Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

The approach proposed by the EBA should ensure that the cost of compliance with the new requirements does not exceed what is necessary to achieve the objective of ensuring consistent AML/CFT risk assessment methods in all member states. With regard to reporting obligations for obliged entities, it should be noted that, regardless of whether they follow a fully harmonised or only partially harmonised approach, they represent a significant bureaucratic burden, especially given that obliged entities already carry out regular business-wide risk assessments under current AML obligations. Any change to supervisory authorities’ data collection questionnaire requires insurers to make considerable efforts to be able to provide the data requested. Even a minor change in an indicator can entail significant costs and delays in upgrading internal tools. Against this background, only the data collection exercises that appear inevitable for supervisory purposes should be carried out. Additional data exercises, particularly for the life insurance sector and related to life insurance products with a low AML risk such as pension products and pure risk insurance products, often yield limited added value.

The EU Commission has also made it a priority to reduce the burdens associated with reporting obligations for companies by 25%. Should a fully harmonised reporting obligation be pursued, any new harmonised reporting obligation should build on existing practices and avoid increasing the volume of data collection, unless clearly justified by supervisory needs. Similarly, public authorities should make maximum use of data already available to them and should measure the impact on any new data request, minimising these new requests as much as possible.

Key messages

  • Insurance Europe is supportive of the proposed harmonised and data-driven approach to the assessment and classification of the risk profile of obliged entities.
  • However, the approach proposed by EBA should ensure that new reporting requirements and data collection exercises are built on existing practices and data already collected.
  • New requirements or new data to be collected should not exceed what is necessary for the purposes of AML/CFT.
  • A two-step approach for classifying the risk profile of obliged entities with (1) a preselection based on the number of retail and business clients, categorised by products and countries of residence or establishment outside the EEA and (2) a selection based on EBA’s approach should be considered.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

We strongly agree with the rule whereby the residual risk cannot be higher than the inherent risk. The AML/CFT control framework put in place by a reporting entity cannot have the effect of increasing the inherent risk to which the entity is exposed prior to any mitigating measures, even if the entity’s AML/CFT system is deficient.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

The volume of data points listed is very large and the granularity of the questions is very high. In some cases (see details below), the requested data does not appear to be fully applicable or relevant in an insurance context. In others, the requirements would be complex, disproportionate and excessively costly to implement in order to provide a data point whose usefulness appears to be limited. Should these data points be confirmed, the necessary implementations would undoubtedly entail additional costs, as well as human and technical resources. For example, it would be necessary to disclose data from unstructured archived documents and register the data in a structured manner, to adjust registration processes in a more granular manner, and in some cases to reach out to clients to provide data. In that regard, the EBA is advised to support a model in which financial institutions are temporarily exempted from providing some data points that are available. One simplified example: NPOs may not be registered in a separate database field but in an archived report. That may be the case for various data points.

Different countries have different currencies, even within the EU. The EBA should take this into consideration for several data points which must be provided solely in EUR.

Some indicators which are common to the financial sector as a whole are not always adapted to the insurance sector.

For distribution chains specifically, there are many different types of distributors in the insurance industry, and it can be difficult to identify them according to whether they are part of a third-party or proprietary network, once the customers have been integrated into the tools. The categories of agents, distributors and brokers should be clarified regarding EBA’s expectations of what should be included in these categories.

The notion of ‘complex structures’ is also a point of concern. The definition of complex structures which can be found in Article 11 of draft RTS on Article 28(1) of the AMLR includes elements that cannot be found in public sources such as information on ‘nominee shareholders’. In practice, this means that those elements will have to be collected with each individual client. For entities with tens or even hundreds to thousands of business clients, this will be very burdensome and disproportionate, especially in low-risk situations, even within the five-year transitional period proposed by the EBA. See further below our response to draft RTS on Article 28(1) of the AMLR. We suggest the deletion of Article 11 altogether.

What is to be understood as customers is a point of concern as well. In the context of the draft RTS, “customers” should not encompass beneficiaries. Indeed, customers should be the persons that initiate the relationship with the company. In the case of insurance, only policyholders should be considered as customers. Indeed, it would be difficult and disproportionate to report on all designated beneficiaries. In many cases, beneficiaries are not specifically designated (e.g. when inheritors are the beneficiaries). The suggestion is to report on those groups of customers if they are specifically designated and identification data (not necessarily verified) are registered.

Key messages

  • The list of data points should be revised to be more proportionate.
  • The EBA should provide a reasonable transition period for financial institutions, temporarily exempting them from providing some data points which are not currently collected.
  • Article 11 of draft RTS on Article 28(1) of the AMLR should be deleted.

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

NA

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

NA

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

The relevant risk indicators of obliged entities from the insurance sector are not subject to material change to an extent which would justify an annual review. In addition, many life insurance products such as pension products and pure risk insurance products qualify as low AML risk. We suggest, for low-risk insurance products, reversing the rule-exception relation, e.g. imposing a regular review frequency of three years and only requiring an ad-hoc review of the risk profile if the incident-driven criteria set out in Article 5(6) of the draft RTS are met.

Moreover, the timetable for implementation of the first risk assessment and classification of institutions subject to AMLD6 is as follows:

  • Drafting of the RTS pursuant to Article 40(2) of AMLD6 by 10 July 2026, at the latest,
  • Entry into force of the RTS on the 20th day following publication in the OJEU,
  • Supervisors must carry out the first assessment and classification of inherent and residual risks no later than 9 months after the RTSs come into force.

Insurers will need to adapt their IT tools to enable them to collect any new data required for this assessment. However, it will not be possible to start working on tool upgrades until the list of data to be collected has been finalised, i.e. until the text has been published in the OJEU – by July 2026 at the latest. The supervisor will then have a maximum of 9 months to assess and classify risks and to collect data. It is impossible for insurers to be able to upgrade their IT tools to meet the new RTS requirements in such a short timeframe. IT projects are costly and time- and resource-consuming for companies and need to be anticipated sufficiently in advance to allow for a budget estimation and validation phase by management, and a technical implementation phase.

The timeframe set out in the RTS should therefore be adapted to take into account the budgetary and technical constraints of companies subject to the new requirements. A transition period for the first data collection exercise should be implemented, during which reporting companies would have the option of not answering certain questions relating to new data, if they are not in a position to do so.

Key messages

  • For low-risk life insurance products, only a review frequency of three years should be imposed with the possibility of an ad-hoc review of the risk profile if the incident-driven criteria set out in Article 5(6) of the draft RTS are met.
  • The EBA should introduce a transition period after the publication of the list of data to be collected to allow obliged entities to determine the cost of such data collection and to upgrade IT tools to collect such data.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

No. The quantitative criteria imposed in Article 5(3)(b)(iii) of the draft RTS do not reflect the reality of the insurance sector. Insurance Europe is not aware of a single obliged entity exclusively distributing contracts or products that cannot be redeemed, contracts or products that insure a lender against the death of a borrower or contracts or products of which the annual premium does not exceed EUR 1,000 or of which the unique premium does not exceed EUR 2,500 – such thresholds also do not reflect the different standards of living in the different member states. If such an entity existed, it would almost inevitably have a low risk profile at inception and qualify for a reduced review frequency under Article 5(3)(d) of the draft RTS.

With respect to Article 5 of the draft RTS, please be advised that it occurs twice. “Article 5 – Entry into force” should be re-numbered as “Article 6 – Entry into force”.

Key messages

  • Article 5(3)(b)(iii) of the draft RTS should be deleted.
  • The EBA should refrain from any attempt to establish static quantitative metrics or make the extension contingent on certain products.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

We firmly believe that cross-border transactions linked with EEA jurisdictions should be attributed less geographical risk than cross-border transactions linked with third countries. Commonly used sources for determining country risks include the FATF country lists, the EU list of low-tax jurisdictions, the Corruption Perceptions Index (CPI) scores of countries, and the countries subject to EU sanctions. Based on these sources, no EEA country qualifies as high-risk – taking into account that Bulgaria and Croatia are both on the grey list of the FATF, implying increased monitoring. The rationale behind the EU anti-money-laundering package is to ensure a regulatory level playing field. This should be reflected in the assessment of the inherent risk profile.

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

NA

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

NA

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

NA

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

NA

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

NA

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

NA

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

NA

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

NA

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

NA

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

The customer identification requirements of the AMLR can be met in several ways. As circumstances may vary between member states, the requirements of the RTS should be proportionate, especially in a low-risk situation. Considering the specificities and customs of member states, some customer identification requirements will be difficult for obliged entities to meet, as specified below.

On information on the name of a legal entity (Article 1):

  • Article 22(1)(b)(i) of the AMLR only requires obliged entities to obtain the “legal form and name of the legal entity”. The obligation to obtain the commercial name if it differs from the registered name, would go further than a mere interpretation and add an additional identification obligation to the AMLR. Moreover, it could also be difficult to verify whether the obtained (commercial) name is accurate. That is why we suggest deleting the words “and the commercial name where it differs from the registered name” in Article 1(2) of the draft RTS.

On information on the city of birth (Article 3):

  • in several member states, identity documents (such as the driving licence which is the most commonly used identity document) do not specify the city of birth of the document holder;
  • not all persons are born in cities;
  • the country of birth should suffice to fulfil the “place of birth” requirement, in addition to the fact that it will be highly difficult and burdensome for obliged entities to collect the information regarding the city of birth of the document holder;
  • the city of birth is not considered as a risk factor and does not appear to be relevant information for obliged entities to collect in relation to AML/CFT;
  • for the reasons mentioned above, we suggest deleting the city of birth requirement.

On information on nationalities (Article 4):

  • in several member states, identity documents such as driving licences do not specify the nationality(ies) of the document holder;
  • identity documents do not specify whether the document holder has multiple nationalities; information on customers’ nationalities is therefore necessarily declarative;
  • it should be clarified that for stateless people, their refugee status should be collected as an alternative to the nationality requirement to ensure the highest degree of financial inclusion.

Article 5(5), in conjunction with Article 22(6) of AMLR, requires obliged entities to obtain from customers and from any person purporting to act on their behalf for the purpose of verifying the identity of this person either an original identity document/passport or equivalent or a certified copy thereof. Recital 5 of the draft RTS outlines the reliable and independent sources of information which obliged entities should consider as part of their due diligence measures for customers that are not natural persons, including copies of official/statutory documents, etc., that are certified by an independent professional or a public authority. However, there are no similar provisions/clarifications in relation to natural persons and which authorities/independent professionals would satisfy the requirement to certify copies of an identity document/passport. It is important to consider that the requirement for a certification of a copy of an identity document/passport would incur costs for customers and would create a bad customer experience. It should therefore be removed.

The provisions of Article 5, which stipulate that identity documents must specify the nationality of the document holder, mean that driving licences, which are commonly used for identification purposes, will no longer be able to be used as identity documents.

With respect to Article 6, please be advised that sub 4(c) occurs twice. Re-numbering is necessary.

The fact that certain requirements cannot be met, and that specific information cannot be verified by obliged entities should not prevent them from signing a contract with customers if obliged entities did everything in their power to collect the information required (on a best-effort basis).

On Article 11, we question the legal basis for defining ‘complex structures’ in the RTS, as the AMLR does not introduce such a concept. We would support the deletion of Article 11 altogether, given the absence of a legal mandate to impose additional CDD requirements for so-called complex structures.

Should Article 11 be retained, a minimum of three layers should be required between the customer and the beneficial owner to define complexity. Regarding Article 11(1)(b), if it is maintained, it should be clarified that ‘different jurisdictions’ refers specifically to jurisdictions outside the EU/EEA, to avoid unnecessary classification of legitimate EU cross-border structures as complex.

Key messages

  • The customer identification requirements should be proportionate, especially in low-risk situations.
  • The requirement regarding the legal entity’s commercial name should be deleted.
  • The requirement regarding the customer’s city of birth should be deleted.
  • The “nationality” requirement should be removed from the list of information that identity documents must specify.
  • The requirements regarding the customer’s different nationalities should be removed, or alternatively, modified to ensure that if obliged entities cannot collect the information required, despite their best efforts to collect it, obliged entities can still enter into a business relationship with the customer in question.
  • The requirements regarding the customer’s nationalities should also be modified to include stateless people.
  • Consideration should be given to deleting Article 11 or at least revising the conditions under which the ownership and control structure is considered ‘complex’.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

The provisions set out in Article 6 lack proportionality, especially in low-risk circumstances. Insurance Europe suggests deleting all detailed technical content and referring instead to the EBA’s guidelines on remote customer onboarding.

Considering the fact that solutions based on the eIDAS regulation are still not sufficiently available (in particular, electronic means of identification offering either a substantial or high level of guarantee), it is important that the identity verification measures authorised by the RTS in the context of entering a remote relationship are:

  • widely available,
  • reasonably priced,
  • not too cumbersome or complex to implement.

In addition, it is important that the RTS provides for alternative identity verification methods to those provided for in the eIDAS regulation, so that entities subject to the law can always have remote access solutions at their disposal, even if solutions based on the eIDAS regulation are not sufficiently available or cease to be available for whatever reason.

The procedures for entering a relationship with a customer are a crucial issue for an insurance company and should not be called into question for reasons relating to the availability or otherwise of remote identity verification tools for entering a relationship.

The alternative solution proposed in paragraphs 2 to 6 of Article 6:

  • is based on conditions that are very onerous to implement, and would represent a major change compared with the alternative solutions authorised in the various member states today;
  • would require very high costs;
  • would be disproportionate for certain products, particularly low-risk products;
  • could generate difficulties in accessing insurance services for certain categories of customers (vulnerable or elderly people, for example).

We suggest maintaining the alternative solutions that exist in the various member states today, especially in low-risk situations, if solutions based on the eIDAS regulation are unavailable, and in particular the possibility of using the following alternative measures:

  • in a non face-to-face context, insurers in Belgium are permitted to verify the information provided by the customer by consulting the information available in their national register,
  • insurers in Sweden use a similar solution and send a physical letter to the place of residence of the customer,
  • insurers in France request a copy of the identity document and require that the first payment in a transaction be made from or to an account opened in the customer’s name with a person subject to AML/CFT requirements established in a member state of the European Union or in a state party to the Agreement on EEA or in a third country that imposes equivalent obligations in terms of the fight against money laundering and the financing of terrorism.

Article 6(2) of the draft RTS allows obliged entities to rely on remote solutions other than electronic identification means which meet the requirements of Regulation (EU) No 910/2014 for the purpose of verifying the customer’s identity in a non-face-to-face setting. While we support this option, it should not be contingent on the “reasonable expectation” that an electronic identification cannot be provided by the customer. It should not be the business of obliged entities to challenge the motives of the customer for not accepting eIDAS-compliant verification, nor should obliged entities be compelled to encourage the customer to do so. 

Key messages

  • The remote solutions currently used in member states which have been proven to work and be trustworthy should remain usable by obliged entities after the entry into force of the draft RTS and should be considered sufficient to verify the customer’s identity in a non face-to-face context, at least in low-risk situations.

Question 3: Do you have any comments regarding Article 8 on virtual IBANs? If so, please explain your reasoning.

NA

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Articles 15 and 16 do not reflect the business model of life insurance. Life insurance is based on a comprehensive contractual agreement. The amount and frequency of the customer's premium payments and the terms of the contract are set out in the contract. It is not comparable to a banking account where funds flow through to other recipients. In Article 15, an exemption could be included for cases where the purpose of the business relationship is evident from the product/service itself. In the case of many life insurance products, the purpose and intended nature of the business relationship are self-explanatory. Therefore, we suggest adding in the RTS that it is allowed for financial institutions based on their systematic/business-wide risk assessment, to use default descriptions of purpose and intended nature.

Article 15(c) of the draft RTS requires obliged entities to determine whether the customers have additional business relationships with the obliged entity or its wider group, and the extent to which that influences the obliged entity’s understanding of the customers and their source of funds. Article 20(1)(c) AMLR does not provide a basis for such a group-wide requirement. Although obliged entities must take “risk-sensitive measures”, as mentioned in Article 15, this provision could be interpreted widely, which would be concerning. Currently, entities within a group are only obliged to share information within the group about customers who were reported to FIUs. A general requirement to share or obtain group-wide information about any customer’s insurance contracts would be excessive and disproportionate, not only from the perspective of a risk-based approach but also from the perspective of data protection. Each insurance company within a group is a controller within the meaning of GDPR, and according to GDPR’s provisions, customer data and data on insurance contracts is only available for the respective controller. Moreover, companies within a group often use different IT systems which are strictly separated in terms of IT security, access rights, etc. Therefore, there is no central “overview” of a customer’s business relationships within a group because this would violate the very principles of GDPR. A general requirement for collecting information about a customer’s business relationships from all companies within a group would not only be excessive and disproportionate, as mentioned above, but also would create substantial difficulties and expenses with regard to the IT systems involved. That is why the wording “and its wider group” in this provision should be deleted, i.e. the provision should only apply to business relationships of the obliged entity as provided by Article 20(1)(c) AMLR. 

Moreover, composite insurers are active both in the life and non-life insurance sectors. Within composite insurance groups, there is a legal separation between life insurance activities (subject to AML requirements) and non-life activities (not subject to AML requirements) due to regulatory requirements (Article 73(1) of Directive (EU) 2009/138/EG). Hence, there are legal obstacles for obliged entities to obtain information on additional business relationships of customers within the group. Moreover, having information about additional business relationships of customers in the non-life sector does not provide relevant insights for obliged entities to better understand customers and their source of funds. Should Article 15(c) be retained, the inquiry into additional business relationships should in any case be restricted to obliged entities which are subject to AML requirements.

The wording of Article 16 is not sufficiently clear and does not help in understanding how to implement the risk-based approach with the use of the verb “shall”, followed by a very precise list of information to be collected.

Moreover, Article 25 AMLR requires obliged entities to obtain information on the purpose and intended nature of a business relationship or occasional transaction only if considered necessary. This should be reflected in Article 16 of the draft RTS as well. Indeed, it may not be necessary for insurers to collect additional information on the purpose and intended nature of the business relationship under Article 25 AMLR due to the following reasons: insurance companies are required by existing legislation (e.g. Insurance Distribution Directive (IDD)), prior to the conclusion of an insurance contract, to collect information and evaluate the customer’s demands and needs. In addition, in the case of an insurance-based investment product, a suitability test is required and the policyholder’s knowledge and experience, financial circumstances, risk tolerance, and loss-bearing capacity are evaluated. In the case of many life insurance products, the purpose and intended nature of the business relationship are self-explanatory (e.g. pension provision, biometric risk coverage, etc.).

Key messages

  • Section 2 should follow a more proportionate and risk-based approach and allow for requirements to be adaptable based on the level of risks the business relationship and occasional transactions are exposed to.
  • The requirement of Article 15(c) should be deleted due to the lack of legal basis and conflicting GDPR/Solvency II restrictions.
  • Article 16 should specify that, as provided under Article 25 AMLR, information on the purpose and intended nature of a business relationship or occasional transaction should be collected by obliged entities only if necessary.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

The PEPs’ screening requirements for life insurance protection products and pension products should be removed due to their limited value and relevance for these products, and the disproportionate burden they create for obliged entities which provide such products.

Alternatively, Article 17(1), point (a) should be adapted to allow the identification of a politically exposed person, a family member or person known to be a close associate “before or immediately after the establishment of the business relationship (…)”.

With respect to point 17(1b), the EBA should state that it is the responsibility of financial institutions to determine significant changes on the customer's side leading to an event-driven PEP screening. As a consequence, based on the risk profile (products, client regions, etc.) of the financial institution, it may occur that a financial institution monitors on a regular basis only.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Some life insurance products, such as pensions and pure risk insurance policies, present a low risk of ML/TF. Life insurance products with investment elements, such as unit-linked life insurance products (except for pension policies), are generally considered as having a moderate risk as they could potentially be used for ML/TF. However, they are rarely used as an ML tool due to their complexity and required sophistication. Other products, like annuities, have a long-term horizon, allowing for only small, gradual withdrawals. This makes them unattractive to money launderers, significantly reducing the risk. The focus on controls at policy inception or withdrawal results from the product characteristics rather than being an indication of low risk awareness. These are the key moments to focus on, as money either flows in or out of the product. Any checks in between are an inefficient use of resources, especially if no major changes were made to the contract. This does not mean life insurers are not aware of the potential ML/TF risks, but rather that insurers apply a risk-based approach, where they use their resources for those products and those moments where the risks reside.

Pure risk insurance aims solely at providing protection against the risk of a certain event, such as death. These products only pay out against a pre-defined event and have no investment element. In addition, premiums are usually low and determined by the insurer. That is why they are considered as low risk for ML/TF.

Although the aim of an insurance with an investment element is that premiums and additional returns eventually will be paid out, this may take place sooner or later. In some cases, the policyholder may be prevented from accessing the funds for a very long time (lock-in). A pension product, for example, normally pays out when the retirement age is reached. In occupational pensions the flexibility may be even more restricted for instance by access through employers and predetermined contributions (in addition to retirement age being reached). 

In some instances, a policy is paid up, that is, no further premium payments are made. This may be the case for instance when an employee changes employers and no more contributions are made to an occupational pension provided by the former employer. The policy is then dormant (closed) until retirement (payout phase). A paid-up policy can be dormant for a long time. Until payout and since no further premium payments can be made once the policy is paid up, the policy cannot be used for ML/TF during the dormant period.

Accordingly, SDD should be the rule for low-risk life insurance products such as pure risk insurance products and pension products. Specific sectorial simplified measures should therefore be introduced for these products (see further under question 7).

On the impact of Article 18: In order to implement a proportional and risk-based approach, the minimum information to be collected for the customer identification should not be specified in detail. In particular, information on place of birth and nationality should not be explicitly required in situations of low risk. For legal entities specifically, much of the information listed is not currently collected and would require the development of new tools, generating new costs. Moreover, commercial names can change; the only relevant name to be collected should be the one mentioned in the registration register.

According to Article 18(1)(b), the minimum requirement for a legal entity/other organisations that have legal capacity, includes not only the company number, but also the tax identification number and the legal entity identifier (LEI) where applicable. Collecting three different pieces of information in low-risk situations is not commensurate with the associated level of risk.

On the impact of Article 19: the identification and verification of beneficial owners and senior managing officials, including any measure taken to proceed to an update, can be administratively very burdensome for both customers/companies and obliged entities. We therefore welcome the EBA’s proposal to introduce a simpler approach in low-risk situations. It is a good step forward to allow, in low-risk situations, a simple confirmation of the adequate, accurate and up-to-date nature of the information available in the register (instead of requiring the obliged entities to systematically request the same information that is already available in the register from companies). Nevertheless, requiring double-checking to identify and verify the beneficial owner and managing officials or to update the information in low-risk situations seems disproportionate to the risk involved and will have an impact in terms of cost and efficiency. Article 19 should be further simplified to implement a risk-based approach, and to avoid administrative burdens for both customers/companies and obliged entities – meaning that multiple ways of identification and verification of UBOs should be allowed in case of SDD.

On the impact of Article 22: the measures relating to the regular updating of identification data for low-risk customers are disproportionate, especially for natural persons (in view of the data concerned, which, barring exceptional circumstances, is not intended to evolve over time). These measures do not follow a risk-based approach and will have an impact in terms of cost and efficiency, consuming means and resources that could be put to better use. Financial institutions should, in case of low-risk situations, be exempted from requiring information on the source of funds from customers.

Article 26(2) of the AMLR obliges insurers to update customer information every year or every 5 years depending on the risk, whereas article 33(1) of the AMLR allows the frequency of customer information updates to be reduced for business relationships presenting a low degree of risk. Proceeding to a customer information update every year or even every 5 years makes little sense for low-risk life insurance contracts, such as pure risk insurance products and pension policies which are valid for up to several decades, considering the low ML/TF risks, the long duration, the absence of occasional transactions, the low number of customer contacts and the absence of leverage over customers. For these business relationships, there is no reasonable ground to update the customer’s information on a periodic basis once their identity has been verified. Therefore, it should be possible to proceed to an update of a customer’s information on an "event-driven" basis, e.g. prior to the payment of the insurance benefit to the beneficiary, in case of risk-relevant contract changes, etc. In general, life insurance products are not comparable with other financial products that involve a large number of transactions (in unpredictable numbers and amounts). Moreover, the insurer only pays benefits in the event of an insured event or at the end of the contract.

Such unnecessary updating of customer’s information will be burdensome for the insurance company as well as for the customer. Insurance companies do not have such regular contacts with their customers for long-lasting low-risk life insurance products.

In addition, in the case of single premiums, it must be taken into account that periodic updating of customer data/source of funds does not add any value, as this is only relevant at the time of the payment of the single premium. This also applies to life insurance policies that are premium-free (e.g. paid-up policies). As the customer no longer pays any premiums due to the lack of an obligation to pay premiums, the source of funds no longer plays a role here either, meaning that there should be no obligation to update customer data in this regard.

In any case, it should be possible to go beyond the period of 5 years for low-risk situations. According to article 28(1) of the AMLR, AMLA shall develop draft regulatory standards specifying the type of simplified due diligence measures which obliged entities may apply in situations of lower risk pursuant to article 33(1) of the AMLR. In this respect, Recital 16 proposed by EBA is unnecessarily rigid. It states that, when reducing the frequency of customer information updates for low-risk situations, the maximum period of 5 years may not be exceeded. However, for many life insurance contracts including pure risk insurance policies and pension policies which can last for more than 40 years with very limited customer contact, an update of customers’ information every five years is disproportionate, as highlighted above. Such an update should only be triggered on an event-driven basis, as previously explained. Therefore, Recital 16 of the draft RTS should be amended by removing the following part of the second sentence: “without exceeding the maximum period provided in point (b) of Article 26(2) of the Regulation”. It would allow obliged entities to go beyond the current maximum 5-year period for customers’ information update, following a risk-based approach.

Alternatively, if recital 16 cannot be amended as suggested above, the suggested 5-year period for customers’ information update should not be considered as an absolute maximum for the insurance industry specifically. For the reasons explained above, there should be sector specific simplified due diligence measures specifying that for low-risk customers in the insurance sector, an update should be possible on an event-driven basis (instead of periodic updates).

As it is clarified in the AMLR, insurers do not have the ability to unilaterally terminate an insurance contract. The requirement to regularly (every one or five year(s)) update the customer's information is not compatible with long-lasting low-risk life insurance contracts (as highlighted above) and may put insurance companies in difficult situations if they are neither able to update such information due to the unresponsiveness of a customer, nor able to terminate the contract. Therefore, in case customers do not respond, it should be clarified in the RTS that customer data should be updated at the latest before the payout of insurance benefits. A possible way forward could be to clarify that, for life insurance contracts, the measure referred to in the last paragraph of Article 21(1) may be applied in case the obligation set out in Article 26 to update the customer information cannot be fulfilled.

On the impact of Article 23: In the case of many life insurance products, the purpose and intended nature of the business relationship are self-explanatory. Therefore, it should be clarified that the assessment of the purpose and intended nature in these low-risk situations may be based on assumptions about how customers normally use the products concerned or be considered self-explanatory from the contractual agreement entered into with the customer. For example, if a customer takes out a risk insurance, the purpose is to insure the customer’s life and the intended nature is the agreed premiums to be paid in accordance with the insurance contract. 

Key messages

  • The requirements under section 4 should overall follow a more proportional and risk-based approach for low-risk situations to minimise implementing costs and administrative burdens.
  • Article 18 should not specify the customer identification information to be collected in detail.
  • In situations of low risk, the collection of the company number should be the minimum requirement.
  • Although we consider Article 19 as a good step forward towards a simpler approach in low-risk situations, a further improvement could be to not require obliged entities to use two sources for the identification and verification of the beneficial owner or senior managing officials in low-risk situations.
  • Recital 16 should be modified to allow obliged entities – and insurance companies specifically – to go beyond the current maximum 5-year period for customers’ information update and to allow such update to be triggered on an event-driven basis under Article 22. 

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.

As recognised by FATF, the life insurance sector is generally associated with lower ML/TF risks than other financial sectors. For some life insurance products, such as pensions and pure risk insurances (without any investment elements), there are low ML/TF risks due to, among other reasons, the inflexibility of the products, or the lack of any investment element in combination with low premiums (see question 6). The same applies to paid-up policies where premiums are no longer paid. Therefore, to implement a risk-based approach, these low-risk life insurance products should benefit from specific simplified due diligence measures as is currently the case.

The SDD measures should include reducing the required information on customer identity (e.g. no requirement to collect or verify place of birth and nationality) and the purpose and intended nature of the business relationship or transaction (see also question 6).

Furthermore, the frequency of ongoing monitoring (including sanctions screening) and updating of customer information should be reduced (beyond the 5-year period); particularly for low-risk life insurance policies such as pension products, pure risk products and paid-up policies (see also question 6).

Additionally, a simplified approach for the verification of the customer in a non-face-to-face context may also be applied (see also question 2).

Occupational pension schemes (see recital 118 AMLR), such as pension schemes for the retirement benefits of employees operated by direct life or annuity insurance contracts between an employer/customer and an obliged insurer, qualify for a low-risk situation by default. They are conducted in high volumes and constitute an essential cornerstone of the retirement benefit system. Therefore, CDD requirements must be proportionate and take due account of the public interest to promote and ensure sustainable retirement benefit systems.

Section 4 should be amended to include pension products and pure risk insurance products in the list of financial products which should benefit from specific sectoral simplified due diligence measures because they are associated with lower ML/TF risks.

The EBA should clarify how the proposed draft RTS is aligned with the ongoing FATF efforts and commitments to align AML/CFT safeguards and financial inclusion policy objectives and the acknowledgment that too rigid and excessive AML/CFT measures can unintentionally exclude vulnerable populations from the financial system (for reference, see a recent FATF consultation on AML/CFT and Financial Inclusion – Updated FATF Guidance on AML/CFT measures and financial inclusion).

Key messages

  • Low-risk life insurance products such as personal pension and occupational pension products, pure risk insurance policies and low premium products, all considered with low-risk factors under Annex II AMLR, should benefit from specific sectoral simplified due diligence measures.
  • Section 4 should be amended as suggested to specifically spell out pension products and pure risk policies as low-risk products which should benefit from specific sectoral simplified due diligence measures.

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

For low-risk life insurance products such as pensions, life or pension annuities paid to a policy holder established in another country, and pure risk insurance policies (without any investment elements), enhanced due diligence should not be necessary in relation to politically exposed persons (PEPs) and in third-country situations.

The obligation laid down in Article 24(a) raises questions of cost, the means available to implement it and its feasibility. The obligation to verify does not concern a document, but information. What means are available to organisations subject to the obligation to verify the authenticity and accuracy of information, such as negative media reports? The means currently made available by member states seem insufficient.

Assessing the reputation of the customer and the beneficial owner (see Article 24(b)) should be limited to what is relevant for AML purposes.

The requirement under Article 24(c) that information should enable obliged entities to assess the ML/TF risk by obtaining information about the past business activity of the beneficial owner should be deleted. There is no legal requirement in the AMLR, it is not relevant to assess the current ML/TF risk, and it will be difficult for obliged entities to obtain this information from customers.

Alternatively, assessing the ML/TF risk associated with past business activities (see Article 24(c)) should in any case be limited in time, e.g. by only assessing the business activities carried out in the past 12 months.

Article 24(d) calls for information on family members. How can information on family members be obtained? What means do member states make available to entities subject to the law? Information on family members also has GDPR implications, which should be taken into consideration.

Article 25(a) concerns the verification of the legitimacy of the destination of funds, and Article 25(b) concerns certain aspects of transactions passing through an account. As a life insurance contract is not comparable to a banking account where funds flow from/to third parties, these provisions are not suitable for insurance companies.

The obligations set out in article 26, insofar as they also concern the source of wealth, are excessive. It is the customer (company) who pays the premiums from its business activities. Thus, the beneficial owner’s private income and financial situation is irrelevant for determining whether the premiums are derived from lawful activities. In practice, such requests will create difficulties for customer relations as in many cases, companies will not be able to provide documents from the beneficial owners, especially in group structures where there is no direct contact with beneficial owners. The wording of this article could be amended to take better account of the risk-based approach, by restricting the reference to the beneficial owners to cases where the obliged entity has reasonable grounds to suspect criminal activity (similar to Article 24(d)). Besides, many of the measures (“evidence”) mentioned under Article 26, points (a) to (f) involve an obvious risk of “tipping off”.

Concerning Article 26(d), the search for information on family members is excessive. How can information on family members be obtained? What means do member states make available to reporting entities? Regarding beneficial owners, making existing registers more reliable is a priority.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

The scope of Article 28, that is “customers and (…) all the entities or persons which own or control such customers”, is too broad as it may also include entities and persons whose identification is not legally required. The scope should be reduced to customers and UBOs.

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

NA

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

See question 2 for details on remote and electronic identification means.

On Article 32, it is very much welcomed and absolutely necessary that there will be a transition period regarding the application of Article 23 (1) of the AMLR for existing customers. However, the wording in Article 32 is incomplete. 

On the one hand, the reference to Article 23 (1) of the AMLR is missing; on the other hand, it should be clarified that the RTS on customer due diligence measures should not apply earlier than the AMLR. Since the application date of the AMLR is 10 July 2027, the transition period will end for high-risk customers on the 10th of July 2028, for the other risk classes on the 10th of July 2032, and for low-risk customers in the life insurance sector on an event-driven basis.

Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.

NA

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.

NA

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

NA

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

NA

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

NA

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

NA

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

NA

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

NA

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

NA

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

NA

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

NA

Name of the organization

Insurance Europe