Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Go back

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

It is essential that AML/CFT requirements are applied in a proportionate manner, and that any requirements are imposed in a way that is proportionate to the role that reporting entities can play in preventing ML/FT. Policies, procedures and controls should be proportionate to the nature of the activities, including their risks and complexity, and to the size of the reporting entity, and should respond to the AML/CFT risks faced by the entity (recitals 28 and 29 of regulation 2024/1624).

In principle, the introduction of a standardized European assessment and a risk-based approach for the EBA to assess and classify the risk profile of obliged entities is to be welcomed. However, the planned automated scoring system is based on a very high number of data points (as detailed in Annex I to the RTS under Art. 40(2) AMLD). Considering that the introductory recitals to the RTS clarify that RTS do not specify how the relevant data is to be obtained, this is an important and impactful practical question. It is not at all unlikely that the data collection exercises will ultimately have to be fulfilled by the respective institutions/obliged entities on a regular (generally at least annual) basis. The obliged entities will require significant financial and human resources to provide these data points, which will most likely be drawn from the persons/departments in charge of AML/CFT within the obliged entities. This, in turn, will negatively impact the resources that are available for the actual prevention of money laundering and terrorism financing, particularly in mid-sized to smaller obliged entities.

In addition, some data points are quite difficult to define, determine and interpret correctly, or they are simply not yet available for analysis. Examples for this are provided in the answer to question 3.

Therefore, the Deutscher Factoring-Verband e.V. (DFV) would welcome a clarification that the numerous data points required by the RTS first and foremost have to be provided by the national competent authorities and that the obliged entities should only be asked to provide data in exceptional cases when neither the AMLA nor the national competent authorities already have access to the required data.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

As already stated in response to question 1, providing this data will require significant financial as well as human and time resources if the data collection exercises required under these RTS will ultimately have to be fulfilled only or to a large extent by the respective institutions/obliged entities on a regular (probably annual) basis. The obliged entities will require significant financial and human resources to provide these data points, and these human resources which will most likely be drawn from the persons/departments in charge of AML/CFT within the obliged entities. This, in turn, will (at least in the short and medium term) negatively impact the resources that are available for the actual prevention of money laundering and terrorism financing, particularly in mid-sized to smaller obliged entities. In the long term, it is likely that obliged institutions will need to allocate more financial and human resources to regularly provide the required data, i.e. more employees and/or technological solutions will be needed to fulfil the data collection exercises. Therefore, it is essential to clarify that both the AMLA and the national competent authorities should primarily access and use data which is already available to them, and obliged entities should only be asked to provide data in exceptional cases when the AMLA or the national competent authorities do not already have access to the required data.

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

Some data points are quite difficult to define, determine and interpret correctly, or they are simply not (yet) available for analysis. Here are some examples of unclear or unobtainable data points:

Section A – inherent risk

Data on/ category customers:

Number of legal entities with complex structure (this data will only be available when the AMLR enters into force and is to be complied with)
Number of customers with cross border transactions involving non-EEA countries (despite the factoring company’s close contact with the factoring client and although the factoring company purchases receivables stemming from the factoring client’s transactions, not all the factoring client’s receivables may be purchased and not all their transactions may therefore be known to the factoring company)
Number of customers with requests from FIU whose matter or nature of the request is linked with AML/CFT (this requires the possibility of specifically searching databases for such FIU requests which is currently not generally possible)

Data on/category factoring:

Total Value (EUR) of factoring contracts granted during the previous year (which value does this refer to: the overall volume of purchased receivables or of advances?)
Total value (EUR) of factoring contracts granted to obligors established in non-EEA countries during the previous year (cf. the remarks for factoring above)

Data on/category geographies:

Number of incoming transactions in the previous year by country (this should not apply to factoring; if applicable, it is unclear whether this refers to the purchased/financed receivables or to the payments received from debtors. If it refers to debtors’ payments, international SWIFT payments as well as payments by cheque can make the allocation of a certain country to a certain payment difficult.)
Total value (EUR) of incoming transactions in the previous year by country (cf. the remarks on non-applicability for factoring above)
Total value (EUR) of outgoing transactions in the previous year by country (cf. the remarks on non-applicability to factoring above, coupled with the additional lack of clarity whether this should be considered from the centre of main interest of the factoring client or of the client’s bank/PSP)

Section B – AML/CFT controls

Data on/category AML/CFT policies and procedures

Number of customers with incomplete identification and verification documentation/ information (does this also include cases where e.g. the tax identification number has not been collected yet due to the implementation periods set by the AMLR?)
Average number of hours between the publication of the TFS by the authorities and the implementation of these changes in the institution's screening tools (this would require the third party provider of most screening tools to disclose this average timeframe, so it is data that is not readily available to the obliged entities)

The DFV advocates to add corresponding clarifications for the aforementioned data points.

Even though more detailed regulations regarding the data points are still outstanding, the aforementioned examples show that there will be considerable problems with individual data points and that this will lead to a significant and disproportionate amount of work for the obliged entities if they were to be the only or main persons responsible for providing these data points.

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

The low to (at most) medium ML/FT risk with factoring is not taken into consideration sufficiently in the context of this data collection. The risk profile of the factoring institutions generally does not change often, so that an annual review of the risk profiles and hence of the data points is not appropriate; a reduced frequency of three or more years would be sufficient, also considering that e.g. the national FIU can make ad hoc requests for information. This would also significantly lower the costs incurred by obliged entities through this data collection and regular review, and it would furthermore ensure that (especially small and medium-sized) obliged entities can have appropriate resources.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

The size of an obliged entity and that it only carries out certain activities (specialization such as e.g. providing only/mainly factoring) should not be the only relevant criteria for reducing the frequency of reviews. Further criteria should be e.g. the ML/FT risk category of the product, whether the product undergoes material changes fast or remains generally unchanged for longer periods of time and the extent of international or cross-border transactions of an obliged entity.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

The possibility of a different assessment for transactions linked with EEA jurisdictions seems reasonable due to the level of harmonization of AML/CFT regulation and supervision in this geographical area. Risks are inherently lower when the same or similar rules apply.

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

The materiality thresholds of 20.000 customers or the transactions‘ total value of over 50 million Euro for activities exercised under the freedom to provide services in other member states seems reasonable, but (again) requires a substantial evaluation and analysis effort on the part of the obliged entities. Furthermore, the DFV wishes to point out that for factoring, we assume that the total value of a transaction is composed only of the outgoing payments to factoring clients, but not of the incoming payments from debtors, since these two are intrinsically connected to each other through the purchased receivable and adding both kinds of payments together would be misrepresenting and misleading.

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

These thresholds should not be lowered, also because there are factoring companies which specialize in industries and sectors such as the health sector with relatively small claim amounts, but a much larger number of factoring clients than in other sectors. It would not be proportionate and risk adequate to include these factoring companies in the scope of direct supervision by the AMLA simply because they provide factoring services in other EU member states to a large number of clients. Similar to the direct supervision of credit institutions by the ECB and just as stated in chapter 3.2 para. 27 of the consultation paper, direct supervision by the AMLA should focus on large(r) obliged entities which provide their goods and services on a multinational level and therefore have a large geographic footprint, but it should not include small to medium -sized obliged entities that simply happen to have a large number of customers and provide their services cross-border because their customers are in a certain industry and located in e.g. a region close to a border.

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

Adding a distinction between (larger) institutional customers and other customers categorized as microenterprises under EU law (rather than retail as this would not cover all relevant industries and sectors) would be helpful to ensure the aforementioned focus of the AMLA on large(r) obliged entities which operate on a multinational level.

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Para. 43 of chapter 3 of the consultation document and recital 16 of the RTS on customer due diligence allow for updates for already existing customers to the new CDD standards in a risk-based manner within 5 years after the RTS’ entry into force, prioritizing updating higher ML/TF risk business relationships - this is to be welcomed. Such a transition period for updating data on already existing customers is highly important from a practical point of view of both obliged entities and customers. However, this should ideally also be stated clearly in the articles of the RTS themselves, particularly those addressing customer due diligence measures in average risk situations, i.e. section 1. Currently, only art. 22 (2) on customer identification data in low-risk situations as well as art. 32 referencing art. 23(1) regarding information on the purpose and intended nature of the business relationship in low-risk situations explicitly mention this 5 year transition period.

According to art. 3, the place of birth shall consist both of the city’s and country’s names. Up until now, the data point of “birth country” was not required, so this new interpretation of “place of birth” in the sense of art. 22 (1)(a)(ii) AMLR will inter alia require IT/software changes, which takes time and creates costs for the obliged entities, while the added value of this new data point is questionable. In most cases, information about the birth country of the customer or beneficial owner will not in the least improve the ML/FT risk management. To cover those few cases where information about the birth country may help to e.g. avoid confusion due to a duplication of place names in different countries, the RTS on customer due diligence could foresee the optional addition of “country of birth”.

Art. 11 of the RTS on customer due diligence contains clarifications on understanding the ownership and control structure of customers in cases with complex structures. One of the (additional) conditions for classifying an ownership and control structure as complex is that “there is a legal arrangement in any of the layers” between the customer and the beneficial owner (cf. art. 11 (1)(a) of the RTS). Unfortunately, the RTS do not elaborate further and do not clarify what this means; further clarification of this condition is necessary since every layer or intermediate company between the customer and the beneficial owner is ultimately based on a legal arrangement. Such a clarification could e.g. refer to legal arrangements regarding the capital or voting rights which deviate from the legal norm or standard. Moreover, the status of a complex structure must in future also be recorded as a structured (data) field in order to fulfil the data requirements which requires IT/software adaptations (cf. above).

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

With regard to fulfilling CDD requirements in a non face-to-face context, we wish to point out that the process of reliance on another obliged entity for meeting certain CDD requirements as it is laid down in art. 49 AMLR requires that the obliged entities conclude a written agreement, specifying the conditions for the transmission of the information and documents. This can be very cumbersome in certain constellations and countries, e.g. in the case of a one-off identification being conducted by a German credit institution for another obliged entity. Due to the high number of credit institutions in Germany (or in all of Europe, for that matter), it is not feasible to enter into written agreements with all or even just the most widely represented of these banks, but simultaneously, the ongoing trend in the financial sector to downsize the amount of physical branches makes it necessary to be able to rely on other obliged entities, preferably in a flexible way to ensure customer friendliness. It would be helpful if the RTS on customer due diligence would clarify this point and perhaps show up options that allow for customer-friendly flexibility while still complying with the AMLR.

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.

Factoring should generally be considered as associated with lower ML/TF risk since the main risk relevant for AML/CFT purposes is the risk of fraudulent invoices, aimed at the factoring client receiving more liquidity from the factoring company than corresponds with the services provided or goods delivered (if any). Factoring is however not well-suited for actually laundering money to hide the sources or origins of certain amounts of money: Factoring companies keep close contact to their customers, including regular field audits, and have an intrinsic interest to know the details and background to their clients’ transactions since the factoring company purchases the receivables stemming therefrom, in the majority of cases also assuming the credit/default risk of the debtor (factoring without recourse).

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Art. 28 of the RTS on customer due diligence states that to comply with Article 20(1)(d) of Regulation (EU) 2024/1624, obliged entities are to “apply screening measures to their customers and to all the entities or persons which own or control such customers”. This would mean that all shareholders (even with a very small amount of shares) would have to be recorded and screened. This contradicts art. 20 of the AMLR, which stipulates the concept of “control” or a threshold of 50%. It should therefore be clarified that ownership per se does not require screening measures to be fulfilled.

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Para. 43 of chapter 3 of the consultation document and recital 16 of the RTS on customer due diligence allow for updates for already existing customers to the new CDD standards in a risk-based manner within 5 years after the RTS’ entry into force, prioritizing updating higher ML/TF risk business relationships - this is to be welcomed. Such a transition period for updating data on already existing customers is highly important from a practical point of view of both obliged entities and customers. However, this should ideally also be stated clearly in the articles of the RTS themselves, particularly those addressing customer due diligence measures in average risk situations. Currently, only art. 22 (2) on customer identification data in low-risk situations as well as art. 32 referencing art. 23(1) regarding information on the purpose and intended nature of the business relationship in low-risk situations explicitly mention this 5 year transition period.

Neither Annex I nor any other article of the RTS on customer due diligence elaborate further on CDD data points which are labelled “where applicable” or “where available” in art. 22 AMLR. These comprise e.g. tax ID numbers or LEI. Unfortunately, it remains unclear what efforts need to be undertaken by the obliged entity to obtain and verify this information (e.g. whether asking the customer for this information is sufficient), and it also remains unclear what consequences follow if the customer cannot or will not provide such a tax ID number or LEI.

Question 1: Do you any have comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches sets out in Article 1 of the draft RTS? If so, please explain your reasoning.

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches sets out in Article 2 of the draft RTS? If so, please explain your reasoning.

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the naturals persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

Name of the organization

Deutscher Factoring-Verband e.V.