Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates


Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

We agree with the proposed methodology of assessment and classification of the risk profile of obliged entities. But risk classification should always be dynamic, and the EBA would need to update what they will be evaluating; we would expect an approach that is flexible for emerging threats that might arise. Banks will need to have platforms that are flexible and can give you that risk profile evaluation, with as much information as possible. This is envisioned in our Perpetual Client Risk Assessment (pCRA) solution, for an updated, holistic view of the risk profiles.

pCRA enables an ‘always-on’ risk assessment, ingesting real-time information from any risk event such as screening, monitoring, or KYC, providing a full 360-degree snapshot of the client and their risk. Where activity, transactions or other risk events fall outside the expected behaviours of a customer, pCRA enables automatic application of screening and monitoring rules as defined by the organisation’s risk policies in response.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

The core and complementary data points proposed by the EBA are welcome. We recommend that the list of data points in Annex I be expanded to incorporate indicators related to fraud risk, credit risk, and new account activity, as these are often closely linked to money laundering and can provide early signals of emerging threats.

However, legacy financial institutions often operate with siloed technology stacks that don’t communicate with each other, making it extremely difficult to consolidate the required data across onboarding, transaction monitoring, screening, and control assessment systems. Even if all the required data points exist within an institution, without integration and centralisation, the value of that data is lost. In the short term, introducing these proposed data requirements will pose considerable challenges for institutions, particularly those with legacy infrastructure or fragmented data systems. This is why end-to-end financial crime compliance platforms are necessary.

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

There has been an estimated 30% year-on-year growth in the number of sanctioned entities, in large part due to global political instability, and with potential complexity arising from trade embargoes and other restrictions that necessitate further screening. With this high volatility, reviewing risk profiles once every year is not enough, and they can quickly become outdated.

The risk assessment process should not be treated as static or periodic, but as perpetual. It must be continuous and holistic, drawing on real-time data from across risk domains to reflect the true, evolving risk exposure of the institution. With the right technology in place for screening and monitoring customers and transactions, financial institutions can perpetually refresh their risk assessment processes.

Getting to this stage of perpetual client risk assessment would require uplifting of legacy solutions. Mapping and consolidating required information across onboarding, transaction monitoring, screening and reporting will require new system integrations or updates. With pCRA, a framework that continuously recalculates risk based on changes in client behaviour, transaction patterns, screening results, and control performance, this approach is more aligned with the spirit of risk-based supervision and ensures more timely, accurate, and proportional regulatory engagement.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

We support the differentiated assessment of EEA-linked transactions versus those involving third countries—not as a blanket rule, but as a baseline risk adjustment within a flexible, risk-based framework. However, member countries in the EEA are often not on the same level of regulatory compliance standards and technology adoption. While some countries are ahead of the curve, others are falling behind in terms of risk management and governance, calling for risk-based, nuanced, jurisdiction-specific configurations.

The distinction should not be automatic or binary; risk assessment must remain contextual and data-driven, especially for global financial institutions operating both in the EEA and across the world. Nuanced jurisdiction-specific configuration, and centralised risk management in each of the entities, allow for differentiated treatment of transactions based on both counterparty and origin/destination jurisdiction. Data integration across the group is critical to capture cross-border risk exposure—particularly when branches or subsidiaries in high-risk jurisdictions interact with low-risk hubs.

 

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

While these values offer a simple, binary test for determining materiality, they fail to capture the dynamic nature of risk in today’s financial landscape. A one-size-fits-all approach overlooks key variables such as customer type, transaction behaviour, product risk, and sector exposure—all of which can significantly impact an institution’s ML/TF risk profile, even at lower volumes.  

A more effective approach would be to use dynamic, risk-based thresholds that take into account the nature of the business, customer profile, transaction behaviour, and geographic footprint. For example, smaller fintechs operating cross-border might serve fewer customers with lower average spend, yet their activity could be high-risk due to innovative product structures, limited physical presence, or limited onboarding oversight. Additionally, small-value but high-risk patterns—such as those seen in low-volume trade-based money laundering—would not be captured under the current proposal. Criminals may deliberately structure operations to remain just below customer or transaction thresholds to avoid heightened scrutiny or direct AMLA oversight.   

To support more meaningful supervision, we recommend supplementing fixed numerical thresholds with behavioural indicators, such as transaction complexity, customer concentration, or indicators of structuring, particularly where risk indicators are disproportionately high relative to volume. 

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

See above.

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

We advocate for a risk-based approach that distinguishes between retail and institutional customers, given their significantly different risk profiles, transaction behaviours, and potential impact on financial crime exposure.  

Using the same numerical threshold (e.g., 20,000 customers) to measure materiality fails to account for this qualitative difference in risk. An institutional client base of just a few hundred could generate significantly higher ML/TF risk than thousands of retail clients. In line with the risk-based approach and to ensure regulatory focus on material risks rather than customer volumes alone, we believe that customer thresholds should not be uniform across retail and institutional segments. 

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

We believe the identification of the group-wide perimeter should be based on the nature and risk profile of each entity’s operations, rather than applied as a blanket rule across all corporate structures. While it is important to have consistency in defining which entities fall under group-level supervision, a more effective method would involve assessing each entity’s functional role, financial activity, customer exposure, and control environment to determine whether it materially contributes to the group’s AML risk profile. 

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

See above.

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Yes. Standardising and improving the quality of collected customer data supports: 

  • Better name matching during client and transaction screening.
  • Fewer false positives due to consistent formats and reliable identifiers.
  • Stronger assurance that screened identities actually match real-world individuals/entities. 

This will also help in standardising fraud and adverse media data points, ensuring consistent risk identification across institutions and improving interoperability between systems. It enables more reliable alert generation, reduces inconsistencies in how compliance, reputational and behavioural risks are assessed, and allows for better reporting. While the EBA’s intent is to create a common data language to make risk assessment standardised and easier, not all data points carry the same weight, and treating them equally without a nuanced, risk-based application can lead to inefficiencies. This should be complemented with AML tools that support multi-configuration screening to increase the accuracy of alerts and reduce false positives.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Yes, we agree with the proposals in Section 2, as a unified approach to collecting and assessing the purpose and intended nature of the business relationship enhances consistency, auditability, and the quality of AML risk assessments across the EU. From a technology standpoint, implementing the proposals in Section 2 introduces some upfront costs related to data model updates, integration with onboarding platforms, and customer file enrichment. However, RegTech solutions like Napier AI can help mitigate these costs by enabling risk-based configuration of CDD workflows, automating data capture, and embedding ongoing monitoring to meet regulatory expectations efficiently. 

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Agree.

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Enhanced due diligence (EDD) is critical in high-risk situations to mitigate exposure to financial crime, and the proposals in Section 5 rightly emphasise the need for deeper checks, ongoing risk evaluation, and documentation beyond initial onboarding. However, for institutions to meet these requirements effectively and efficiently, they must have the technology in place to support multi-configuration screening—enabling them to apply different EDD triggers and thresholds for various customer types, geographies, and risk scenarios.

At Napier AI, we support our clients with configurable screening solutions that can be tailored to trigger EDD workflows when specific thresholds or red flags are met. These include dynamic segmentation, country risk factors, and real-time alerting.  

Institutions can fine-tune name matching algorithms, alert thresholds, and data sources to reflect varying levels of risk tolerance: enabling stricter controls where needed and reducing false positives in lower-risk areas. By embedding these controls early in the onboarding and monitoring lifecycle, institutions can better ensure compliance with enhanced measures while maintaining operational efficiency. 

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Yes, we agree with the proposals in Section 6. Effective ongoing monitoring is essential to detect evolving risk and ensure that business relationships remain aligned with the customer’s known profile. We particularly support the emphasis on applying a risk-based approach to review frequency and updating customer due diligence information in response to relevant changes. 

At Napier AI, we advocate for and enable real-time screening and monitoring as a core part of our compliance framework. By continuously assessing transactions, behavioural patterns, and risk indicators, institutions can identify inconsistencies and trigger immediate updates to customer risk ratings. This ensures that monitoring is not just periodic, but dynamic and proactive, allowing firms to meet regulatory expectations while reducing false positives and improving investigative efficiency. 

 

Name of the organization

Napier AI