Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Go back

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

ABBL answer:

We have not received specific comments to this question from our members.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

ABBL answer:

We have not received specific comments to this question from our members.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

ABBL answer:

We have not received specific comments to this question from our members.

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

ABBL answer:

We have not received specific comments to this question from our members.

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

ABBL answer:

We have not received specific comments to this question from our members.

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

ABBL answer:

We have not received specific comments to this question from our members.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

ABBL answer:

We have not received specific comments to this question from our members.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

ABBL answer:

We have not received specific comments to this question from our members.

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

ABBL answer:

We understand the rationale of the materiality thresholds contemplated under Article 1. However, we believe that their contemplated value and articulation are primarily oriented towards the retail sector. In the current stand of the drafting, we believe that these thresholds would catch a higher number of private banking institutions and wholesale banking institutions operating under the freedom to provide services. The thresholds should be reviewed accordingly to correct the resulting distortion to ensure that the sample of selected financial institutions is reasonably representative and diversified.

In particular:

  • We believe that the financial threshold contemplated under article 1(1)(b) should be substantially increased considering the volume of transactions in wholesale and private banking.
  • We further believe that the thresholds contemplated under article 1(1)(a) and article 1(1)(b) should be cumulative for the purpose of the materiality assessment. A standalone application of the financial threshold under (b) would potentially lead to distortions considering applicable externalities, such as the effect of foreign exchange rate variations as regards transactions carried out in foreign currencies or the incidence of one-off transactions (corporate deals, trust liquidations, etc…). These variations would have a potential incidence on whether or not a given entity would qualify for direct supervision while the volume of relevant transactions or its risk exposure globally would not change.
  • Finally, the applicable reference period with respect to both thresholds under (a) and (b) should be specified (e.g. the average amounts on the past three years) to ensure clarity and certainty regarding the scope of direct supervision. 

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

ABBL answer:

We are not in favor of the possibility to lower the value of the thresholds set in Article 1.

As mentioned in our response to Question 1, we are of the view that the value of the thresholds set in Article 1 is already too low. A further lowering of these values would to our view exacerbate a potential distortion towards the retail sector and would potentially overstretch the population of entities eligible for direct supervision. We believe that the scope of direct supervision should be clear and certain over time, while the number of entities directly supervised by AMLA should remain manageable to ensure effective supervision. A lowering of the thresholds under Article 1, or the possibility to lower these thresholds, would yield the opposite outcome.

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

ABBL answer:

We believe that a distinction between the type of customers to assess the materiality of the activities exercised under the freedom to provide services could help reducing a potential bias towards the retail sector. Considering the volume of transactions in non-retail segments, we believe that any such distinction should be contemplated in the first instance with respect to the financial threshold contemplated under Article 1(1)(b) in the draft RTS. Reference is made to our response to Question 1.

We question, however, the validity of the distinction between retail and institutional customers in the absence of definitions and considering the variety of customer profiles. Any distinction should draw to our view on pre-existing and stable definitions / concepts, such as, for instance, client categories under MiFID.

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

ABBL answer:

We agree that the selection methodology should be based on the outcomes of the risk assessment conducted in accordance with the RTS on the assessment of the inherent and residual risk profile of obliged entities under Article 40(2) of the AMLD.

Additionally, we consider it essential that the RTS and/or subsequent technical documents should address the parametrisation and calibration methodology to provide more relevant weight to the inherent risk in the computation of the residual risk, as well as define a clear and transparent communication process for informing obliged entities selected for direct supervision by AMLA.

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

ABBL answer:

We consider it appropriate that supervisory authorities are not granted the discretion to adjust the level of inherent risk in the context of the risk assessment methodology under Article 40(2) of the AMLD, particularly in the absence of precise and harmonised criteria for doing so.

In line with our previous comments on the RTS on the assessment of the inherent and residual risk profile of obliged entities, we also recommend reviewing the provision that allows supervisors to adjust the score assigned to the quality of controls, to ensure consistency, objectivity, and comparability across jurisdictions.

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

ABBL answer:

We have not received specific comments to this question from our members.

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

ABBL answer:

We have not received specific comments to this question from our members.

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

ABBL answer:

The current draft lacks sufficient clarity on the definition of the group-wide perimeter, leading to several implementation uncertainties. Key open points include:

  • Whether and how non-EU entities (subsidiaries, branches) should be included.
  • The role of the parent company in consolidating and submitting data.
  • Whether EU-based subsidiaries and branches located in Member States other than the one of the parent company should be treated as separate legal entities for reporting purposes, or whether their data must be consolidated and submitted by the parent company.
  • Risks of duplication if data already reported by local entities must be resubmitted centrally.
  • Whether non-obliged entities fall within scope.
  • Standards for currency conversion and data formatting.

Limiting the perimeter to EU entities may exclude material risks; however, including non-EU components raises feasibility and legal questions.

To ensure consistency and proportionality, the RTS should clearly define:

  • The perimeter of entities included.
  • Data consolidation responsibilities.
  • Treatment of non-EU and non-obliged entities.
  • Reporting and formatting standards.

Without this clarity, there is a high risk of fragmentation, duplicated effort, and distorted risk assessments.

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

ABBL answer:

We have not received specific comments to this question from our members.

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

ABBL answer:

 

General comments on the draft RTS

We believe that several provisions in the draft RTS lack sufficient proportionality and risk-based nuance. Requirements such as collecting detailed data on intermediate entities in a structure for parties with whom there is no business relationship, extensive documentation obligations in non-face-to-face onboarding, or exact information on addresses and country of birth, without regard to the risks, impose a significant operational and cost burden.

If adopted as currently drafted, the lack of flexibility would lead to disproportionate compliance costs, unnecessary customer outreach, and delays in onboarding, with limited corresponding risk-mitigating effect. There is also a risk of financial exclusion.

We therefore recommend incorporating clearer references to the risk-based approach, allowing institutions to tailor measures to actual risk exposure, particularly in instances where the current wording appears to go above and beyond the Level 1 text. Without such clarification, implementation would involve disproportionate costs and operational challenges with limited added value for AML/CFT effectiveness.

Greater attention should be given to the stated EU objectives of administrative simplification and reduction of costs. We would therefore encourage competent authorities to contemplate additional simplifications of customer due diligence requirements in low and medium risk situations to avoid an increase of the cost of compliance without tangible benefits.

We take note of the fourteen articles of Section 1 of the draft RTS and submit the following comments.

 

General comments on the scope of identification and verification requirements

Article 22(1) of the AMLR requires obliged entities to obtain specific information to identify “the customer, any person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted”. Article 1 (1) of the draft RTS cites Article 22 (1) AMLR but then sets out requirements citing only “the customer”, with no mention of the additional classes of persons set out in Article 22 (1) AMLR. It is unclear whether this is an oversight, or whether the EBA intends to target measures at a more limited population than that identified in the AMLR. These questions apply mutatis mutandis to Articles 1 to 6 in the draft RTS. 

We request:

  • a clarification of the scope of the information to be obtained with regard to the identification of persons purporting to act on behalf of the customer and of natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted as well as a simplification of that information; and
  • a clarification of whether the requirements set out for “customers” similarly applies to beneficial owners.

As further discussed below, we believe that subjecting all the persons listed above to the same level of identification and verification, irrespective of the disparity of roles, responsibilities, benefits and degree of control, would go beyond current practices and would eventually put a significant strain on AML ressources available at the level of obliged entities.

 

Article 1 – Information to be collected in relation to names

Article 1(2) of the draft RTS requires obliged entities to obtain the registered name, and, when it differs, the commercial name. The commercial name may not always be available, and where available, may be written in varying ways. The final RTS should recognize the potential unavailability of the commercial name by introducing further flexibility regarding this requirement.

 

Article 2 – Information to be obtained in relation to address

Regarding residential address, the requirements are very detailed and therefore do not appear suitable for the customer’s representatives, beneficial owners (UBOs) and senior managing officials (SMOs).

Such extensive residential information of UBOs and SMOs are sensitive data points for corporate customers and regulated entities. For screening purposes, it should be sufficient to obtain the country of residence and – only to the extent where available when taking reasonable measures – the name of the city. Further investigations could be restricted to hits where further data are required to assess the hit. 

 

Article 3 – Specification on the provision of the place of birth

In practice, not all official identity documents include both the city and country of birth. We therefore submit that it should be sufficient to obtain at least one of these two data points, unless both are demonstrably required for risk mitigation purposes. We would further emphasise that nowhere in the Level 1 text is “place of birth” defined as country and city. Therefore, the RTS should allow for flexibility in terms of what components of the place of birth are considered risk-relevant.  

In cases where a customer has been verified by an e-IDAS solution (Article 22 (6)(b) AMLR), obliged entities will not possess any identity documents. In other words, the natural person has to inform the obliged entity of the customer’s city and country of birth. It would be preferable to collect the country of birth in order to rule out false matches in the context of financial sanctions. 

 

Article 4 – Specification on nationalities 

Regarding the knowledge of the nationality-ies of the customer, obliged entities are depending on the customer to obtain the required information and shall only use their best endeavour to obtain that information. To ensure clarity and consistency, it would be helpful if the article explicitly stated that institutions may rely on customer-provided information unless there are risk factors or red flags that would warrant additional verification. In our view, this would support a proportionate, risk-based application.

It would be beneficial to provide examples of acceptable forms of information that an obliged entity can use to satisfy the requirement of verifying additional nationalities. This guidance would assist obliged in understanding what constitutes sufficient evidence.

 

Article 5 – Documents for the verification of identity

Documentary requirements should be interpreted with sufficient flexibility to accommodate valid identity documents commonly accepted under domestic legislation. For instance, regarding Article 5(2) and Article 3 of the draft RTS, we note that not all identification documents provide the country of birth or nationality. We interpret Article 5(2) to allow for reasonable flexibility, whereby such identification documents are still acceptable, and any missing data can be supplemented by information provided by the customer. 

The use of a simple copy, as opposed to certified ones, for the purpose of verifying the identity of the person should be authorized as long as it cannot be altered, modified and is secured. In addition, the requirement of providing certified copies should not be applicable in all instances, but only where there is high risk at stake, or should allow a risk-based approach in that respect.

The reference to a certified translation should be removed, a simple translation should be sufficient to understand an original document in a foreign language. Each entity should be able to define where it requires certified translations depending on the availability of internal competencies within its organization (internal auto-certification should be possible or use of certified services/tools). If accurate Artificial Intelligence solutions exist within the entity that are able to translate documents in an efficient and reliable manner, the draft RTS should allow that they can replace the certification of the translation.

 

Article 6 – Verification of the customer in a non face-to-face context

See our response to question 2 below.

 

Article 7 – Reliable and independent source of information

The draft RTS requires obliged entities to assess the “reputation, official status and independence of the information source”. We consider that obliged entities should decide for themselves what measures they take, in-line with the risk-based approach. Additionally, the "ease with which the identity information or data provided can be forged" is very difficult to establish. This would require obliged entities to create a "reliability policy". We therefore request the removal of these requirements from the RTS to place an emphasis on “risk-sensitive measures”.

With reference to Recital 5 in the draft RTS, it is unclear how “recent" the information must be. In certain cases, old documents may still be up to date. There is no consistent practice across Member States on this question. We seek additional clarity.

Each professional should be able to define its own policy regarding source of information it considers as reliable and independent considering the variety of sources of information depending on the type of information and concerned country.

 

Article 8 – Identification and verification of the identity of the natural or legal persons using a virtual IBAN

See our response to question 3 below.

 

Article 10 – Understanding the ownership and control structure of the customer

Article 10(1)(a) of the draft RTS requires firms to reference all legal entities and arrangements.  This goes beyond reasonable expectations and the focus should be on intermediary layers owning more than 25% to identify the ultimate beneficial owner. We submit that the identification of intermediaries should be required for high-risk customers, while a reduction of the administrative burden for low-risk scenarios should be contemplated.

In case of well-known listed or regulated entities, the detailed approach to ownership contemplated in the provision at hand would create significant administrative and operational burdens. This requirement may lead to missing genuine risks if the focus is on exhaustive ownership structure analysis rather than risk-based assessment.

The absence of a regulated market exemption in the article, despite its mention in intermediary layers analysis, raises questions about whether there is an implied level of comfort for regulated entities. Clarification is needed.

Article 10(2) is understood to apply to all entities and so to non-complex structures. This requirement is to our view disproportionate and would require an expert team to take position on most entities. This would go against the risk-based approach.

Article 10 of the draft RTS sets requirements to build understanding of the ownership and control structure of the customer in standard cases. The level of information which obliged entities must obtain for standard and complex cases is therefore essentially the same at both levels. This is not in line with the risk-based approach and suggests that the requirements set out in Article 10 for standard cases are excessive.

We therefore suggest that the text of this Article be redrafted to focus on understanding the ownership and control structure of customers, particularly in complex and higher-risk situations, as follows:

For the purposes of understanding the ownership and control structure of the customer in accordance with Article 20(1) (b) of Regulation (EU) 2024/1624 where the customer’s structure appears unusually complex given the nature of the customer’s business and may pose a higher risk of ML/TF , obliged entities shall take reasonable measures to obtain where necessary the following information:

  1. the names of the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their beneficial owners that are relevant for the determination of the beneficial owner and which own or control a substantive share of the customer structure, if any;
  2. with respect to each legal entity or legal arrangement within the referred intermediary connections, the legal form of each legal entity or legal arrangement, and reference to the existence of any known nominee shareholders; the jurisdiction of incorporation or registration of the legal person or legal arrangement, or, in the case of a trust, the jurisdiction of its governing law. 

 

Article 11 – Understanding the ownership and control structure of the customer in case of complex structures

We find the definition of “complex structure” overly broad. Applying this definition without a risk-based assessment could lead to unnecessary burden.

Many international clients naturally have multiple ownership layers across jurisdictions and the layering of structures does not necessarily increase the risks involved. The current definition would result in many entities being included in the understanding of having a complex structure. It is, however, understood that a complex structure does not automatically lead to enhanced due diligence due to the wording in Article 34 AMLR. Confirmation of this would be helpful.

All in all, we believe that the definition should be refined to take into account the specificities of investment structures and larger corporates, while providing for an increased focus on higher risks.

In particular:

  • Carve-outs or deeming rules should be contemplated when there is presence in the structure of regulated financial intermediaries and listed group of entities within the European Economic Area (EEA);
  • The conditions set out in Article 11(1) under (a) to (d) should be made cumulative as those conditions taken individually are not deemed to be independently representative of a higher risk situation;
  • The condition set out in Article 11(1)(a) should be specified to refer to unusual arrangements.
  • The condition set out in Article 11(1)(b) should be specified to exclude EEA jurisdictions from the test and to focus on high-risk countries;
  • As regards the condition set out in Article 11(1)(d), obliged entities should be able to rely on the assessments made under DAC 6 under hallmark D2 in relation to arrangements involving a non-transparent legal or beneficial ownership chain.

As an alternative we would propose to replace the text of these provisions by an entirely new Article 11, which would require obliged entities to define, within their specific context, the criteria for what constitutes a complex ownership and control structure. 

Article 11 – Understanding the ownership and control structure of the customer in case of complex structures 

To understand the complexity level of the ownership and control structure of the customer in accordance with Article 20(1)(b) of Regulation (EU) 2024/1624, obliged entities shall establish adequate policies and procedures specifying the criteria that make ownership and control structures complex for the business relationships for which the obliged entity provides products and services. These procedures shall provide: 

  1. the number of layers between the customer and the beneficial owner that may be an indicator of complex ownership structure;
  2. the high-risk third countries in which these entities are incorporated or domiciled, if any ;
  3. indications of non-transparent ownership with no legitimate economic rationale or justification; and
  4. the presence of known nominee shareholders and / or directors that are involved in the structure.

 

Article 12 – Information on senior managing officials

The role and responsibilities of SMOs differ significantly from those of UBOs. Article 12 of the draft RTS does not, however, recognise this distinction, requiring obliged entities to collect the same information as for beneficial owners pursuant to Article 22(2) AMLR. Given the disparity of roles, responsibilities, benefits and degree of control, we find this requirement disproportionate.

In particular:

  • We consider that a business address should suffice for SMOs. Requiring a residential address is disproportionate and adds limited value.
  • Similarly, we believe that nationalities and place of birth of SMOs are not necessary for identification purposes. We believe that name and date of birth, plus business address, are sufficient to identify SMOs. There should not be a verification requirement.
  • We do not consider that obliged entities should be required to collect an identification document for SMOs, noting that SMOs would in many cases be unwilling to provide such personal data and considering potentially adverse consequences for customers.

In case where SMO are identified as UBO, the situation is different as for simple SMO (i.e a SMO not being a UBO at the same time). Both types of related persons must be differentiated in the draft RTS. For SMO as UBO, the same standards as for UBO should be applicable however there should be the possibility to provide the business address or SMO acting as an UBO. For simple SMO, only information regarding the identity should be provided (name, first name, if available date and place of birth), for the purpose of name screening (not identification).

 

Article 14 – Identification and verification of beneficiaries of discretionary trusts

Article 64 of the AMLR provides that trustees shall “provide the information on the beneficial owners and on the assets of the legal arrangements that are to be managed in the context of a business relationship or occasional transaction to obliged entities when the obliged entities are applying customer due diligence measures in accordance with Chapter III”. 

Accordingly, Article 14 (2)(b) in the draft RTS should be amended to recall that this obligation falls primarily on the trustee – and not on obliged entities - who must also fulfil it promptly.

The provision of the trust deed should be considered as sufficient for the purpose of identifying and verifying which are the beneficiaries of discretionary trusts. 

The draft RTS would require the obliged entity to obtain the letter of wishes and verify the actions of the Trustee. However, this is neither required nor desirable, as the obliged entity does not want to be held liable for the actions of the Trustee, who has entered into an agreement with the Settlor.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

ABBL answer:

We suggest the EBA consider proportionality and practicality in non face-to-face situations, allowing a risk-based approach when verifying documents that do not naturally contain advanced security features. While we acknowledge the importance of secure identity verification, the current drafting risks creating rigid, operationally challenging requirements that may undermine customer experience and limit the flexibility of obliged entities to tailor their onboarding process.

In particular:

  • Regarding Article 6(3), we request further guidance on what is meant by “this consent must be recorded”, specifically, what form of recording (written, electronic, audio/video) is considered appropriate and sufficient. Additionally, the purpose of the consent is ambiguous: consent under EU law must be freely given, implying a real alternative. If no fallback process is provided, the consent becomes de facto mandatory. This may reduce transparency for the customer and lead to meaningless, default consent similar to those seen in cookie policies. It should also be clarified whether such consent may be withdrawn, and if so, what the consequences are for verification and account access.
  • Article 6(5) appears inconsistent with the context of non-face-to-face identification. If the original document is not presented physically, features such as holograms cannot be examined as indicators of authenticity. We recommend clarifying how institutions are expected to assess such security features in practice.
  • Article 6(6) requires clarification on how institutions are expected to demonstrate compliance with the obligation to “examine the security features of the document.” In many cases, especially when onboarding international legal entities, obliged entities rely on copies of foundational documents. These will lack security features and may not lend themselves to authenticity verification without access to external databases or tools not readily available.

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

ABBL answer:

Article 22(3) of the AMLR requires a credit or financial institution servicing the account to which a virtual IBAN issued by another credit or financial institution redirects payments to ensure that it can obtain from the credit or financial institution issuing the virtual IBAN the information identifying and verifying the identity of the natural person using that virtual IBAN within five working days.

It is not clear that a servicing credit or financial institution will know what given IBAN is a virtual IBAN. It is also not clear how the servicing credit or financial institution can ensure that it will receive the information, since the completion of the action relies on prompt action of an external party.

We request that the RTS clarify how a servicing institution may differentiate between virtual and non-virtual IBANs and to explain how the servicing institution may fulfil the responsibility set out by Article 22(3) of the AMLR in the absence of control over the actions of the issuing institution.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

ABBL answer:

As currently drafted, we believe Articles 15 and 16 of the draft RTS read more as a template for extended due diligence in high-risk situations and not as a proportionate and risk-based framework for standard customer due diligence. We are concerned that resulting obligations would create unnecessary friction in business relationships with well-intended customers, negatively impacting customer experience and diverting resources from higher risk cases. These obligations might also warrant unnecessary client outreach even when the purpose and intended nature can already be inferred from the product and existing or intended relationship.

We urge the EBA to revise these Articles in line with the risk-based approach and allow obliged entities the opportunity to tailor their information collection based on actual risk. Article 25 of the AMLR already defines what information must be obtained and assessed to understand the purpose and intended nature of the business relationship. Expansion beyond this without clear high-risk indications undermines the principle of proportionality. 

In particular:

  • Where the purpose and intended nature of the relationship or transaction is evident from the products and services themselves, there should be no requirement to collect any further information. This simplification should at least apply to low-risk situation where simplified due diligence is applied.
  • Regarding Article 15(c) in the draft RTS, we request the deletion of the mention to the “wider group” as this goes beyond the AMLR requirements and is a source of legal uncertainty considering banking confidentiality rules.
  • Regarding Article 16(e) in the draft RTS, the reference to “key stakeholders” should be clarified. We question the practicabilty of contemplated information requirements.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

ABBL answer:

We have not received specific comments to this question from our members.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

ABBL answer:

 

Article 18 – Minimum requirement for the customer identification in situations of lower risk

As a general comment, we seek clarification on the difference between “lower risk situations” as referenced in Article 18 and “low risk situations” as referenced in the title of Article 19. Further, we seek clarity on how both relate to the terminology used in Article 33 of the AMLR, which refers to a “low degree of risk”. We believe it is important that terminology across regulatory instruments is consistently aligned or clearly distinguished.

In practice, obliged entities use varying definitions and categories for customer risk levels. It would be helpful if the final RTS acknowledge this variation. We assume that the term “low(er) risk” under Section 4 of the RTS implies any situation that is not considered “high risk”. Confirmation of this interpretation would be useful to ensure consistent application across the industry.

We seek at Article 18(2) clarification of the reference to “persons on whose behalf or for the benefit of whom a transaction or activity is being conducted”. The wording seems to introduce a new category of persons in addition to beneficial owners. This would add undue complexity to due diligence requirements.

 

Article 19 – Minimum requirements for the identification and verification of the beneficial owner or senior managing officials in low-risk situations

We understand this provision to mean that where the obliged entity holds official data from a reliable public register, a simple confirmation by the customer of this information or, as the case may be, a confirmation of the same information based on publicly available, reliable sources of information, is sufficient. We support this interpretation and seek confirmation of this understanding. 

In line with previous comments with respect to Article 18 of the draft RTS, we seek confirmation that the simplification at hand would be available in any situation that is not considered as “high risk”. 

We would also appreciate clarification on which standard applies for companies in formation process (that are not yet registered) or that are not registered at all.

 

Article 21 – Sectoral simplified measures: Collective investment undertakings

We urge the EBA to contemplate a withdrawal of this provision.

This provision mandates in essence a look-through of regulated intermediaries by collective investment undertakings and hence disregards customer due diligence measures effected at the level of the said intermediaries with respect to underlying investors. This would be highly disruptive of current distribution patterns of investment funds. Such an outcome would eventually put a critical strain on the stated objective of developing retail investor participation to capital markets across the EU.

Besides, the stated simplification contemplated for low-risk situations, requiring regulated intermediaries to provide the collective investment undertaking with customer due diligence information and documents with respect to underlying investors “immediately” and “upon request” goes beyond current market practices and would raise significant operational and legal challenges considering data privacy and banking confidentiality rules.

The condition in Article 21 (c) of the draft RTS is very problematic. The business relationship with a collective investment undertaking is a mix of the relationship with the collective investment undertaking itself, and with the relevant investment manager. If rated other than low, then the overall relationship could be out of the scope of simplified due diligence. This would mean that the RTS envisages the possibility of not performing due diligence on final clients only if the relationship is low. In other word, if this condition is not in place, the Asset Manager would not be able to rely on the due diligence performed by the distributor. This would lead to an enormous and unmanageable impacts for asset managers (which are not structured to perform due diligence on final retail clients – as relying on distributors has always been allowed). Failing a complete withdrawal of Article 21, we therefore request the removal of the condition (c). 

 

Article 22 - Customer identification data updates in low-risk situations

We interpret this provision to mean that in low-risk situations – i.e., where there are no indicators of high risk – the obliged entity may rely on its automated risk and event triggers (e.g., transaction monitoring systems). Where no risk triggers have been identified, there should be no need to actively update customer identification information, meaning that data correctness does not expire until there are reasons to doubt the correctness of client data and information. Paragraph 2 of this Article would need to support this reading, in that if the monitoring process is effective, it would have flagged any relevant events, eliminating the need for additional outreach to customers. Routine refreshing of ID documents without a specific justification would unnecessarily increase operational costs and negatively affect the customer experience.

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.

ABBL answer:

 

Subsidiaries of listed entities, public entities

With reference to lower risk factors contemplated under Annex II to the AMLR, simplified due diligence is applicable with respect to public companies listed on a stock exchange and subject to disclosure requirements ensuring adequate transparency of beneficial ownership.

We understand that this simplification is not directly available with respect to subsidiaries of qualifying listed companies, even if the said subsidiaries are wholly owned by the listed company. This outcome contrasts with current practices in several Member States and disregards economic substance.

We seek clarity regarding the availability of the simplification applicable with respect to listed companies to their (wholly-owned) subsidiaries (or with a threshold > 75%). 

By extension, clarification is sought that the same principle applies for entities owned by government or public institutions.

 

Institutional banking 

With reference to lower risk factors contemplated under Annex II of the AMLR, simplified due diligence may be applied with respect to public administrations and enterprises. 

In this context, we seek additional clarity regarding the availability of simplified due diligence requirements in the context of institutional banking, notably in transactions involving central banks, other public counterparties but also with regards to regulated and listed counterparties.

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

ABBL answer:

 

General comments

We are particularly concerned that several enhanced due diligence (EDD) provisions impose overly rigid requirements. As noted in earlier comments, we recommend incorporating clearer references to the risk-based approach to allow obliged entities to tailor EDD measures to actual risk exposure. EDD is only meaningful when it is targeted to mitigate specific risks. In certain cases, existing information already held by banks may be sufficient to meet EDD requirements. This observation applies to all EDD-related articles discussed below.

 

Article 24 – Additional information on the customer and the beneficial owners

We note that the wording “at least” in Article 24 introduces what appears to be a mandatory minimum list of additional information to be obtained by obliged entities. This appears to conflict with Article 34(4) AMLR, which states that EDD measures shall be proportionate to the higher risks identified. 

The phrasing in Article 24, specifically “shall, at least” and the use of “and/or”, is ambiguous. It is unclear whether obliged entities are required to obtain all the information listed under subparagraphs (a) to (d), or any one of them. To resolve this conflict and improve clarity, we recommend replacing “at least” with “where necessary”, thereby aligning the article with the proportionality principle in Article 34 AMLR.

With specific reference to Article 24(c), we seek clarity regarding the nature of the information to be obtained with respect to the customer’s or beneficial owner’s past activities.

 

Article 25 – Additional information on the intended nature of the business relationship

We question how the requirements under Article 25(1)(c) align with the already extensive obligations contemplated under Articles 15 and 16 concerning the purpose and intended nature of the business relationship as there appears to be overlap. Additionally, we seek assurance that this article does not imply a requirement to perform customer due diligence on the customer’s clients or counterparties, as this would expand the scope of due diligence obligations beyond what is intended under the AML/CFT framework. Specifically, the concept of “key customer” should be specified.

 

Article 26 – Additional information on the source of funds, and source of wealth of the customer and of the beneficial owners

Article 26 lists the documentary evidence that may be accepted for proof of source of funds / wealth in extended due diligence business relationships. Unlike Article 24 and Article 25, the wording of Article 26 does not allow evidence according to the assessment of the obliged entity. There is no apparent reason for this distinction and in light of the risk-based approach, obliged entities should be able to use other documents that have been referred to in order to verify source of funds / wealth.

Specifically:

  • The expectation under Article 26(1)(a) that pay slips or employment documentation must be signed by the employer is outdated and incompatible with modern digital payroll systems, where physical signatures are not the norm.
  • Requiring certified copies of audited accounts at Article 26(1)(b) raises the question of who is expected to provide the certification. If the accounts are already audited by an audit firm, their signature should suffice – additional certification should not be necessary.
  • Similary, we question requirements to obtain certified copies when the information can be retrived via other, reliable sources, such as, for instance, public registers. Certified copies can hinder the digitization of KYC processes.

For qualifying the quality of documents to corroborate the source of wealth or source of funds, each professional should be able to define its own policy and risk-based approach.

 

Article 27 – Additional information on the reasons for the intended or performed transactions and their consistency with the business relationship

Point a) requests the verification of the accuracy of the information on legitimacy of the intended outcome of an intended or performed transaction. It is unclear how an obliged entity should verify if the funds are genuinely being used as intended and announced to the obliged entity. This level of investigation is not legitimate for an obliged entity as these are tasks typically allocated to FIUs and law enforcement.

With reference to c), the obligation to assess the legitimacy of the parties involved in a transaction, including intermediaries and their relationship to the customer, appears to imply a requirement to conduct cuustomer due diligence on the customer’s business partners. This is neither feasible nor appropriate for obliged entities and should not form part of the enhanced due diligence requirements.

Furthermore, where the counterparty is a customer of another financial institution, especially when located in the EU, obliged entities should be permitted to rely on the presumption that the counterparty’s bank has fulfilled its own customer due diligence obligations in line with EU regulations. 

We propose that even in high-risk situations requiring enhanced due diligence, if a transaction clearly falls within the expected transaction profile of the customer and is consistent with the nature of the business relationship, it should not trigger an obligation to conduct additional scrutiny. Enhanced due diligence should be focused on deviations from expected behaviour.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

ABBL answer:

 

Article 28 – Screening of customers

With respect to persons owning or controlling customers, we seek clarification regarding the applicable threshold triggering screening obligations.

 

Article 29 – Screening requirements

Regular screening obligations contemplated under Article 29(c)(iii) of the draft RTS should be limited to significant changes of name, residence or nationality. By contrast, changes of business operations cannot be screened based on a monitoring of the basic data set available at the level of obliged entities.

In addition, Article 29 (a) (i) of the draft RTS mentions the screening of all names and first names, and their transliteration: should we understand that all possible combinations of names and first names must be screened individually? As transliteration is hardly available in systems, making this point operationally difficult to implement. Furthermore, for point (a) (iii), trade names are not necessarily available, and screening might therefore be difficult.

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

ABBL answer:

We have not received specific comments to this question from our members.

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

ABBL answer:

We have not received specific comments to this question from our members.

Question 1: Do you any have comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches sets out in Article 1 of the draft RTS? If so, please explain your reasoning.

ABBL answer:

 

Article 1 – Indicators to classify the level of gravity of breaches

Article 1(e) of the drat RTS proposes that “the impact of the breach on the exposure of the obliged entity (or its group) to money laundering and terrorist financing risks” be used as a criterion to assess the gravity of breaches. However, since the overarching aim of the AML package is precisely to reduce such exposure, it is difficult to imagine a breach that would not have such an impact. As this indicator would apply to virtually all breaches, it lacks discriminatory value and should be removed.

Similarly, Article 1(g) of the drat RTS refers to “whether the breach could have facilitated or otherwise led to criminal activities.” Given that the AML package seeks to prevent money laundering and terrorist financing, almost any breach could be seen as potentially facilitating criminal activity. This, too, renders the indicator ineffective in distinguishing levels of severity and it should therefore be removed.

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches sets out in Article 2 of the draft RTS? If so, please explain your reasoning.

ABBL answer:

 

Article 2 – Classification of the level of gravity of breaches

 Classifying breach severity is supported but the current definition of Category 1 breaches is too narrow to be meaningful. In practice, it is unlikely that any breach would meet the criteria, as most would have at least some impacts on the entity or its exposure to ML/TF risk and could conceivably facilitate criminal activity given the AML Package’s broad objectives.

The proposed definition of Category 2 breaches is too restrictive. Given the AML Package’s broad objective of reducing money laundering and terrorist financing, most breaches could plausibly be seen as facilitating or leading to criminal activity, making it unlikely that breaches would clearly fall within this category.

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

ABBL answer:

Article 4(3)(e) of the drat RTS includes “risk of loss” as a criterion, but we could argue that while actual loss is a valid measure, assessing unrealized risk of loss is overly broad, uncertain, and should be removed.

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

ABBL answer:

We have not received specific comments to this question from our members.

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

ABBL answer:

 

General comment

Article 5(2)(c) of the drat RTS appears to envisage that serious administrative measures could be imposed for a potential breach. In our view, the words “or the potential breach” should be deleted from that provision as administrative measures of this nature should be reserved for actual breaches only.

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

ABBL answer:

See our answer to question 5a above.

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

ABBL answer:

See our answer to question 5a above.

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

ABBL answer:

We have not received specific comments to this question from our members.

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the naturals persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

ABBL answer:

We have not received specific comments to this question from our members.

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

ABBL answer:

We have not received specific comments to this question from our members.

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

ABBL answer:

We have not received specific comments to this question from our members.

Name of the organization

Association des Banques et Banquiers, Luxembourg (the Luxembourg Bankers' Association)