Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

Article 40 of the AMLD requires supervisors to apply a risk-based approach to AML/CFT supervision. Under a risk-based approach, supervisors are required to adjust the frequency and intensity of supervision based on the ML/TF risk profile of each obliged entity in light of each entity’s business model, operation and customer base. 

The draft RTS should help assess and classify the inherent and residual risk profile of each obliged entity based on an automated scoring system. The danger with an automated scoring system is that it lacks an assessment of the individual case and national or organizational specificities since it will have to limit itself to common agreed criteria and data points, which have to be carefully selected not to create static categories of risk indicators. 

• Assessing the quality of controls based on a two-step process seems more appropriate, whereby the control risks would be first assessed in an automated manner based on objective criteria and then manually adjusted based on professional judgment where necessary.
• We overall encourage an approach to limit data requests from obliged entities and stakeholders to those that are strictly necessary for ML/TF risk assessment purposes. 

While the methodology laid out by the EBA to determine risk appears in line with international standards established by the Financial Action Task Force (FATF) – when ascertaining inherent risk, looking at controls and then coming to a residual risk assessment – we have clear concerns around the suggested single set of data points. 

Apatride Network, a stateless-led organisation in the EU, is concerned about the potential harm of overly automated scoring systems that fail to account for diversity of data, such as that of legal status conditions and nationality. Apatride Network's research data, covering the EU+UK region, highlights the impact of inflexible systems that do not account for specific cases, such as stateless persons, refugees, and asylum claimants. The issue is tied to lack of qualifications of writers and managers of automated scoring systems in having sufficient expertise in data points relating to legal identification, migration, nationality, and international protection. 

There is a lack of safeguards to prevent arbitrary discrimination or exclusion based on limited or improperly formulated data points. We urge the EBA to include clear guidance on how to incorporate relevant exceptions and apply professional judgement where the legal or identity documentation may differ due to such widespread factors as forced displacement or statelessness.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

No comment

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

We have concerns about several proposed data points, specifically:

Number of NPOs and number of NPOs with cross-border transactions to/from non-EEA countries 

The listing of NPOs as client base and hence a potential indicator for risk gives the impression that having NPOs as clients creates a certain risk profile for obliged entities. NPOs where they are legal entities should be included in the category of legal entities and customers. We strongly recommend to remove the category of number of NPOs and number of NPOs with cross-border transactions to/from non-EEA countries for the following reasons:  

FATF Recommendation 8 and the methodology for assessing it clearly recognize that not all NPOs are vulnerable to TF/ ML abuse and that only (potentially small) subsets of the NPO sector are at risk. The listing of NPOs would also not take into account risk mitigation measures adopted by NPOs in the humanitarian sector and other NPOs at national or sector levels. The EU SNRA also refers to the specificity of "humanitarian NPO's" and the robust risk management procedures they have implemented.

 Therefore, putting all NPOs as indicator for risk is contrary to current standards. Moreover, singling out NPOs in this way will result in unintended consequences for the sector as a whole, including for obliges entities/financial service providers to not serve the NPO sector anymore (so called bank derisking). NPOs are a legal entity like any other, and there is already a criterion for this laid out in the Annex (‘Number of legal entities’). There is no need to exceptionalize one particular legal entity in this way when the consequences of this for the sector are well documented. 

The EU Supranational Risk Assessment flags the bank derisking that the sector is subject to (p.7). The FATF has also carried out extensive work on the unintended consequences of its framework for NPOs, which include financial exclusion and bank derisking, as has the EBA. The singling out of NPOs in the list of indicators will only exacerbate this problem and is not in line with existing FATF standards. 

FATF has also stated in different contexts that the sole fact of a cross-border transaction does not create higher risks. Analysis of past financing of terrorist incidents even point to local and low budget actions.  Hence the reference to cross-border transactions to/from non-EEA countries could potentially be removed for any customer/legal entity.  

Based on international standards and good practice, what the EBA is proposing is not risk-based or proportionate, will lead to undue focus on the sector when regulation should be vehicle agnostic, and will be repeating mistakes that have been made in the past two decades and more with the FATF framework leading to grave impact on the humanitarian, peacebuilding, rights and development work of NPOs and the communities we serve. 

Apatride Network echo concerns raised above about the problematic singling out of NPOs. Moreover, our surveying confirms that grassroots organisations are essential lifelines for vulnerable communities. Yet such organisations struggle to access and retain banking services due to regulatory and policy shortcomings.

The EBA should ensure that data points used for risk scoring do not indirectly penalize vulnerable communities and individuals through risk by immaterial association or assumption. 

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

No comment

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

No comment

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

No comment

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

No comment

Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

No comment

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

No comment

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

No comment

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

No comment

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

No comment

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

No comment

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

No comment

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

No comment

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

No comment

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

No comment

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Apatride Network supports a risk-based approach but are concerned about the potential harm of automated scoring systems. Our research data highlights the impact of inflexible systems that do not account for specific cases, such as stateless persons or those with refugee/asylum legal status.

We welcome the fact that the current differences in the national transposition of the AMLD’s CDD requirements will be streamlined and clarified to the extent possible. At the same time, we are concerned that the proposed framework poses a risk to financial inclusion and does not reflect the financial inclusion priority set by the new FATF Presidency. Although progress in financial access has been made in the past years, still more than 13 million adults (4% of the adult population) face financial exclusion in the EU, according to an ESBG analysis of the Global Findex Database 2021. Specific communities are particularly impacted, including stateless people, refugees, asylees, homeless people, Roma and Sinti communities. Furthermore, while FATF R.8 states that AML/CFT measures should not unduly disrupt or discourage legitimate activities of non-profit organisations (NPOs), restrictive interpretation and application often leads to disproportionate administrative burdens for NPOs, including public-benefit foundations, as well as cases of derisking. FATF are updating their guidance on AML/CFT Measures and Financial inclusion and have committed to launch a workstream to reconceptualize risks related to this topic, taking into account how AML/CFT measures are also a risk to financial inclusion. This proposed RTS will only reinforce these risks. 

More specifically, we would like to express the following concerns and recommendations:

• Art. 3, art. 4 and Annex 1 (a): We recommend that the information on the place of birth consists of the city and/or the country name. Many identity documents (or acceptable alternative documents) include either the city or the country name; therefore, this requirement could lead to increased cases of derisking. Additionally, birth registration data cannot always be obtained due to a host of conditions many in the world are living under, and come to the EU from, including conflict, war, forced displacement, forced dispossession, regime change, apartheid, occupation, genocide, blockades, and gender apartheid. 

  Furthermore, we want to bring to your attention that registration of nationality and place of birth can be discriminatory in nature and can lead to financial exclusion. This includes registration of dual nationality as current practice has shown.

• On legal entities: Many NPOs across the world function as unincorporated associations; for example a voluntary group, resident initiative, cultural group, community trust, or an animal welfare group. Because of their nature and/or the high compliance burden associated with registering as a legal entity they opt to remain unregistered. Budgets of such groups are typically low (<10,000 EUR). Individuals associated with these groups open a bank account or use their personal bank account to accommodate money flows. This could potentially lead to derisking.  Therefore, we recommend providing guidance to obliged entities that in such case, risk-based due diligence measures should be applied and these should not lead to derisking.  

• Art. 5: We recommend providing stronger guidance in this article to ensure criteria are applied in a way that takes into account the reason why a legitimate customer may be unable to provide standard documentation (as stated in recital 7). Furthermore, we recommend specifying in art. 5 (2) that the document should contain country and/or city of birth (not necessarily the city; see above). Lastly, we recommend to add 

  statelessness and refugee or subsidiary protection status to nationality, in line with art. 22 (1) AMLR. We recommend specifying in Annex 1 (a) (iii) that the attribute “other” can be documented instead of “nationality” to ensure obliged entities include statelessness and refugee or subsidiary protection status in their ICT systems and dropdown menu in application forms, which is currently often lacking.  

• Art. 13 and 14: we recommend adding a provision to ensure synergy with art. 59 (2) AMLR to avoid obliged entities require information on individual beneficiaries when NPOs and foundations similar to express trusts or constituted as express trusts and similar legal arrangements do not need to list individual beneficiaries as BOs based on art. 59 (2) AMLR. NPOs and foundations similar to express trusts or constituted as express trusts and similar legal arrangements while not being required to list individual beneficiaries (since they benefit the general public) could add a description of the class of beneficiaries and its characteristics, as described in their statutes. Only in the case of private interest trusts  (family trusts), individual beneficiaries would need to be listed. 

   

• Art. 16 (a) and (b) require obliged entities to obtain information from their clients on the value and benefits expected from occasional transactions or business relationships (point a) and the anticipated ​​number, size, volume and frequency of incoming and outgoing transactions (point b). First of all, it is unclear how value and benefit (point a) should be interpreted for non-profit organisations, especially since volume of incoming and outgoing transactions is mentioned in point b. Furthermore, value and benefit as well as anticipated number, size, volume and frequency are extremely difficult to estimate as results of fundraising efforts are not known in advance. Moreover, unexpected circumstances (e.g. natural disasters, war or conflict) may prompt organisations to respond and launch an appeal, leading to a much higher number and frequency of incoming transactions. Such unexpected circumstances may also lead to unforeseen destination of funds (point d). It is unclear what potential consequences could be of such deviations. Lastly, it will be very difficult for persons or entities who launch a fundraising appeal through crowdfunding platforms (and whom will now also be subject to CDD measures) to anticipate the number, size, volume and frequency of incoming transactions. Many of them may be launching an appeal for the first time and do not know what response to expect.

  Therefore, we recommend to: 

  • add an exemption for value and benefit for NPOs in point b;  
  • remove the reference to the anticipated number and frequency of transactions; and
  • add guidance for obliged entities that deviations from any of these estimations should not lead to determination of a higher level of risk if the customer can provide legitimate reasons for the deviations  

Furthermore, we would like to highlight the consequences of this section for donation-based crowdfunding platforms. Under the AMLR, crowdfunding platforms will for the first time be considered obliged entities. No distinction is made in this regard between for-profit and non-profit entities, and it does not matter whether crowdfunding platforms focus on private interests or public benefits. Public benefit crowdfunding platforms are often non-profit entities themselves who do not have the capacity and financial resources to be able to comply with these requirements; this new framework therefore threatens their viability. Moreover, the research “Following the Crowd: clarifying terrorism financing risk in European crowdfunding” (2021, Royal United Services Institute for Defence and Security Studies) found no significant or consistent evidence that European donation-based crowdfunding platforms are misused for terrorism financing purposes. The compliance burden for public benefit crowdfunding platforms related to customer due diligence measures is therefore not proportionate to the level of risk. 

If crowdfunding platforms are required to apply customer due diligence measures on persons or entities that make (small) donations through their platform (this will depend on various RTSs and guidelines that AMLA will develop), the numerous requirements will be extremely challenging for non-profit, donation-based crowdfunding platforms. This includes e.g. the provisions related to specification of nationalities (art. 4), verification of the customer in a non-face-to-face context (art. 6) and all provisions related to beneficial ownership (art. 9-12) in case a company donates through their platform. We propose to add exemptions for donation-based crowdfunding platforms in these articles to apply due diligence measures on persons or entities who seek funding through their platform to simplify due diligence requirements: to avoid misuse of donation-based crowdfunding platforms for illicit money flows, it would be sufficient to apply due diligence towards persons and entities seeking funding. 

In general, a significant number of forcibly displaced and stateless people face financial exclusion due to lack of sufficient knowledge of financial sector staff of various forms of legal documentation and/or nationality categorisations:

Accordingly, we recommend the following:
- Allow flexibility in CDD fields such as place of birth and nationality (e.g., accept “unknown” or “stateless” as valid entries).
- Mandate ICT systems to include “stateless” or “other” as selectable categories for nationality.
- Clarify that lack of trail of documentation due to systemic or historic exclusion, such as often caused by malicious or incompetent state party, must not automatically trigger a high-risk rating.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

Apatride Network welcomes the inclusion of multiple options for customer verification in non-face-to-face contexts. However, we are concerned that the provisions in Article 6 may not provide adequate flexibility for individuals who are stateless, refugees, or otherwise excluded from formal national ID systems, including e-IDAS-compliant solutions.

Our research and interviews show that many individuals facing banking exclusion often cannot access or do not possess state-recognised electronic identification (even as they are in possession of paper form of it). Stateless individuals, forcibly displaced persons, and those from marginalized communities often lack e-IDAS-compatible documentation or cannot navigate systems built around them.

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

No comment

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

No comment

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

No comment

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We ask for clarity on how this applies to informal networks or community groups supporting stateless persons. In such contexts, funds are often pooled and moved informally due to systemic financial exclusion and inability of many vulnerable populations to open formal accounts. This must not lead to arbitrary penalties or risk escalation.

Related to section 4, we would like to point out that it is unclear what the concept of “the person on whose behalf or for the benefit of whom a transaction or activity is being conducted” would mean in the context of non-profit organisations and crowdfunding platforms. 

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Art. 25-27 introduce several new requirements for enhanced due diligence, several of which are not apt to the nature of NPOs and/or disproportionately burdensome (or even impossible to fulfill) and can lead to derisking or blocking of transfers. We are particularly concerned about the following:

• Art. 25 (1) requires obliged entities to obtain information on the intended nature of the business relationship which enable them to verify the legitimacy of the destination of funds. This may include information from authorities and other obliged entities. It is unclear what it is meant by information from authorities. This can be very problematic or even impossible for NPOs to obtain, especially for NPOs that provide humanitarian assistance in conflict areas and NPOs that conduct or support human rights work in countries with authoritarian regimes (including those that were forced to relocate from their country of origin due to government repression). This requirement could lead to refusal of an obliged entities to onboard an NPO as client. We recommend including an exemption for non-profit organisations.
• Art. 26 (1) (a) on proof of income of BOs. The concept of beneficial owners does not fit the non-profit sector which explicitly does not serve private interests but public interests. For many NPOs (including public benefit foundations) as well as other types of foundations, board members are considered BOs. They often serve on a voluntary basis. Their sources of wealth or income do not stem from the NPO and are not relevant to assess the level of risk associated with the organisation. Moreover, this requirement could lead to discrimination based on income: e.g. persons who represent excluded groups may no longer be considered for a board member position to avoid high-risk classification. For some public-benefit organisations (those similar to express trusts or constituted as express trusts and similar legal arrangements), there is cumulative listing of BOs, irrespective of whether those individuals exercise control over the organisation and/or own assets or have rights on assets. This list includes the beneficiaries; it is impossible for such NPOs to provide information on their income and wealth. The same can apply to founders if they are no longer connected to the organisation. Therefore, we recommend including an exemption for non-profit organisations.  
• In the same vein, art. 27 (c) requires obliged entities to obtain information to assess whether transactions are consistent with the business relationship. According to point c, this should include information which enables them to assess the legitimacy of the parties involved in the transaction, including any intermediaries. This is also very difficult for NPOs, particularly those who work with partners in other parts of the world. Partners can include very small organisations or unregistered groups whose legitimacy may be difficult to assess by obliged entities. We recommend including an exemption for non-profit organisations.

Apatride Network’s research shows that proof-of-income requirements are a barrier to the most vulnerable populations and are disproportionate and discriminatory in practice. We recommend:

- An exemption from proof-of-income requirements for non-profit-related accounts, stateless and forcibly displaced individuals.

- A requirement for obliged entities to apply enhanced due diligence proportionately and with flexibility for persons in vulnerable legal or economic positions.

Apatride Network urges the EBA to ensure that its AML/CFT framework does not unintentionally exclude or harm stateless persons, refugees, asylees, and NPOs from the formal financial system. Our research findings point to structural issues that require competent due diligence and compliance systems aligned with the rule of law. Ultimately, financial actors and regulators must strive to ensure that such systems do not violate anti-discrimination regulations and laws.

We would welcome the opportunity to provide anonymized data summaries or participate in further discussions on this topic.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

No comment 

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

No comment 

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

No comment 

Question 1: Do you any have comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches sets out in Article 1 of the draft RTS? If so, please explain your reasoning.

No comment 

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches sets out in Article 2 of the draft RTS? If so, please explain your reasoning.

No comment 

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

No comment 

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

No comment 

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

No comment 

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

No comment 

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

No comment 

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

No comment 

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the naturals persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

No comment 

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

No comment 

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

No comment 

Name of the organization