Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

Selected option 1b – the collection of a minimum data set for supervisors to assess obliged entities’ risk profile – will lead to a static approach that may deform the real picture of an entity’s risk position. Static numbers such as customers and geography of customers only will not be sufficient; moreover, the risk nature of services and goods provided, the risk appetite of the company’s customer acceptance policy, frequency and quality of their SAR reporting (amongst others) may be valuable indicators that define an entity’s risk profile with greater precision.

A greater data-set taking into account some of the stats above would lead to a more precise risk profile, hence to more effective supervision in the areas of actual higher risk.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

Residual risk is always the result of risk mitigation measures, procedures and controls and thus the subsequent inherent risk should always be lower.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

The following additional data fields would in our opinion help supervising authorities to assess the obliged entities’ risk profile more precisely:

Money Remittance: number, value and overall-share of transactions incoming and outgoing from or to jurisdictions of higher risk

E-Money: number, value and overall-share of transactions incoming and outgoing from or to jurisdictions of higher risk

Transfer crypto-assets: Usage of blockchain analytic tools and number of alerts created by these

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

No comments

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

No comments

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

No comments

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

The criterion of reduced frequency based on the full number of FTEs of an obliged entity being less than or equal to 5 is misleading; companies of that size operating in higher risk situations (deriving from product offer and customer base) often combine control functions within 1 FTE, thus significantly increasing the risk that necessary AML/CFT controls are not being carried out diligently and effectively.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

Definitely, transactions from and to obliged entities that are under the same regulation and supervision impose less risk than transactions from third countries. Especially with a harmonized approach to supervision, the same level of security can be expected as with domestic transactions.

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

No comment

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

No comment

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

No comment

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

Agree – the methodology for selection for assessment of risk profile of obliged entities should be the same for direct or indirect supervision.

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

Agree

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

Agree

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

Agree

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

We don’t agree, as this highly depends on a) the effectiveness of group-wide controls and b) the distribution of customers and service offer of goods.

A scenario where the parental company onboards and introduces the customer and then distributes it among its subsidiaries is different to where all subsidiaries onboard and maintain customers on their own.

Where a group of companies shares the same customer base, the risk profile of the member with the highest risk should apply to all other siblings, subsidiaries or parents directly connected; where a company operates entirely on its own (means by product offer, customer acquisition and distribution channels), its risk should be assessed separately, despite the applicability of group-wide controls.

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

Agree

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Agree

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

The remote solutions described under Article 6 paragraphs 2-6 provide a level of protection comparable to the electronic identification means and established ID verification providers have demonstrated their ability to detect fraud by means of manipulated ID documents or forged documents presented by the same person (“Known Faces”). By usage of all means, that is liveness-check, check of security features and recording of biometric data combined with velocity checking of devices, IP-addresses used and appearance of known faces, they have proven highly reliable.

With e-IDAS compliant solutions still in their childhood-days and a widespread mistrust of the public on data solutions provided and controlled by governmental organizations, it must be feared that a significant share of customers may refrain from usage of these solutions in the future and rather prefer a video-verification where they think (!) the government is not recording and analysing their activity.

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

No comments

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Agree

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Agree

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Agree

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.

Can’t elaborate on that

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Agree

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Agree

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Agree

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Agree

Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.

No comments

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.

No comments

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

As for Article 4 (2) c) the other criteria identified by the supervisor should take into account whether the breach negatively affected the obliged entity’s risk profile or ability to control its risks or the breach does not have any influence at all.

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

No comment

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

No comment

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

No comment

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

No comment

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

No comment

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

No comment

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

No comment

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

No comment

Name of the organization

Bitpanda