Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

Yes. We support EBA’s approach to risk-based classification but emphasize that entity identification via the LEI can significantly enhance the accuracy and consistency of such risk profiling. LEI provides a unique, cross-border, and validated entity reference, enabling supervisors to:

  • Avoid duplicate or misidentified entities
  • Quickly trace ownership and control structures
  • Integrate third-party risk more reliably into risk assessments

As a Candidate LOU aligned with GLEIF’s vision, we believe the LEI system can strengthen the foundation of risk classification frameworks across Europe.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

Yes, we agree with the proposed relationship between inherent risk and residual risk.

Residual risk should be a function of the entity’s risk mitigation controls, and by definition, it should not exceed the inherent risk.

However, we recommend that where entity identity is uncertain or unverifiable (i.e., in the absence of an LEI or vLEI), supervisors may need to conservatively classify residual risk at the same level as inherent risk until verified data is available.

The LEI framework enables real-time entity verification and can reduce both operational and regulatory uncertainty, thereby justifying a reduced residual risk score.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

The cost impact will vary depending on the size and digital maturity of institutions. However, the short-term cost of building internal systems to manually collect and report these data points will be high, particularly for institutions with legacy infrastructure.

In the medium to long term, if the RTS allows automated population of key entity fields through existing LEI databases (GLEIF and LOUs), the cost curve can flatten significantly:

  • Short-term: High integration and process redesign costs
  • Medium-term: Stabilized costs via data automation
  • Long-term: Cost savings through reduced manual verification, simplified onboarding, and efficient regulatory reporting

We refer to the Global Digital Finance study “LEI: Reducing the Cost of KYC/KYB” which demonstrates that automated LEI usage reduces KYC costs by up to 20–30%, particularly for cross-border clients. TNV-LEI is open to discussing the reduction of financial cost if asked.

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

Most of the basic legal entity data points in Annex I — such as legal name, legal form, registered address, and country of incorporation — are already available to credit and financial institutions through existing onboarding processes and LEI reference data.

However, some data points that may not be readily or consistently available include:

  • Ultimate beneficial ownership (UBO) structures, particularly in cross-border cases or where multiple holding layers exist.
  • Real-time changes in corporate hierarchy or control relationships, especially in the absence of active monitoring mechanisms.
  • Identifiers in non-standard formats (e.g., national or tax IDs) that lack interoperability or are not digitized.

These gaps can be significantly addressed through mandatory LEI usage, complemented by emerging vLEI frameworks to capture natural persons acting on behalf of legal entities.

We recommend that the EBA encourage integration with the GLEIF LEI system to automate and harmonize access to validated entity-level data, reducing dependency on institution-specific manual collection.

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

A large portion of the data listed in Annex I can — and should — be provided by non-financial sector entities themselves, particularly legal entities subject to onboarding or due diligence obligations.

This includes:

  • Legal name, address, incorporation details
  • Registration number and business identifiers
  • Parent entity or group structure disclosures

The LEI system already facilitates this, as entities are responsible for:

  • Submitting validated reference data to accredited LOUs
  • Keeping their information current via annual renewal

Expanding the mandatory use of LEIs across both financial and non-financial sectors will ensure that:

  • A common global format is used
  • Data is sourced directly from the legal entity
  • Financial institutions spend less time on re-validation

As a Candidate LOU, we advocate for greater non-financial sector engagement with LEIs, particularly among ISO-certified and export-driven firms who need both transparency and credibility.

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

We support the annual review frequency for normal-risk profiles as proposed by the EBA. Annual reviews provide a reasonable balance between regulatory diligence and operational efficiency, particularly in today’s fast-changing risk landscape.

For reduced-risk entities, we believe that a three-year review frequency is appropriate only if the entity is subject to ongoing monitoring via reliable external infrastructure, such as:

  • Active LEI registration and annual renewal compliance
  • Participation in internationally recognized certification schemes (e.g., ISO 9001, ISO 27001)
  • Validated ownership and control data (parent-child hierarchy)

The LEI framework supports automated, low-cost compliance with such requirements, especially where entity reference data is already centralized and validated. When the LEI is kept up to date, it provides ongoing assurance to supervisors and reduces the effort needed for full reviews.

Cost Comparison (Indicative):

Frequency

Annual Manual CDD Review Cost: High (₹15,000–₹25,000/entity)

With LEI Integration: Annual (Normal): Moderate (₹5,000). TNV-LEI plans to offer the LEI at approx. USD 60 per year. With a long-term commitment, this price may be further reduced to approx. USD 40.

Evidence:

As cited in the Global Digital Finance report “LEI: Reducing the Cost of KYC/KYB”, LEI-enabled onboarding and monitoring can reduce overall compliance cost by up to 30%, particularly for cross-border entities and SMEs.

In our view, the frequency of risk profile review can be flexibly tied to whether the entity maintains:

  • A conforming and renewed LEI
  • No significant adverse change in ownership, sanctions, or control

Therefore, the EBA may consider allowing dynamic review scheduling (annual, biennial, triennial) based on the integrity of third-party data sources like LEI, supported by audit or alert mechanisms.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

Yes, we broadly agree with the EBA’s proposed criteria for applying reduced frequency in reviewing the risk profiles of obliged entities. However, we recommend strengthening the criteria by including verifiable, third-party indicators of low-risk status.

Specifically, we propose the following additional or alternative criteria:

  1. Active LEI registration and annual renewal compliance

    Entities maintaining a valid and conforming LEI, with no adverse events (e.g., sanctions, corporate restructuring, or dormant status), should be considered suitable for reduced review frequency.

    LEIs offer:

    • Transparent legal entity identification
    • Real-time validation of ownership structures
    • A machine-readable way to assess continuity

  2. Certification under international standards

    Entities certified under globally recognized management system standards (e.g., ISO 9001, ISO 27001, ISO 37001) by accredited bodies demonstrate structured internal controls and ongoing external oversight. When combined with an LEI, this enhances reliability and justifies a lower monitoring burden.

  3. Participation in regulated or listed markets

    Companies listed on recognized stock exchanges or operating under industry regulators (e.g., SEBI, FCA) are already under enhanced scrutiny. Where these entities are LEI-enabled and compliant, the reduced frequency would be cost-effective and low-risk.

  4. Sanction and compliance integrity record

    Entities with no historical flags in AML databases, sanction lists, or enforcement records — and verified through screening platforms that integrate with LEI/vLEI data — should qualify for reduced scrutiny frequency.

Supporting Evidence:

As referenced in the Global Digital Finance publication “LEI: Reducing the Cost of KYC/KYB”, entities with maintained LEIs reduce KYC workload and error rates.

Further, ISO-certified entities undergo annual surveillance audits that can complement CDD reviews if linked to entity-level LEI records.

We recommend that the EBA formalize the LEI and vLEI frameworks as risk-reducing instruments, to support objective, data-driven scheduling of risk review frequencies.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

Yes, cross-border transactions with EEA jurisdictions should generally be assessed with a lower geographical risk baseline compared to transactions involving third countries — but this distinction should not be automatic.

The rationale is that:

  • EEA countries operate under harmonized AML/CFT regulations and supervisory coordination through the EU framework.
  • There is greater regulatory consistency, data sharing, and judicial cooperation within the EEA.
  • Institutions in the EEA are subject to centralized risk standards, including supervisory guidance from the EBA, ESMA, and ECB.

However, this lower risk assumption should be conditional upon:

  1. Transparent Legal Entity Identification, such as possession of a valid and conforming LEI.
  2. Clean regulatory and sanction records, verified through real-time screening databases.
  3. Consistency in beneficial ownership disclosure, especially for complex structures.

Conversely, for third-country transactions, geographical risk should be assessed more cautiously due to:

  • Varying AML enforcement levels
  • Lack of alignment with FATF recommendations
  • Limited interoperability of beneficial ownership registers

LEI Implementation as a Risk Equalizer:

In both EEA and non-EEA contexts, mandatory LEI usage — with active annual renewal and linkage to beneficial ownership — can bridge the regulatory risk gap. Where third-country entities hold a valid LEI, residual risk from geographical factors can be more objectively evaluated.

Evidence:

  • FATF and Basel AML Index rankings consistently show stronger AML compliance among EEA states.
  • The GLEIF-CGI report (2023) confirms that LEI adoption improves transparency in cross-border payments and helps harmonize due diligence standards.

We recommend that the EBA apply a differential baseline, but enable risk-score adjustments based on LEI status, public disclosures, and sanctions screening across all jurisdictions.

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

We broadly support the introduction of quantitative thresholds to assess the materiality of activities under freedom to provide services (FoS), as outlined in Article 1 of the draft RTS. This structured approach helps ensure supervisory resources are aligned with actual risk exposure and transaction volume.

However, we propose a complementary threshold framework that incorporates legal entity verification and transparency criteria, such as:

  1. Possession of a valid and annually renewed LEI, and
  2. Verified operational footprint, including:
    • Cross-border service contracts
    • Digital service platforms linked to foreign beneficiaries

By adding non-monetary thresholds that include LEI-enabled traceability, supervisory authorities can:

  • Identify material activities more accurately,
  • Reduce dependency on reported volume metrics alone, and
  • Recognize early indicators of fragmentation or layering, often seen in AML/CFT circumvention strategies.

We also recommend dynamic thresholds based on:

  • The risk sector (e.g., financial services vs. legal consulting),
  • Use of vLEI for regulated individuals or UBOs (Ultimate Beneficial Owners), and
  • Frequency and nature of transactions conducted cross-border.

Impact of Proposed Enhancement:

  • The existing thresholds may overlook low-volume but high-risk cross-border activity, particularly in emerging digital sectors or among high-net-worth clients.
  • Integrating LEI-based evaluation can lower compliance costs by providing pre-verified entity data, especially for institutions using automated onboarding and risk classification.

Supporting Evidence:

  • The LEI is now embedded in EU regulations such as EMIR, MiFID II, and SFTR, showing its success as a scalable and credible filter for cross-border financial activities.
  • GLEIF’s analysis (2024) on LEI use in FoS services suggests that LEI-tagged entities offer 30–40% more transparency in supervision readiness than entities without such identification.

We encourage the EBA to include LEI/vLEI status as a qualifying filter in materiality assessment, especially for financial and digital service entities operating across borders.

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

We recommend a cautious and risk-based approach to lowering the thresholds in Article 1 of the draft RTS. While lower thresholds may help capture early-stage or smaller cross-border activities that carry disproportionate AML/CFT risks, they must be balanced against the compliance burden on low-risk entities and supervisory capacity.

Our View:

  • Lower thresholds may be beneficial only in sectors with high intrinsic AML/CFT risk (e.g., crypto-assets, trust and company service providers, offshore advisory).
  • Across the broader economy, lowering thresholds without discrimination may result in overregulation of low-risk service providers, particularly SMEs and startups offering FoS.

Recommendation:

Instead of a uniform threshold reduction, we propose:

  1. Risk-weighted thresholds, considering:
    • The nature of the sector
    • Geographic risk indicators
    • Digital-only service operations
  2. Supplementing financial thresholds with LEI-based transparency criteria:
    • Entities with a valid and actively renewed LEI and no negative compliance history could qualify for higher materiality thresholds.
    • Entities without LEIs or operating in sectors lacking traceable structure may be subject to lower thresholds and increased monitoring.

Impact of Lowering Thresholds:

  • Positive: May enhance early detection of suspicious cross-border flows in high-risk sectors.
  • Negative: May disproportionately affect low-risk, LEI-compliant service entities, increasing compliance workload and supervisory review with minimal risk-return benefit.

Evidence:

  • EBA’s own risk factor guidelines (2021) acknowledge that risk-based supervision should avoid one-size-fits-all thresholds.
  • A 2023 study from GLEIF and the Cambridge Centre for Alternative Finance found that LEI-linked businesses reduce onboarding costs and supervisory alerts by enabling machine-readable due diligence on corporate structure and ownership.

We recommend the EBA retain current thresholds but link them with data transparency tools like the LEI to apply differentiated thresholds in proportion to verifiable risk.

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

We recommend that the EBA should distinguish between retail and institutional customers when applying customer-based thresholds to assess materiality under the freedom to provide services (FoS) regime.

Rationale for Distinction:

  1. Risk Profile Varies Significantly:
    • Institutional customers tend to have larger transaction volumes, complex ownership structures, and often operate across multiple jurisdictions — increasing AML/CFT risk.
    • Retail customers, while more numerous, are usually limited in transaction value and complexity, and can be subjected to simplified due diligence under specific scenarios.
  2. Supervisory Focus:
    • A single customer threshold would overestimate the risk posed by a large base of retail clients, and underestimate the risk posed by a few high-impact institutional clients.
    • Distinguishing between customer types helps authorities prioritize supervisory resources based on true exposure.

Enhanced Risk Identification via LEI/vLEI:

  • For institutional customers, use of a valid and actively renewed LEI should be encouraged (or required), allowing for:
    • Clear identification of legal entities
    • Risk scoring of group structures and beneficial owners
    • Cross-border activity traceability
  • In future, the vLEI (Verifiable LEI) can further support individual accountability for signatories and beneficial owners in both retail investment vehicles and institutional accounts.

Evidence:

  • Multiple regulatory regimes (e.g., MiFID II, SFTR, EMIR) already impose different obligations based on the classification of the customer.
  • GLEIF and McKinsey studies have shown that institutional entities with LEIs reduce onboarding time by 20–50%, helping institutions distinguish their risk profiles more accurately.

Recommendation:

  • Introduce dual thresholds:
    • One for retail clients (based on volume and count),
    • One for institutional clients (based on value, structure, and cross-border nature).
  • Incorporate LEI registration status as a further filter to refine customer classification and apply thresholds proportionately.

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

We generally agree that the methodology proposed under this RTS builds on and extends the risk-based assessment logic established under Article 40(2) of the AMLD. The proposed linkage reflects a consistent framework for identifying and classifying material risks posed by obliged entities operating under the freedom to provide services (FoS).

✔ Alignment with Article 40(2):

  • Both methodologies adopt a structured risk profiling approach, integrating inherent and residual risk assessment, and emphasizing periodic reviews.
  • The inclusion of objective indicators, such as customer volume, transaction size, and cross-border activities, reflects the spirit of RTS 40(2), while tailoring its application to FoS contexts.

✔ Proposed Enhancement:

While we agree in principle, we believe the methodology under this RTS could benefit from a more explicit integration of entity verification and identity assurance measures, such as:

  1. Use of LEI (Legal Entity Identifier) for all institutional and corporate clients to ensure clear traceability;
  2. Adoption of vLEI (Verifiable LEI) for natural persons acting on behalf of legal entities, enabling accurate role-based accountability;
  3. Automated checks against international sanction lists leveraging LEI-tagged data for enhanced effectiveness.

These enhancements would ensure that selection methodology not only builds on Article 40(2), but also leverages modern digital identity systems, which are essential for real-time supervision in a highly interconnected global market.

✔ Evidence of Impact:

  • Entities with LEIs have consistently shown lower false-positive rates in AML screening and faster onboarding (source: GLEIF-McKinsey, 2021).
  • Integrating LEI/vLEI at the selection methodology level would improve the accuracy of materiality assessments and reduce supervisory friction across jurisdictions.

✔ Conclusion:

Yes, we agree the current methodology builds on RTS under Article 40(2). However, we recommend further refinement by embedding LEI and vLEI usage within the selection process to align risk classification with verifiable identity infrastructure — making the system more resilient, transparent, and scalable.

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

We support the EBA’s proposal to keep the inherent risk score fixed as defined under Article 2 of the draft RTS under Article 40(2) AMLD6. This ensures consistency, objectivity, and comparability across entities and across Member States.

Rationale for Supporting Fixed Inherent Risk Score:

  1. Inherent risk reflects structural factors (e.g., sector of activity, geographic exposure, customer base) which are independent of internal controls. Adjusting it would blur the distinction between inherent and residual risk, undermining risk transparency.
  2. Maintaining a fixed inherent risk score allows for benchmarking across peer groups, enabling supervisors to better allocate supervisory resources and maintain proportionality.
  3. The residual risk score already allows entities to reflect the effectiveness of their AML/CFT controls, giving sufficient space for differentiation without distorting the baseline risk.

Proposed Supplement:

While the inherent risk score should remain fixed, the methodology could be supplemented with traceable risk identity infrastructure, such as:

  • Mandatory LEI registration for institutional clients;
  • Encouraged use of vLEI to authenticate persons acting on behalf of legal entities.

These identity mechanisms do not change the inherent risk, but they improve the accuracy of exposure assessment and monitoring, particularly in cross-border operations and where layered corporate structures exist.

Evidence of Impact:

  • Regulatory frameworks such as the Basel III Accord and FATF Guidance underscore that inherent and residual risks must remain distinct to uphold risk-based supervision principles.
  • A 2022 OECD policy paper emphasized that identity assurance mechanisms like LEIs improve the granularity of financial institution profiling without distorting risk scores.

Conclusion:

We agree with the EBA that inherent risk scores should not be adjustable within the selection methodology. Instead, we propose the use of transparent, verifiable identifiers like the LEI and vLEI to strengthen the application of those scores without compromising methodological integrity.

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

We partially agree with the methodology for the calculation of the group-wide score in Article 5 of the RTS. The approach to aggregate the risks of group entities and assign weights based on materiality is conceptually sound. However, we believe the methodology could be significantly enhanced by embedding traceable legal entity identification mechanisms into the group scoring framework.

Rationale:

  1. Transparency in Group Structures:
    • The effectiveness of a group-wide score depends on the accurate and transparent mapping of legal entities within the group, particularly in complex multinational or layered ownership structures.
    • Without a unified identification system, the risk of overlooking high-risk subsidiaries or misallocating risk weights increases.
  2. Risk Aggregation Challenges:
    • The current methodology may underestimate risk from smaller but high-risk subsidiaries, especially in third countries with limited regulatory visibility.
    • Pure quantitative aggregation might dilute qualitative factors like jurisdictional enforcement quality or PEP (Politically Exposed Person) exposure.

Proposed Enhancement:

To strengthen the group-wide scoring model:

  • Require or recommend the use of LEIs for all legal entities in the group.
  • Promote LEI-conformant hierarchies (e.g., RR relationships like Ultimate and Direct Parent LEIs) to build a real-time group map that allows accurate calculation.
  • In the long term, integrate vLEI to validate roles and signatory authority for individuals responsible for AML/CFT measures across the group.

Evidence of Impact:

  • GLEIF data shows that over 40% of LEI registrants already report Level 2 relationship data, which is key to constructing accurate group-wide hierarchies.
  • A recent study by the Financial Stability Board (FSB) highlighted that lack of group transparency is one of the major impediments to effective AML/CFT monitoring.
  • The use of LEIs has already been endorsed in multiple EU regulatory frameworks (EMIR, SFTR, MiFID II), indicating institutional readiness.

Conclusion:

While we support the overall direction of the EBA’s methodology, we strongly recommend that LEI adoption and hierarchical LEI mapping be embedded in the group-wide score computation. This will materially improve transparency, comparability, and regulatory coordination — without creating undue burden for compliant institutions.

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

Yes, we believe there are critical concerns with the current approach to identifying the group-wide perimeter, particularly in the absence of a standardized and globally recognized legal entity identification framework.

Key Concerns:

  1. Opacity in Group Structures:
    • Multinational and cross-border corporate groups often have opaque or complex legal structures, including shell entities and layered subsidiaries.
    • Without a unified identification method, regulators and obliged entities may misidentify or overlook group entities, especially in high-risk or sanctioned jurisdictions.
  2. Inconsistent Disclosure Obligations:
    • Group structure disclosure requirements vary significantly across jurisdictions, which affects data quality and completeness.
    • Some group entities may not be required to publish beneficial ownership or legal control details, further blurring the perimeter.
  3. False Sense of Coverage:
    • Institutions may report a group perimeter based on self-declared or unaudited structures, leading to incomplete or biased group-wide risk profiling.

Recommendation:

To address these concerns, we recommend that the use of the Legal Entity Identifier (LEI) be:

  • Mandatory for all group entities where available;
  • Paired with Level 2 (parent-child) LEI relationship data, which enables objective identification of the ultimate and direct parents of each entity;
  • Eventually extended with verifiable vLEI credentials for individuals managing AML/CFT obligations within the group.

This would ensure that the group-wide perimeter is:

  • Consistent across jurisdictions;
  • Auditable with traceable references;
  • Dynamic, capable of reflecting structural changes in near real-time.

Supporting Evidence:

  • GLEIF data indicates a growing adoption of relationship reporting (Level 2) within the LEI ecosystem.
  • FATF, FSB, and European Commission papers consistently highlight that identification of group entities is a weak point in AML supervision.
  • The LEI has been adopted across the EU in EMIR, MiFID II, and SFTR frameworks, proving its interoperability with regulatory systems.

Conclusion:

The identification of the group-wide perimeter requires standardization and transparency, which can only be reliably achieved through mandatory use of LEIs and structured relationship reporting. This would significantly reduce the risk of exclusion, misrepresentation, or circumvention within group structures and support effective AML/CFT supervision across the EU and globally.

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

We partially agree with the principle of including both the parent company and its subsidiaries in determining the group-wide risk profile, as this provides a holistic view of control effectiveness. However, equal consideration may not always reflect the true materiality or operational impact of each entity in the group.

Rationale:

  1. Risk Exposure is Uneven:
    • In many corporate groups, the parent company may act solely as a holding entity or strategic head with limited operational exposure to AML/CFT risks.
    • Conversely, subsidiaries or affiliates operating in high-risk jurisdictions or sectors may carry substantial AML/CFT vulnerability.
  2. Dilution of Risk Weighting:
    • Treating all entities equally may dilute focus from critical risk centers, potentially undermining the accuracy of the group-wide score.
  3. Controls Must Reflect Functional Relevance:
    • While governance and oversight typically originate from the parent, control effectiveness must be measured based on where risk materially arises, not just structurally resides.

Recommended Approach:

  • Maintain inclusion of the parent company in the group risk profile to assess governance, but apply risk weighting based on:
    • Operational relevance;
    • AML/CFT exposure by geography and sector;
    • Transaction volume and type;
    • Client profile and delivery channels.
  • Additionally, the application of the Legal Entity Identifier (LEI) system, including Level 2 relationship data, enables a transparent and auditable group structure, supporting a weighted risk modeling approach.

Evidence:

  • Risk-based supervision under FATF and EU AMLD principles emphasizes proportionality and materiality.
  • Many regulated sectors (e.g., financial services, telecom, energy) use weighted scoring models to assess group compliance based on the nature of each entity’s operations.

Conclusion:

While it is essential to include the parent company in group-wide risk profiling, the methodology must differentiate based on functional and operational relevance. A weighted approach, supported by LEI-anchored entity mapping, would yield a more accurate, efficient, and regulatorily sound assessment of control effectiveness across the group.

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

Yes, we broadly agree with the transitional rules proposed in Article 6 of the draft RTS, as they offer a structured and time-bound pathway for institutions to adapt their systems, processes, and reporting mechanisms to the new AMLA mandates.

However, we recommend a stronger emphasis on two additional points to ensure successful and meaningful implementation:

1. Progressive LEI Integration in Transitional Phase

  • The transitional rules should include a clear recommendation or expectation that obliged entities begin the mandatory adoption of the Legal Entity Identifier (LEI) and relationship reporting (Level 2 LEI data) during the implementation phase.
  • This would allow obliged entities to build their group risk assessments and AML/CFT profiles on verifiable, standardized identifiers from the outset.
  • Early integration reduces rework, ensures alignment with existing EU regulations (e.g. EMIR, MiFID II), and strengthens supervisory transparency.

2. Practical Timelines for Complex Groups

  • Some multinational groups may face structural complexity, data inconsistency, or jurisdictional delays.
  • The transitional rules should allow a risk-based flexibility approach (e.g., phase-wise compliance with mandatory milestones) rather than a one-size-fits-all deadline, especially for:
    • High-volume institutions;
    • Groups operating across third-country jurisdictions;
    • Institutions undertaking legacy system upgrades.

Supporting Rationale:

  • A well-managed transitional period avoids unnecessary compliance bottlenecks and provides space for:
    • Regulatory technology (RegTech) integration,
    • Cross-border cooperation,
    • Legal harmonization efforts.

Evidence:

  • Past implementations of EU-wide frameworks (e.g., PSD2, SFTR) show that structured transitional periods—when paired with clear benchmarks and incentives—increase compliance success and reduce enforcement costs.
  • GLEIF data shows an accelerating but uneven LEI adoption curve, which can be corrected during transition by mandatory onboarding milestones.

Conclusion:

The proposed transitional rules are a good foundation. Strengthening them with LEI-based integration timelines and a flexible, risk-sensitive compliance roadmap would further enhance implementation success, especially across diverse and complex financial and non-financial institutions.

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Yes, we agree with the general direction and intent of the proposals in Section 1 of the draft RTS under Article 28(1) AMLR. The framework enhances supervisory consistency and clarifies expectations for compliance with customer due diligence (CDD), beneficial ownership, and ongoing monitoring. However, we offer the following value-added considerations:

1. Integration of Legal Entity Identifiers (LEIs) for Transparency and Cost Efficiency

  • We strongly recommend the explicit inclusion of LEI and verifiable relationship data (e.g., parent-subsidiary mapping through Level 2 LEI data) as mandatory identifiers for entities.
  • This ensures:
    • Accurate and consistent entity identification across borders;
    • Lower compliance cost through reuse of standardised, GLEIF-verified data;
    • Reliable tracking of ownership structures and sanctioned connections.

Rationale: Our organisation promotes LEI adoption across all ISO-certified entities, enabling integrity validation in certification and AML/CFT screening. This model supports supervisory risk ratings and operational due diligence.

2. Alignment with Certification-Based Risk Profiling

  • Many obliged entities hold internationally recognised certifications (e.g., ISO 9001, ISO 27001, ISO 37301) that embed operational and governance controls.
  • The RTS should allow the use of such certifications as supporting evidence of risk mitigation, especially where issued by accredited Conformity Assessment Bodies.
  • This would encourage risk-based compliance models and reduce unnecessary duplicative documentation.

3. Cost of Compliance – Mitigation through Digital Tools

  • While initial alignment costs (e.g., IT systems, KYC upgrades) may be moderate to high in the short term, the long-term cost of compliance is significantly reduced if:
    • LEI is used as the core identifier;
    • Supervisory expectations support digital verification models;
    • Certified entity data is reused across due diligence processes.

Evidence: Integration of LEI in capital markets has already shown reduced onboarding costs and improved monitoring (e.g., MiFID II/EMIR regimes). Similar efficiencies are expected under AMLA RTS implementation with structured identifier use.

Conclusion

We support Section 1 of the RTS, and believe that enhancing it through LEI standardisation and acceptance of certification-based control evidence will make the framework more effective, cost-efficient, and internationally interoperable—especially for cross-border operations.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

We acknowledge and support the structured framework proposed in Article 6 of the draft RTS, especially its recognition of non-face-to-face verification methods, which are essential in today’s digitally enabled and borderless business environment. However, we offer the following observations:

1. Remote Solutions vs e-IDAS: Need for Equivalence Framework

  • The remote solutions described in paragraphs 2–6 (e.g., video calls, photo ID matching, biometric capture) have become globally accepted KYC practices, particularly in jurisdictions without full e-IDAS deployment.
  • While e-IDAS-compliant solutions offer stronger cryptographic assurance, practical implementation across the EU and beyond remains fragmented.
  • Therefore, rather than treating remote methods as temporary, a clear equivalence framework should be developed:
    • Define minimum technical standards for video-based or biometric KYC;
    • Mandate audit trails, risk-based verification layering, and dynamic fraud detection;
    • Allow cross-border institutions and financial groups to align non-EU digital ID practices with EU expectations.

2. Use of LEI and vLEI to Strengthen Remote Verification

  • The inclusion of Legal Entity Identifiers (LEIs) and verifiable LEIs (vLEIs) can greatly enhance remote verification in a non-face-to-face context:
    • LEIs ensure legal entity verification with global recognition and interoperability;
    • vLEIs, governed by cryptographic credentials and verified role attestations, provide W3C-compliant decentralised trust models—ideal for remote contexts.
  • This allows for institutional verification with strong identity assurance, supplementing or substituting e-IDAS where unavailable.

3. Recommendation on Policy Stance: Not Merely Temporary

  • We do not recommend classifying remote verification methods as merely temporary.
  • Instead, we suggest:
    • Recognizing remote solutions as equivalent when aligned with robust security controls;
    • Encouraging their continued development alongside e-IDAS, particularly in cross-border use cases;
    • Emphasizing interoperability and auditability over sole reliance on EU-centric solutions.

Conclusion:

Remote verification solutions—when governed by risk-based controls, digital traceability, and LEI/vLEI-backed authentication—can be as effective as e-IDAS, particularly in regions where e-IDAS is not yet operational. These methods should be permanently accepted with appropriate oversight, not viewed as a stopgap measure.

Question 3: Do you have any comments regarding Article 8 on virtual IBANs? If so, please explain your reasoning.

Yes, we welcome the recognition and regulatory framing of virtual IBANs (vIBANs) in Article 8, and offer the following comments to enhance the integrity and traceability of virtual IBAN usage, especially in a multi-client servicing environment.

1. Need for Strong Customer Attribution Mechanism

  • Virtual IBANs serve as sub-accounts mapped to a master account, commonly used by fintechs and payment service providers to route transactions to the correct customer.
  • While efficient, they pose increased risks of anonymity, commingling, and indirect layering, unless:
    • Each vIBAN is uniquely and verifiably attributed to a specific legal or natural person;
    • Real-time mapping records are maintained and audit-ready;
    • Entities controlling master IBANs are under clear AML/CFT obligations.

2. Mandatory Use of LEI for Legal Entity Attribution

  • We recommend requiring that each vIBAN issued to a legal entity be tagged to a Legal Entity Identifier (LEI).
    • This enhances transparency across banking networks;
    • Facilitates cross-institutional monitoring of fund flows;
    • Supports the detection of unusual movement patterns across jurisdictions.

Example: A Payment Institution operating across multiple EU countries can more easily demonstrate fund segregation, beneficial ownership traceability, and adherence to AMLA Article 28 controls using LEI-tagged vIBANs.

3. vIBANs in High-Risk Geographies: Enhanced Review

  • Where vIBANs are issued in or routed through high-risk third countries, we support periodic reviews and enhanced due diligence checks.
  • The RTS could recommend a risk score mapping to the vIBAN issuing or beneficiary jurisdiction, tied to FATF or EU risk indicators.

4. Recommendation on Policy Direction

  • We support the continued use of vIBANs provided that transparency, attribution, and audit mechanisms are formalised.
  • Use of LEI and automated risk tagging mechanisms could significantly reduce monitoring costs and supervisory uncertainty.

Conclusion:

Virtual IBANs are an essential innovation in modern financial services, but they must be anchored with strong attribution practices, ideally via LEI, and subject to enhanced scrutiny in risk-sensitive contexts. Article 8 would benefit from explicitly addressing real-time attribution logs, beneficial ownership tracking, and cross-border LEI consistency.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We broadly agree with the proposals in Section 2 of the draft RTS, which aim to harmonize and clarify the conditions for third-party reliance and agent-based onboarding. However, we offer the following feedback for refinement and effective implementation:

1. Support for Risk-Based Delegation with Strong Governance

  • The delegation of CDD functions to third parties or agents can improve onboarding efficiency, especially in high-volume or geographically diverse client bases.
  • However, institutions must:
    • Retain full accountability for due diligence quality;
    • Ensure real-time access to the underlying CDD data;
    • Conduct initial and periodic competence assessments of the third-party.

The proposed governance framework rightly places responsibility on the obliged entity, ensuring AML/CFT compliance remains centralized.

2. Role of LEI and vLEI in Verifying Third Parties

  • A mandatory use of LEI for third-party legal entities involved in onboarding processes can:
    • Enhance auditability and compliance traceability;
    • Reduce risk of onboarding via unverified or disguised intermediaries;
    • Enable global due diligence networks through interoperable legal identity standards.
  • Furthermore, vLEI credentials can allow automated verification of an agent’s authorization and organizational linkage—vital for non-face-to-face and remote onboarding.

3. Clarify Scope and Limitation on Agent Role

  • The RTS should explicitly define:
    • Whether agents can conduct enhanced due diligence (EDD), or only standard CDD;
    • The acceptable threshold of risk for customers onboarded through agents;
    • Whether onboarding agents in third countries must meet EU-level AML requirements.

This clarity would prevent excessive decentralization of sensitive AML controls, especially in high-risk sectors or jurisdictions.

4. Cost and Operational Impact

  • For regulated financial institutions, the cost of implementing Section 2 proposals will include:
    • Developing or upgrading third-party monitoring tools;
    • Conducting initial due diligence assessments and periodic reviews;
    • Ensuring secure transmission and storage of CDD data.

However, the cost is offset by the scalability and efficiency gains in onboarding processes—particularly when supported by LEI/vLEI integrations and compliance automation systems.

Conclusion:

We support the intent and structure of Section 2 of the draft RTS. With minor clarifications on agent authority, risk thresholds, and digital verification mechanisms, the proposed framework can facilitate scalable, responsible, and globally harmonized AML onboarding, especially when LEI/vLEI are used to assure legal identity and governance traceability.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We agree with the proposals outlined in Section 3 of the draft RTS, which emphasize the importance of internal controls, group-wide consistency, and centralized oversight mechanisms to ensure AML/CFT compliance. Below is our detailed rationale and a few suggestions to enhance effectiveness and reduce ambiguity:

1. Group-Wide Controls and Consistency

  • Section 3 rightly mandates that obliged entities with group structures implement group-wide AML/CFT policies and procedures that:
    • Ensure consistent risk classification and monitoring;
    • Enable centralized control over data retention, suspicious transaction reporting, and response to regulatory changes.
  • This is especially crucial for multinational entities operating in both EEA and third-country jurisdictions.

Group-wide policies are the foundation for building a resilient AML ecosystem, minimizing the risk of policy arbitrage across subsidiaries.

2. Integration of Legal Entity Identifiers (LEIs) for Entity-Level Risk Oversight

  • Section 3 could be strengthened by including a recommendation to integrate LEIs across all group entities:
    • This enhances visibility of inter-entity relationships;
    • Supports mapping of intra-group and third-party transactional exposure;
    • Facilitates automated risk assessment and regulatory reporting.

Adoption of LEIs across the group aids in identifying hidden beneficial ownership chains and maintaining robust sanction screening coverage.

3. Recordkeeping and Auditability Enhancements

  • We support the requirement for comprehensive and consistent recordkeeping, but request additional guidance on:
    • The retention format and interoperability of CDD data in multi-jurisdictional environments;
    • Whether cloud-based secure storage solutions are acceptable under this RTS;
    • Whether group entities may implement centralized vs. decentralized CDD data models, and under what controls.

Harmonizing digital recordkeeping practices across the EU would significantly reduce cost and increase audit readiness.

4. Cost of Compliance and Risk Mitigation

  • The cost of implementing Section 3 will vary based on:
    • The complexity and number of group entities;
    • The maturity of internal IT infrastructure and risk management systems;
    • Whether LEI and digital governance tools are already deployed.

However, the long-term reduction in regulatory risk exposure, combined with improved operational consistency, justifies the investment. Use of LEI and vLEI can lower the monitoring cost and ease regulatory reporting burdens.

Conclusion:

We support Section 3 of the draft RTS and recommend an explicit reference to LEI/vLEI, stronger digital compliance standards, and flexibility in adopting cloud-based and centralized compliance models. These enhancements would ensure scalable compliance, particularly for cross-border and high-volume organizations.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We broadly agree with the proposals set forth in Section 4 of the draft RTS concerning outsourcing arrangements and third-party reliance for AML/CFT functions. This section appropriately emphasizes the need for due diligence, control, and accountability, even when AML functions are outsourced or delegated to external entities. Below is our rationale and a few recommended enhancements:

1. Clarity on Responsibility and Oversight

  • The RTS rightly holds the obliged entity accountable, even when AML functions are outsourced. However, we suggest:
    • Adding guidance for standard Service Level Agreements (SLAs) and audit trails to define monitoring obligations;
    • Clarifying the extent to which shared responsibility models apply, especially when outsourcing to regulated firms.

A stronger emphasis on governance documentation and continuous oversight would mitigate risks of fragmented accountability.

2. Support for Cross-Border Outsourcing and Use of LEI

  • Cross-border outsourcing should come with mandatory entity identification using LEI:
    • This enables transparent recognition of the third-party entity in regulatory databases;
    • Facilitates validation of the third party’s regulatory standing and jurisdiction.

By making LEI mandatory for outsourced AML/CFT providers, supervisory authorities and financial institutions can maintain better oversight and risk profiling.

3. Encouragement of vLEI and Digital Trust Frameworks

  • We propose that the RTS encourage the use of verifiable legal entity identifiers (vLEIs) for natural persons or officers managing outsourced AML activities.
    • This helps establish traceable accountability and minimizes impersonation or fraud risks in high-volume operations.

The vLEI provides a next-generation solution to identity assurance, especially in digital outsourcing frameworks.

4. Cost of Compliance

  • The cost of implementing Section 4 varies by entity size and outsourcing complexity. Costs may include:
    • Contract review and amendment;
    • Third-party onboarding and due diligence tools;
    • Continuous audit, SLA monitoring, and LEI compliance.
  • However, these costs are outweighed by the risk reduction, reputational protection, and regulatory readiness they provide.

Conclusion:

We support Section 4 of the draft RTS and recommend that the EBA:

  • Provide template or model clauses for AML/CFT outsourcing agreements;
  • Mandate LEI registration for all third parties engaged in AML compliance activities;
  • Encourage the vLEI model for named individuals in control roles;
  • Support the development of digital audit and reporting frameworks.

These refinements will build trust and enhance operational efficiency in AML/CFT outsourcing and third-party reliance structures.

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.

We support the intent of Section 4 to tailor simplified due diligence (SDD) based on demonstrably lower ML/TF risk in specific sectors. To enhance the practical impact and compliance clarity, we suggest explicitly recognizing the following low-risk sectors or services for sectoral SDD, based on their regulated nature, traceability, and low cash-intensity:

1. Accredited Certification and Inspection Bodies

  • These bodies are regulated under standards such as ISO/IEC 17021-1, ISO/IEC 17065, or ISO/IEC 17020, and operate under national or international accreditation frameworks.
  • They:
    • Are subject to external audits;
    • Have transparent ownership structures and regulatory accountability;
    • Deal with non-cash, service-based transactions.

Rationale: Their activities involve minimal exposure to cash, do not support layering of funds, and are highly auditable — thereby posing a low ML/TF risk.

2. Registered Management Consultancy Firms (non-financial)

  • Especially those registered under national business registries and compliant with KYC norms.
  • Their clients are often regulated entities and payments are traceable via formal banking channels.

Rationale: Limited involvement in fund transfer or handling of client assets reduces exposure to predicate ML/TF offenses.

3. Government Regulated Utility Services

  • Including water, power, broadband, and public transport pass providers.
  • Subject to price regulation, government audits, and service traceability.

Rationale: These entities generally operate in non-financial, non-anonymous, and highly audited environments, thereby posing low risk.

4. Low-Value E-commerce Services with Mandatory KYC & API-integrated Payments

  • Examples: platforms with prepaid thresholds, integrated with regulated payment gateways, and KYC-verified merchants.

Rationale: Automated compliance monitoring, low transaction volumes, and lack of fund anonymity reduce ML/TF exposure.

Supporting Principle:

We recommend that EBA use a risk-based matrix to define:

  • Sectors eligible for SDD,
  • The conditions under which these sectors qualify (e.g., turnover thresholds, regulatory coverage),
  • Periodic reassessment triggers.

Additional Evidence:

  • FATF Guidance acknowledges simplified due diligence for low-risk sectors where transparency and regulated operations prevail.
  • Data from entities using LEIs and vLEIs (e.g., accredited bodies and listed service providers) shows high traceability and minimal ML/TF involvement.

Conclusion:

We request the EBA to explicitly list in Section 4:

  1. Accredited Certification Bodies,
  2. Registered Non-financial Consultancy Firms,
  3. Government Utility Service Providers,
  4. KYC-compliant low-value E-commerce platforms.

This will promote clarity, compliance efficiency, and risk-sensitive resource allocation for AML/CFT enforcement.

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We broadly agree with the intent and direction of Section 5 of the draft RTS, which focuses on enhancing the customer due diligence (CDD) measures applicable to higher-risk sectors or circumstances. The section introduces necessary regulatory rigor to tackle sophisticated ML/TF threats, especially in emerging areas such as crypto-assets, cross-border remote onboarding, and complex corporate structures.

However, we respectfully submit the following suggestions and clarifications to strengthen the section and balance effectiveness with feasibility:

1. Clarification on Enhanced Due Diligence (EDD) Measures

  • Section 5 should more clearly distinguish between mandatory EDD triggers and risk-sensitive discretionary actions.
  • Excessive prescriptiveness may lead to box-ticking behavior rather than genuine risk assessment.

Recommendation: Incorporate flexibility for obliged entities to apply proportional and tailored EDD measures based on contextual risk analysis, especially for cross-border clients with valid LEI or vLEI.

2. Inclusion of LEI/vLEI as a Risk Mitigation Tool

  • The draft does not yet highlight how the Legal Entity Identifier (LEI) or Verifiable LEI (vLEI) can mitigate opacity risks in identifying beneficial ownership and corporate control chains.

Rationale: Entities using LEI/vLEI provide a globally interoperable identity framework, which can reduce onboarding friction without compromising due diligence.

Recommendation: Add guidance encouraging the use of LEI/vLEI as part of strengthened identity verification protocols under EDD.

3. Proportional Compliance Cost Control

  • Small and mid-sized obliged entities (particularly those in advisory or certification sectors) may face resource strain in meeting high-frequency documentation updates or technical system overhauls for onboarding.

Recommendation: Introduce compliance cost caps or support tools (e.g., shared registries, public risk databases, standardised due diligence templates).

4. Feedback Loop for Continuous Improvement

  • Section 5 should mandate or recommend periodic feedback mechanisms where entities share challenges in applying EDD, especially in high-conflict or sanction-prone jurisdictions.

Rationale: This would allow supervisory authorities and the EBA to refine and evolve EDD practices in step with emerging typologies.

Conclusion:

Section 5 provides a solid foundation for strengthened AML/CFT safeguards. We fully support its adoption, subject to the following enhancements:

  • Clearer demarcation between mandatory and flexible EDD actions,
  • Explicit encouragement of LEI/vLEI use for risk mitigation,
  • Proportional cost management support for smaller obliged entities,
  • Institutionalised feedback loop for risk-based recalibration.

These measures would ensure the framework is both effective and operationally sustainable.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We agree in principle with the objectives outlined in Section 6 of the draft RTS, which focuses on record-keeping, audit trails, and monitoring mechanisms to ensure transparency and accountability in AML/CFT compliance practices. These requirements are essential to enable supervisors and law enforcement agencies to track risk decisions and detect anomalies across financial ecosystems.

However, to ensure effectiveness and broad implementation across various types of obliged entities (including certification and service firms), we suggest the following refinements and safeguards:

1. Balance Between Transparency and Operational Feasibility

  • While we support comprehensive record-keeping and monitoring, the depth and granularity of data required should be aligned with the size, complexity, and sector of the obliged entity.

Recommendation: The RTS should permit proportional application of these controls, especially for low-volume or low-risk service providers, to avoid excessive compliance burdens.

2. Integration with LEI/vLEI Systems

  • Section 6 currently does not reference interoperable digital identities such as LEI or vLEI which can automate audit trails and ensure secure linkages between entities and their transaction histories.

Rationale: LEI/vLEI integration can support tamper-proof entity-level audit logging, especially in complex supply chains or cross-border certification ecosystems.

Recommendation: Include a provision encouraging the adoption of LEI/vLEI within digital audit frameworks.

3. Support for Digital Record-Keeping and Interoperability

  • Many SMEs and professional service providers still rely on non-integrated documentation practices. Mandating high-end audit trail technology could impose cost and technical burdens.

Recommendation: Promote interoperable formats, use of certified document repositories, and provide templates or guidance documents for basic digital record-keeping.

4. Cost of Compliance

  • The cost impact will vary significantly by entity size. Larger institutions with integrated systems may face marginal costs, whereas smaller firms may require initial investment in secure digital tools and training.

Evidence-based suggestion: Consider offering phased implementation timelines and/or technical support schemes for SMEs and micro-enterprises.

Conclusion:

Section 6 rightly emphasizes the need for effective record-keeping and monitoring as a cornerstone of AML/CFT compliance. To improve adoption and efficiency, we recommend:

  • Proportional application based on risk and scale,
  • Incorporation of LEI/vLEI for entity-level traceability,
  • Digital interoperability support tools for SMEs,
  • Phased roll-out and cost-sensitivity.

These enhancements will help ensure that compliance obligations are practical, secure, and inclusive.

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We agree with the proposals in Section 7 of the draft RTS, which emphasize the importance of effective internal controls, governance, and independent audits as part of AML/CFT compliance.

These measures are fundamental to:

  • Ensuring accountability at the senior management level,
  • Detecting systemic weaknesses, and
  • Promoting a culture of compliance across entities.

However, we recommend:

  • Proportionality in application for small and medium entities,
  • Recognition of third-party certification bodies (e.g., ISO 37301 for compliance management systems) as supporting mechanisms, and
  • Encouragement for the use of Legal Entity Identifiers (LEIs) for better internal and external control linkages.

The cost impact for large institutions will be minimal due to existing frameworks. For smaller firms, phased implementation and guidance may be necessary.

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We agree with the proposals in Section 8 and Annex I, which set out harmonized criteria for Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) measures.

These are essential for ensuring consistency across the EU, especially in high-risk scenarios involving complex ownership structures or cross-border activities.

We recommend:

  • Leveraging LEI/vLEI identifiers to streamline beneficial ownership checks,
  • Providing technical guidance for uniform interpretation of Annex I criteria, and
  • Ensuring that compliance costs remain proportionate, particularly for smaller obliged entities.

With these enhancements, Section 8 can significantly strengthen risk-based due diligence across sectors.

Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.

We support the structured approach to classifying the gravity of breaches using qualitative and quantitative indicators.

However, we recommend:

  • Adding non-cooperation during regulatory audits as a distinct aggravating factor.
  • Recognizing prior independent certification (e.g., ISO 37301, ISO 37001) as a mitigating factor, which demonstrates a proactive compliance culture.
  • Including LEI/vLEI adoption status as a risk transparency indicator for regulated entities, to further support entity traceability.

This will ensure a balanced, proportionate, and risk-based classification framework that incentivizes good governance and transparency.

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.

We agree with the proposed three-tier classification (minor, moderate, serious) as outlined in Article 2. This structure provides much-needed clarity and proportionality in enforcement.

We suggest the following refinements:

  • Introduce sector-specific examples to guide authorities in consistently applying classification criteria.
  • Consider the intent and recurrence of non-compliance as important contextual factors beyond just materiality.
  • Allow for mitigating circumstances, such as participation in voluntary transparency frameworks (e.g., LEI, vLEI adoption), or certified compliance systems.

This will help ensure that the application of sanctions is fair, consistent, and encourages continuous improvement.

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

We support the comprehensive list of criteria in Article 4 for determining the level of pecuniary sanctions. The inclusion of factors such as intent, duration, and financial benefit gained is appropriate.

We propose the following enhancements:

  • Include cooperation with authorities and self-reporting as formal mitigating factors.
  • Factor in whether the entity has implemented recognized compliance frameworks (e.g., ISO 37301 for compliance management or ISO 37001 for anti-bribery), as this reflects a genuine commitment to risk mitigation.
  • Consider whether the entity maintains a Legal Entity Identifier (LEI/vLEI), as it strengthens financial transparency and traceability—core pillars of AML/CFT compliance.

These additions would ensure that sanctions are not only punitive but also incentivize preventive compliance behavior across regulated sectors.

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

We agree with the inclusion of financial strength as a key factor in determining the level of pecuniary sanctions. However, we recommend the following clarifications and additions:

  • For legal persons, in addition to balance sheet size and turnover, the EBA should consider the entity’s risk exposure and market influence, especially in cross-border contexts.
  • For natural persons, a graded evaluation of income sources, liabilities, and financial dependents should be considered to avoid disproportionate hardship.
  • The LEI/vLEI-linked financial footprint (e.g., in regulatory filings or credit systems) could serve as an objective, verifiable indicator of financial strength.
  • The framework should ensure that sanctions are proportionate and not punitive beyond deterrence, especially for smaller firms or low-income individuals.

This approach ensures that enforcement remains fair, risk-based, and context-sensitive.

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

We support the proposed criteria in principle, but we recommend the following enhancements for clarity, proportionality, and transparency:

  • Before applying restrictions or requiring divestment, supervisors should assess:
    • Whether the breach was systemic or isolated.
    • The adequacy of the obliged entity’s internal controls and its history of corrective actions.
    • Whether the entity has undertaken voluntary remediation efforts, such as implementing or upgrading compliance programs (e.g., ISO 37301, ISO 27001).
  • The action should be proportionate to the level of inherent and residual AML/CFT risk.
  • The impact of such measures on innocent third parties (e.g., clients, employees, subsidiaries) should be evaluated.
  • Where feasible, the entity should be given the opportunity to propose corrective actions before divestment or restriction is imposed.
  • LEI/vLEI adoption status should also be considered as a factor supporting transparent ownership and accountability, helping evaluate if the breach stems from poor governance or structural opacity.

This ensures that enforcement is fair, evidence-based, and corrective in intent rather than punitive by default.

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

Withdrawal or suspension of authorisation is the most severe regulatory action and should therefore:

  • Be considered only after a thorough risk-based assessment of the gravity, frequency, and intent behind the breach.
  • Be guided by clear, measurable thresholds (e.g., repeated violations, systemic failure to implement AML/CFT controls).
  • Take into account whether the entity:
    • Has engaged in wilful misconduct or gross negligence;
    • Has failed to respond to supervisory warnings or improvement plans;
    • Poses a direct and ongoing threat to the financial system’s integrity.

Additionally, it should be ensured that:

  • Such decisions are reviewable and subject to due process, with the opportunity for the obliged entity to present a remediation plan.
  • Entities demonstrating proactive steps such as use of LEI/vLEI for entity transparency and certified compliance frameworks (e.g., ISO 37301, ISO 37001) are afforded mitigating consideration in supervisory decisions.

This ensures fairness, accountability, and continuity of service while maintaining strict AML/CFT discipline.

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

Requiring changes in the governance structure should be based on:

  • Evidence of governance failure that has led to material AML/CFT breaches, lack of internal controls, or ethical lapses;
  • Repeated non-compliance or inaction by senior management or the board despite regulatory observations;
  • Conflict of interest, lack of independence, or absence of competent AML/CFT oversight roles in the current structure.

The criteria should also recognize:

  • The role of effective compliance frameworks, such as ISO 37301 (compliance management) and ISO 37000 (governance), in evaluating governance robustness;
  • Organizations with transparent leadership identities (facilitated through use of LEIs and vLEIs) should be considered more favourably, as they promote accountability and traceability;
  • A fair balance must be struck to avoid overreach—remedial guidance and timelines should precede enforced structural changes unless urgent action is required.

This ensures supervisors act proportionately while reinforcing long-term structural integrity.

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

Most indicators and criteria proposed under Articles 1 to 4 of the RTS are broadly applicable to both financial and non-financial sectors, as the principles of AML/CFT compliance, risk-based governance, and accountability are universal. However, some distinctions are necessary:

Indicators and Criteria That Should Apply to the Non-Financial Sector:

  • Severity of the breach and its impact on public interest.
  • Duration and repetition of non-compliance.
  • Intentionality or gross negligence.
  • Degree of cooperation with authorities.
  • Remedial actions taken post-breach.
  • Organizational size and risk exposure.

These apply equally across sectors and reflect core compliance values.

Indicators That May Need Tailoring or Should Not Fully Apply:

  • Market share or systemic importance may not be meaningful for smaller non-financial entities operating in niche domains.
  • Complexity of financial products or cross-border fund transfers may be less relevant in some non-financial businesses (e.g., construction firms, legal service providers).
  • Financial strength metrics (like balance sheet thresholds) may require proportionate adjustment based on the typical size of entities in the non-financial sector.

Conclusion:

The framework should adopt a proportionality principle when applying these criteria to non-financial entities, ensuring fairness while maintaining AML/CFT effectiveness.

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

Yes, we believe that the indicators and criteria should provide greater clarity and specificity when assessing natural persons, particularly senior management, who may not be directly classified as obliged entities but hold key decision-making roles within such entities.

Suggestions for Improvement:

  1. Explicit Attribution of Responsibility
    • Criteria should explicitly link breaches or failures to the roles and responsibilities of senior managers under the AMLR definition.
    • This includes board-level oversight, risk governance, and AML/CFT program effectiveness.
  2. Assessment of Individual Conduct
    • Incorporate behavioural indicators, such as:
      • Willful blindness
      • Failure to act despite red flags
      • Encouragement or tolerance of non-compliance
  3. Differentiated Sanctioning Mechanisms
    • Include proportional criteria for:
      • Negligence vs. intentional misconduct
      • First-time lapses vs. repeated disregard for obligations
  4. Governance Context Consideration
    • Evaluate whether senior management established or undermined internal controls, reporting lines, or whistleblower protections.

Conclusion:

Clarifying these criteria would enhance accountability and fairness, discourage token compliance at the executive level, and support better enforcement in both financial and non-financial sectors.

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

Yes, we believe the draft RTS would benefit from greater granularity and specificity in defining both the factors and the methodology for calculating periodic penalty payments. Clear, consistent, and transparent criteria would promote legal certainty, fairness, and harmonized enforcement across Member States.

Recommended Factors to Include in EU Legislation:

  1. Severity and Duration of Non-Compliance
    • Define ranges based on how long the breach persisted and its potential/actual harm (e.g., systemic risk, facilitation of ML/TF).
  2. Size and Economic Strength of the Entity
    • Use proportionality based on revenue, assets, or number of clients to ensure penalties are impactful yet fair.
  3. Repeat Offense History
    • Escalating penalties for repeated violations or disregard for prior warnings/supervisory actions.
  4. Level of Cooperation
    • Mitigation for voluntary disclosures, remedial actions, or strong cooperation with supervisory authorities.
  5. Benefit Gained or Harm Avoided
    • Consideration of any direct or indirect benefit resulting from the breach.
  6. Entity’s Role in the Financial System
    • Whether the entity plays a central or peripheral role in critical infrastructure or markets.

Why These Should Be Codified:

  • Ensures consistency across jurisdictions and sectors.
  • Enhances deterrence by aligning penalties with risk impact.
  • Prevents arbitrary interpretation by providing a structured calculation approach.
  • Strengthens trust in supervisory processes, especially under the new AMLA framework.

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

Yes, we strongly support the creation of a more harmonized set of administrative rules under the RTS for the imposition of periodic penalty payments. A consistent EU-wide framework would significantly enhance predictability, fairness, and effectiveness of supervisory enforcement in the AML/CFT domain.

Provisions Recommended for EU Legislation (instead of leaving to national discretion):

  1. Standardized Calculation Methodology
    • EU-level rules should define how the base amount is calculated, adjusted for severity, size of the entity, and duration of the breach. This avoids divergent penalty scales across Member States.
  2. Minimum and Maximum Thresholds
    • Define EU-wide minimum and maximum limits for daily or total penalties, proportionate to the entity’s size and risk profile, to prevent under- or over-enforcement.
  3. Timelines for Payment and Appeal
    • Set consistent deadlines for payment, procedures for appeal, and stay of enforcement during appeal to protect due process.
  4. Transparency and Disclosure Requirements
    • Mandate when and how periodic penalty decisions should be published, with criteria for anonymization where applicable, enhancing public trust.
  5. Criteria for Exemptions or Reductions
    • Clearly outline EU-level conditions under which penalties can be waived, reduced, or deferred (e.g., force majeure, early voluntary compliance).

Why Prefer EU-Level Harmonization:

  • Reduces regulatory arbitrage by aligning enforcement across jurisdictions.
  • Strengthens cross-border supervisory coordination.
  • Ensures equal treatment for comparable breaches in different countries.
  • Provides legal clarity to obliged entities operating across the EU.

Name of the organization

LEI International Private Limited