Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
From the executive summary, we note that, when putting together its proposals, the EBA was guided by the principles of a proportionate, risk-based approach that can be applied effectively by financial institutions and their AML/CFT supervisors and is conducive to limiting the cost of compliance where possible. This is much appreciated by industry.
The CfE asks for evidence of the impact that various sections would have, including the cost of compliance, if adopted as such. While it is not possible to estimate this in a meaningful way, we would make a number of points regarding impact.
- We welcome that the EBA’s work on the call for advice is guided by five principles:
  - A proportionate, risk-based approach.
  - A focus on effective, workable outcomes.
  - Technological neutrality.
  - Maximum harmonisation across supervisors, Member States and sectors.
  - Limiting disruption by building on existing EBA standards where possible, whilst aligning with global AML/CFT benchmarks.
- Impact on existing customers - due to the additional AML/CFT requirements, all obliged entities will need to reach out to each of their customers to uplift AML. This will involve significant cost.
- System Development - Typically, changes to AML/CFT/FS requirements trigger IT system changes (systems will have to be reconfigured to include and search for required information such as industry, nationalities, place of birth, etc.), which in turn require a lead-in time for designing, testing, updating, rolling out, training, updating disclosures, informing customers and implementing. This can take years and can only begin when requirements are finalised. If not automated, this will be a manual investor-by-investor exercise with overall manual assessment/subjectivity risks.
- Specific provision needs to be made for customers who have moneys or other assets with obliged entities and who may be unable to comply with new requirements for reasons unrelated to AML/CFT/FS risk. For example, new / refreshed requirements can be particularly difficult for older investors / investors who are now unwell and who may not have latest technology / documentation. In such cases, provisions for how this scenario can be resolved without disenfranchising the customer or resulting in the customer being unable to access the financial product, should be made explicit.
- The RTS are drafted by the EBA and therefore, in some places, tend to reflect the perspective of the banking sector and do not allow for flexibilities appropriate to other financial services.
- It is desirable to consider effectiveness and limiting additional costs when mitigating AML/TF risks on low / standard risk customers, particularly bearing in mind the Savings and Investment Union initiative and the renewed focus on EU competitiveness. Each requirement should be relatable to AML/CFT risk, should be justified as being necessary and should be checked for practicality in each Member State and beyond, given the serious consequences where customers are unable to meet requirements.
- It would be very helpful to have worked examples of how the requirements of the RTS might be satisfied in practice.
- Data Minimisation – We have seen a concerted effort over a number of years to reduce data collection / storage. The addition of prescriptive requirements runs against this and must be rigorously considered in terms of the value add from an AML/CFT/FS perspective.
Section 1: Information to be collected for identification and verification purposes
1. Draft RTS Article 2 3 – Specification on address requirements
The requirements for a 1. postal code, 2. city, 3. street name in the context of address are too prescriptive and do not allow for the different ways of expressing a “postal address at which the natural person can be reached” in practice. Not all countries have postal codes; not all people live on streets or in cities. The RTS need to accommodate non-EU jurisdictions.
The words “as appropriate” should be added after postal code, city and street name. We believe that this will be more effective, workable and inclusive.
==================================================================================
2. Draft RTS Article 3 – Specification on the provision of the place of birth
Article 3 mandates that the information on the place of birth as referred to in Article 22 (1) (a) point (ii) of Regulation (EU) 2024/1624 shall consist of both the city and the country name.
The city of birth does not add value in terms of CDD and the requirement is overly prescriptive. People who were not born in a city will not be able to supply a city name. Verification of city of birth, where a person was born in a city, is likely to involve significant practical difficulties in some cases. In Ireland, for example, an Irish passport only shows the city of birth if the person was born in a city. In other instances, it will show the county of birth. British passports often show a Borough as the place of birth. There is no obligation to hold a passport in some countries, including Ireland.
The words “both the city and” should be removed.
==================================================================================
3. Draft RTS Article 4 – Specification on nationalities
As regards the requirement for obliged entities to obtain necessary information to satisfy themselves that they know of any other nationalities their customers may hold, it would be helpful to have guidelines or worked examples showing how obliged entities can obtain necessary information to satisfy themselves that they know of any other nationalities their customers may hold. It is difficult to see how obliged entities can satisfy themselves on this point.
The word “shall” should be replaced by “shall take reasonable measures to”.
==================================================================================
4. Draft RTS Article 5 – Documents for the verification of the identity
We suggest that, in practice, the document described in Article 5 (1) is not an alternative to a passport because very few documents other than a passport would fulfil the criteria outlined in the RTS. As an example, the place of birth (i.e. city and country) is often not included on the driving licence or national ID of some countries. This is of particular importance in the context of financial inclusion. The RTS needs to ensure sufficient flexibility exists to allow obliged entities to accept digital identification where it is appropriate on a risk-based approach.
==================================================================================
5. Draft RTS Article 6 – Verification of the customer in a non-face-to-face context
Article 6 (1) of the draft RTS refers to the “requirements of Article 22 (6) of Regulation (EU) 2024/1624”. Hence it appears to apply to the requirements of both Article 22 (6) (a) and Article 22 (6) (b) of Regulation (EU) 2024/1624. This needs to be clarified. If this is the correct interpretation, then it seems that obliged entities will be required to (i) use a “remote solution” (such as video identification services) under Article 6 (2) of the draft RTS, in all instances where verification of customer identity takes place in a non-face-to-face context. This is likely to require a significant change in remote onboarding practices in certain sectors, such as funds, which may not currently utilise remote onboarding solutions/tools.
In addition, Article 6 (3) requires that the obliged entity must obtain from the person to be identified their explicit consent to the use of remote solutions. This is not addressed in the EBA’s Guidelines on the use of Remote Customer Onboarding Solutions under Article 13 (1) of Directive (EU) 2015/849.
This explicit consent would require a significant repapering exercise and, in some cases (age, ill health), for existing customers, consent might not be possible to obtain. It would be important to clarify whether there will be a requirement to obtain this consent from existing investors, for example on a “refresh” of AML / CFT documentation? It would be important to explicitly deal with how obliged entities should deal with existing customers who need to undergo a refresh but encounter difficulties. Alternatively, is it intended that this should be captured within the tool?
==================================================================================
6. Draft RTS Article 9 – Reasonable measures for the verification of the beneficial owner
Requirements for certification should be removed. The requirement for certification by an independent professional in a non-high-risk scenario is overly prescriptive. More flexibility should be incorporated as these are reasonable measures and as such will depend on the circumstances. For example, it is possible to publicly verify data in many instances. The draft RTS approach appears to be heavily document based, which is overly prescriptive where industry is providing innovative solutions that are not document based, and so flexibility should be built in.
The meaning and purpose of the clause “and where the identity of the named person is certified by an independent professional or sources using a combination of public and private records” is unclear and should be rewritten.
Article should be reconsidered.
==================================================================================
7. Draft RTS Article 10 – Understanding the ownership and control structure of the customer
The provisions here are overly prescriptive. Such provisions should be risk based. It should be noted that most large company group ownership and control structures contain more than one legal entity or legal arrangement and therefore these types of structures should not be considered to be complex or unusual. They should apply insofar as appropriate, rather than in all circumstances. It is unnecessary and undesirable to be so prescriptive. Article 10 (b) should be amended by the addition of the words “where appropriate” after the first clause to read
..“with respect to each legal entity or legal arrangement within the referred intermediary connections, where appropriate, ..”
Article should be reconsidered.
==================================================================================
8. Draft RTS Article 11 – Understanding the ownership and control structure of the customer in case of complex structures
The circumstances where obliged entities “shall” treat an ownership and control structure as complex are extremely broad and would capture so many structures that the truly complex structures are more likely to be missed. This should not be mandatory. Provisions should leave flexibility.
The circumstances where obliged entities are mandated to treat an ownership and control structure as complex should be risk-based.
==================================================================================
9. Draft RTS Article 12 – Information on senior managing officials
Senior Managing Officials should not need to be verified in the same way as an underlying beneficial owner because of the difference in financial interest and because there may be a number of senior managing officials for an entity. The use of “reliable/reputable” public sources such as government website/Company website, etc. should be an option.
==================================================================================
10. Draft RTS Article 14 - Identification and verification of beneficiaries of discretionary trusts
Requirements should be reasonable and proportionate.
Where the trustee is regulated (and absent indicators of concern), it should be adequate to obtain a comprehensive declaration from the trustee including provision of documents upon regulatory request promptly and without delay.
The introductory words at paragraph 1 should be amended to read:
“For the purposes of Article 22 (5) of Regulation (EU) 2024/1624 information obliged entities shall obtain from the trustee of the discretionary trust, taking risk-sensitive measures, may include”
The introductory words at paragraph 2 should be amended to read:
“To comply with paragraph 1, taking risk-sensitive measures, obliged entities may:”
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context?
Please see response above in Qs 1.
Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
We have no comment.
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
We have no comment.
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
11. Draft RTS Article 15 - Identification of the purpose and intended nature of the business relationship or the occasional transactions
Requirements of Article 15 appear banking centric. It would be helpful to have clarity on whether “source” in Article 15 (b) refers to, for example, an EU bank account.
It is not clear what purpose is served by Article 15 (c) in terms of purpose and intended nature of the business relationship. This could be very difficult to achieve in the context of large multinationals with headquarters/branches outside EU which are not subject to EU regulation. Even if they agreed to share, systems would not be set up to share such data so this would likely be manual collection of information which would inevitably encounter legal and technological barriers.
Article should be reconsidered.
It may also be helpful to provide examples of the nature of the “risk-sensitive measures” to determine why the customer has chosen the obliged entity’s products and services. It would be helpful to clarify whether customer representation will suffice where the representation is to the satisfaction of the obliged entity?
==================================================================================
12. Draft RTS Article 16 - Understanding the purpose and intended nature of the business relationship or the occasional transactions
It would be helpful to receive further clarity, for example, is it sufficient for the obliged entity to rely on customer representations and is this in the context of standard due diligence only?
==================================================================================
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We have no comment.
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Please see comments below in Qs 7.
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.
The provisions included in Article 21 are most welcome. Please see comments below.
Section 4: Simplified Due Diligence measures
13. Draft RTS Article 21 – Sectoral simplified measures: Collective investment undertakings
This provision (we think) aims to implement the provisions of section 16.20 of the EBA’s ML/TF Risk Factors Guidelines, which will be very valuable. If so, the text might be rewritten as below.
Article 21 – Sectoral simplified measures: Collective investment undertakings
When an intermediary credit or financial institution is investing in a collective investment undertaking, acting in its own name, but for the benefit of its underlying investors, the collective investment scheme may fulfil the requirement under Article 20(1)(h) of Regulation (EU) 2024/1624 by being satisfied that the intermediary will provide CDD information and documents on the underlying investors immediately upon their request, and provided that:
a. the intermediary is subject to AML/CFT obligations in an EU Member State or in a third country that has AML/CFT requirements that are not less robust than those required by Regulation (EU) 2024/1624.
b. the intermediary is effectively supervised for compliance with these requirements.
c. the risk associated with the business relationship is low.
d. the fund or fund manager is satisfied that the intermediary applies robust and risk-sensitive CDD measures to its own customers and its customers’ beneficial owners.
==================================================================================
14. Draft RTS Article 22 - Customer identification data updates in low-risk situations
The obligation on obliged entities to take the measures necessary to ensure that they hold up-to-date customer identification data at all times is extremely onerous, given that this is a low-risk situation. It would be helpful if accompanying guidelines or worked examples could clarify how this can be achieved. By way of example, in circumstances of low risk, could this be achieved by requesting the customer to update the obliged entity of any changes when they occur? The customer, as distinct from the obliged entity, should have the obligation to keep the information up to date.
In the context of a collective investment scheme, an investor might have invested many years ago and nothing might have changed in their circumstances. There might be no need for the investor to transact at this time. The resources needed to ensure that the obliged entity holds up-to-date customer identification data at all times might be better used otherwise.
“Reasonable” should be inserted before “measures”. “At all times” should be replaced by “taking risk-sensitive measures.”
==================================================================================
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Section 5: Enhanced Due Diligence measures
15. Draft RTS Article 24 - Additional information on the customer and the beneficial owners
Requirements here are too prescriptive. While Regulation (EU) 2024/1624 is a harmonising regulation, it is not intended to take the place of the risk-based approach. These provisions are not grounded in an AML/CFT imperative. Flexibility should be available where practicable and will assist in the important goal of financial inclusion.
The words “shall, at least” should be replaced by “may include.”
Article 24 (c) contains a requirement for the “obliged entity to assess the ML/TF risk associated with the customer’s or beneficial owner’s past and present business activities”. It is not clear to what extent, and for how many years, the obliged entity should collect information on the customer’s and beneficial owner’s past business activities to assess ML/TF risk.
Article 24 (d) should be deleted. It is not the responsibility of obliged entities to investigate criminal activity. The obliged entity is obliged to report suspicious transactions. There is a risk of “tipping off”.
==================================================================================
16. Draft RTS Article 25 – Additional information on the intended nature of the business relationship
Again, requirements here are too prescriptive. While Regulation (EU) 2024/1624 is a harmonising regulation, it is not intended to take the place of the risk-based approach. It would be helpful to understand the specific risks being mitigated here. These provisions are not grounded in an AML/CFT imperative. Flexibility should be available where practicable and will assist in the important goal of financial inclusion.
Arguably, the prescriptive nature of this article goes beyond the mandate in Article 34 (4) point (b) of Regulation (EU) 2024/1624.
Again, it would be helpful to have guidance/ examples of how the requirements of this article can be met in practice.
The words “shall, at least” should be replaced by “may include.”
==================================================================================
17. Draft RTS Article 26 - Additional information on the source of funds, and source of wealth of the customer and of the beneficial owners
The requirements here are too prescriptive. While Regulation (EU) 2024/1624 is a harmonising regulation, it is not intended to take the place of the risk-based approach. It would be helpful to understand the specific risks being mitigated here. These provisions are not grounded in an AML/CFT imperative. Flexibility should be available where practicable and will assist in the important goal of financial inclusion.
Arguably, the prescriptive nature of this article goes beyond the mandate in Article 34 (4) point (c) of Regulation (EU) 2024/1624.
Again, it would be helpful to have guidance/ examples of how the requirements of this article can be met in practice.
The word in the second sentence “shall” should be replaced by “may.”
==================================================================================
18. Draft RTS Article 27 - Additional information on the reasons for the intended or performed transactions and their consistency with the business relationship
Again, requirements here are too prescriptive. While Regulation (EU) 2024/1624 is a harmonising regulation, it is not intended to take the place of the risk-based approach. The role of the obliged entity is to report suspicious transactions and not to investigate. There is a risk of “tipping off”. These provisions are not grounded in an AML/CFT imperative. Flexibility should be available where practicable and will assist in the important goal of financial inclusion.
Arguably, the prescriptive nature of this article goes beyond the mandate in Article 34(4) point (d) of Regulation (EU) 2024/1624.
Again, it would be helpful to have guidance/ examples of how the requirements of this article can be met in practice.
The word in the second sentence “shall” should be replaced by “may.”
Article 27 (d) should be deleted. It is not the responsibility of obliged entities to investigate criminal activity. The obliged entity is obliged to report suspicious transactions. There is a risk of “tipping off”.
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Section 6: Targeted Financial Sanctions
19. Draft RTS Article 28 - Screening of customers
The word “all” should be deleted. It should not be mandatory to screen signatories and other persons/entities who only have perhaps minor levels of operational control over the customer.
We suggest that “control” is defined to mean overall strategic control of the entity.
==================================================================================
20. Draft RTS Article 29 - Screening requirements
In order to avoid multiplicities of hits, it would not be desirable to screen date of birth, aliases or wallet addresses. Such multiple hits reduce effectiveness.
For the same reason, the words “at least” should be deleted from Article 29 (a).
We question why the system must be automated, given that some obliged entities are very small and have small numbers of customers.
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We have no comment.
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We have no comment other than to re-iterate that obliged entities should be enabled to take risk-sensitive measures and have flexibility to ensure financial inclusion and to achieve effective, workable outcomes in a dynamic and constantly evolving environment.