Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

No comments

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

No comments

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

Overall, it will be challenging for insurance undertakings to collect the data points proposed in Annex 1 of the consultation paper which are very granular. Any systems’ adjustments that would be necessary for the electronic collection of the required extensive data would result in significant costs for insurance undertakings. 

In addition, insurance undertakings which have legacy books will need to carry out a mapping exercise in order to be able to collect the required data.

The data points for risk assessment included in Annex 1 – under Category ‘Products, Services and Transactions’, mention only Life Insurance Contracts (with regard to insurance). Clarity is needed on whether all types of insurance products with a life aspect should be included in this section such as portfolio bonds, unit-linked products etc. In addition, no definition is provided on what constitutes ‘low-risk contracts’. 

Last but not least, there are different distribution models in the different Member States and some alignment with the definitions of the Insurance Distribution Directive (IDD) should be considered in relation to the required data points for life insurance contracts.

Section A: Inherent risk - Category ‘Customers’

Data point “Number of customers with high-risk activities” – the application of Section 4 SDD measures (collect customer identification and the minimum information to identify the purpose and intended nature of the business relationship), does not and should not include requesting information about the customer’s activities. There is also no definition on what constitutes ‘high-risk activities’. 

Similarly, there will be considerable challenges to collect and store “Number of legal entities with complex structures” in such a way that will provide a specific number/metrics. 

***

Section B: AML/CFT Controls – Category ‘AML/CFT Policies and procedures’

Sub-category ‘3A: Customer Due Diligence’

“Number of customers for whom no information has been obtained on the nature of the customers’ business, or of their employment or occupation”

An obliged entity does not need to request these pieces of information when a customer is taking out a mortgage protection policy. It will also be an expensive compliance burden to retrospectively collect this information and there are considerable challenges to store this information in such a way that can be used in order to provide a metric. 

There is no differentiation between the application of SDD or indeed EDD and it is unclear how same would reflect on the obliged entity’s risk profile assessment and scores. 

It is unclear what is meant and required by ‘…entered in the institution’s database’ - is the saving of the ID sufficient, or are details from the ID/Beneficial Ownership ID meant to be entered into a database? This is a significant change in processes and a massive departure in how information has been stored currently.

Overall, there are a number of concerns with the metrics required under 3A:

  • A significant concern lies in the capturing of customer due diligence (CDD) metrics, which places a disproportionate burden on insurance undertakings. The questions asked require identification of customers with incomplete or missing identification and verification (ID&V), but fail to account for the operational nuance that, in many cases, ID&V is collected later—at the claims stage—particularly for protection products.
  • Moreover, the metrics do not reflect instances where SDD is appropriately applied, nor do they recognise that information such as nature of business or employment is typically irrelevant and not collected for most low-risk protection policies.
  • As a result, it is unclear what exactly must be ‘entered’ into internal databases to satisfy compliance, raising questions about whether this refers to full CDD data, minimum viable ID&V, or merely the presence of a due diligence flag. This ambiguity not only risks inconsistent implementation but also undermines the purpose of a risk-based approach.

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

No comments

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

NA

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

No comments

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

No comments

Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

No comments

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

No comments

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

No comments

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

No comments

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

No comments

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

No comments

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

No comments

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

No comments

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

No comments

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

No comments

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

General comments

Insurance Ireland welcomes the opportunity to provide feedback on the EBA consultation on Proposed Regulatory Technical Standards in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates. 

We note that the EBA work on the proposed four draft RTSs was guided by important principles among which are:

  • Proportionality and risk-based approach;
  • Focus on effective, workable outcomes;
  • Maximum harmonisation across supervisors, Member States and sectors; and
  • Limiting disruption by building on existing EBA standards where possible, whilst aligning with global AML/CFT benchmarks.

However, our view is that the approach taken in the draft RTSs seems to be significantly misaligned with the EU’s simplification agenda. For instance, adopting the level of prescriptiveness on ID&V requirements, as set out in the draft RTS will require obliged entities to introduce even more complex processes and procedures than before. This would ultimately result in additional reporting, compliance burden and costs for the industry and would have a negative impact on the competitiveness of EU firms. 

It is also our view that the ongoing FATF efforts and commitment to align AML/CFT safeguards and financial inclusion policy objectives and the acknowledgement that too rigid and excessive AML/CFT measures can unintentionally exclude vulnerable populations from the financial system should be reflected in the draft RTSs.

Based on the above, we believe that the EBA needs to review and reconsider the draft RTSs in light of the new EU agenda and priorities on simplification, as well as recent developments at FATF level. 

***

Section 1: Information to be collected for identification and verification purposes 

The proposed requirements for collection of documents in respect of customers, beneficial owners and people acting on customers’ behalf would result in an excessive administrative burden for low ML/TF-risk obliged entities/products (e.g. an insurance undertaking with a predominantly protection insurance business), with significant GDPR implications. 

Article 3 specifies that the information on the place of birth should include both the city and the country name. This is problematic for the Irish market as it does not correspond with the information presented on the commonly used document for identification which is the Irish Driving License. The driving license specifies the country as the place of birth, not the city.

We would like to understand the rationale behind the requirement to collect information on ‘other nationalities’ under Article 4 of the draft RTS. A clear and concise definition is required on what constitutes ‘other nationalities’ and what is the ‘necessary information’ required in order for obliged entities to satisfy themselves that they know of ‘other nationalities’ their customers may hold. 

In our view, the provisions and requirements under Article 5 are very prescriptive and would create significant administrative and compliance burden for insurance undertakings. We understand and support the overarching objective of the draft RTS, which is to establish a harmonised and consistent customer due diligence (CDD) framework. However, this framework should be strongly aligned and not contradict the well-established risk-based approach to AML/CFT. 

In addition, there seems to be an attempt to limit photographic identification/verification solely to identity cards or passports (i.e. Article 5 - Documents for the verification of the identity). 

This presents several challenges: 

  1. Not all citizens possess passports, particularly those who do not travel internationally. In many cases a significant portion of the population may rely on national ID cards, driver licenses and residence permits. However, not all of them would meet the prescriptive criteria set out in paragraph 1(a)-(g) under Article 5.
  2. This restriction could disproportionately impact lower-income households and those without the means or need to obtain a passport.
  3. Vulnerable populations including refugees, migrants and stateless may not have access to passports, leading to exclusion from essential financial services.
  4. This could disproportionately affect elderly individuals or those with disabilities who may lack a passport.
  5. Concentrating reliance on a single form of ID could encourage targeted fraud and forgery efforts. Various forms of ID provide greater resilience to identity theft and other types of fraud.
  6. Currently, many national laws recognise multiple forms of identity documents. While the draft RTS aims to enhance and standardise identification and verification requirements, practical implications could undermine accessibility, financial inclusion and operational efficiency. There needs to be careful consideration given to exemptions and alternative ID options.

Article 5(5), in conjunction with Article 22(6) of Regulation (EU) 2024/1624, requires obliged entities to obtain from customers and of any person purporting to act on their behalf for the purposes of verifying the identity of this person either an original identity document/passport or equivalent or a certified copy thereof. We note that Recital 5 of the draft RTS outlines the reliable and independent sources of information which obliged entities should consider as part of their due diligence measures for customers that are not natural persons, including copies of official/statutory documents, etc. that are certified by an independent professional or a public authority. However, there are no similar provisions/clarifications in relation to natural persons and which authorities/independent professionals would satisfy the requirement to certify copies of an identity document/passport. It is important to consider that the requirement for a certification of a copy of an identity document/passport would incur costs for customers, would create a bad customer experience, and should be removed. Accordingly, we call for a proportionate approach whereby obliged entities would be allowed to accept uncertified copy documents in situations of lower risk, or where no high risk factors are present - e.g. where standard or simplified due diligence is being applied.

We also note that the concept of certification - a static, manual process of verifying documentation - originated in a time when digital systems lacked the ability to prove identity, or conformance.

Technological advancements (such as geolocation verification and zero-knowledge proofs to name but two) are enabling systems to prove compliance or authenticity dynamically, contextually, and without disclosure.

As new and better tools emerge, obliged entities will be forced to comply with outdated requirements just because the law says so. AMLA must avoid hardcoding outdated mechanisms into law and instead focus on outcomes and capabilities, to allow the most effective and current technologies to fulfil compliance needs more robustly and efficiently.

In relation to the requirements under Article 11, our view is that an ownership and control structure where there are only two layers between the customer and the beneficial owner should not be considered as a ‘complex’ structure as this would be disproportionate. 

In our opinion, instead of the criteria set out in Article 11(1), it would be more helpful for obliged entities if the EBA proposes a non-exhaustive list of criteria of what constitutes non-transparent and opaque ownership and control structures as this would assist obliged entities in identifying and assessing the lack of transparency of these structures.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

No comments

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

NA

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

In our view, the proposed requirements in relation to identifying and understanding the purpose and intended nature of the business relationship or the occasional transactions in Section 2 of the draft RTS would place an unreasonable administrative burden on obliged entities with a low risk rating. For example, under Article 16(a) and (b), obliged entities are required to ask customers of the reasons for taking a withdrawal and what they intend to do with the proceeds. Our view is that this is definite overreach - it is the customer’s money at that point and wouldn’t be appropriate for an insurer to be asking them what they are planning on doing with it. The requirement is also pointless in the context of combating ML/TF - a bad actor is never going to give an honest response to that question and the answer they give would be impossible to verify/reject in practice. It makes more sense for obliged entities to continue with their usual TF-related checks instead as these involve checks on the destination of the money already e.g. verifying the ownership of the payee bank account, checking the jurisdiction of the account, etc.

While Article 23 allows for the minimum information to identify the purpose and intended nature of the business relationship (Article 15), it is not clear if/how Article 23 correlates to Article 16 - Understanding the purpose and intended nature of the business relationship.

In cases where insurance undertakings use intermediaries for the distribution of their products, they will need to review and update their KYC forms and questionnaires in order to be compliant with the proposed requirements under the draft RTS which would result in administrative and compliance costs for the firms.

Finally, the impact of the provisions under Section 2 on the retail customer is not taken into consideration and as a corollary, a lot of the proposed requirements would not lead to good customer outcomes. 

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Insurance Ireland calls for a removal of the PEPs’ screening requirements for life insurance protection products and pension products due to their limited value and relevance for these products and the disproportionate burden they create for obliged entities which provide such products.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

In Ireland there is no other identity document apart from the passport that contains information on ‘nationality’. If this is the minimum requirement for the customer identification in situations of lower risk, as per Article 18(1) of the draft RTS, then driving license and public services card, which are currently used for identification purposes, will no longer be acceptable. 

‘Place of birth’ and ‘nationality’ should not be a minimum simplified due diligence requirement as this would restrict photographic identification to passports and exclude other forms of identification such as a driving licence.

In addition, according to Article 18(1)(b), the minimum requirement for a legal entity/other organisations that have legal capacity includes not only the company number, but also the tax identification number and the legal entity identifier (LEI) where applicable. Collecting three different pieces of information in low-risk situations is not commensurate with the associated level of risk. In situations of low risk, the collection of the company number should be the minimum requirement.

Further clarity is needed in relation to the requirements for obliged entities in Article 22 and the wording ‘at all times’ in paragraph 2 in relation to the obligation to keep up-to-date CDD data. Also, it is important to understand what is meant by ‘data’ in the context of Article 22.

Our view is that there should be a reference to Article 26(2)(b) AMLR which sets out the period between customer information updates which should not exceed 5 years for all customers except high-risk ones. 

Clarity is also needed as to whether obliged entities should monitor the expiration dates of the ID documents or update the CDD information every 5 years. Currently, not all insurance undertakings have systems in place to monitor the expiration dates of customers’ ID documents and any system enhancement would result in increased costs for entities.

Furthermore, it is important to understand what steps obliged entities should take in situations where a customer does not respond when updated CDD documents are requested from them and whether in such situations, obliged entities can wait until the next trigger event in order to update the CDD information on this customer. Similar to Article 21(1) AMLR, the specificities of life insurance contracts and the insurance sector should also be reflected in Article 22 of the draft RTS.

Finally, it is important to note that the requirements under Article 23 of the draft RTS are disproportionate and burdensome in the context of low-risk business relationships/occasional transactions. It is also unclear how these requirements should be applied to situations where brokers/intermediaries are used by insurance undertakings for the distribution of their products.

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.

A risk-based approach is critical in the application of simplified due diligence (SDD) and due consideration should be given in the draft RTSs on the specificities and inherent risk of different products, e.g. life insurance policies. We call for a pragmatic, proportionate, and risk-based approach to the measures defined in Section 4 of the draft RTSs and for the inclusion of specific simplified due diligence measures for life insurance policies and pension products.

Term assurance and income protection policies (including mortgage protection and serious illness cover) are significantly low risk from an ML/TF perspective: 

  • Payments are contingent on a life event (upon the death of the insured individual or a specified event, such as a serious illness). Term assurance policies only pay out in the event of death. Mortgage protection policies are explicitly linked to the repayment of outstanding mortgage debt, typically disbursed directly to a regulated financial institution.
  • There is no early cash surrender value or regular access to funds, reducing the risk of money laundering. The absence of liquidity reduces the opportunity for misuse within the financial system. Unlike investment-linked insurance products, these policies do not accumulate cash value or provide withdrawal options. This means there is no opportunity for funds to be laundered through these products.
  • The EU has a commitment to facilitating financial inclusion and consumers have a right to access essential insurance protection. Applying SDD in these instances ensures that undue burdens are not placed on consumers. 

We believe that the introduction of specific SDD measures for life insurance protection products and pension products in Section 4 of the draft RTS would be appropriate and reflective of their low ML/TF risk level, as well as in line with the risk-based approach of the EU AML framework.

Finally, we would like to understand how the proposed draft RTS is aligned with the ongoing FATF efforts and commitment to align AML/CFT safeguards and financial inclusion policy objectives and the acknowledgement that too rigid and excessive AML/CFT measures can unintentionally exclude vulnerable populations from the financial system (for reference see a recent FATF consultation on AML/CFT and Financial Inclusion – Updated FATF Guidance on AML/CFT measures and financial inclusion).

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

The requirements under Article 24 of the draft RTS raise a number of questions/issues, including:

  • Article 24 letter c. - “past and present business” – how far back are obliged entities required to go?
  • Article 24 letter d. - what information is required to be collected on family members, persons known to be a close associate or any other close business partners or associates? How would obliged entities retain personal data (e.g. on family members, etc.) and comply with the obligations under the GDPR?
  • Currently, obliged entities carry out extensive research in the public domain instead of asking extended questions in relation to family members/close associates. There is a risk that the requirements for additional information might result in tipping off and this needs to be considered by the EBA when finalising the draft RTS.

Following on from the above, we would also recommend the inclusion of a reference to the use of public sources, where possible/available in Article 24 of the draft RTS.

Clarification is needed in Article 25(1)(a) on which authorities obliged entities might contact in order to verify the legitimacy of the destination of funds.

Under Article 25(1)(c), obliged entities are required to understand the nature of the beneficial owner's business, which may consist of more information on the customer's key customers, contracts and business partners or associates. It is unclear how exactly obliged entities are meant to collect such information on ‘key customers and contracts’.

In our view, applying Section 5 EDD measures to a person taking out a low-risk mortgage protection/serious illness/term assurance product, contradicts the principle of a risk-based approach and will lead to inefficiencies and unnecessary friction. The required measures will not yield the proportionate benefit of risk mitigation. On the contrary, they will lead to a misallocation of resources and will divert attention from (high-risk) areas where it is actually needed. 

It is important to clarify/distinguish in Article 26 between the information and evidence that obliged entities should obtain on the source of funds and source of wealth of the customer/beneficial owner. The level of risk is different for the different customers and clarity is needed as to what level of information/evidence is needed for source of funds and source of wealth in order for obliged entities to satisfy their obligations under Article 26.

Finally, the requirements for certified copies would incur costs for customers and the EBA might consider providing for the use of reliable open sources as an alternative to a certified copy of the documents set out in Article 26.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

The requirements under Article 29(a)(iii) are excessive and burdensome and they are not part of the current AML framework. It is important to note that obliged entities could screen/act on data that is collected from customers during the CDD process. In order for the measures under Article 29 to be effective, the right parameters for the data that is screened against (and provided by sanctions screening providers) should be established. 

In addition, the proposed approach to screening requirements should be proportionate and product/service-specific. Otherwise, there is a significant risk that the proposed requirements are moving from a risk-based to a rule-based approach to AML/CTF.

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

No comments

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

No comments

Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches sets out in Article 1 of the draft RTS? If so, please explain your reasoning.

No comments

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches sets out in Article 2 of the draft RTS? If so, please explain your reasoning.

No comments

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

No comments

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

No comments

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

No comments

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

No comments

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

No comments

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

No comments

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

No comments

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

No comments

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

No comments

Name of the organization

Insurance Ireland