Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Go back

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

The EBA rightly emphasises the need to limit compliance costs wherever possible. With this in mind, we generally support a risk-based and effective approach to assessing the risk profile. 

 

Creating a risk profile for all obliged entities is a considerable challenge for both national supervisory authorities and institutions themselves. To ensure efficiency, it is important that the process remains clear and that limited resources are not consumed by unnecessarily complex data collection and analysis requirements. 

 

Like other obliged entities, Bausparkassen are already required to carry out a comprehensive risk assessment in their organisation and to update it regularly. This risk assessment should be recognised wherever possible, as it already provides valuable information for determining the inherent and residual risk profile.

 

Several national supervisory authorities in several EU member states, including the German BaFin, have already categorised the risk of the home loan and savings business as low. Please refer to Annex 1 for the justification of the low AML/CFT risk of the home savings business. The confirmation from the German supervisory authority with regard to a lower AML/CFT risk of the home savings business is enclosed in Annex 2. (the attachments will be submitted separately via email to eba.consultation@eba.europa.eu).

 

We request that Bauspar savings be included under the "Category - Products, services and transactions" as a separate sub-category. 

 

Justification:

 

  • In addition to the deposit business, the loan business of a Bausparkasse should also be listed as a new data point under this sub-category "Bauspar savings". It is not expedient to list the loans granted by the Bausparkasse for the energy-efficient or age-appropriate modernisation of private properties under the sub-category "Lending".
  • As Bausparkassen do not offer any payment services, we believe that transactions related to the Bauspar business - such as the payment of savings, the disbursement of saved credit balances and approved loans, the making of redemption payments, and the repayment of Bauspar and building loans - should be recorded as data points within a new "Bauspar savings" category, rather than, for example, under "money transfer".
  • In addition, Bausparkassen cannot have an overall view of their customers' asset situation, as the business relationship with the contract holders extends exclusively to pre-savings, the repayment of Bauspar loans granted and/or building loans granted to finance their own property in the contract holder's country of residence.
  • Payment flows to the Bausparkasse are largely characterised by the direct debit procedure: in many cases, savers authorise the Bausparkasse to collect the monthly savings instalment from their current account. In the case of loans, the direct debit procedure is an integral part of the loan agreement.
  • Individual transfers initiated by customers or their employers are usually small-volume transactions. The turnover value of an average deposit is just under 100 euros.
  • The Bauspar business is characterised by the German BaFin as a "downstream business activity". Transactions are carried out exclusively via an account held by the customer at a supervised credit institution in the European Economic Area from/to the specialised institution or via the federal bank account of the specialised institution.
  • Bauspar saving is targeted saving in order to obtain loans for housing purposes, the interest on which is low, fixed from the outset and independent of interest rate fluctuations on the capital market. For Bausparkassen, the permitted uses of such loans are strictly regulated by national Bausparkassen laws. The most important purpose is the acquisition of residential property by building or buying a flat or house. Permissible residential uses also include, for example, extensions and conversions, modernisation, debt rescheduling and the acquisition of residential rights for the elderly.
  • Based on the above, Bausparkassen are not required to operate a monitoring system. Such a data processing system would not provide Bausparkassen with any information on their customers' business activities in other financial sectors or private matters.  

 

 

 

 

 

 

 

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

We are expressly in favour of the rule, as the residual risk can never be higher than the inherent risk.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

In our opinion, the proposed data collection requirements are far too extensive. Many of the required data points go beyond existing surveys and would require considerable recording and IT effort. 

 

For example, the number of beneficial owners is currently not available in an automated manner at most Bausparkassen, which means that recording additional data fields would involve a great deal of implementation effort. Other additional details - such as a different business name or country of birth - are also not currently recorded as standard practice. The one-off implementation and ongoing maintenance of new IT data fields would entail considerable effort, especially for smaller institutions.

 

Overall, we recommend limiting data collection to essential, risk-relevant parameters. The selection of data points should be critically scrutinised and should only be made mandatory where there is clear added value for risk analysis.

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

Comments on individual data fields can be found in Annex 3 (the attachments will be submitted separately via email to eba.consultation@eba.europa.eu).

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

It is doubtful whether certain data points, such as information on shareholdings or "third-party money laundering risk", can be reliably collected outside the financial sector at all. It should be examined whether some indicators could be covered by supervisory authorities or publicly accessible sources as an alternative. Overall, we recommend limiting data collection to essential, risk-relevant parameters and avoiding additional surveys in the non-financial sector wherever possible.

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

Art. 40 of the ALMD6 does not provide for an annual review cycle for the risk profile of obliged entities by default. A blanket annual review of all institutions would result in disproportionately high costs compared to a risk-based differentiation. We propose reversing the relationship between rule and exception, for example by setting a review frequency of three years and only requiring an ad hoc review of the risk profile if the criteria set out in Art. 5 (6) of the draft RTS are met.

 

The relevant risk indicators for Bausparkassen are not subject to any major changes, so that an annual review would be justified for Bausparkassen in any case. In addition, the products of Bausparkassen are subject to a low AML/CFT risk. 

 

The audit frequency has a significant impact on compliance costs: an audit would require around 160 IT hours at an hourly rate of EUR 150, resulting in costs of EUR 24,000. The reduced audit frequency in the sense of an audit every three years would therefore lead to a cost reduction of around EUR 50,000 over a three-year period.

 

We therefore call for institutions with a low AML/CFT risk, such as Bausparkassen, to have their risk profile reviewed every three years at most. Several national supervisory authorities, including the German BaFin, have already recognised a low AML/CFT risk in the Bauspar business. Please refer to Annex 1 for the justification of the low AML/CFT risk of the Bauspar business. The confirmation of the German supervisory authority with regard to a low AML/CFT risk of the Bauspar business is attached as Annex 2 (the attachments will be submitted separately via email to eba.consultation@eba.europa.eu).

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

Due to the low AML/CFT risk in the Bauspar business and the predominantly "sluggish" customer business - characterised by a low number of transactions, low volatility in the customer portfolio and low product and customer-related risks - Bausparkassen should fall under the exception and only be valued every three years. 

 

Several national supervisory authorities, including the German BaFin, have already recognised a low AML/CFT risk of the home savings business. Please refer to Annex 1 for the justification of the low AML/CFT risk of the home loan and savings business. The confirmation of the German supervisory authority with regard to a low AML/CFT risk of the home loan and savings business is attached as Annex 2 (the attachments will be submitted separately via email to eba.consultation@eba.europa.eu).

Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

Yes, but no distinction should be made due to the harmonised regulatory requirements and the common supervisory regime within the EBA. This follows from the objective of the EU anti-money laundering package to create a harmonised regulatory environment, which should also be reflected in the assessment of the inherent risk profile. A differentiated assessment of cross-border transactions within the EEA would not be compatible with the harmonised legal framework. 

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

At the outset, we would like to note the current lack of precise information regarding the detailed risk assessment of individual institutions and its impact on the group as well as the specific feedback effects of the group assessment on each individual institution. Since the individual data points and their weightings have not yet been made known to obliged entitites, we are unable to provide a concrete assessment in this regard.

 

Nevertheless, we would like to take this opportunity to express our concern, as every Bausparkasse is integrated into a group and therefore there is a latent risk of group liability. We consider automatic joint liability of the Bausparkasse to be inappropriate, even in the case of a higher individual risk of sister companies within the same group or of the parent company. 

 

Due to the nature of the system, customers of a Bausparkasse have no possibility of concealing individual assets via the Bausparkasse. Business relationships with a Bausparkasse are managed exclusively in the Bausparkasse's accounting system. Each business relationship is subject to a Customer Due Diligence process. Transactions to and from the Bausparkasse take place via payment transactions and are transparent in each individual case, even if a customer has several business relationships with different institutions within a group. In this context, we refer once again to the low-risk situation of a Bausparkasse, which has been mentioned several times. 

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Section 1 contains numerous definitions and clarifications on identification data. We would like to address individual points as follows:

 

  • Art. 1 Different business name/trade name

 

The collection of the different business name/trade name does not in itself provide any recognisable added value for the prevention of money laundering. As the company name is already recorded, additional trade names should be omitted. 

 

It is almost impossible for the obligated parties to keep the trade name of a customer up to date, as it is not entered in the commercial register and can therefore be changed almost daily. 

 

Storing the trading name in the system would entail considerable IT costs. We estimate that this would require around 800 IT hours at an hourly rate of EUR 150.00, which corresponds to a total of EUR 120,000, without any apparent added value for the prevention of money laundering and terrorist financing.

 

If there is a need to store the trade name in the EU-wide AML system for the purposes of investigations, we suggest that the trade name be stored together with the company name in the respective transparency register. This would make this data field generally available and would only need to be updated in one place.

 

 

  • Art. 2: Apartment number

 

The flat number should only be recorded if it is an integral part of the postal address. Otherwise, this would collect an unnecessary amount of additional data. The recording of the flat number should be limited to cases in which it is legally recognised as part of the address.

 

  • Art. 3: Obtaining information in relation to the address

 

We assume that the obliged entities will be able to adhere to the existing practice of storing a unique country code.  With the existing storage method, the obliged entities are able to merge the country name and any other country abbreviations of a customer address, such as the ISO 3166 alpha-2 abbreviation code, if necessary, e.g. in the case of information or registration in registers or similar. The existing practice also has the advantage that if the country name is changed (e.g. from Cylon to Sri Lanka or from Swaziland to Eswatini), a change only has to be made in one place and all databases dependent on this are updated quickly. If, on the other hand, the obligated parties had to introduce new data fields in the address database of each customer, this would require an enormous IT effort, which would also require considerable ongoing IT and personnel costs.

 

  • Art. 3: Country of birth

 

Art. 3 of the draft RTS requires that comprehensive information on the place of birth be recorded in future. In addition to the name of the city, the country of birth should also be stated.

 

In practice, this poses considerable challenges for obliged entities, as there are major differences in the indication of the place of birth on legitimisation documents. In most documents, including those from Germany, only the place of birth is noted. Only in exceptional cases is the country of birth also recorded. 

 

For this reason, determining the country of birth is associated with uncertainties, especially for countries that no longer exist in their former form. The risk of incorrect data being collected due to a lack of clear standards outweighs the potential benefits of such a regulation. 

 

In addition, the system-related storage of this data requires considerable additional IT effort. We estimate that this will require around 800 additional IT hours at an hourly rate of EUR 150.00, which equates to a total of EUR 120,000. 

 

However, the added value of this measure is not apparent to us. Currently, analyses and risk-based due diligence are carried out based on the customer's current place of residence and nationality. We therefore do not consider it necessary to collect the country of birth and propose deleting this article.

 

  • Art. 4: Specification of nationalities

 

Art. 4 of the draft RTS requires obliged entities to obtain all necessary information to be aware of all nationalities of their clients. We suggest that it should be explicitly stated that obliged entities can rely on the information provided by the client. Further verification or research should only take place if there are warning signs or suspicion.

 

In this context, it should be noted that not all persons with multiple nationalities possess or can easily obtain identity documents from the relevant countries (e.g. this would be questionable in the case of refugees from various countries). The information provided by the customer must be relied upon, as there is no possibility of verification if the customer does not provide any other nationalities. 

 

It should also be made clear that 

 

  1. the collection of the relevant nationality is generally derived from the ID card used for identification by the obliged entity. This must be maintained in the usual manner in the obligated parties' existing systems. The maintenance of a national ID by the obliged entities is limited to this nationality.

     

  2. A maximum of 3 nationalities per person must be recorded in order to create clarity for the institutions with regard to the implementation of the necessary new data fields in the core banking systems. According to the principle of descent, which is usually applied when determining a nationality, most people have a maximum of two nationalities. 

     

To ensure a proportionate implementation effort, the regulation should be limited to new customers. A retrospective enquiry with existing customers is not considered sensible, as it is unlikely that many customers will respond and the implementation costs would therefore be disproportionate. 

 

For the same reason, it should also be clarified that the one-off query as part of the identification process is sufficient and that no new query needs to be made as part of the customer data update.

 

  • Art. 5: Criteria to be taken into account when applying the administrative measures listed in this Regulation

 

With regard to Art. 5 (4), we suggest changing the term "foreign language" to "a language that the obliged entity does not understand". In addition, the requirement for certified translations should be dropped if the institutions can understand the content in another way, for example through translation tools, the use of the EU's web-based system PRADO or through internal expertise.

 

  • Art. 7 - Reliable and independent sources of information

To clarify which bodies are to be regarded as reliable and independent sources of information, we suggest amending Article 7 accordingly:

The credibility of obliged entities is generally not in doubt, as the EU AML system requires obliged entities to have robust internal procedures for the prevention of money laundering, terrorist financing and compliance with sanctions, which are subject to an ongoing review and adjustment process through independent internal and external audits. Obligated entities can regularly use the integrity of the compliance officer and the money laundering officer of other obligated entities as reliable sources of information.

 

  • Art. 10 - Understanding the client's ownership and control structure

 

Art. 10 para. 2 (plausibility check): In accordance with Article 10 (2), institutions must check the plausibility of the information on the ownership and control structure, whether the structure is based on an economic logic and how the overall structure affects the AML/CFT risk associated with the customer. A plausibility check of the information on the ownership and control structure by the institutions appears appropriate, but it is unclear how the further requirements are to be implemented. In our view, checking the economic logic behind the structure is clearly too extensive and also impracticable in the context of business initiation. It is questionable whether the institutions have the necessary information and insights to be able to make a corresponding judgement. The assessment of the influence of the overall structure on the AML/CFT risk also appears too far-reaching in the context of business initiation at individual customer level. As a rule, credit institutions have risk classification procedures that systematically assess customers with regard to their AML/CFT risk on the basis of fixed parameters. Assessing the structure would mean an individual assessment for all legal entities as part of the business initiation process, as a systematised assessment would not be possible in order to meet the requirement. In addition, the institution's anti-money laundering officer would have to be involved for a well-founded assessment. This would mean a disproportionate effort for the institutions. We therefore propose limiting Art. 10 (2) to the plausibility check of the information on the ownership and control structure.

 

  • Art. 11 - Understanding the client's ownership and control structure in complex structures

 

Art. 11 para. 1a ("legal agreements at one of the levels"): The wording is unclear. It is not clear what exactly is required here - what kind of legal agreements and at which "levels" are meant. A clear definition is necessary.

 

Art. 11 para. 1d (Complex corporate structure): The term "opaque, convoluted or complex ownership/control structure" is not appropriate because it often takes a more detailed examination to determine whether a structure is complex. A clearer assessment threshold or examples of complex structures would be useful.

 

Art. 11 para. 2 (request for organisational charts): We consider the obligation to request organisational charts for complex structures to be problematic. Recognising "complexity" already requires an examination in advance; it seems unfortunate to additionally demand a detailed chart before the complexity has been quantitatively defined. This creates additional work in communication with the customer.

 

Art. 11 para. 3 (review of the organisational chart): We continue to criticise the "appropriate review" of organisational charts. The question arises as to how an institution can do this without specific industry or expert knowledge. The requirements for audit quality should be practical and, where appropriate, supported by industry-specific guidance.

 

  • Art. 12 - Information on senior managing officials

 

Art. 12 requires obliged entities to verify the identity and information of senior managing officials to the same extent as beneficial owners. We are of the opinion that a business address should be sufficient for senior managing officials. Requiring a residential address would be disproportionate and questionable in terms of data protection requirements. 

 

Furthermore, we currently consider the collection of personal data on all conceivable fictitious beneficial owners of a customer to be inappropriate due to the unclear regulatory situation within EU Regulation 2024/1624. We have summarised the details in Annex 4 (the attachments will be submitted separately via email to eba.consultation@eba.europa.eu).

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

It should be expressly possible to use other reliable identification procedures if eIDAS solutions are not universally available or are expressly not desired by the customer.

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

Art. 8 of the draft RTS is largely irrelevant for Bausparkassen, as most Bausparkassen do not provide natural or legal persons with a virtual IBAN (VIBAN) for use. 

 

A Bausparkasse provides its customers with a VIBAN for deposits only, which contains the Bauspar number of the actual contract in the 22-digit IBAN. The use of a VIBAN has the following accounting background: Bauspar accounts are managed in the form of a current account that has no connection to payment transactions. In this respect, payments into a Bauspar account must always be made via a business account of the Bausparkasse, which is regularly held at a universal bank. In order to technically simplify the posting to the Bauspar account and reduce errors, the Bausparkasse has been using a VIBAN procedure specially designed for deposit requirements for years. This involves creating an individual virtual IBAN from an existing Bauspar account number and a specially created bank sort code. With this procedure, the payment intended for the respective Bauspar account is separated from the other incoming payments via a sub-account of the business account every working day, resulting in faster posting to the Bauspar account. 

 

 

We therefore strongly recommend, 

 

  1. to include a restriction in the RTS according to which the disclosure of information to verify the identity of natural or legal persons when using virtual IBANs to an account-holding credit and financial institution may only take place in compliance with effective technical and organisational measures to ensure data protection and data security. In connection with the forwarding of VIBANs for the booking of incoming payments to Bauspar accounts via a sub-account at the entity managing the payment account, the entity responsible for managing the payment account is generally not authorised to receive the information on the natural or legal person that the entity issuing the VIBAN has collected. Article 8 of the draft RTS in accordance with Article 8(1) of the AMLR on customer due diligence does not give rise to a general right to transfer account opening data. In our view, the transfer of data must be interpreted very narrowly;

 

  1. to establish an obligation for users to inform obliged entities that the IBAN used is virtual. If this information is not provided, obliged entities should be authorised to refuse further use of the virtual IBAN until sufficient information on the actual bank account is available.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We partly criticise the requirements set out in Section 2 of the draft RTS, particularly with regard to their practical feasibility.

 

According to Art. 15 (b) of the draft RTS, the "source of wealth" must be identified. We are of the opinion that this should not be considered as part of the general due diligence obligations of the AMLR and should therefore be deleted. This measure is considered intrusive and should be applied selectively and only in suspicious or high-risk situations. The term high-risk situation should be interpreted very narrowly in this context. In our understanding, PePs or persons who, for professional or family reasons, have a place of residence in a high-risk country and make payments via domestic accounts, for example, do not yet fall into a high-risk scenario. The Bausparkassen see no reason, for example, to doubt the monthly transaction volumes of their customers from disposable income in the form of savings or repayments, even if they belong to a customer group with a higher risk. Treating a blanket record of the asset situation for each customer as a standard obligation would be counterproductive and would stand in the way of effective risk prioritisation. 

 

Article 15 (c) of the draft RTS requires obliged entities to consider whether the customer has additional business relationships with the obliged entity or its wider group and the extent to which this affects the obliged entity's understanding of the customer and the source of funds. However, information about additional business relationships that the customer has outside the Bausparkasse, for example in the insurance sector, does not necessarily provide relevant insights for the obligors to better understand the customer and its source of funds. Therefore, we propose to remove the request for additional business relationships that are relevant for AML purposes. Nevertheless, the question also arises as to whether a disclosure requirement for the customer regarding their business relationships with other banks and financial service providers is compatible with banking secrecy and the right to informational self-determination. 

 

With regard to Art. 15 (d) on determining the origin of assets in the event of an increased AML/CFT risk, the question arises as to how this is to be implemented in practice, as the money laundering risk is usually only determined after the transaction has been concluded. This gives rise to uncertainties as to whether and when any information is to be obtained from all affected customers. This could lead to customers being able to draw conclusions about a risk classification. It also remains unclear how to proceed if the required information is not provided.

 

Art. 16 (a) of the draft RTS provides that obliged entities shall take risk-sensitive measures to obtain information on the purpose and economic rationale of the occasional transaction or business relationship, why the customer has chosen the obliged entity's products or services, what value and benefits the customer expects from the occasional transaction or business relationship or why the transaction is being carried out. Art. 16 of the draft RTS refers to Art. 25 of Regulation (EU) 2024/1624, according to which information on the purpose and intended nature of a business relationship or occasional transaction is only to be collected from obliged entities if this is deemed necessary. This requirement should also be taken into account in Art. 16 (a) of the draft RTS and explicitly included in the wording. According to the German Bausparkassen Act (Bausparkassengesetz), for example, the statutory contractual purpose of a Bauspar contract is to obtain a low-interest and interest-safe Bauspar loan, whereby a Bauspar loan can only be granted for specific, conclusively legally defined housing industry purposes. In view of the statutory provisions, we do not consider it necessary to obtain the information specified in Art. 16 (a) on the purpose and benefits of Bauspar contracts and Bauspar financing.

 

We consider the requirements under Art. 16 (c) that obliged entities must provide comprehensive information on the origin of the funds as well as information on the activities that led to the funds to be disproportionate. This includes payslips, pensions, state benefits, savings, inheritances and other proof of assets and disposals. The collection of this information should be risk-based. We recognise that this information can be helpful for clarification in suspicious cases but is inappropriate as a standard process when concluding a Bauspar contract. 

 

Likewise, the requirements under Art. 16 (e) that obliged entities must obtain comprehensive information on the customer's business activity or profession are not proportionate. It should be decided on a risk-based basis which information must be obtained (also depending on the product concluded). However, when taking out a Bauspar product, we believe that information on employment status (employed, unemployed, self-employed or retired) is sufficient. We therefore propose that the paragraph be amended.

 

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We recommend that Art. 17 establishes a risk-based approach for relatives and close associates (RCAs) of politically exposed persons (PEPs). This approach should be based on the individual circumstances and the nature of the relationship. A clarification that offers the possibility of using information from different provider lists (e.g. Worldcheck, Dow Jones, etc.) would be extremely useful here.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

From a practical point of view, individual provisions of Section 4 do not appear to be sufficiently clear or practicable.

 

In Art. 18, it should be clarified that the obliged entities do not have to request proof of multiple nationalities, but that a simple enquiry to the customer is sufficient (see also comments on Art. 4).

 

Art. 22(2) of the draft RTS requires that all currently available customer identification data must also be updated to this status within five years of the AML Regulation coming into force. It is important to clearly define the minimum measures and steps that obliged entities must take to achieve this goal. The consequences for the customer or the business relationship with the customer should also be defined if the data is not updated by the specified deadline.

In view of the enormous administrative burden associated with a general obligation to update and continuously verify customer identity by requesting and checking identity documents, a general obligation to periodically update customer identity should be discarded. Once the identity of the Bauspar customer has been established at the beginning of the business relationship, it remains unchanged for the entire duration. Changes to the name or residential address are already available at all institutions thanks to the existing updating processes. 

The tried and tested principle of "once identified - always identified" must be adhered to.

 

Art. 23 uses the vague legal term "including where applicable the estimated amounts flowing through the account" without clarifying when and how this information is to be applied. There is a considerable need for concretisation here.

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.

In our view, the Bauspar business is to be categorised as particularly low-risk due to its structure and the low risks associated with it in the area of money laundering and terrorist financing. An exception for this sector should therefore be explicitly included in the RTS. 

 

Several national supervisory authorities, including the German BaFin, have already recognised a low AML/CFT risk of the home savings business. Please refer to Annex 1 for the justification of the low AML/CFT risk of the home loan and savings business. The confirmation of the German supervisory authority with regard to a low AML/CFT risk of the home loan and savings business is attached as Annex 2.

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

The requirements of Section 5 provided for in the draft appear to be too far-reaching and insufficiently defined in parts.

 

For example, Art. 24 (b) ("Assessment of the customer's reputation") is worded very unspecifically; it remains unclear how this is to be implemented in practice and whether, for example, enquiries to credit agencies (e.g. Schufa, Creditreform) are considered sufficient.

 

Art. 24 (c) (assessment of AML/CFT risk from past and current business activities) should, in our view, be covered by the existing customer risk classification process and monitoring; however, it remains unclear whether additional documentation is required.

 

In Art. 24 (d) (comprehensive consideration of suspected cases including family members and related persons), the scope of the information to be collected and documented is not sufficiently defined. The question arises as to whether and how all related persons must be identified and recorded, especially as this is hardly possible in practice in the case of a mere business relationship.

 

Art. 25 (b) (information on the lawfulness and transaction details of the account) raises the question of whether this information must also be obtained retrospectively if, for example, enhanced due diligence obligations apply due to a suspicious activity report. This could lead to customers drawing conclusions about the risk assessment. It also remains unclear how to deal with missing feedback and whether deviations should be systematically monitored.

 

Art. 25 c) (Understanding the nature of the client and its business) and Art. 26 (Obtaining information on the source of funds) contain very far-reaching and vague requirements that are almost impossible to implement in practice, especially for non-borrowing clients. At the very least, de minimis limits should be introduced here and it should be clearly regulated when and for whom this evidence is required. If de minimis/exempt limits are introduced, savings rates of 20% and repayment benchmarks of one third of monthly net income would not be classified as relevant for documentation purposes, as these can be derived from the statistical data of market participants.

If far-reaching documentation requirements are to be introduced by the obligated parties in future, the CDD processes would have to be changed significantly and the advisory systems at the POS and in the core banking system of the individual institutions would have to be adapted considerably. 

Estimate for the ongoing procedural effort: 1 hour for the fulfilment of additional documentation obligations for each new contract; ½ hour per existing contract and year for active accounts.

In view of the scope of processing and the requirement profiles known to date, it is not possible to reliably determine a flat-rate IT cost for adapting the advisory systems and core banking system.

 

Art. 26 of the draft RTS requires obliged entities to obtain evidence of the origin of the funds or assets of clients with enhanced due diligence obligations. Accordingly, whenever a contract is concluded with a politically exposed person (PeP) or a beneficial owner, proof of income, land register extracts or investment documents should be requested. These documents are part of a loan application, among other things, but prove to be disproportionate if they are required for the conclusion of a home loan and savings contract. As we contact the house bank as part of our monitoring in the event of conspicuous payments or high transactions that do not correspond to typical customer behaviour, or investigate the origin of the money, we do not consider it necessary to request these documents as standard during the application process. We propose that Bausparkassen be exempted from this requirement. Furthermore, in contrast to Articles 24 and 25, Article 26 does not permit evidence based on the assessment of the obligor. In our view, there is no comprehensible reason for this. In addition, Art. 26 (a) requires payslips or employment documents to be signed or notarised by the employer. This is not in line with current practice, as many companies now use digital payroll systems where a physical signature is no longer common. In this context, we also assume that the term "certified/notarised", as used in Art.n 26 (a), (b), (e) and (f), is defined to include both physical and digital certification.

 

Finally, Art. 27 is also not practicable in all cases with regard to the verification of information on transactions (e.g. proof of purchase contract for loans). In particular, the very comprehensive requirements for the documentation of related parties do not appear feasible and require a clear and practicable limitation.

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

According to Annex I of the draft RTS, obliged entities are required under Article 22(1)(iii) of Regulation (EU) 2024/1624 to record other attributes in addition to nationality that relate to statelessness and refugee status or subsidiary protection status. 

 

In addition, persons with refugee status or subsidiary protection status are known as such in connection with the management of a checkings account at financial institutions. On the other hand, persons with refugee status or subsidiary protection status in connection with the management of Bauspar accounts or even loan accounts for the financing of owner-occupied housing do not regularly exist in the customer base of a Bausparkasse. In this respect, the introduction of new personal characteristics to manage attributes that do not occur in a business relationship would be more than questionable.

 

A considerable IT effort is required to store this data in the system. We estimate that this will require around 800 IT hours at an hourly rate of EUR 150.00, which corresponds to a total of EUR 120,000. However, we do not recognise the added value of this measure.

 

 

Name of the organization

LBS Landesbausparkasse NordWest