Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates


Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

We appreciate the opportunity to provide input for the EBA's consultation on proposed RTS.

Overall, we support the proposed approach; however, there are some uncertainties that need to be clarified.

It is necessary to specify at what level the reporting of data must occur: at the group level, country level, or for each obliged entity (within a group). Furthermore, it is not clear whether there is a grace period for the data and reporting following the grace period proposed for the CDD requirements in the RTS under Article 28(1) of the AMLR. In order to report the data points, the obliged entities need to have the data as well as the legal basis for collecting it. The first reporting of the data points will be based on the current directive’s terms and definitions. This is relevant in relation to the proposed RTS article 5 as it is not clear when the first report of the datapoints is supposed to happen and if the first report is expected to be fully compliant, which is not possible in practice. 

Furthermore, the parameters of how the work between national FSA and AMLA will work would need to be clearly defined and set out, to avoid overlapping and unduly onerous requests on obliged entities.  

We also recommend further elaboration on the process for the justification mentioned in Article 2(4). Specifically, is there a right of appeal for the obliged entity? Additionally, considering the possibility of adjustments, if an obliged entity disagrees with the assessment based on the objective indicator, is it the entity's responsibility to justify a change? If so, what is the procedure for doing this?

Finally, will AMLA and/or national supervisors publish the assessments of obliged entities?

 

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

NA

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

In relation to cost when providing the data compared to current/previous reporting requirements (at least in Denmark), more data points have now been introduced, which will result in increased costs for data collection. It is still unclear whether all data can be gathered and stored using existing systems or if IT development will be required - most likely the latter. Also, it is uncertain whether the desired information will necessitate contacting customers. If this proves to be the case, it will lead to higher costs.  

 

In relation to the data points that are not available to credit and financial institutions the first time they are required to report regarding the data points in Annex 1, the answers will be based on the current directive's terms and definitions, and therefore on what is stored now. The data points in the annexes are written based on definitions in the new regulation (AMLR), which will make the first responses either difficult to provide or based on a different understanding (definition in the old directive). The national FSAs and AMLA need to be aware of this when they receive the first set of data points from all the institutions, because it will make it more difficult to compare datapoints. Additionally, the datapoints could be understood differently in different countries and institutions.

 

There is uncertainty in the interpretation of several of the data points. Even though the data points are written down in the annexes, they can still be understood differently by different recipients, also after the implementation. Therefore, it is important to have clear definitions as well as guidance in the upcoming interpretive note to Annex 1. Attention should also be paid to the fact that availability of Annex 1 data may vary between obliged entities, e.g., due to system limitations. This may call for transitional rules/period (at least if interpretive notes are not made available in time for obliged entities to prepare) or other flexibility in the data to be provided. Entities must also be provided with a reasonable timeline for providing data.

 

Moreover, it is crucial that the flexibility provided in how data is collected does not lead to the risk of using outdated data. On page 7, section 3, point 19, it is stated that AMLA will not specify how supervisors collect data points to establish the required risk indicators.

 

Lastly, the fact that the weighting is not public means there is a lack of transparency regarding what is considered to constitute a high risk. This creates opacity for institutions regarding the criteria on which they are assessed. There should be transparency to enable understanding of the basis for evaluations, for one's own institution. 

 

 

 

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

Regarding the specific datapoints in the annex:

“Invest. Services and Activities - reception and transmission of orders”, “Invest. Services and Activities – custody account keeping” & “Invest. Services and Activities - Portfolio management”:

There is a need for a more specific (maybe even country-specific) definition of these datapoints in order for the obliged entities/banks to be able to report on this.

“Products, services and Transactions”:
“TCSP services”, “Exchange crypto-fiat”, “Exchange fiat-crypto” and “Management of UCITS”:

There is a need for clarification and more detailed definition of these datapoints. 

 

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

NA

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

NA

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

NA

Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

NA

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

NA

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

NA

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

NA

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

NA

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

NA

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

NA

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

NA

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

NA

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

NA

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Regarding article 3: 

In the AMLR art. 22, 1, (a) (ii), obliged entities are required to obtain the place and date of birth. In the proposed RTS article 3 EBA defines place of birth as city and country. The definition that includes the city name, we believe, goes beyond the legal requirement in the AMLR. 

The consequence of this new requirement is that obliged entities must collect the new information, as details about the place of birth are not currently a legal requirement. This means that all customers will need to be contacted, and there is a need to develop IT systems to accommodate the new data point. It is costly and it also disrupts the customer experience. Furthermore, it is unclear what the information specifically adds to the verification and assessment process of a customer, and collecting data that is not used can be an issue in relation to the GDPR.

 

Regarding article 4:

It is not possible to verify a person’s nationalities or to ensure that all nationalities have been disclosed. Collecting information about nationality will require contacting and collecting the information from the customer. There is no register, list, database or similar register that contains the information. This means that all customers will need to be contacted, and there is additionally a need to develop IT systems to accommodate this data point. This is costly and disrupts the customer experience.

 

It is unclear what the information is needed for, including how it is used in the risk assessment. Collecting information that is not used can be an issue in relation to the GDPR. Moreover, asking and collecting data on nationalities in relation to a customer’s risk assessment could also raise fundamental human rights issues and concerns about discrimination.

 

Regarding article 5: 

National identification documents do not meet the criteria:

Article 5 (1) states that any non-passport, non-eID substitute must include a series of datapoints when verifying the identity. The requirements eliminate the vast majority of applicable ID in Denmark and the Nordics.

 

As an example, place of birth is mandatory (Article 5, 1 b), and the description in article 3 makes this difficult to carry out in practice without using a passport. (Article 3 states that the place of birth is defined as city and country). This assumes that place of birth is globally aligned. An ID document that could be used in Denmark would be driver’s license, but this does not contain information on the city. 

 

It is possible to obtain an ID card in Denmark through a municipality, which will conduct an identification of the customer. However, this card is not widely used in Denmark, and it can only be issued to individuals over the age of fifteen. Furthermore, this ID card will not fully meet the requirements described. 

 

Finally, the requirement for facial image is a challenge as well. 

 

Customers without passport and eID:

The requirements outlined in Article 5 (1a-g) regarding verification will cause significant challenges for vulnerable customers, such as the homeless, as well as for older customers and minors. These customer groups often do not possess a passport, making compliance with these requirements particularly difficult.

 

Issues regarding how controls should be performed under the conditions listed in Article 5 (1a-g):

Staff will need to be trained to recognise authentic documents and detect forgeries. The draft mandates will likely increase the administrative load and compliance costs for the bank. It is important that EBA considers this in its draft RTS and seeks effective yet resource-efficient solutions.

 

To conclude, there will be a need for further guidance for handling situations referred to in this Article where customers cannot provide standard identity documents due to legitimate reasons.

 

Regarding article 5(4)

Further guidance on what constitutes reasonable steps would be helpful. The example – certified translation – seems overburdensome in various situations. Would e.g., an automated/AI translation be OK in most cases?

 

Regarding article 5(5)

Clarification on the concept of “certified copy” is needed, as this is not really a possibility in Denmark. Most documents are registered online, and while physical copies can be ordered, certified copies are not necessarily available.

 

Regarding article 6 (comments below to question 2).

 

Regarding article 9

It is unclear which register is being referred to in the local context. The wording “public registers, other than the central registers” causes uncertainty as to whether it is a requirement to use a register other than the central register, or if the central register can be used for verification. Furthermore, it raises the question of whether it is possible to use a public/central register where the customer has submitted the information on their beneficial owner(s) in the register themselves.

 

Regarding article 10

It needs to be confirmed that Section a) is met by obtaining an organisation chart, and that no further obligation is introduced by the wording “intermediary connections”. There is no requirement to verify the collected documents, but they must be assessed as plausible (art 10(2)).

 

Regarding article 11:

This definition results in many customers being included in the understanding of having a complex structure. It is, however, understood that a complex structure does not automatically lead to EDD due to the wording in AMLR Article 34. Confirmation of this would be helpful.

 

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

We are generally very satisfied with the proposed Article 6(1). In Denmark, we have a fully functioning eID. However, there is a need for confirmation that an eID meeting the necessary eIDAS requirements can also be used in a face-to-face situation with a customer, just as a passport can be used.

 

Regarding section 3: "Explicit consent". 

It is unclear what this involves in practice. There is a need for guidance on how the consent should be documented, and on whether the consent itself should be video recorded.

 

Remote verification may involve biometric and other sensitive data. How has EBA considered that the processing of this can happen in a secure and GDPR compliant manner?

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

NA

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Regarding article 15:

There is a need to determine whether the article can be interpreted in such a way that obliged entities do not need to directly ask the customer about all products. Instead, they can assume that certain products (e.g., a children's savings account) are self-explanatory. Additionally, it should be assessed whether it is sufficient to ask initially, without follow-up in the ODD, if the customer has not changed the product(s).

If this is not the understanding of the Article, further guidance from EBA will be relevant on how this information is practically obtained from the customer and assessed.

 

Regarding article 15c

In relation to the new requirement about the information on whether a customer is a customer elsewhere in the Group: is the requirement to be understood as a legal basis for sharing information about customers in other legal entities within a group, and without GDPR acceptance from the customer to do that?

 

Regarding article 15 d.

It should be clearly stated that, in relation to 'source of wealth', it refers to the wealth involved in the customer relationship with the obliged entity, and not the source of wealth for the customer’s total assets (including those held elsewhere).

 

Regarding article 16:

It is essential to clarify whether the provision should be interpreted in conjunction with article 25 of the AMLR, which allows for discretion due to the wording 'when necessary'. This needs to be confirmed as discretionary.

Additionally, it should be clarified what is meant by 'category of funds' under item b (this is a new requirement). It is important that the gathering of information can follow the risk-based approach.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

NA

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Regarding article 22:

It is relevant that it is confirmed by EBA that the understanding of the wording “hold up-to-date customer identification at all times” means when an entity is obliged to perform the ODD because of a time trigger, or if there is an event trigger such as the customer changes name or gender. 

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.

NA

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Regarding article 24:

It is contradictory that the proposed RTS Article 24 imposes requirements that must be met (using the wording 'shall, at least'), while these requirements originate from Article 34(4) of the AMLR, where the wording is 'may'. This discrepancy creates uncertainty regarding the understanding of the obligation. We request confirmation that it is a 'may'-requirement, thereby allowing the obliged entity to conduct its own assessment of what is necessary.

 

The wording in article 24, 1, b) is unclear: “enable the obliged entity to assess the reputation of the customer and the beneficial owner;”. The obligation on “reputation” needs to be further clarified. 

 

The wording in article 24, 1 d): “in case the obliged entity has reasonable grounds to suspect criminal activity, enable the obliged entity to obtain a more holistic view on ML/TF risks by obtaining information on family members, persons known to be a close associate or any other close business partners or associates of the customer or the beneficial owner.”

There is a GDPR-related challenge in processing personal data of individuals who may not necessarily be customers of the obliged entity. Additionally, guidance is needed on how to approach and obtain this data from such individuals.

Moreover, what is the obligation if the information cannot be obtained from the individual/customer? Should the customer then be rejected/terminated? This should be clarified in the RTS.

 

Furthermore, it is unclear what is meant by 'information'. Does it solely refer to basic details such as who is the mother, father, partner, etc. or does it also include more detailed information about these relationships?

 

Regarding article 25:

The comment above regarding Article 24 is relevant to this article as well. The RTS elaborates on a 'may'-provision in the regulation, but the wording in the RTS is 'shall, at least’.

 

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

NA

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

NA

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Regarding article 32:

Entry into force: 

We would like the EBA to confirm that the referenced Article 22(1) is Article 22 of the regulation and not of the proposed RTS.

Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.

In Denmark, the legal system does not allow administrative fines. Instead, such fines are imposed by competent national courts as criminal penalties. However, the Danish FSA may issue an administrative fine notice, which can be settled with an administrative fine if the bank in question agrees.

We believe administrative fines in general should not be of a magnitude so that they could lead to the closure of a bank. 

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.

NA

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

NA

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

NA

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

NA

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

NA

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

NA

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

NA

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

NA

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

NA

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

NA

Name of the organization

Finance Denmark