitted in different currencies or in Euro. 

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

The application of the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile is deemed appropriate. Once the objective criteria for the risk assessment calculation, including weights, are established, the parent company will be required to align with these criteria, ensuring that there is no deviation in the calculation method compared to the subsidiaries. This approach will reliably assess the effectiveness of group-wide controls, with the parent company reflecting the aggregate risk profile of the other entities.

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

No comments

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

General considerations

With reference to the degree of specification of level 1, EBA has chosen option 1a “Not specifying further level 1 requirements that are already sufficiently detailed and only providing further clarification where needed to achieve a harmonized risk based approach”.

While understanding the need of allowing flexibility of the obliged entities according to the risk based approach avoiding to specify specific requirements for every situation, the RTS should also avoid:

  • misleading interpretation for groups that have legal entities within Europe;
  • distortions of competition among different obliged entities.

A more prescriptive and detailed approach related to some requirements/aspects, that may hamper harmonization if not detailed, would help mitigating these risks as it would reduce national differences in the application of KYC rules. 

Therefore, we warmly suggest that EBA considers to provide further details on many of the provisions, as requested in the specific comments.

Grand fathering clauses (art. 32)

Banks have always emphasized the need for and importance of an adequate timeline to adapt their workflows and processes to the new CDD requirements and to upgrade IT tools, as well as rolling out training programs. In this perspective, we welcome the provision set out in article 32 even if we ask confirmation about the fact that the reference to “publication of Regulation” is to RTS that will be published after the application of the Regulation 1624/2014 (AMLR).

Specific points:

  • Recital 5 RTS: with reference to "copy thereof certified by an independent professional or a public authority" the wording would not seem sufficiently suitable for the purpose of ensuring the official nature of the documentation accompanying the due diligence. It is necessary to clarify which figures are referred to by the expression "independent professional

     

  • Recital 16 RTS: the expressions used in Recital 16 such as "customer information", "identification updates" are not explicitly defined either in the RTS or in the Regulation, giving rise to interpretative uncertainties. Confirmation is required that the activity is in relation to the updating of the data relating to the identification of the customer and not to all the phases of the due diligence. Therefore, we ask to confirm that there’s also a possibility, based on the risk, for the use of automated systems, without necessarily contacting the customer.
  • In relation with recital (10) where is established the following: “The identification of SMOs is allowed by Regulation (EU) 2024/1624 only in cases where the obliged entity has been unable to identify beneficial owners having “exhausted all possible means of identification” or where “there are doubts that the persons identified are the beneficial owners.Finding it difficult to identify the beneficial owner, for example in cases of complex structures, does not amount to such ‘doubts’ and therefore will not provide a sufficient basis for the obliged entity to identify the SMOs instead”. 

We propose that the RTS includes case studies supporting obliged entities in the application of the requirement related to beneficial ownership for the correct identification of the UBO and SMO (i.e FAQ and Questions and Answers). 

  • With reference to SMO, we would highlight the following points:

a) RTS should include a specific reference to the definition of SMO same as the one used for the purposes of art. 63 of the AMLR (‘senior managing officials’ means the natural persons who are the executive members of the management body, as well as the natural persons who exercise executive functions within a legal entity and are responsible, and accountable to the management body, for the day-to-day management of the entity);

b) with reference to art. 22, par. 2 of the AMLR we would highlight that some passages are not clear and need more clarification. We refer, in particular, to the following:

  • Where, after having exhausted all possible means of identification, no natural persons are identified as beneficial owners, or where there are doubts that the persons identified are the beneficial owners, obliged entities shall record that no beneficial owner was identified and identify all the natural persons holding the positions of senior managing officials in the legal entity and shall verify their identity”.

Without prejudice to the wording of the provision, it would be necessary to consider a  "gradual" identification of these subjects, on the basis of the role actually exercised. A different approach would entail significant economic impact.

  • “Where the performance of identity verification referred to in the second subparagraph may tip off the customer that the obliged entity has doubts regarding the beneficial ownership of the legal entity, the obliged entity shall abstain from verifying the senior managing officials’ identity, and shall instead record the steps taken to ascertain the identity of the beneficial owners and senior managing officials. Obliged entities shall keep records of the actions taken as well as of the difficulties encountered during the identification process, which led to resorting to the identification of a senior managing official“. 

Clarifications and examples are needed in order to understand the meaning of “doubt”.

  • In relation to art. 1 (3) of RTS  where is established the following: “In relation to the name of a legal entity as referred to in Article 22(1)(b) point (i) of Regulation (EU) 2024/1624 obliged entities shall obtain the registered name, and the commercial name where it differs from the registered name” we propose to eliminate the obligation to collect the commercial name or, as a fall back position, to make it optional in addition to the registered name. Alternatively, it is required to indicate the sources that can be used, within the European Union, to identify such reference. Actually, the commercial name is not unambiguous and – as far as we know – it is not able to identify an entity with reasonable certainty.
  • In relation to art. 4 RTS, we would invite EBA to clarify the means by which banks could reasonably collect and verify information on nationalities; among the others it would be useful to clarify if: a) customers’ self-certification can be considered a suitable tool to verify it, considering that this instrument is generally recognized by our national legislation in many cases; b) nationality can be considered the one related to the place of birth if present in the document.

  • In relation to art. 5 (1) RTS  is established the following: “For the purposes of verifying the identity of the person in accordance with Article 22(6) (a) and Article 22(7)(a) of Regulation (EU) 2024/1624 a document, in the case of natural persons, shall be considered to be equivalent to an identity document or passport where all of the following conditions are met: a. it is issued by a state or public authority, b. it contains at least all names and surnames, the holder’s date and place of birth and their nationality, c. it contains information on the period of validity and a document number, d. it contains a facial image and the signature of the document holder, e. it contains a machine-readable zone, f. it contains security features and, g. it contains, where available, biometric data”.

    We would like to point out that a large part of Italian documents acceptable under Italian law for the identification do not contain information on nationality or a machine-readable zone or a security features.  On this point, we therefore believe it is necessary to explicitly state that the national identity document and the passport are considered valid for the purpose of verifying the identity of the customer in each Member State, as well as that all documents considered by national legislation to be equivalent to an identity document or a passport.  Therefore, we propose the following amendment:

    For the purposes of verifying the identity of the person in accordance with Article 22(6) (a) and Article 22(7)(a) of Regulation (EU) 2024/1624 a document, in the case of natural persons, shall be considered to be equivalent to an identity document or passport:

    - where all of the following conditions are met: a. it is issued by a state or public authority, b. it contains at least all names and surnames, the holder’s date and place of birth and their nationality, c. it contains information on the period of validity and a document number, d. it contains a facial image and the signature of the document holder, e. it contains a machine-readable zone, f. it contains security features and, g. it contains, where available, biometric data;

    or

    - a member state, in its legal system, considers that document valid for identification purposes.

    As a fall back position we suggest to eliminate the characteristics that are not present today in all our identity documents.

  • In relation to art. 5 (2) where is established the following “In situations where the customer cannot provide a document that meets the requirements in paragraph 1 of this article for legitimate reason, a document shall be considered equivalent to an identity document or passport if it is issued by a state or public authority and it contains at least all the customer’s names and surnames, place and date of birth, nationality and a facial image of the document holder, we believe that “legitimate reasonscould be better explained. It may contain, for example, all the cases in which the customer does not have a valid identity document or passport or a document whit the characteristics set out in art. 5 (1). In any case, it would be important to define (also as examples)  the  circumstances that can be qualified as the above mentioned “legitimate reasons”.

In such cases we ask to eliminate “nationality” and “place of birth” from the essential requirements considering the fact that many Italian documents do not contain this information. For example, the conditions listed do not seem consistent with those of driving licenses (which is a valid ID document in Italy). In Italy some customers may legitimately have only a document that does not meet the requirements of Article 5.2; it is requested to review the wording as the current content could be discriminatory against these customers. 

Also in this case it would be useful to clarify that documents that a member State, in its legal system, considers valid for identification purposes, can be used. 

In any case we propose the following amendment:

“In situations where the customer cannot provide a document that meets the requirements in paragraph 1 of this article for legitimate reason, a document shall be considered equivalent to an identity document or passport if it is issued by a state or public authority and it contains at least all the customer’s names and surnames and date of birth and a facial image of the document holder”.

 

  • With reference to Article 7 RTS  “Reliable and independent sources of information  - When assessing whether a source of information is reliable and independent, obliged entities shall take risk-sensitive measures to assess the credibility of the source, including the reputation, official status and independence of the information source, the extent to which the information is up-to-date, the accuracy of the source, based on whether the information or data provided had to undergo certain checks before being provided or is consistent with other sources or over time, and the ease with which the identity information or data provided can be forged” we would like to have clarification of what does “official status” mean in relation to source of information.
  • Regarding art. 9 of RTS when beneficial owner is verified based on public registry the full set of information required by art. 62(a) of Regulation 2024/1624 are not available (eg. number of ID document, nationality), Accordingly, we can rely only on information as available from those public registries, also in order to apply art. 22, paragraph 7(b) of EU Regulation 2024/1624. We suggest adopting for those scenarios a similar criterion as provided under RTS section 1, art. 5, paragraph 2, namely: name, surname, POB, DOB together with TAX code (or equivalent, social security number). We also suggest including, in the event that beneficial owner public registry are not available, the trade registry among list of reliable public registers available to verify the beneficial owner based on the information available over there. In case of registry issued by a third country, this public register would be reliable to the extent is provided in a legalized form (eg. notarized with apostille).
  • Regarding art. 10 of RTS:

  • where is established that: “For the purposes of understanding the ownership and control structure of the customer in accordance with Article 20(1) (b) of Regulation (EU) 2024/1624 and in situations where the customer’s ownership and control structure contains more than one legal entity or legal arrangement, obliged entities shall obtain the following information:

    a) a reference to all the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their beneficial owners, if any….” 

    We would require clarification on the definition of reference (in order to correctly implement the requirements) and then have confirmation that the reference (as it will be defined by RTS) is obliged for legal entities and not for natural persons…;

  • where is established that:  2. “Obliged entities shall assess whether the information included in the description, as  referred to in Article 62(1)d of Regulation (EU) 2024/1624, is plausible, there is economic rationale behind the structure, and it explains how the overall structure affects the ML/TF risk associated with the customer” we would like to have a clarification on what is a description.

     

  • Regarding Art. 11 of the RTS: In relation with recital 10, identifying the SMO as beneficial owners is not possible without having “exhausted all possible means of identification”. As indicated, obliged entities shall treat the ownership as complex when "there are two or more layers between the customer and the beneficial owner" and one of the conditions indicated in the same article are met. However, it is very common to have one or more layers between the client and the UBOs. The risk is that in presence or two or more layers, the structure will be considered as complex, even if the are not difficult to identify the UBO. On the contrary, the structure may be complex when it is fragmentated, or when there are one or more trusts, or other legal entities registered in different jurisdictions. Consequently, we consider the definition of “complex structure” excessively broad and requires some clarification. We recommend deleting points a) and c), since they are not deemed to be independently representative of higher risk situation. With respect to point b), we suggest adding the following specification "(...) different jurisdiction in high-risk countries defined according to articles 29, 30 and 31 of Regulation 1624/2024". We consider this approach is consistent with Rationale 41, which highlights the need to follow a risk- based approach that focuses on effective outcomes to avoid an increase the cost of compliance without tangible benefits. “Understanding the ownership and control structure of the customer in case of complex structures,” we would require EBA to indicate the concrete means (even based on the risk) by which the description may be collected, even in terms of exemplificative sources that can be used; 

     

  • Regarding art. 12 of the RTS pursuant to EU Regulation 2024/1624 the SMO is not equivalent to UBO and therefore there is no ground to identify this person as the same as the UBO. This approach of full identification of SMO is overburden for obliged entities. Therefore, we suggest adopting a light measure aimed to identify the SMO based exclusively on the information available by means of trade registry, unless the selected SMO is also authorized person to operate with the obliged entities in the context of the established business relationship. RTS should remove item a) and b) and replace with the following new standard": collect information as available based on public registers".
  • Article 12 - When the obliged entity is allowed to identify SMO, in case of SMO of the legal entity client that are natural and legal person, it would be important to clarify if the bank should identify only the SMO (natural person) of the legal entity client or the SMO of the SMO legal entity, or both of them;
  • Article 13 (2): According to Article 64, par. 3, AMLR, it is necessary to underline that, primarily, it is the trustee who is burdened with the obligation to provide information on beneficial ownership and on the assets of the legal arrangements, and he should comply with it in a timely manner.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

  • In relation to art. 6 RTS “Verification of the customer in a non face-to-face context”, generally speaking, we would highlight that is not very clear why e-idas compliant solutions are first choice and the other solutions a “second best” just in case the first solution is not available or cannot reasonably be expected to be provided.
  • We do not agree with the interpretation that refers Art. 22, paragraph 6, letter a) only to physical “submission” (the term submission can be referred also to online situations).
  • Even if we understand and appreciate the EBA’s RTS effort to overcome the above mentioned interpretation, regarding this point we would like to highlight that banks have recently – and costly – implemented remote on boarding solutions compliant to EBA guidelines that needs to be maintained not just a second solution but equal to the e- idas compliant solution. Moreover, accordingly to the current figures, solutions adopted in line with the EBA guidelines on remote boarding solution are proofed effective to prevent fraud;

On paragraph 3 which introduces the obligation to obtain from the person to be identified his explicit consent, RTS should clarify that the signing of privacy documents could meet the consent and registration requirements also for this purpose.

Furthermore, it is unclear which cases exactly fall under “unavailability” and “cannot reasonably expected to be provided”.

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

Under Article 22(3) of Regulation (EU) 2024/1624 the banks servicing the bank or payment account to which a virtual IBAN issued by another credit institution or financial institution redirects payments are required to obtain from the institution issuing the virtual IBAN the information to identify and verify the identity of the natural or legal persons using any virtual IBAN is required to obtain the information identifying and verifying the identity of the natural person using that virtual IBAN without delay and in any case within 5 working days.

RTS should provide technical instruction on: i) the way the servicing banks could identify the presence of a virtual IBAN in the payments; ii) the means to be used for requesting and receiving the information and documentation for the identification and verification; and iii) which information and documentation is requested also in terms of verification of the identity. 

 

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

As general remark, both for Art. 15 and 16 of the RTS the mandatory collection of the information listed, without risk based evaluation by obliged entities, doesn’t seem in line with level one legislation, as art. 25 of AMLR requires the collection of a specific set of information only “where necessary”. 

Indeed, according to the current wording, it seems that the information listed should be collected in any case despite the level of the risk associated to the customer. For example, Art. 16 refers to “risk sensitive measures” not to evaluate which information the entity should collect but “in order to obtain” the information listed. The wording is not clear at all. In particular, it is not clear if the information should be collected for each customer (corporate and retail), for each product and if they are subject to updates.

The risk sensitive approach should drive the entity to evaluate which are the information to collect based on the risk.

We would suggest, then, to evaluate the adoption of different approach, more risk based driven, as set out in Level one regulation. With specific reference to art. 16 RTS, lett. b e d), moreover, the quality and quantity of the information proposed to be required, would not seem to be consistent even with risk based approach and could pose difficulties of interpretation. 

Last, some information required by the proposed version of art 16 RTS (again, those referred in point b) does not fit for occasional transaction. In this sense, also a comprehensive check of all the measures required should be done, in order to understand if they can be referred to both to business relationship and occasional transaction.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Politically exposed person 

With reference to politically exposed person it would be important to clarify that, for the purposes of the application of Article 17 of the RTS, reference should be made only to the notion of "a family member or person known to be a close associate to Politically Exposed Persons" set out in Art. 2, paragraph 1, points 35 and 36 of the AML Regulation. This request aims at avoiding different interpretations of the scope of the requirements connected to politically exposed person (as, for example, risk propagation on subjects related to PEP’s family members).  

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

 

  • Article 19 RTS on the minimum requirements for the identification and verification of the BO or senior manager in low-risk situations" provides that in low-risk situations, the obligated entity may consult one of the following sources for identification of the BO or senior management, and use other sources from the same list referred to in point b. or c.:

a. information entered in the central register or in the commercial register;

b. the statement or explanation provided by the customer, including confirmation that the data is adequate, accurate and up-to-date for the purpose of verifying the identity of the beneficial owner or senior management;

c. any source of public and reliable information, including internet research.

We believe it is appropriate to ask for confirmation that this provision allows - in case of low risk - not to collect the identity document of the TE or senior executive and relying on a customer statement from the client, or on what will be found on the BO register or on open sources.

With regard to the provision of art. 22 (2) of the RTS “Customer identification data updates in low-risk situations” and recital (16) where is stated that “Obliged entities shall take the measures necessary to ensure that they hold up-to-date customer identification data at all times, and that they update the information they hold on customers onboarded before this Regulation within 5 years after the application date of this Regulation”. Regarding this point we would like EBA to consider the following approach that mix trigger events revision of data, with time-based update. Moreover, art. 22. 7 of the AMLR seems to go in the direction that, regardless of the low risk, it is not necessary to acquire a copy of the identity document of the beneficial owner. 

EBA should specify that for customers with a low risk of money laundering, the update of the information, if necessary, could take place through automated systems and, therefore, without necessarily contacting the customer. The reason for this request lies in the potential negative consequences may arise for both clients and banks, as well as society as a whole. Retail bank clients are often low risk. Reasons for the absence of response to information requests may include lower awareness of financial security issues, privacy concerns, difficulties in obtaining supporting documents from certain vulnerable clients, etc. A strict application of the relationship termination in this context could then lead to financial exclusion. For this reason, it may be appropriate that, for low-risk customers, banks are able to update/confirm information through automatic processes that do not involve the intervention of an operator or the customer.

Eventually it is necessary to better define the terminology used as it is not clear what should be interpreted for “customer identification update”. In this regard, we highlight that Article 26(2) of Regulation (EU) 2024/1624 aims to ensure that relevant customer documents, data or information are kept up to date. 

It would be useful to specify the information assumed to be "relevant" and how the Bank can achieve the purpose of keeping these informations updated all times.

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.

Among sectors, public Administration in EEA countries could be subjected to simplified due diligence.

Among services, we refer to operations regulated on regulated markets that take place between financial institutions

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

The RTS should specify that the customers subjected to enhanced due diligence and not falling in the category of higher risk shouldn’t be necessarily updated every 1 year, being allowed a different frequency. 

Finally, the RTS should clarify that the 5-year frequency required for all customers could be addressed via a straight-through-processing, leveraging on a trigger-based event review and an automatic confirmation of the lowest-risk clients in absence of additional risk factors. This approach would be risk based and consistent with the simplification process envisaged by the European Commission avoiding unnecessary costs to the industry. 

Moreover, as already said before, it is necessary to better define the terminology used as it is not clear what should be interpreted for “customer identification update”. In this regard, we highlight that Article 26(2) of Regulation (EU) 2024/1624 aims to ensure that relevant customer documents, data or information are kept up to date. 

It would be useful to specify the information assumed to be "relevant" and how the bank can achieve the purpose of keeping these information updated all times.

With reference to the following articles of the Regulation, we would ask whether it falls within EBA’s mandate to provide clarification on the following:

Article 24 (a) -  It would be useful to specify how an obliged entities could be able to obtain information related to destination of funds of a customer from authorities and other obliged entities.

Article 26, lett. G Recital (18) The request to acquire the source of wealth and the source of funds for beneficial owner of high risk customers could be satisfied with different means. For example, the obliged entities could use sources provided by specific entities responsible for processing information of this type but also a declaration of the client.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Requirements on art. 28 and art. 29 are also covered by EBA/GL/2024/14 (Guideline on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures) and EBA/GL/2024/15 (Guideline on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures under Regulation (EU) 2023/1113) that banks have recently implemented. 

It would be useful to define how RTS - once adopted by the European Commission - will relate with respect to the requirements of the EBA GLs. The definition of the approach would help also to understand how to manage the requirement of RTS (art. 29 letter d)) pursuant to which obliged entities shall “ensure the screening as well as the verification is performed using updated targeted financial sanctions lists without undue delay” against EBA GLs’ content, pursuant which PSPs “should have policies and procedures to (…) b) update their internal dataset to be screened (…) immediately after a new restrictive measure enters into force, or an existing restrictive measure is updated or lifted”. We believe it is appropriate to ask for confirmation that RTS, once adopted, would prevail on EBA GLs.

Generally speaking, we agree with the proposal as set out in Section 6, under art. 29 except for the following points: 

  • on transliteration, considering that under point 17 II set of “Summary of responses to the consultation and the EBA’s analysis”, EBA clarifies that “the screening of transliteration is not a mandatory requirement and should be carried out only if available” we would prefer to maintain the status quo.
  • on point a.iii we ask for some clarification on the requirement regarding “any other names”: for the correct implementation of the screening of such information may be necessary examples useful for setting the required screening functionalities.

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

No comments

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Art. 31, par. 3 requires that “Where an electronic identification means or qualified trust service does not possess all attributes that allow the identification and verification of the customer or beneficial owner, as required in Article 22(1) of Regulation (EU) 2024/1624 or Section 4 of this Regulation, the obliged entity shall take steps to obtain and verify the missing attributes through other means in line with Article 22(6).” 

Considering that:

  • art. 31, paragraph 1 of the Draft RTS on the assessment of the inherent and residual risk profile of obliged entities under Article 40(2) of the AMLD states that the information to be collected for art. 22(1) of the Regulation is set out in the Annex 1 of the RTS;
  • the Annex 1 of the RTS requires for legal entity, among other, the information about “(iv) the names of persons holding shares or a directorship position in nominee form, including reference to their status as nominee shareholders or directors”

a clarification is requested in particular on what criteria banks have to adopt to identify persons holding shares or a directorship position in nominee form.

Question 1: Do you any have comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches sets out in Article 1 of the draft RTS? If so, please explain your reasoning.

With reference to article 1 (l) “any other indicator identified by the supervisors” we highlight the following. Considering that the objective of the AML-CFT package is the harmonization of the AML-CFT Rules, we suggest deleting the letter in question as allowing supervisors the faculty to introduce “any other indicators” has the result that the national supervisors will adopt different indicators maintaining the local specificities. 

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches sets out in Article 2 of the draft RTS? If so, please explain your reasoning.

With reference to art. 2 of the draft RTS, in relation to the proposed classification of the level of gravity, we note that there are criteria subject to discretion of the national supervisor (e.g. when an impact is moderate or significant?). The RTS should define when the impact is considered moderate and significant to avoid potential inconsistencies/deviations of application among national legislations and a potential source of litigation.

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

With reference to art. 4 and art. 5 of the draft RTS, we highlight the following. Considering that the objective of the AML-CFT package is the harmonization of the AML-CFT Rules, we suggest deleting “any other criteria” as allowing supervisors the faculty to introduce the latter has the result that the national supervisors will adopt different indicators maintaining the local specificities.

With regard to Article 4(2) of the draft RTS, there are indicated criteria subject to a discretion of the supervisor: e.g. “quickly and effectively” (lett. a)), “actively and effectively” (lett. a)), “effective and timely” (lett. b)).

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

No comments

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

No comments

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

No comments

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

No comments

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the naturals persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

No comments

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

No comments

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

No comments

Name of the organization

ABI