Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Go back

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

We welcome the EBA’s initiative to develop a common, risk-based methodology to assess and classify the risk profile of obliged entities, but stress that its practical success will hinge on clarity, proportionality and flexibility. On behalf of our members, we make the following points and requests.

Need for additional details

The rationale underpinning the EBA’s decision not to include a granular description of the methodology is understood. However, the absence of details around the scoring methodology (the algorithm and ‘weights’) that will be assigned to each indicator prevents industry from giving a truly informed view of the EBA proposal. It is difficult to assess the significance and validity of certain points without a view on what aspects are to be considered higher risk than others, and on the factors of a firm’s control environment that are evaluated as more material in managing the identified risk.

Such a lack of detail also prevents obliged entities from fully assessing certain items in Annex I Parts A and B. The quantity of data points to be identified is significant, and does not appear to have been selected in accordance with the risk based-approach. Certain data points may not be appropriate to score (e.g. number of STRs filed, CRA distribution, number of FTE) as they do not offer a direct indication of controls quality, but can be useful – if substantiated by other qualitative context – in getting a general sense of an entity’s AML/CFT function, including year-on-year developments.

Similarly, unless it is clear that the response would not be given a positive or negative score, data points such as the number of non-profit customers may raise concerns (including from a de-risking perspective) if associated with inherent risk. AFME members’ final view on their inclusion in the Annex would depend on this consideration.

In addition, should this scoring methodology not be made transparent in the future, there is a risk that the outcomes of supervisors’ assessments will be misaligned with that of an entity’s own assessment (which will be performed as outlined in Article 10 AMLR). This would go against the objective of achieving a single and homogenous understanding of risk which would result in a misalignment of the controls designed to manage such risk. In terms of implementation, this lack of transparency would also prevent financial institutions from simplifying and aligning internal policies and procedures, thus resulting in additional costs for industry.

We note that, at the start of Annex I Part A, the EBA specifies that ‘the data points in this annex are not the same as the indicators supervisors will use to calculate the ML/TF risk of financial institutions’. We request that the EBA clarify the meaning of this statement (is the intent to explain that the data points will be turned into indicators once the weights and other considerations are applied?), and whether this also applies to Annex I Part B.

Definition of data points in Annex I

The Consultation Paper explains that an interpretative note providing further context to the data points listed in Annex I will be available in the EBA’s response to the European Commission.

As set out in our response to Question 3, additional clarity is needed on the specifics of various data points. Overall, the guidance document should feature a detailed list of definitions, any applicable criteria (e.g. around materiality), a description of what is in scope for each indicator and, to the extent possible, justification for inclusion.

This will be fundamental to ensure a clear and shared understanding of the risks and controls intended to be captured and measured. We firmly believe that industry should be actively engaged in the drafting of these definitions. AFME stands ready to assist the EBA in the drafting of this interpretive note and is able and willing to help in whatever manner the EBA considers most appropriate.

Scoring methodology – volume-based vs. risk-based

When scoring and assigning a weighting to an indicator or risk factor, we understand that the ‘exposure’ (i.e. the value or volume reported) will be used to score the indicator or risk factor, and that the ‘ML/TF sensitivity’ of the indicator or risk factor will be used for setting its respective weighting.

If this is correct, we are concerned that the principle used for scoring relies more on a volume-based approach, where the ML/TF sensitivity is only used to weight the indicator or risk factor, rather than relying on a truly risk-based approach.

We consider that the ML/TF sensitivity of the indicator or risk factor should instead be reflected in the threshold applicable to the value or volume used for scoring the indicator or risk factor. We request that the EBA confirm the applicability of this approach – or if not, that it provide further explanation of how the risk-based approach is to be used for the scoring of indicators and risk factors.

Setting the weighting – dynamic approach vs. predefined (Wolfsberg) approach

In the calculation of the overall ML/TF inherent risk score, we understand that the weighting given to the combined score of each category will be proportionate to the score obtained for the category (i.e. the higher the risk score of the category, the higher the weighting of the category in the calculation of the overall ML/TF inherent risk score).

We request clarification of the reasons for the adoption of this dynamic approach in setting the weighting and not relying on predefined weighting, as used in the Wolfsberg approach (see for example the Wolfsberg ‘Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption’ 2015), assuming that a category in itself may have a stronger impact or influence when assessing an ML/TF inherent risk.

Major events or developments

We agree with the proposed approach to re-evaluating an entity’s risk profile if fundamental changes occur in its management and operations. However, we do not think the definition in Article 4 (6) draft RTS offers sufficient clarity on what constitutes a major event or development, particularly for points (a) and (b) – as the only way to assess a change in the risk profile (inherent or residual) is to carry out the assessment.

We also highlight that the RTS should ensure that sufficient time is allowed from the event to ensure that the reassessment is carried out on up-to-date data.

Finally, we would welcome clarity as to how the ad hoc assessment would affect the normal frequency assessment. Would the clock be reset, or would the assessment be repeated within a short timeframe?

Timeline for application

We request that the EBA clarify the timing of the first assessment to be carried out using the proposed methodology. A first submission in in Q3 2027 – which would be on data from 2026 – would be extremely challenging. Automated processes for extracting this data must be built, implemented and adapted. Numerous data points are not captured today, or not at the requested level of granularity. To allow sufficient time for data to be captured and to avoid falling into manual processes of extraction, we request the first submission should not be until Q3 2028, and based on 2027 data.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

We agree with the proposed relationship between inherent and residual risk, such that residual risk can be lower, but never higher, than inherent risk.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

We make comments on individual proposed data points in the table set out in Annex 1 of this consultation response. As agreed in written correspondence with the EBA's IT service, we will submit this table directly to the IT service, who will then forward it to the policy team, noting that the EBA online submission tool does not accept tables.

Number of data points to be collected

We consider the number of data points to be collected to be excessive and not in keeping with a proportionate, risk-based approach. To collect all the data points currently proposed would lead to a significant impact in terms of costs and effort, with particular challenges arising from proposed data points related to products, services and transactions.

Consistency of interpretation

The experience of previous risk assessment exercises shows that many data points are interpreted differently by various public authorities, are not always available, and will often require costly and time-consuming IT developments. If the data to be collected are to deliver value, there must be clear guidance to ensure consistency of interpretation, to allow comparability between obliged entities and across national contexts.

Specifically,

- What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

We note that the Conclusion of the explanatory text accompanying the draft RTS states

‘For obliged entities, the draft RTS is not expected to create significant costs. The main costs will be borne by competent authorities […] Overall, therefore, the impact assessment on the draft RTS suggests that the expected benefits are higher than the incurred expected costs.’

We do not agree with this conclusion.

The technical and operational changes that would be necessary for firms to provide all that is proposed to be required would likely come at very considerable cost for firms. These costs will vary widely and will depend on

the size, scale, nature, and existing maturity level of reporting solutions within the obliged entity
whether (and to what extent) the information is extracted currently
whether (and to what extent) an obliged entity needs to design and build a bespoke solution
the intended frequency and depth of supervision
whether (and to what extent) the responses need to be derived from other data fields or can be directly extracted.
whether (and to what extent) information is held in digital format or in multiple databases
whether (and to what extent) data require cleaning before using
whether (and to what extent) the systems of the obliged entity are compatible with that of the supervisor
whether (and to what extent) relevant historical quantitative data or the data requested is retained by the entity in the form requested by the supervisor.

To collect and regularly report all new data points in Sections A and B, firms will in most cases have to onboard new fields and data sources, establish a maintainable and auditable data processing flow, train staff, promote the uniform use of systems across all locations, assure the quality of what is produced, and ensure global alignment between entities.

Manual effort in obtaining and collating the data points will also be required. Across industry, this is likely to require a large number of experienced FTE staff solely dedicated to this task. This may result in resources not being efficiently used to mitigate overall financial crime risk.

In addition, as per our understanding, Annex I is the minimum set of data requirements across the EU Member States. We understand the intention of the AML package is to create a single, harmonised AML rulebook across the EU. However, national supervisors may continue to require additional data requirements as part of their supervisory role. This means that – if national competent authorities do not defer to the EU approach – a firm may be required to continue developing and enhancing separate bespoke EU and national solutions.

We therefore request in the strongest terms that EU authorities, national competent authorities, prudential and AML/CFT supervisors and FIUs agree to follow a harmonised EU approach and establish effective co-operation mechanisms to ensure appropriate information exchange for the purposes of supervision and risk assessment.

The true benefit of the AML package in terms of harmonisation, cost and effort can only be realised when there are no additional data requests from supervisors other than those set by AMLA. We very much encourage relevant authorities to work toward this end.

We also request that out of the list of questions, EBA identify a minimum set of core or critical data points / questions that will need to be prioritised and provided during the initial iterations.

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

We flag data points that are not currently available to (or will be very challenging to obtain for) most credit and financial institutions in our comments on the data points set out in Annex 1.

We request the removal of the risk categories listed in section 2B (low risk, medium-low risk, medium-high risk, high risk). This categorisation is not universally applied across EU Member States, and introducing such a standard would create significant challenges for those that do not currently use it. In particular, it would be especially burdensome for the first submission, as a complete reassessment of clients would need to be conducted before submitting the 2026 customer data for the 2027 reporting cycle.

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

As AFME members are financial sector entities, we do not submit a response to this sub-question.

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

Proposal for alternative frequency of review cycle

We consider that the normal frequency at which risk profiles would be reviewed could and should be reduced to a less than annual frequency (either once every two or every three years, with a data-driven decision to set the frequency).

We note that where major events or developments in the management and operations of an obliged entity occur, Article 5 (4) draft RTS requires supervisors to conduct an ad hoc assessment and classification of the inherent and residual risk profile of the relevant obliged entity. In the absence of such an event or development – that is to say, where the management, operations and risk profile of the obliged entity have remained largely unchanged since the last assessment – it is not clear what value would be added by repeating the exercise annually.

We particularly note the heavy burden in staff hours and IT resource that such assessments are likely to place on competent authorities and obliged entities. With this burden in mind, we suggest that resources could be used more efficiently if the normal frequency were set at a less than annual frequency.

Discrepancy in consultation document text – risk of increased frequency of review cycle

We also highlight a discrepancy in the consultation document text. Question 4 refers to ‘once per year’ as the normal frequency. This is repeated (with a slight textual change to ‘once every year’) in the accompanying explanatory text on page 8 (paragraph 20 (b)) and page 67 (option 4a, 4c and concluding paragraph).

Recital 10 and Article 5 (4) draft RTS refer however to ‘at least once per year’, which is repeated (again with a slight textual change to ‘at least once every year’) on page 67 (option 4b).

We are concerned that this could leave room for a still higher review frequency. Noting that – especially for larger entities – the process of data collection, validation, governance and approval can easily add up to several months, any frequency higher than once per year would be disproportionately challenging and would not bring significant value added in terms of supervisors’ understanding of risk.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

We do not propose alternative criteria for the application of the reduced frequency at this point. We suggest however that once implemented, the criteria should undergo assessment and revision based on the evidence and experience that will be gained, with a potential for stakeholders to provide feedback and suggestions for improvement.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

We do not agree that cross-border transactions linked with third countries should necessarily be assessed differently than transactions linked with EEA jurisdictions. We consider that the assessment of geographical risks linked with cross-border transactions should focus on jurisdictions with higher ML/TF risks identified in accordance with Articles 29, 30 and 31 AMLR.

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

We consider that the thresholds appear to focus predominantly on retail banking, do not consider the diversity of obliged entities, and do not sufficiently accommodate the size, nature and operations of wholesale banking activities. For wholesale banking firms, although the number of customers may be smaller, the value of transactions will in general be much higher. For recently established firms, particularly in non-financial sectors, the value/volume may be less than the thresholds, but the firm may still have a high overall risk exposure.

We therefore request that the thresholds be amended to take account of the realities of wholesale banking with separate retail and wholesale thresholds established if necessary and suggest that the risk assessment methodology should also consider the date of establishment of a firm / how long the firm has been operating.

Proposed thresholds to determine whether operations in a Member State are material

The draft RTS proposes thresholds to determine whether operations under the freedom to provide services in a Member State are material. These thresholds require that the number of customers served that are resident in a Member State must be above 20,000, and the total value of incoming and outgoing transactions generated by these customers must be above 50,000,000 euros.

We consider that these thresholds appear to focus predominantly on retail banking, do not consider the diversity of obliged entities, and do not sufficiently accommodate the size, nature and operations of wholesale banking activities. For wholesale banking firms, although the number of customers may be smaller, the value of transactions will in general be much higher. For recently established firms, particularly in non-financial sectors, the value/volume may be less than the thresholds, but the firm may still have a high overall risk exposure.

We therefore request that the thresholds be amended to take account of the realities of wholesale banking, with separate retail and wholesale thresholds established if necessary, and suggest that the risk assessment methodology should also consider the date of establishment of a firm / how long the firm has been operating.

We note that in some instances the text refers to the ‘volume of transactions’, and in others, the ‘value’. We request clarification if any nuance is intended by the varied use of these terms.

We also note that the thresholds do not take into account the population of countries. It is not clear why the serving of 20,000 customers in six Member States would automatically increase the risk profile of an entity to a higher level than that of a peer serving 120,000 customers (or more) in fewer than six Member States. We would welcome further explanation of the rationale underlying this choice.

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

As noted above, we consider that a distinction should be made between the retail and wholesale sectors. Lowering the value or volume of thresholds may not give what we infer is the Authority’s desired outcome in the context of wholesale banking.

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

As noted in our previous responses, we consider that a distinction should be made between the retail and wholesale sectors. The types of customer profiles and the risks they present differ significantly in the retail and wholesale contexts. It would be appropriate for the RTS to recognise this.

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

We broadly agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under Article 40 (2).

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

We consider that there should be scope for adjustment when duly justified.

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

It is difficult to comment on the calculation of the group-wide score as the weightings of relevant data points are not yet known.

We request that the EBA clarify the workings of the formula set out in Article 5 (2) draft RTS by providing numerical worked examples.

We suggest that the methodology itself should be reviewed based on the evidence and experience which shall be obtained through implementation.

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

We read that non-EU credit or financial institutions which are subsidiaries of an EU credit or financial institution are not in scope of this exercise. We request that the EBA

confirm this understanding, and
clarify whether this also holds true for a non-EU branch of an EU credit or financial institution.

We understand that the collection of data points will be organised by national authorities – including for obliged entities or a group which are to be subject to direct AMLA supervision. We request that the EBA confirm this understanding.

If this is correct, AFME members would like to avoid being forced to submit the same data set numerous times – in particularly for an EU bank which has several branches in other EU member states.
With this in mind, AFME members understand that submission shall be made at entity level. If we consider for example Bank A which has its headquarters in Italy and several branches in other EU member states, then
- Bank A has to provide the information related to Bank A in Italy plus the information related to all its branches in other EU Member States to the Italian national competent authority.
- If Bank A has subsidiaries deemed to be credit or financial institutions situated in other EU Member States, each of these subsidiaries would need to submit their data to the national competent authority where the subsidiary is headquartered.

We would be grateful if the EBA could confirm this understanding.

With reference to Article 5 - Group-wide risk assessment, as per our understanding of the formula, the risk score of each entity is weighted by its relevance within the group, and the parameter 𝛼 amplifies the impact of riskier entities on the overall risk score. This formula considers the residual risk score of each entity and its relevance within the group. The parameter 𝛼 may be adjusted by AMLA to prioritize the riskier entities and ensure that they have a greater impact on the overall risk score.

We would be grateful if the EBA could confirm this understanding.

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

We do not submit a response to this question.

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

We consider that there should be scope and a mechanism for regular industry feedback to be provided and considered by relevant authorities during the transitional period.

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 1 – Information to be obtained in relation to names

Focus on retail business

The current drafting appears to be primarily oriented towards the retail sector, which may not be fully applicable to all customer types. We recognise the challenge the EBA faces in drafting regulation applicable to all sectors. We request that in finalising the texts of the RTS, the EBA remain mindful of the distinct needs and operational realities of wholesale institutions and ensure that the requirements can be implemented effectively in both wholesale and retail banking contexts.

Clarity of targeted population

Article 22 (1) of the Anti-Money Laundering Regulation (‘AMLR’) requires obliged entities to obtain specific information to identify ‘the customer, any person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted’. Article 1 (1) of the draft RTS cites Article 22 (1) AMLR, but then sets out requirements citing only ‘the customer’, with no mention of the additional classes of persons set out in Article 22 (1) AMLR. It is unclear whether this is an oversight, or whether the EBA intends to target measures at a more limited population than that identified in the AMLR.

We therefore request that the EBA clarify

whether the reference in Article 1 (1) draft RTS to a more limited population (of ‘customer[s]’) than that cited in Article 22 (1) AMLR is an oversight, or a deliberate choice,

the scope of the information to be obtained with regard to the identification of persons purporting to act on behalf of the customer, and of natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted, and

whether the requirements set out for ‘customers’ similarly apply to the identification of

natural person trustees of an express trust or persons holding an equivalent position in a similar legal arrangement, pursuant to Article 22 (1) (c) AMLR, and
- beneficial owners pursuant to Article 22 (2) AMLR, in combination with Article 62 (1) AMLR and/or also, where appropriate, to the identification of individuals as per Article 22 (1) (c) AMLR, in combination with Articles 57 to 60 AMLR.

These questions apply mutatis mutandis to Articles 1 to 6 draft RTS.

We have understood that EBA is bound by its mandate as set out within Article 28 AMLR when drafting the present RTS. However, since Article 28 (1) (a) AMLR clearly references Article 22 AMLR, including Article 22 (1) and (2) AMLR, we assume that clarifications on the complete population of roles as outlined above should be within EBA’s mandate.

Clarity of definition – person purporting to act

The RTS should explicitly define ‘any person purporting to act on behalf of the customer’. It should also clarify that this definition includes only external third parties acting via proxy or power of attorney (e.g. agents). The clear definition of the ‘person purporting to act on behalf of the customer’ is key to ensuring maximum harmonisation and will avoid a continuation of the present state where Member States continue to interpret this term differently.

In light of AFME members’ experience stemming from the implementation of Directive (EU) 2015/849 and Directive (EU) 2018/843), it would be sensible and proportionate to limit the definition to third parties acting via proxy or power of attorney. In the context of wholesale banking, capturing individuals acting in their professional capacity belonging to the customer’s sphere (e.g., authorized signers, senior managers), in particular those employed with regulated financial institutions, has proved disproportionately burdensome and ineffective in leading to preventative financial crime outcomes. Internal individuals acting only as authorised signatories, operations staff, and senior managers generally do not add value to money laundering or terrorist financing (ML/TF) risk assessments and focusing attention on them from a baseline and universally applied regulatory perspective is not in keeping with the risk-based approach.

Regulated financial institutions employ many internal personnel who are authorised to sign contractual documents (e.g. ISDAs) or place trading orders to execute transactions (as principal or agent) within domestic and international wholesale banking markets. These are internal employees and act on the financial institution’s behalf as part of their day-to-day professional activities. Within the EU and other regulated financial centres, such individuals are generally subject to additional regulatory obligations concerning market conduct, fitness and propriety on an ongoing basis. Such individuals are generally vetted and monitored within both corporates and regulated financial institutions.

On this basis, when undertaking CDD on corporate clients and regulated financial institutions within wholesale banking/ markets, the identities of internal personnel who are authorised to sign contractual documents should not need to be collected. There should be no general requirement to identify and verify internally authorised employees of a body corporate customer.

We therefore suggest that a clear definition of a ‘person purporting to act’ should be:

‘legal representative(s) (e.g., legal guardians) of a natural person customer; any natural person, other than an internal employee or senior manager of a legal person, authorised to act on behalf of a legal person customer pursuant to a contractual mandate (e.g. an agent), or any natural person authorised to act on behalf of legal person customers pursuant to a bilateral proxy agreement.’

This definition (or other similarly agreed definition) should be applied consistently across the AMLR and RTS. Further information can always be requested as part of enhanced due diligence (EDD), where relevant money laundering or terrorist financing (ML/TF) risks arise.

Level 1 differentiation between obtaining and verifying

Article 22 (1) AMLR requires obliged entities to ‘obtain’ various pieces of information, which are to be collected ‘in order to identify’ three classes of natural persons. The use of separate verbs, and the statement that the obtaining is done to make possible (‘in order to’) the verifying, make clear these are separate actions, with the first undertaken so as to permit the second.

It is possible that a particular identification document may not contain all the information set out in Article 22 (1) AMLR. In that case, the identification document should still be usable for verification of identity, and the obliged entity should not have to verify the data points that are not available.

For instance, a German passport does not contain an address. In that case, it should be sufficient to obtain the address from the individual and to verify the individual’s identity using the passport, but not to obtain a second document for the purpose of verifying the address. This is already existing practice and is a sensible, pragmatic approach. To require otherwise would be very burdensome, particularly for retail clients, and would require the presentation of multiple documents with very little value added.

Data point variability – limit collection of names to those on ID documents

Article 22 (1) (a) (iv) AMLR requires obliged entities to obtain for a natural person ‘all names and surnames’. Article 1 (1) draft RTS repeats this obligation to obtain ‘all of the customer’s [see targeted population point above] full names and surnames’, but then limits the requirement to ‘at least those names that feature on their identity document, passport or equivalent’.

Naming conventions vary across cultures and around the world. Passports and identification documents also vary in the data points they provide, in accordance with the choices of the issuing authority.

As such, the RTS should acknowledge this variability and require obliged entities to obtain only those names that appear on identity documents, passports, or equivalents.

We therefore suggest amending the text as follows:

Article 1 (1) draft RTS

‘In relation to the names and surnames of a natural person as referred to in Article 22 (1) (a) point (i) of Regulation (EU) 2024/1624, obliged entities shall obtain all of the customer's full names and surnames. Obliged entities shall identify ask the customer to provide at least the those names that feature on their the relevant person’sidentity document, passport or equivalent".

Transliteration / transcription

The names of natural persons may be written in non-Latin scripts in their original form. Western languages often differ in how they transcribe identical names originally written in non-Latin scripts (consider the various spellings of Mohammed/Muhammad, or the use of Latinised Pinyin script etc.). Individuals from diverse backgrounds may hold documents issued by different EU Member States, in different EU languages, with different transliteration choices made in each.

Where names originally written in non-Latin scripts have been transliterated in different ways, we request that the RTS clarify that obliged entities may take a risk-based decision as to the probability that the documents in question refer to the individual presenting them.

We also request that the RTS clarify whether screening in different scripts can occur, in accordance with the risk-based approach.

With regard to consistency in the use of terms in the draft RTS – we note that Recital 3 draft RTS refers to the ‘transcription’ of names, which we interpret to be broad in scope, and that Article 29 draft RTS refers to the ‘transliteration’ of names, which we interpret to refer to the conversion of text from one script to another. If particular nuances are intended by the use of these separate terms, we request that the EBA clarify these in the RTS. If no nuance is intended, we request that one term be used consistently.

Use of official registers / constitutional documents

For legal entities, the identification and verification process should rely on official commercial registries, or equivalents. Since commercial names are not always included in these registries, the scope of identification should be limited to data points available in official registers.

A company’s constitutional documents (articles of incorporation, company constitution etc.), when drawn up in accordance with relevant law, should also be considered an adequate source to identify and verify a legal entity.

Commercial name – consistent use of terms

Article 1 (2) and Article 18 (1) (b) draft RTS refer to ‘commercial name’. Article 29 refers to ‘trade name’. If ‘trade name’ is intended to be synonymous with ‘commercial name’, we suggest that the RTS uses one term consistently.

We note that the Wolfsberg Payment Transparency Standards offer a definition of ‘trade name’ as ‘[t]he name a business uses for advertising and sales purposes that is different from its legal name. A trade name can also be referred to as a doing business as – DBA’.

We note that the Level 1 texts make no use of either ‘commercial name’ or ‘trade name’.

Availability of commercial name

Article 1 (2) draft RTS requires obliged entities to obtain the registered name, and where it differs, the commercial name. The commercial name may not always be available, and where it is available, may be written in varying ways. The RTS should recognise the potential (un)availability of the commercial name and be amended as follows:

Article 1(2) – ‘For legal entities, firms must obtain both the registered name, and where available , other alternate names, as applicable the commercial name where it differs from the registered name.’

Commercial name – applicability of requirements by analogy

We note that according to Article 18 draft RTS, the requirement to collect the commercial name shall also apply to other organisations (‘…for a legal entity and other organisations that have legal capacity under national law…). We assume that the requirements of Article 1 (2) draft RTS apply to these organisations by analogy. We would welcome confirmation of this assumption in the text of the final RTS.

Clarification of requirements relating to beneficial owners

A short note on scope - we have understood that EBA is bound by its mandate as set out within Article 28 AMLR when drafting the present RTS. However, since Article 28 (1) (a) AMLR clearly references Article 22 AMLR, including Article 22 (7) AMLR, we would assume that clarifications on the complete population of roles as outlined above should be within EBA’s mandate.

As per our earlier statement (‘clarity of targeted population’), the draft RTS is unclear on what requirements (if any) are to be met regarding the names of beneficial owners.

Article 22 (7) AMLR does not require obliged entities to collect copies of identity documents of the beneficial owners (lit a), but also allows them to take other ‘reasonable measures’, as laid down in lit (b).

In practice, obliged entities experience difficulties in obtaining copies of identification documents for beneficial owners. This is particularly the case in certain jurisdictions with strong privacy protections – which in other contexts usually includes the EU.

A general obligation to obtain identification documents from all beneficial owners would go significantly beyond international market practice, is unhelpful for EU competitiveness, and is unlikely to foster effective use of scarce AML resources. We therefore request that the RTS clarify that obliged entities are not required to collect copies of identity documents of beneficial owners and may instead take ‘reasonable measures’, as per the AMLR.

Summary of requests – Article 1

Ensure requirements are suitable for both wholesale and retail banking contexts.
Clarify whether Article 1 (1) RTS intentionally narrows the in-scope population compared to Article 22 (1) AMLR.
Confirm whether obligations in Articles 1–6 RTS apply to:
- persons purporting to act on behalf of the customer
- natural persons on whose behalf a transaction is conducted.
- trustees or equivalent, and beneficial owners.
Define ‘person purporting to act’ narrowly, as per our suggestions – limited to third parties acting via proxy or power of attorney. Exclude internal employees and signatories.
Clarify that ‘obtaining’ and ‘verifying’ are distinct steps. Permit verification with available documents only, as per relevant practice and document format in the relevant context.
Limit name collection to names on official ID documents. Amend Article 1 (1) RTS accordingly, as per our suggestions.
Allow risk-based approach for name transliteration/transcription. Clarify or unify terminology.
Accept official registers and constitutional documents for entity identification. Recognise commercial name may not always be available – amend RTS as per our suggestions.
Use consistent term (‘commercial name’ or ‘trade name’) throughout RTS.
Confirm ‘commercial name’ obligations apply to all organisations with legal capacity.
Clarify that ID documents for beneficial owners are not always required; ‘reasonable measures’ are sufficient under Article 22 (7) AMLR.

Article 2 – Information to be obtained in relation to addresses

Clarity of targeted population

Article 22 (1) AMLR requires that address information be obtained for the customer, any person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted. These groups are envisaged as being natural persons, legal entities, trustees of an express trust or equivalent, or other organisations that have legal capacity under national law. Article 22 (2) refers to obligations relating to beneficial owners as set out in Article 62 (1) AMLR.

The draft RTS however only makes reference to the AMLR’s categories of natural persons and legal entities. We request that the RTS clarify if the obligations set out here are intended also to apply to trustees of an express trust or equivalent, other organisations that have legal capacity under national law, and beneficial owners.

Potential focus on retail business – residential address requirements

The requirement to collect full residential addresses appears to be drafted from a retail perspective. It may not be necessary or appropriate for related parties in a wholesale context, where only the country of residence might suffice. The RTS should consider this distinction and provide flexibility accordingly.

Place of residence for representatives

The AMLR and draft RTS require the collection of the usual place of residence for natural persons purporting to act on behalf of the customer. As already outlined above, we strongly recommend that only third parties acting on behalf of the customer should be considered as persons purporting to act on behalf of the customer. Otherwise, in many cases, this individual is an employee of the client, and in any case, collecting their personal residence may not add value for risk mitigation. It may also expose that individual to increased personal risk, particularly in high-risk jurisdictions, and generally leads to an extensive collection of personal data which is not in line with data protection objectives. The RTS should clarify that the registered address of the legal entity client can be used in such scenarios.

Place of residence for UBOs / SMOs

A short note on scope – we have understood that EBA is bound by its mandate as set out within Article 28 AMLR when drafting the present RTS. However, since Article 28 (1) (a) AMLR clearly references Article 22 AMLR, including Article 22 (7) AMLR, we would assume that clarifications on the complete population of roles as outlined above should be within EBA’s mandate.

The specifications in the RTS are more prescriptive than the Level 1 text, which only requires (Article 22 (1) (a) point (iv) AMLR) obliged entities to obtain

‘the usual place of residence or, if there is no fixed residential address with legitimate residence in the Union, the postal address at which the natural person can be reached and, where available the tax identification number’.

The collection of the personal address of ultimate beneficial owners (UBOs) and senior managing officials (SMOs) is unlikely to advance the fight against money laundering and financial crime. Data which help to prevent such crime are those which identify the individuals who may benefit from a transaction. Such identification of relevant individuals is clearly possible without obtaining their full personal residential address. More concerningly, full residential information for UBOs and SMOs are sensitive data points for corporate customers, in particular in jurisdictions with heightened kidnap or blackmail risk (such as Mexico).

The sharing of certain details regarding the place of residence – particularly the street name – would increase the personal risk (e.g., kidnap risk, risk of other violence against the person) faced by certain UBOs and SMOs to an unacceptable level, in particular in high-risk jurisdictions. In these cases, these individuals may prefer that their firms decline to enter into a business relationship, rather than provide the details requested. This would not be an efficient outcome and would transfer commercial activity which would otherwise take place in Europe (with associated benefits for EU prosperity and growth) to other major financial markets which do not request this level of personal data.

For screening purposes it should be sufficient to obtain the country of residence and – only to the extent where available when taking reasonable risk-based measures – the name of the city. Further investigations could be restricted to hits (i.e., the results of searches) where further data are required to assess the hit.

Suggested amendment

As a general principle, address information should be sufficient to identify clearly the location of the party/parties for sanctions screening and AML/CTF monitoring. We note that the AMLR requires obliged entities to obtain the ‘place’ of residence. This need not be as specific as the draft RTS currently suggests – and need not include ‘city’ in all circumstances. In situations where the provision of ‘city’ could pose security risks to the individuals concerned, or in jurisdictions of such a size as to render the inclusion of ‘city’ irrelevant (small island states such as Bermuda, or microstates such as Monaco, where the jurisdiction itself is simply one single settlement) then ‘city’ should not be required. Obliged entities should retain the ability to judge what is required to ascertain the ‘place’ of residence, in keeping with the risk-based approach.

We hope the EBA accepts the rationale set out here. If, however, the preceding point is not accepted, we then suggest amending Article 2 draft RTS at least to read as follows:

The information on the address as referred to in Article 22(1) (a) point (iv) and 22(1) (b) point (ii) of Regulation (EU) 2024/1624 shall consist of the following information: the full country name or the abbreviation in accordance with the International Standard for country codes (ISO 3166) (alpha-2 or alpha-3), city, and where available other aspects of the address in accordance with the resident country conventions such as postal code, city, street name, and where available building number, building name and the apartment number.

Summary of Requests – Article 2

Clarify whether address requirements apply to trustees, other legal organisations, and beneficial owners.
Ensure requirements are suitable for wholesale – avoid retail-style address expectations. Country of residence should often suffice.
Representatives – limit ‘persons purporting to act’ to third parties. Don’t require employees’ personal addresses – use the client’s registered address instead.
UBOs/SMOs – avoid going beyond AMLR. Full residential details offer limited AML value and raise serious security risks in high-risk jurisdictions.
Proportionality – adopt a risk-based approach. City or street details should only be required if relevant and safe. ‘Place’ need not necessarily mean ‘city’. Let firms assess what is appropriate.
Secondary option – if certain preceding points are not accepted, amend text as per our suggestions.

Article 3 – Specification on the provision of the place of birth

Clarity of targeted population

Variability in identification documents

Passports and identification documents vary in the data points they provide. The RTS should provide flexibility around specific data points such as place, city, and country of birth. This flexibility is important to address sanctions and screening risks without creating an additional burden for collecting data points that may not be present on certain countries' documents.

Carve-out for city of birth

The specifications in the draft RTS are more prescriptive than the AMLR which only requires ‘place’ of birth. The co-legislators did not specify the extent to which the ‘place’ should be defined – and did not suggest the level of precision implied by ‘city’.

Given that some passports and identity documents may not provide such detail, we suggest that the RTS require

the collection of city of birth only where available on the ID document, noting that there is no requirement to collect ID documents for UBOs, or
whatever is standard in the relevant country (e.g., US passports contain State rather than city).

Either of these approaches would ensure that the requirement will be practical and reasonable.

Notwithstanding the suggestions above, if the choice is made to require city as well as country name to be identified for a natural person customer, there should nevertheless be alleviated requirements for UBOs and SMOs. Requiring such data from these classes of persons would be disproportionate, intrusive, and would go above and beyond requirements set by the co-legislators.

Change of name of cities / states which cease to exist

The names of cities and states occasionally change – and so do international borders between them. Most obliged entities could recognise that a reference in a document to ‘Leningrad, Soviet Union’ should be regarded as referring to the same place later known as ‘Saint Petersburg, Russian Federation’. The journey of Chemnitz to Karl-Marx-Stadt and back to Chemnitz may however be less well known, and some situations – particularly where border changes are disputed – may be emotive.

We request that the RTS recognise that the names of cities and states (and in the case of the latter, their ongoing existence) may evolve over time, and permit obliged entities to use open-source information to verify such changes and take risk-based decisions on the location information presented to them.

We also request that the RTS clarify that obliged entities may rely on naming conventions provided on official documents submitted to them for the purpose of identification and verification of customers and related parties.

Summary of Requests – Article 3

Clarify scope – confirm if place-of-birth requirements also apply to trustees, other legal organisations, and beneficial owners.
Document-driven flexibility – allow for variation in ID formats – not all include city or even country of birth.
City of birth – require only if listed on the ID, or accept standard national formats (e.g. US state-level). Avoid applying this to UBOs/SMOs – it is disproportionate and goes beyond AMLR.
Evolving geography and politics – allow firms to interpret place names based on official documents and open-source info, especially where names or borders have changed.

Article 4 – Specification on nationalities

Clarity of targeted population

Article 22 (1) AMLR refers to the ‘customer, any person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted’. Article 4 draft RTS cites Article 22 (1) (a) point (iii) AMLR, but then refers only to ‘customers’.

We request that the RTS clarify if Article 4 is intended to apply to the other classes of persons cited by Article 22 (1) AMLR, and to beneficial owners.

Ability to rely on declarations made by the relevant individual

There is no central record to verify nationalities which may or may not be held by an individual. As such, obliged entities must rely on declarations made by the individual.

The draft RTS requires obliged entities to ‘obtain necessary information to satisfy themselves that they know of any other nationalities their customers may hold’. Given the limitations to verify nationalities, we understand the RTS to imply that obliged entities will not be held to account for not discovering any additional nationalities held by an individual, where such are not disclosed by the individual, and in the absence of any other source to verify the existence of such possible additional nationalities.

We request that the RTS confirm that sourcing nationality information from the relevant individual, and verifying that information with one data source provided by the individual, should be deemed to fulfil the requirement to verify the nationality(-ies) of that individual, unless – in accordance with the risk-based approach – the obliged entity has reasons to doubt the completeness or correctness of information provided by the individual.

Summary of Requests – Article 4

Clarify scope – confirm whether Article 4 applies only to ‘customers’ or also to other persons, as suggested by the AMLR.
Reliance on declarations – confirm that nationality information provided by the individual, verified against one data source, satisfies the verification requirement – unless there is a risk-based reason to doubt it.

Article 5 – Documents for the verification of the identity

Clarity of targeted population

Article 22 (6) AMLR refers to the customer and to any person purporting to act on their behalf. Article 22 (7) AMLR refers to the beneficial owner and, where relevant, the persons on whose behalf or for the benefit of whom a transaction or activity is being carried out.

Article 5 (1) draft RTS refers to ‘the person’ and ‘natural persons’. Article 5 (2) draft RTS refers to ‘the customer’. Article 5 (3) draft RTS refers to ‘the person pursuant to Article 22(6) (a) and Article 22(7) (a) [AMLR]’. Article 5 (5) draft RTS refers to ‘the person referred to in Article 22 (6) [AMLR]’.

We request that the draft RTS clarify whether

the reference to ‘the customer’ in paragraph 2 is intended to cover all other natural person roles covered by Article 22 (6) and (7) AMLR
the reference to ‘the person’ in paragraph 3 is intended to cover both natural and legal persons, and therefore encompasses all legal persons pursuant to Article 22 (1) (a), (b) and (c) AMLR
the reference to ‘the person referred to in Article 22 (6) [AMLR]’ in paragraph 5 includes the various relevant roles a natural person may have, which may include that of a beneficial owner or a natural person on whose behalf a transaction or activity is conducted, due to the reference in Article 22 (7) AMLR to Article 22 (6) AMLR.

Prescriptive nature of conditions for document equivalency

The requirements set out in Article 5 (1) draft RTS are very prescriptive and would significantly limit the verification possibilities available to obliged entities to verify the identity of natural persons. The list aims to clarify what an equivalent document to an identity document or passport should be, but by doing so it sets the standard higher than what currently is deemed an identity document (including by public authorities, and which currently works well) in EU jurisdictions.

In certain countries, driver’s licences – or a birth certificate for a minor – are accepted as an identity document, but these documents do not generally contain the nationality of the holder. Driver’s licences also rarely contain details on the place of birth. Driver’s licences and other documents currently used effectively for identification purposes may or may not contain ‘a machine-readable zone’ and ‘security features’ (which we note are not defined in this Article, or elsewhere in the draft RTS). Such documents also may or may not contain ‘all names and surnames’ an individual may use, noting that cultural practice around naming conventions on additional ancestral, religious, customary and marital names varies around the world (see our comments on names and associated requirements in our response to Article 1).

The requirement for a document to contain ‘biometric data’ is also problematic. It is unclear whether all identity documents from jurisdictions outside of the EU would or should contain this data – and in the absence of a central registry, it is equally unclear how obliged entities would be expected to verify this. Obliged entities do not have the computer hardware to read biometric data stored in microchips embedded within identification documents – and if such were available, the legal basis which would permit such reading is unclear. We recognise the qualification provided by the EBA via the inclusion of ‘where available’, but suggest nevertheless that this criterion be deleted.

It would not assist the fight against financial crime for longstanding and well-functioning practice in accepting and using documents to verify the identity of natural persons (including by public authorities, for public purposes) to be disrupted. We therefore recommend that longstanding use of these documents be permitted to continue – and so request that Article 5 (1) be amended as follows:

For the purposes of verifying the identity of the person in accordance with Article 22(6) (a) and Article 22(7)(a) of Regulation (EU) 2024/1624 a document, in the case of natural persons, shall be considered to be equivalent to an identity document or passport where all of the following conditions are met:
it is issued by a state or public authority,
it contains the legal name (first and surname) at least all names and surnames, and the holder’s date and place of birth and their nationality,
it contains information on the period of validity and a document number,
it contains a facial image and the signature of the document holder,
it contains a machine-readable zone,
it contains security features and,
it contains, where available, biometric data

Clarity regarding ‘legitimate reason’ and of ‘state or public authority’

Article 5 (2) draft RTS speaks of ‘situations where the customer cannot provide a document that meets the requirements in paragraph 1 of this article for [a] legitimate reason…’. It is not clear what a ‘legitimate reason’ for such a situation might be. Is this intended to encompass cases where the passport or identity document equivalent does not include all conditions listed in paragraph 1 (a to g)? Or is it intended to be limited to cases of asylum seekers or persons in similar situations, as the example given in Recital 7 draft RTS may suggest? We request that the RTS clarify the intended meaning of this phrase.

We also request clarification of the scope of the provision which states that ‘a state or public authority’ may provide a document that is equivalent to an identity document or passport. Is this intended to refer only to national level entities, or are sub-national authorities also in scope?

Inappropriate narrowing of scope through ‘legitimate reason’

We consider the use of ‘legitimate reason’ in Article 5 (2) draft RTS to inappropriately narrow the scope of when an obliged entity may accept a document issued by a state or public authority. Under the current draft, an obliged entity may only accept an alternative document under paragraph 2 if the customer is unable to provide one meeting the criteria in paragraph 1 for a ‘legitimate reason’.

There is however no clear reason for this. Notwithstanding the lack of clarity as to what would constitute a ‘legitimate reason’, as noted above, a document which has been issued by a state or public authority and which is sufficient for the purposes of the state – establishing civil status, gaining employment, paying taxes, participating in legal proceedings, receiving state payments, starting a business and so on – should be sufficient for the purposes of the private sector.

It is not appropriate to hold the private sector to a higher standard than the public sector. If a public authority has issued a valid identity document – whether or not a ‘legitimatereason’ is present – that should be sufficient and acceptable for the private sector.

Obligation to take reasonable steps to ensure authenticity

Article 5 (3) draft RTS requires obliged entities to take ‘reasonable steps’ to ensure that documents are authentic and have not been forged or tampered with. There is no known source of expertise or central register to verify every possible document issued by every possible global public authority. In the absence of such, we request that the EBA clarify what would constitute obliged entities taking ‘reasonable steps’, as used in this context.

Potential recourse to certified translation – ability to understand / translate in-house

We understand Article 5 (4) draft RTS to require a certified translation of an identity document only in those situations ‘when deemed necessary’ by the obliged entity – i.e., it should only be required if the mandatory content of the information in Article 5 cannot be understood through other measures (e.g. internal translation by the obliged entity). We request that the RTS confirm that obliged entities can rely on other (including internal) measures.

Acceptability of simple copy vs. certified copy

Article 5 (5) draft RTS states that obliged entities must see an original identity document, passport or equivalent, or a certified copy thereof, or must verify in accordance with Article 6.

The reference to ‘certified copy’ is not included in Article 22 (6) AMLR. It is unclear whether obliged entities can accept simple copies if verified through other sources, in keeping with the risk-based approach, or if only certified copies are deemed acceptable for verification of identity. We request that the EBA clarify if simple copies can be used for this purpose.

Acceptability of certified copy provided by client vs. received from notary / qualified lawyer

If a certified copy is required, it is unclear whether obliged entities may accept (in a non-face-to-face context) a certified copy directly from the relevant person, or if the certified copy must be received directly from the relevant notary / qualified lawyer. We request clarification from the EBA and suggest that – in the absence of any other risk indicators – the former is pragmatic, resource-efficient, and sensible.

In this context, we also want to bring to the EBA’s attention that it is common practice, especially in the US, that certified copies are often produced by company secretaries – i.e. not necessarily by a qualified lawyer or notary. We would welcome a clarification that these copies, in line with the current practice, are deemed certified. If not, this potentially could result in a significant competitive disadvantage for entities operating in the EU.

Summary of Requests – Article 5

Clarify scope of ‘customer’, ‘the person’, and ‘the person referred to in Article 22(6) [AMLR]’.
Document equivalency conditions – amend overly prescriptive requirements in Article 5 (1) as per our suggestions.
Clarify what constitutes a ‘legitimate reason’ under Article 5 (2) and whether sub-national authorities qualify as a ‘state or public authority’.
Remove the ‘legitimate reason’ threshold and allow obliged entities to rely on any official identity document issued by a public authority.
Clarify what ‘reasonable steps’ means for verifying authenticity of identity documents in the absence of a global register.
Confirm that certified translations are only required where deemed necessary by the obliged entity and that internal translation measures are acceptable.
Certified vs. simple copies – confirm that simple copies of ID documents may be accepted where verified via other sources under a risk-based approach.
Source of certified copies – confirm that certified copies can be accepted from clients or must be received directly from the certifying party. Recommend allowing receipt from the client in non-face-to-face contexts and recognition of company secretaries (especially in US) as certifying parties.

Article 6 – Verification of the customer in a non face-to-face context

[see our response to Question 2]

Article 7 – Reliable and independent sources of information

Requirement to assess the reputation, official status and independence of the source

We note that Article 7 draft RTS requires obliged entities to assess ‘the reputation, official status and independence of the information source’.

It is not clear how an obliged entity is to assess reputation, official status or independence, or how an entity could document this to provide evidence of appropriate completion to a supervisory authority. We consider that obliged entities should decide for themselves what measures they take, in line with the risk-based approach. We therefore request that it be deleted from the Article, and greater emphasis placed on simply ‘risk-sensitive measures’ to make clear that obliged entities are expected to use their judgment, in accordance with the risk-based approach.

Definition of ‘up-to-date’

Article 7 draft RTS requires obliged entities to assess the extent to which information is ‘up-to-date’. There is no consistent practice across EU Member States regarding the acceptable age or ‘up-to-datedness’ of legal entity data and supporting documentation used for KYC reviews. This includes both the duration of the acceptable age and the starting point for determining ‘up-to-datedness’.

In practice, the meaning of ‘up-to-date’ can vary by documentary requirement across natural persons and body corporates. Leaving the term open-ended permits firms to adopt their policy in a flexible and risk-based manner. But in the absence of a clear definition, auditors and supervisors may interpret this as requiring confirmation of real time accuracy, or default to ‘latest available’. If this were to happen, many documents currently used for this purpose simply could not be used on their own any more (like annual reports), even in low risk SDD scenarios, without additional customer confirmation or verification by other means through further documents.

We therefore request that the RTS confirm that obliged entities may take a flexible, risk-based approach to evaluating whether a document is ‘up-to-date’.

Assessment of potential risk of forging

Obliged entities will in practice usually not have sufficient information from KYC data providers or adverse media providers to assess ‘the ease with which the identity information or data provided can be forged’. In the absence of such information, it is unclear how obliged entities could perform such assessments. We therefore request that the RTS set out how obliged entities should perform such an assessment – or simply, that the requirement be removed.

Summary of Requests – Article 7

Assessment of sources – delete requirement to assess source reputation, status, and independence; permit reliance on risk-based judgment instead.
Definition of ‘up-to-date’ – permit flexible, risk-based approach to what qualifies as up-to-date.
Forgery risk – request deletion or clearer guidance on assessing forgery risk, as obliged entities often lack necessary information.

Article 8 – Identification and verification of the identity of the natural or legal persons using a virtual IBAN

[see our response to Question 3 – a bespoke question on virtual IBANs]

Article 9 – Reasonable measures for the verification of the beneficial owner

Certification by independent professionals

Certification of identity by an independent professional should only be required for documents originating in certain high-risk jurisdictions. For other risk classes, such certification should only be necessary in case of reasonable doubts about the authenticity of the document deriving from indications that the document could have been forged.

Such an approach would be excessively burdensome and would have a negative impact on the competitiveness of EU financial institutions, due to the additional cost and burden of certifications on the side of the customer.

We therefore request that the requirement to provide certified copies be restricted to

situations where reasonable doubt about the authenticity of the document exists deriving from indications that the document could have been forged (irrespective of the customer risk), and
in cases of EDD, but only if the document had been set up or signed by one of the parties in a high-risk country as listed under Regulation 2016/1675.

We request that the draft RTS be amended to make clear that if an obliged entity has direct access to a public register, information taken from that register shall be deemed as an official copy coming from the applicable register.

Clarification of legal base for information sharing

We note the statement in Article 9 draft RTS that ‘reasonable measures’ may include

‘…up-to-date information from credit or financial institutions as defined in Article 3(1) and (2) of Regulation (EU) 2024/1624, which confirm that the beneficial owner has been identified and verified by the respective institution’.

We welcome the possibility for credit and financial institutions to be able to share beneficial owner KYC information to avoid unnecessary duplication. We understand that Article 22 (7) (b) AMLR and Article 9 draft RTS provide a clear basis for such data sharing in the absence of any suspicious ML/TF activity. We request that the RTS confirm this understanding.

Summary of Requests – Article 9

Certified documents – limit certification by independent professionals to high-risk cases or where forgery is suspected; confirm that direct access to public registers counts as reliable evidence.
Information sharing – confirmation that RTS and AMLR provide a legal basis for KYC data sharing between financial institutions in non-suspicious cases.

Article 10 – Understanding the ownership and control structure of the customer

Challenges for wholesale business – departure from the risk-based approach

For wholesale clients, many of whom are well-known listed or regulated entities, the detailed approach to assessing ownership and control structures set out in the draft RTS is likely to create significant administrative and operational burdens. The requirement as currently drafted may lead to missing genuine risks if the focus is on exhaustive ownership structure analysis, rather than on undertaking a more proportionate, targeted and risk-based assessment.

Article 20 (1) (b) AMLR sets the taking of ‘reasonable measures’ as the starting point for the obliged entity to satisfy itself that it understands the ownership and control structure of the customer. The approach set out in the RTS goes however significantly beyond the AMLR text and introduces the requirement to obtain specific information, which may not in all cases be required or appropriate for understanding the customer’s ownership structure.

We request that the RTS consider the wholesale customer base and provide flexibility regarding the situations when assessment of all ownership layers is to be required. The level of such assessment should vary according to the customer type, customer risk, sector, and potential status as a regulated or listed entity.

Clarification of ‘a reference’

Article 10 (1) (a) draft RTS requires obliged entities to obtain ‘a reference to all the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their beneficial owners…’. It is not clear what is meant by ‘a reference’ in this context. The term is not used elsewhere in the draft RTS. If it is intended that obliged entities shall collect the names of the legal entities and/or legal arrangements cited, we request that the word ‘name’ be used.

Scope of identifying intermediary layers

Article 10 (1) (a) draft RTS requires obliged entities to reference all the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their beneficial owners, if any. We consider this to be excessive and not in line with the risk-based approach.

We request instead that the focus should be on intermediary layers that are relevant for the determination of the beneficial owner – that is to say, layers which own or control a substantive share (with obliged entities to take a view on what should constitute substantive based on the facts of the situation at hand) – and that the identification of intermediaries should apply to higher risk customers, thus reducing the administrative burden for lower risk scenarios.

Nominee shareholder guidance

We recognise that if nominees are reasonably identified as part of CDD, then appropriate action is required. The existence of nominee shareholders is, however, not always apparent. We therefore request that the RTS clarify whether firms are expected to proactively inquire about potential nominee arrangements. If this is not expected, we request that the draft RTS be amended to refer to ‘any known nominee shareholders’.

Information on the regulated market

In cases where a legal entity in an intermediate level of the ownership and control structure has its securities listed on a regulated market, Article 10 (1) (c) draft RTS requires obliged entities to obtain information on the regulated market on which the securities are listed.

It is not clear what risk management outcome the EBA is looking to achieve by requiring obliged entities to gather this information. Noting that the relief for listed entities has been removed from the regime, we do not understand the risk mitigation that is expected to be derived by obtaining this information

For most customers, such a requirement then would not add benefit proportionate to the cost imposed. We suggest that information on the regulated market should only be required if the fact that a customer is listed on such a regulated market is used as the basis for assessing the customer as low risk.

Regulated market exemption

The absence of a regulated market exemption in the article, despite its mention in intermediary layers analysis, raises questions about whether there is an implied level of comfort for entities listed on a regulated market. We suggest that re-introducing a UBO exemption for customers listed (and their controlled and consolidated subsidiaries) on appropriately regulated markets subject to robust transparency requirements is likely to proportionately reduce operational burdens and would be in keeping with the risk-based approach, whilst also being globally aligned. The removal of this exemption is non-risk-based regulatory divergence in its current form.

Beneficial ownership reporting

It is not clear from the draft RTS what is to be considered in beneficial ownership reporting. We request that the RTS clarify acceptable information that an obliged entity can obtain to satisfy this requirement

Plausibility assessment

Article 10 (2) draft RTS requires obliged entities to assess whether the information included in the description is ‘plausible’.

In any clarification of how the ‘plausibility’ of such information should be assessed (which may be provided by the final text of the RTS, or in future guidance), we request that obliged entities retain the ability to apply a risk-based approach and not be forced to follow a rules-based alternative.

It would be an error to imagine that the extent of all such situations which may arise can be anticipated, and appropriate rules written, ex ante. It would be better to permit obliged entities to tailor their assessment to the facts of the situation at hand, in accordance with the risk-based approach.

Obligation to assess the economic rationale behind the structure

Article 10 (2) draft RTS requires obliged entities to assess the economic rationale behind the structure presented by a customer. We do not consider it appropriate – or feasible – to require obliged entities to perform such an assessment. We also note the wording in Article 20 (1) (b) AMLR which requires simply ‘understanding’ the ownership and control structure. Assessing the economic rationale and performing a plausibility check (see above) go significantly beyond having an understanding of the control structure.

There are many reasons a customer (or other legal entity) may choose to structure itself as it does. The choice of structure will often arise from internal information known only to the customer (or other legal entity) itself. It should not be expected for obliged entities to understand – or even to infer – the economic rationale behind the structure, as such an understanding (or inference) would require knowledge of internal information of the customer (such as tax implications or political and market considerations relevant to particular jurisdictions) which the customer is not obliged and would not expect to disclose.

We recommend that the obligation to assess whether ‘there is economic rationale behind the structure’ be deleted and replaced with an obligation to assess whether a structure might have been set up only in order to avoid or reduce the transparency of beneficial ownership with no other likely or possible legitimate justification. As with the plausibility assessment, this would be triggered by the facts of the situation and in accordance with the risk-based approach.

Little differentiation between requirements of Articles 10 and 11

Article 10 draft RTS sets requirements to build understanding of the ownership and control structure of the customer in standard cases. Article 11 sets requirements to build understanding in complex cases. The sole additional provision for higher risk entities as set out in Article 11 (2) draft RTS is that an organigram must be obtained. The level of information which obliged entities must obtain for standard and complex cases is therefore essentially the same at both levels. This is not in keeping with the risk-based approach, and suggests the requirements set out in Article 10 for standard cases are excessive.

Suggested amendments

We suggest that the text of this Article be redrafted to focus on understanding the ownership and control structure of customers, particularly in complex and higher-risk situations, as follows:

For the purposes of understanding the ownership and control structure of the customer in accordance with Article 20(1) (b) of Regulation (EU) 2024/1624, where the customer's structure appears unusually or excessively complex given the nature of the customer’s business, and may pose a higher risk of ML/TF and in situations where the customer’s ownership and control structure contains more than one legal entity or legal arrangement, obliged entities shall take reasonable measures to obtain where necessary the following information:

a. a reference to all the names of the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their beneficial owners that are relevant for the determination of the beneficial owner and which own or control a substantive share of the customer structure, if any;

b. with respect to each legal entity or legal arrangement within the referred intermediary connections, the legal form of each legal entity or legal arrangement, and reference to the existence of any known nominee shareholders; the jurisdiction of incorporation or registration of the legal person or legal arrangement, or, in the case of a trust, the jurisdiction of its governing law and; where applicable, the shares of interest held by each legal entity or legal arrangement, its sub-division, by class or type of shares and/or voting rights expressed as a percentage of the respective total, where beneficial ownership is determined on the basis of control, understanding how this is expressed and exercised.

c. information on the regulated market on which the securities are listed, in case a legal entity in an intermediate level of the ownership and control structure has its securities listed on a regulated market, and the extent of the listing if not all the legal entity’s securities are listed on a regulated market’.

If the suggested deletion of (c) set out above is not accepted, then we suggest at least reducing the scope of the requirement to the ultimate parent, as follows:

c. information on the regulated market on which the securities of the ultimate parent are listed, in case the ultimate parent a legal entity in an intermediate level of the ownership and control structure has its securities listed on a regulated market, and the extent of the listing if not all the ultimate parent legal entity’s securities are listed on a regulated market’.

2. Where warranted by the facts of the situation at hand, obliged entities shall assess whether the information included in the description, as referred to in Article 62(1)d of Regulation (EU) 2024/1624, is plausible, there is economic rationale behind the structure, and it explains how the overall structure affects the ML/TF risk associated with the customer whether a structure might have been set up only in order to avoid or reduce the transparency of beneficial ownership, with no other likely or possible legitimate justification apparent.

Summary of Requests – Article 10

Wholesale context – permit flexibility for when assessment of all ownership layers is required; suggest risk-based, proportionate ownership assessments in keeping with Level 1 ‘reasonable measures’, rather than exhaustive checks.
Clarify ‘reference’ – depending on intended meaning, request use of ‘name’ to avoid ambiguity.
Intermediary layers – limit identification of intermediary entities to those relevant to beneficial ownership, and only for higher-risk cases.
Nominee shareholders – clarify that firms are only expected to act on known nominee arrangements, not proactively investigate; amend text as per our suggestion.
Regulated markets – remove or limit the requirement to gather regulated market information, unless it is used to justify low-risk status.
Reintroduce exemption –reinstate UBO exemption for listed entities and their subsidiaries on transparent regulated markets.
Clarify beneficial ownership reporting – clarify what satisfies the obligation to report beneficial ownership.
Plausibility assessment – permit plausibility checks to be risk-based and not overly prescriptive.
Economic rationale – delete requirement to assess economic rationale; propose a risk-based assessment only where structures reduce transparency with no apparent legitimate justification.
Overlap with Article 11 – note duplication between Articles 10 and 11; request Article 10 requirements to be reduced to focus on standard cases, and Article 11 on complex/high-risk ones.
Suggested amendments – amend text as per our suggestions.

Article 11 – Understanding the ownership and control structure of the customer in case of complex structures

Overly broad definition of ‘complex structure’ – request for industry to determine complexity

The definition of a complex structure as one which has ‘two or more layers’– even when qualified by the conditions set out in Article 11 (1) draft RTS – is too broad.

In a wholesale context, it is possible that almost all ownership structures could be classified as ‘complex’ under the criteria as set out, noting that multinational companies and large financial entities typically have multiple layers of ownership. To classify all such structures as ‘complex’ would not be aligned with the risk-based approach and would require the obtaining of detailed and potentially certified ownership structure charts – a significant administrative burden – for almost all clients, for little benefit.

In the first instance, we request that the assessment criteria be removed, and the responsibility placed upon obliged entities to determine the complexity of the structures they encounter. This would allow obliged entities to apply specialist knowledge and experience to identify (and allocate resources to) cases which involve genuinely higher risk structures. This would be in keeping with the risk-based approach and allow the most efficient use of resources, the better to advance the fight against financial crime.

If this request should not be accepted, we then request that the definition of ‘complex structure’ be tailored to genuinely higher risk scenarios, rather than applying (as in the present draft) broadly to large institutions. We make drafting suggestions below to this end. This approach would allow better use of resources and ensure that the focus is on genuinely complex and high-risk structures.

Removal of ‘legal arrangement’ condition

We do not consider that the condition set out in Article 11 (1) (a) draft RTS – that of having a ‘legal arrangement’ in any of the layers – to be an appropriate signifier of complexity. Legal arrangements are common in ownership structures – particularly in wholesale contexts. We therefore suggest that this condition be amended to take account of the reality of wholesale business, or simply removed.

Clarity on ownership structure assessment / organigrams

We request that the RTS clarify how obliged entities may ensure that an organigram provides a comprehensive understanding of the ownership and control structure, including effective assessment and validation measures.

Allowing banks to draft organisational charts based on client-provided information, with client attestation, or on reliable public information, could address the practical challenges of obtaining organisational charts directly from clients. This approach would streamline the process while ensuring accuracy and would be in keeping with the risk-based approach.

Suggested amendments

We note the very constructive discussion that AFME and AFME members had with EBA colleagues on 31 March 2025. In that discussion, the EBA stated that it would be open to proposals for entirely new text for Article 11.

With that in mind, we propose text for an entirely new Article 11. This would require obliged entities to define, within their specific context, the criteria for what constitutes a complex ownership and control structure. This reads:

Article 11 – Understanding the ownership and control structure of the customer in case of complex structures

To understand the complexity level of the ownership and control structure of the customer in accordance with Article 20(1)(b) of Regulation (EU) 2024/1624, obliged entities shall establish adequate policies and procedures specifying the criteria that make ownership and control structures complex for the business relationships for which the obliged entity provides products and services.

These procedures shall establish:

the number of layers between the customer and the beneficial owner that may be an indicator of complex ownership structure
the high-risk third countries in which these entities are incorporated or domiciled, if any
indications of non-transparent ownership with no legitimate economic rationale or justification and
the presence of known nominee shareholders and / or directors that are involved in the structure.

Summary of Requests – Article 11

Overly broad definition of complex structure – delete requirement and permit obliged entities to take risk-based approach, or amend as per our suggestions.
Legal arrangements – not an indicator of complexity in wholesale structures – amend to take account wholesale realities, or remove.
Organigrams – permit obliged entities to compile and validate ownership charts using public or client-attested information.
New drafting – as invited by EBA, we propose text for a new Article 11 to allow firms to define complexity based on firm-established policies, procedures and risk factors.

Article 12 – Information on senior managing officials

Clear definition of ‘senior managing officials’

We request that the RTS provide a clear definition of SMOs and their powers. This is particularly important for application in a wholesale environment, where roles and responsibilities vary greatly across the sector.

We note that in the public hearing the EBA held on 10 April 2025, there was a suggestion that SMOs could be defined in accordance with Article 63 AMLR. This would suggest that ‘senior managing officials’ would include executive members of the management body, as well as the natural persons who exercise executive functions within a legal entity and are responsible and accountable to the management body for the day-to-day management of the entity.

Such an interpretation would capture in some instances a very large number of natural persons and would be very burdensome for obliged entities to implement. This would not be in keeping with the risk-based approach or the proportionality principle and would not further efforts to prevent and detect financial crime. On the contrary – by requiring the use of resources for largely unnecessary and unhelpful work, it would likely reduce the efficacy of wider financial crime risk mitigation efforts.

We therefore request a more targeted interpretation, consistent with the risk-based approach, that limits the scope of the definition to individuals who exercise actual executive power. This would help ensure that resources are allocated efficiently and effectively in the fight against financial crime.

Distinction between senior managing officials and beneficial owners

The roles and responsibilities of SMOs differ significantly from those of natural person economic beneficial owners. SMOs manage the legal entity, but do not personally own or control it. Article 12 of the draft RTS does not however recognise this distinction, requiring obliged entities to ‘collect the same information as for beneficial owners’ pursuant to Article 22 (2) AMLR.

Given the disparity in roles, responsibilities, benefits and degree of control, this is disproportionate. We request that the data elements to be collected for SMOs be tailored to the extent that they may exercise control over the entity, in keeping with the risk-based approach.

Requirement to collect identification documentation and personal address

We do not consider that obliged entities should be required to collect an identification document for SMOs – noting that SMOs would in many cases be unwilling to provide such personal data, and the risk of tipping off the customer to the existence of concerns that such a request would entail.

We consider that the registered address of the legal entity should be deemed as the residential address of its SMOs, where such addresses are to be recorded. We also note the potential personal risk provision of such information could have for the SMO (e.g., kidnap risk – please see our earlier remarks relating to Article 2 draft RTS noting this point for both UBOs and SMOs).

Summary of Requests – Article 12

Definition of SMOs – provide a clear, risk-based definition limited to individuals who exercise actual executive power.
SMOs vs UBOs – differentiate requirements for SMOs from beneficial owners and avoid requiring same data set for both, given differing roles and risks.
ID and address requirements –remove obligation to collect ID documents and home addresses from SMOs; use entity’s registered address instead (privacy and safety concerns).

Article 13 – Identification and verification of beneficiaries of trusts and similar legal entities or arrangements

Clarification on scope of AMLR in relation to trusts

It is unclear whether the AMLR refers to trusts as direct customers or trusts in the ownership structure. We therefore request that the RTS clarify the scope of the AMLR in relation to trusts. We suggest that the focus should be on trusts as direct customers, as applying requirements to ownership structures would be significant and challenging to implement.

Limited applicability of beneficiary information

We request that Article 13 (1) draft RTS be amended to clarify that Article 22 (4) AMLR requires the collection of sufficient information to establish the identity of beneficiaries only when they are designated by particular characteristics or class, and not in all circumstances. This limits the applicability to specific cases and is in keeping with the risk-based approach.

Documentation for Article 13 (1) (b)

Article 13 (1) (b) draft RTS cites ‘…relevant documents to enable the obliged entity to establish that the description is correct and up-to-date’.

It is unclear what documents would satisfy Article 13 (1) (b). While an updated trust deed may contain beneficiary information, it may not always be available. In most instances, obliged entities would rely on trustees to attest that the documentation is correct and up-to-date.

We request therefore that the RTS allow obliged entities to complete verification using reasonable measures. This would permit obliged entities to tailor their verification processes to the facts of the situation at hand, the better to ensure appropriate verification is undertaken without pre-judging how best any particular description received may be verified.

Definition of ‘up-to-date’

Article 13 draft RTS requires obliged entities to assess the extent to which a description of the class of beneficiaries and its characteristics is ‘up-to-date’. There is no consistent practice across EU Member States regarding the acceptable age or ‘up-to-datedness’ of information provided and supporting documentation used for KYC reviews. This includes both the duration of the acceptable age and the starting point for determining ‘up-to-datedness’.

In keeping with our comments on other Articles, we request that the RTS specify that obliged entities may take a flexible and risk-based approach to what is to be regarded as ‘up-to-date’.

Measures to be taken for updates

Article 13 (2) draft RTS requires obliged entities to ‘take risk-sensitive measures to ensure that the trustee, the legal entity or the legal arrangement provide timely updates’. We request that the RTS provide examples of what would constitute such ‘risk-sensitive measures’ in order to ensure shared understanding between industry and supervisory authorities of how this requirement may be fulfilled.

Treatment of private foundations

Private foundations are customary legal forms used notably in Austria, Germany, Liechtenstein and Switzerland. We request that the RTS clarify if such foundations are intended to be treated as ‘trusts’ for the purpose of this Article.

Summary of Requests – Article 13

Clarify scope of AMLR in relation to trusts
Beneficiary identification – clarify identity information is only needed when beneficiaries are of particular class or characteristics.
Documentation for verification – permit flexibility to verify beneficiary descriptions using reasonable measures, including trustee attestations.
‘Up-to-date’ – permit a flexible, risk-based approach to assessing whether information is current.
Risk-sensitive measures – provide guidance as to acceptable measures.
Clarify whether private foundations to be treated as trusts.

Article 14 – Identification and verification of beneficiaries of discretionary trusts

Feedback to Article 13 also relevant to Article 14

Several points made in relation to Article 13 are also relevant to Article 14. We do not propose to repeat them in full. As a brief recap, they include

the need to clarify the scope of the AMLR in relation to trusts,
the intended treatment of private foundations,
the need to provide examples of ‘relevant documents’,
how firms should judge what is to be deemed ‘up-to-date’,
the measures to be taken for updates.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

Potential limiting of scope of Article 22 (6) AMLR

Article 22 (6) AMLR sets out two means for verification of the identity of the customer or any person purporting to act on their behalf. Only the second of these is ‘electronic identification means’.

Article 6 draft RTS cites Article 22 (6) AMLR but initially appears to limit the scope to only the second means set out in that Article (‘…obliged entities shall use electronic identification means…’).

The RTS should avoiding any suggestion of limiting the scope of the options set out by the co-legislators. We therefore request that the final RTS text be amended to make clear that both options set out in Article 22 6) AMLR are available. We suggest drafting such as:

Article 6 (1) draft RTS

‘To comply with the requirements of Article 22(6) of Regulation (EU) 2024/1624 in a non-face to face context, obliged entities shall apply specific and additional measures to compensate the potentially higher risk that this type of customer relationship presents, or may use electronic identification means, which meet the requirements of Regulation (EU) No 910/2014 with regard to the assurance levels ‘substantial’ or ‘high’, or relevant qualified trust services as set out in that Regulation’.

Clarity of targeted population

Article 22 (6) AMLR refers to ‘the customer and of any person purporting to act on their behalf’. Article 6 (3) draft RTS refers only to ‘the customer’.

If the scope of Article 6 (3) draft RTS is intended to match that of Article 22 (6) AMLR, or indeed is intended to cover additional roles that a natural person may have (including, notably, that of beneficial owner), we request that the text be amended to make this clear.

Possible focus on retail banking

The draft Article appears to have been written with predominantly retail banking scenarios in mind. We request that in finalising the Article – and others noted elsewhere in our response – that the characteristics and practices of wholesale banking scenarios also be considered.

Definition of ‘non face-to-face’

There is a need for clarity on what constitutes a non-face-to-face interaction. Historically, interpretations have varied – particularly in the wholesale context. For example, meeting a customer representative at a site visit may be considered ‘face-to-face’, even if the ultimate beneficial owner is not met. Clear definitions are crucial, especially if some competent authorities may consider wholesale interactions non face-to-face. We therefore request that the RTS clarify what constitutes ‘face-to-face’ – with a particular focus on the wholesale context.

Premature reliance and excessive focus on eIDAS – need for other solutions to be equal alternative

We welcome the acknowledgement that tools and solutions that are not eIDAS-compliant can be used to verify the identity of customers and other roles in an online context. This is and shall be an important and permanent approach, in particular for customers and other persons not resident in the EU.

Paragraph 42 of the EBA document accompanying the draft RTS recognises that electronic identities are not mandatory for individuals or for legal persons under the eIDAS Regulation, and that some groups (such as those not resident in the EU, the disadvantaged, or other vulnerable groups) may not be able to obtain an electronic identity. Nevertheless, and notwithstanding the fact the eIDAS solutions are a choice and not an obligation for natural and legal persons, the phrasing of Article 6 (2) draft RTS states that ‘remote solutions’ (which we interpret to include video identification) may be used ‘[i]n cases where the solution described in paragraph 1 [i.e., an eIDAS solution] is not available, or cannot reasonably be provided…’.

This inappropriately limits the use of non-eIDAS solutions, placing them in a second order of preference, to be used only in certain circumstances. This is unhelpful and unwelcome. eIDAS solutions are not yet widely available. When they are rolled out, it remains to be seen whether they will be accepted by the public. Video identification is however already widely used, is understood and accepted by the public, and is already built into banks’ systems and controls.

A reliable, independent digital ID system with appropriate risk mitigation measures in place which meets the standards equivalent to eIDAS (and not necessarily fully compliant with eIDAS) should in general be considered acceptable for non face-to-face customer identification and transactions. We therefore request that the draft RTS be amended to make clear that remote solutions, including video identification, are an equal alternative to eIDAS solutions, and in all cases their use should not be limited to situations only where eIDAS solutions are unavailable or cannot reasonably be provided – or at least to allow for a transition period of several years in the case of EU natural persons of whom eIDAS solutions can reasonably be expected to be provided.

Consent requirement

After setting out possibilities for verifying the customer’s identity in paragraphs 1 and 2, Article 6 (3) draft RTS requires obliged entities to obtain the customer’s explicit consent – but only with regard to the solutions set out in paragraph 2. We request that the RTS specify what type of consent should be recorded (privacy-type or data protection-type consent), and clarify why consent is required in relation to the solutions set out in paragraph 2 but not those set out in paragraph 1.

Clarity on ‘commensurate’ solutions

The RTS permits

the use of electronic identification means, which meet the requirements of Regulation (EU) No 910/2014 with regard to the assurance levels ‘substantial’ or ‘high’,
relevant qualified trust services as set out in that Regulation,
remote solutions that meet the conditions set out in paragraphs 3-6 of Article 6 draft RTS. In this possibility, solutions are required to be ‘commensurate to the size, nature and complexity of the obliged entity’s business and its exposure to ML/TF risks’.

We request that the RTS clarify what ‘commensurate to the size, nature, and complexity of the obliged entity’s business and its exposure to ML/TF risks’ means in this context.

Proposal to replace ‘commensurate’ with ‘proportionate’

The FATF recently consulted and finalised a review to replace use of the word ‘commensurate’ with ‘proportionate’ in FATF Recommendation 1. It explained its change as follows:

Replacement of the term ‘commensurate’ with ‘proportionate’, defined as a measure or action that appropriately corresponds to the level of identified risk and effectively mitigates the risks, throughout the Recommendations in order to provide clarity on how the concept should be applied in the context of a risk-based approach and align the FATF’s language more closely with that of financial inclusion stakeholders and frameworks.

We request that the draft RTS uses FATF language to better ensure shared understanding and global consistency between standards setters.

Verification of security features embedded in official documents

Article 6 (5) draft RTS requires obliged entities to verify the security features (such as holograms) embedded in the official document to verify their authenticity.

Security features vary significantly depending on the jurisdiction producing the document. Although we recognise the mention as illustrative, ‘holograms’ are not a feature that is generally used in the identification and verification of legal persons. It is also not clear how an obliged entity would verify the authenticity of a hologram (or similar) on a document.

Where obliged entities accept ‘reproductions’ of original documents, the draft RTS requires them to take ‘steps’ to ascertain that the reproduction is reliable. We do not consider that obliged entities are likely to be in a position where they are able to validate the integrity and authenticity of reproductions of documents. In most instances, the process of adding reliable and independent sources to internal procedures should be sufficient.

Where documents are obtained directly from the customer, it is not realistic or reasonable to ask obliged entities to accept the burden of checking the authenticity of documents – especially given the rise of the capabilities of artificial intelligence. We therefore request that this provision be removed from the RTS.

Should this request not be accepted, we request that the RTS provide criteria to define what we assume must be reasonable ‘steps' to ensure the authenticity and integrity of reproductions of documents. This will help ensure consistent and effective implementation across different business contexts.

Use of terminology – ‘customers that are not natural persons’

We also note the reference to ‘customers that are not natural persons’. This is not a term that is used elsewhere in the draft RTS, or in the broader AML package. If this is intended to refer to legal entities, or other organisations that have legal capacity, we suggest that it may be more appropriate to use such terms.

Definition of ‘up-to-date’

Article 6 draft RTS (and other subsequent Articles) requires obliged entities to assess the extent to which information is ‘up-to-date’. There is no consistent practice across EU Member States regarding the acceptable age or ‘up-to-datedness’ of legal entity data and supporting documentation used for KYC reviews. This includes both the duration of the acceptable age and the starting point for determining ‘up-to-datedness’.

We therefore request that the RTS confirm that obliged entities may take a flexible, risk-based approach to evaluating whether a document is ‘up-to-date’.

Consistency of terminology

The title of Article 6, and Article 6 (2) draft RTS, refer to ‘the customer’. In Article 6 (3), reference is made first to ‘a customer’, and subsequently to ‘the person to be identified’. We recommend that terminology be used consistently and precisely to avoid possible confusion.

Summary of Requests – Article 6

Dual verification options – clarify that both options under Article 22(6) AMLR are available, not just electronic identification; amend RTS as per our suggestion.
Scope of persons – confirm that provisions apply to both customers and persons acting on their behalf, as per AMLR.
Wholesale relevance – request that wholesale banking scenarios be considered in finalising the RTS.
Face-to-face definition – clarify what qualifies as ‘face-to-face’, especially in wholesale contexts.
eIDAS parity – request that remote solutions like video ID be treated as equal alternatives to eIDAS, not subordinate options.
Consent – clarify the type of consent required under paragraph 3 and why it applies only to certain solutions.
‘Commensurate’ vs ‘proportionate’ – request replacement of ‘commensurate’ with ‘proportionate’ to align with FATF terminology.
Document authenticity – remove requirement to verify embedded security features; if retained, request clear criteria for reasonable verification steps.
Terminology – request consistent and appropriate use of terms instead of ‘customers that are not natural persons’.
Definition of ‘up-to-date’ – request flexible, risk-based approach.
Terminology consistency – request uniform use of terms like ‘customer’ and ‘person to be identified’ throughout the Article.

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

Clarity on roles and obligations

Article 22 (3) AMLR and Article 8 draft RTS identify several roles relating to virtual IBANs. These are

‘credit or financial institution servicing the account’
‘issuer of a virtual IBAN’
‘entity that provides a virtual IBAN to a person’.

We understand ‘credit or financial institution servicing the account’ (the term used in the RTS, hereinafter ‘account servicing institution’) or the ‘institution servicing the bank or payment account to which a virtual IBAN issued by another institution redirects payments’ (the term used in the AMLR, hereinafter also referred to as ‘account servicing institution’) as the party servicing the bank account to which virtual IBANs are linked.

This party is a credit or financial institution holding a license that permits the holder to offer bank accounts and to have access to payment systems. Virtual IBANs provided by this party to the issuers of virtual IBANs carry the BIC / sort code of this institution. This party can be regarded as the provider of a virtual IBAN solution as it provides the technical foundation and network capabilities, such as clearing reachability or transaction processing capabilities that are a prerequisite for market participants to use virtual IBANs.

In our reading of both AMLR and RTS the ‘issuerof a virtual IBAN’ must be either a financial or credit institution that holds a payment services or comparable license.

As long as neither the holder of the bank or payment account to which a virtual IBAN is linked nor any other party involved in the relationship is a financial or credit institution, the issuer of the virtual IBANs is identical to the account servicing institution (AMLR & RTS).

In case the account holder of the payment account to which the account servicing institution (AMLR & RTS) has associated a set or range of virtual IBANs is either a financial or credit institution that holds a payment services or comparable license, this is the entity that actually distributes and communicates a specific virtual IBAN to any users of virtual IBANs, and therefore is to be regarded as the issuer of virtual IBANs.

When this entity is servicing users of virtual IBANs located in the EU, the issuers hold EU licenses. When no user is located within the EU, the issuer may hold licenses from other jurisdictions. The issuance of virtual IBANs takes place after the institution servicing the payment account (see above) has associated a set or range of virtual IBANs to the payment account that it is servicing to the account holder.

In result, this means the account servicing institution (AMLR and RTS) has the following insights and data:

data of the payment account with which the virtual IBANs are associated
data and full identification and verification of the party in whose name the payment account is being held, which can be a credit or financial institution
knowledge of the set or range of virtual IBANs that has been associated with, and respectively reserved, for this party and payment account.

In cases where this party is not also the issuer of the virtual IBAN, it:

has no information as to which specific virtual IBAN out of the set or range of virtual IBANs that was associated to the issuer’s payment account has been issued to which exact user of a virtual IBAN by the issuer of the virtual IBAN
holds a right vis-à-vis the issuer of the virtual IBAN to be provided with data of identification and verification of the user of any virtual IBAN.

In result, this means the issuer of a virtual IBAN (RTS and AMLR) has the following insights and data:

exact knowledge and control as to which specific virtual IBAN out of the pre-assigned set or range of virtual IBANs that was associated with the issuer’s payment account has been issued to which exact user of a virtual IBAN.

If an ‘entity that provides a virtual IBAN to a person’ (RTS) other than any of the two parties mentioned above is involved, this means this entity is a sub-contractor or partner of the issuer of a virtual IBAN and can also be a sub-issuer of a virtual IBAN.

For completeness, we consider that the term ‘using a virtual IBAN’ implies an active role and awareness of the affected party over the existence and abilities to ‘use’ a virtual IBAN. Therefore, any party that has passively been communicated a virtual IBAN that purely serves as a reconciliation ID in the payment processing cannot be regarded as a user. Using a virtual IBAN as beneficiary account number in a payment cannot be regarded as usage by an ordering party, since paying to an ordinary or a virtual IBAN is of no relevance to the payer.

We understand the AMLR and draft RTS place responsibility both on the ‘issuer of a virtual IBAN’ as well as on the account servicing institution (AMLR and RTS) for identification and verification processes of any legal or natural person that is a user of a virtual IBAN.

We further understand that this responsibility to identify and verify users of virtual IBANs is immediately and primarily placed upon the issuer of a virtual IBAN and that the account servicing institution (AMLR and RTS) can rely on the identification and verification checks conducted by the issuer of virtual IBAN(s) as long as it has been ensured that the required data can be provided to the account servicing institution (AMLR & RTS) within five working days.

We request that the RTS confirm this understanding.

RTS requirements to align with changes to FATF Recommendation 16

The Financial Action Task Force (FATF) is currently processing feedback received to its consultation on changes to Recommendation 16, which concerns payment transparency. The FATF consultation focused on ensuring that the account number or payment message data which are transmitted as part of a transaction can identify the financial institution and the country where the funds are held. FATF is expected to publish the results of its consideration of feedback in June 2025 – which will coincide with the EBA considering feedback received to this consultation.

We request that to the extent possible, the EBA look to align the final requirements of Article 8 with final changes to Recommendation 16 expected to be published by FATF in June 2025. Global alignment is helpful in ensuring effective compliance and reinforces the benefit of FATF’s work to set standards at the global level.

Summary of Requests – Article 8

Roles and definitions – clarify the distinction between ‘account servicing institution’, ‘issuer of a virtual IBAN’, and ‘entity providing a virtual IBAN’, and confirm these align with their respective regulatory responsibilities.
Issuer responsibility – confirm that the issuer of a virtual IBAN is primarily responsible for identifying and verifying the user, and that the account servicing institution may rely on this if data can be provided within five working days.
Definition of 'user' – clarify that only persons with active use or control of a virtual IBAN should be considered users; those passively receiving or processing payments should not.
Global alignment – ensure, where feasible, alignment of final RTS requirements with forthcoming FATF updates to Recommendation 16 on payment transparency (expected June 2025).

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 15 – Identification of the purpose and intended nature of the business relationship or the occasional transactions

Requirements not in keeping with approach of AMLR; requirement to first assess appropriateness / necessity

Article 20 (1) (c) AMLR requires obliged entities to obtain information on and understand the purpose and intended nature of the business relationship or the occasional transactions ‘as appropriate’. Article 25 AMLR similarly requires obliged entities to obtain information ‘where necessary’.

In both Articles, it is clear that the co-legislators did not intend obliged entities to take the actions set out in all instances. Rather, obliged entities are required to apply their judgement and take action in certain circumstances, in accordance with a risk-based approach.

The drafting of Article 15 draft RTS does not sufficiently reflect the risk-based approach evident in the AMLR. We recognise that the text makes reference to ‘risk-sensitive measures’. It is not however clear in the text of the draft RTS that obliged entities should first assess whether the measures need to be applied at all.

We request that the text of the RTS be amended to reflect the risk-based approach chosen by the co-legislators. In particular, we request that the text clarify that obliged entities should first assess whether the specific situation warrants the application of any of the listed measures, and if so, that a proportionate and risk-based approach should be applied, with obliged entities exercising judgment in determining which topics or points to seek information on – and to what extent – and which may be reasonably excluded from further inquiry.

Where the purpose and intended nature of the relationship or transaction is self-evident from the products and services themselves, there should be no requirement to collect any further information.

Request for definition of ‘occasional transaction’

We request that the RTS provide a definition of ‘occasional transaction’ . We note that Directive 2015/849, Article 11 (b) states

(b) when carrying out an occasional transaction that:

(i) amounts to EUR 15 000 or more, whether that transaction is carried out in a single operation or in several operations which appear to be linked; or

(ii) constitutes a transfer of funds, as defined in point (9) of Article 3 of Regulation (EU) 2015/847 of the European Parliament and of the Council ( 1 ), exceeding EUR 1 000;

An updated definition would assist obliged entities in understanding their requirements. We note that the definition previously provided by Directive 2015/849 is very low for wholesale banking contexts and should be amended to take account of the reality of wholesale banking transactions.

Requirement to determine why the customer has chosen the obliged entities’ products and services

We understand the RTS to be in line with the risk-based approach set out in the AMLR and assume that further determination of why the customer has chosen the obliged entities' products or services is not required in such cases. In other cases, where the reason for which the customer has chosen the obliged entities’ products and services is evident from the context, we understand the RTS to permit obliged entities to draw the appropriate conclusion without further investigation. We request that the RTS confirm our understanding.

Requirement to assess relationship with the ‘wider group’

The requirement in Article 15 (1) (c) draft RTS to assess whether the customer has additional relationships with the ‘wider group’ is excessively broad. It would be particularly unrealistic in certain sectors of banking, where high-volume business is usual.

In cases where the obliged entity is a subsidiary of a third country entity, obtaining this information may conflict with local data sharing and banking secrecy provisions (e.g., Switzerland). For obliged entities based in the EU, there may be significant issues regarding data sharing with third country jurisdictions which do not adhere to similar data protection standards and data deletion requirements (e.g., China). We therefore request that Article 15 (1) (c) draft RTS be deleted – or if this should not be accepted, then amended to read:

whether the customer has additional business relationships with the obliged entity or its wider group, and the extent to which that influences the obliged entity’s understanding of the customer and the source of funds, provided information sharing is permitted and not in breach of confidentiality, data protection and use of information; and [...]

Requirement to assess source of wealth

The requirement set out in Article 15 (1) (d) draft RTS to obtain information relating to the source of wealth goes beyond the scope of Article 20 (1) (c) AMLR, which is explicitly cited as setting the scope of Article 15. Assessment of the source of wealth is only required for EDD and is not to be required for the purposes of Article 20 (1) (c) AMLR. We therefore ask for Article 15 (d) draft RTS to be clarified, to read

where the ML/TF risk is higher such that EDD is necessary, to determine the source of wealth.

Summary of Requests – Article 15

Risk-based application – clarify that obliged entities must first assess whether any measures are needed, in line with AMLR Articles 20 (1) (c) and 25.
Proportionality – confirm that measures, if applied, should be proportionate, with entities exercising judgment on relevance and depth.
Self-evident purpose – no further information should be required where the purpose of the relationship or transaction is clear from context
Definition of ‘occasional transaction’ – provide an updated definition suitable for wholesale banking, reflecting Directive 2015/849 but adjusting thresholds.
Customer choice – confirm there is no requirement to determine why a customer chose a product or service unless relevant and evident.
wider group relationships – delete or limit the requirement to assess group relationships to cases where relevant, accessible, and legally shareable.
Source of wealth – limit this requirement to high-risk cases requiring enhanced due diligence.

Article 16 – Understanding the purpose and intended nature of the business relationship or the occasional transactions

Requirements not in keeping with approach of AMLR

As per our comments to Article 15, the requirements of Article 16 draft RTS are not in keeping with the risk-based approach of the AMLR. Article 25 AMLR sets out measures that obliged entities shall take ‘where necessary’. Notwithstanding the use of ‘risk-sensitive measures’ in the opening paragraph, the requirements set out in Article 16 draft RTS are excessive, overly-detailed, and unrealistic for high volume business – and this particularly so in banking.

We request that the text be amended to mirror the language of the AMLR and to make clear that obliged entities should apply their judgement to form a view on whether any particular measure is necessary in a given situation, and if so, should then assess the extent of information required to obtain an appropriate level of assurance. This would be sensible, proportionate, and in keeping with the risk-based approach chosen by the co-legislators.

Clarity on terms used

When speaking of transactions that are likely to be executed during the business relationship, Article 16 (b) draft RTS cites ‘the category of funds that such transactions relate to’.

When speaking of the destination of funds, Article 16 (d) draft RTS cites the ‘intermediaries used’.

When speaking of the business activities or the occupation of the customer, Article 16 (e) draft RTS cites ‘whether they are actively engaged in business’.

We request that the RTS provide further clarification of the intended meaning of these terms as used in these contexts.

Clarity regarding ‘key stakeholders’ and other information in Article 16 (e)

Article 16 (e) draft RTS requires obliged entities to obtain information on the business activity or occupation of the customer, which shall include information on the industry, operations, products and services, regulated status, key stakeholders, geographical presence, revenue streams, and (where applicable) employment status.

This information is not straightforward to obtain (even for the customer themselves) and would not significantly impact the customer’s risk profile (e.g., in the case of an employed natural person). Several of the data fields listed also apply only to certain categories of customers. We therefore consider that to require obliged entities to seek to obtain such information would lead to cost without benefit.

We therefore request that the scope of the information to be obtained be significantly reduced, with obliged entities required instead to apply judgment on what information is appropriate to obtain, in accordance with the risk-based approach.

Summary of Requests – Article 16

Risk-based application – clarify that obliged entities should assess whether any specific measure is necessary before applying it, in line with AMLR Article 25.
Proportionality – confirm that information should be collected only to the extent needed to achieve an appropriate level of assurance.
Clarification of terms – clarify the meaning of the terms ‘category of funds’, ‘intermediaries used’, and ‘actively engaged in business’ as used in the RTS.
Scope of stakeholder information – reduce the scope of information required under Article 16(e), especially for low-risk customers such as natural persons
Judgement on ‘key stakeholders’ and data fields – allow obliged entities to use judgment to determine which fields are relevant.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 17– Identification of Politically Exposed Persons

Clarity regarding SMOs

As per our earlier comments, we request clarification on the treatment of SMOs when no beneficial owner can be identified.

The exposure of beneficial owners to politics and political decision-making may entail a heightened risk of financial crime. But SMOs – who do not own assets, inject personal funds, control the customer’s resources, or offer or stand to benefit from political influence to the same extent as beneficial owners – do not pose equivalent risks.

Applying the same measures to individuals who pose a lower risk as those who present a higher risk would be an inefficient use of resources and would divert attention away from the most significant sources of risk.

Notwithstanding considerations relating to proportionality, following the text of the AMLR, we understand that SMOs are not beneficial owners. This understanding is reinforced by Recital 9 of the RTS and by Recital 125 AMLR, which states ‘[w]hile SMOs are not beneficial owners…’.

Article 20 (1) (g) AMLR only makes reference to the beneficial owner. This is in contrast to Article 22 (2) AMLR, which explicitly makes reference to SMOs. Therefore, we understand that SMOs are not subject to PEP screening. We request that the RTS confirm this understanding.

Clarity regarding ‘manual check’

Article 17 (2) draft RTS requires obliged entities to put in place automated screening tools and measures, or a combination of automated tools and manual checks. We request that the RTS clarify whether enquiring with the client or conducting independent-source research is to be considered a ‘manual check’.

Potential typographical error

Article 17 (1) (b) refers to situations ‘when the obliged entity has any indications that the customer beneficial owner of the customer…’. We assume that there is a missing comma or ‘or’ intended between ‘customer’ and ‘beneficial owner of the customer’. We suggest that this be amended for clarity.

Summary of Requests – Article 17

Clarification on SMOs – confirm that SMOs are not beneficial owners and are not subject to PEP screening under Article 20 (1) (g) AMLR.
Manual checks – clarify whether client enquiries or independent-source research qualify as ‘manual checks’ under Article 17 (2).
Correction of typographical error – amend Article 17 (1) (b) to correct the apparent omission between ‘customer’ and ‘beneficial owner of the customer’.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 18 – Minimum requirement for the customer identification in situations of lower risk

We provided detailed comments on requirements relating to names, place and date of birth, nationalities and statelessness, refugee or subsidiary protection status in our comments on Articles 1 to 4.

We refer the EBA (and other readers) to those comments at this point. We do not consider it necessary to repeat them in full. We do, however, offer a brief summary of key points to recap the detailed explanation offered earlier in our response.

Names
- to be limited only to those names that appear on identity documents, passports, or equivalents
- to take risk-based decisions on potential variations in transliteration of non-Western names
- for legal entities, to rely on official public registries, or equivalents

Place and full date of birth
- place to be collected only where and as given on ID document

Nationalities and statelessness, refugee or subsidiary protection status
- ability to rely on declarations made by relevant individual
- obliged entities not accountable for inability to discover nationalities or statuses where such are not disclosed by the individual.

Suggested amendment

We suggest that Article 18 (b) draft RTS be amended to read as follows:

for a legal entity and other organisations that have legal capacity under national law, the legal form and registered name of the legal entity including its commercial name and where available other alternate names, in case it differs these differ from its registered name; the address of the registered or official office and the registration number, the tax identification number or the legal entity identifier where applicable available.

Summary of Requests – Article 18

Requests as summarised above.
Amend text as per our suggestions immediately above.

Article 19 – Minimum requirements for the identification and verification of the beneficial owner or senior managing officials in low-risk situations

We consider the requirements set out in Article 19 draft RTS to be excessively prescriptive.

As drafted, obliged entities would be required to use a central register or company register to identify the beneficial owner or SMOs (a), and then a confirmatory statement from the customer (b) or publicly available reliable sources of information (c) to verify that information.

We do not consider that such a tiered process is appropriate. We consider instead that an obliged entity should have the choice of taking ‘appropriate measures’ to identify and verify the beneficial owner and SMOs in situation of lower risk, without a limitation to any of the methods mentioned under lit (a) to (c).

The limitation of methods as per lit (a) to (c) would limit obliged entities in particular where, for example, a suggested method is not available at all (e.g. there is no central register or company register). At the minimum, obliged entities should be able to use a combination of (a), (b) and (c), with the exact choice made according to the facts of the situation at hand. We request that the RTS permit such flexibility, the better to promote an efficient and risk-based approach.

We also suggest to expand the scope of Article 19 draft RTS to include persons on whose behalf or for the benefit of whom a transaction or activity is being conducted. To apply full identification and verification requirements on these persons does not appear appropriate in SDD cases. This would also go significantly beyond practice as currently conducted in many member states and would significantly weaken the EU’s competitiveness, without being justified by underlying money laundering or terrorist financing risks.

Suggested amendment

We therefore suggest that the opening sub-paragraph of Article 19 draft RTS be amended to read as follows:

In situations of lower risk, the obliged entity may consult one two or more of the following sources for the identification of, and use another sources from the same list under b. or c. for the purposes of verification of the beneficial owner or the senior managing officials:

Summary of Requests – Article 19

Prescriptive process – remove tiered identification and verification sequence to allow greater discretion in low-risk cases.
Method flexibility – permit obliged entities to choose freely among (a), (b), and (c), or to use a combination, based on the specific context.
Source limitations – recognise that some sources may not be available and avoid mandating their use in all cases.
Scope – expand to include persons on whose behalf transactions are carried out.
Textual amendment – amend as per our suggestions.

Article 20 – Sectoral simplified measures: pooled accounts

Focus on obliged entities

We welcome the possibility to apply SDD for pooled / escrow accounts, as set out in Article 20 draft RTS. However, the focus on customers who are obliged entities themselves limits this possibility unnecessarily.

There are other types of pooled accounts or collective trust accounts (e.g. rent deposit accounts, collective trust accounts of debt collection agencies) which may also be subject to SDD from a risk perspective. We therefore request that the condition set out in Article 20 (a) draft RTS be deleted.

Inclusion of accounts held by non-obliged entities in low-risk cases

There are many cases where non-obliged entities hold (pooled) accounts for their clients which should also benefit from SDD. This applies, for example, for rental deposit accounts, accounts for school classes or (senior) home residents, insolvency administrators or collection agencies.

In all of these cases, only low ML/TF risks exist and in all of these cases, the full identification and verification of the persons on whose behalf or for the benefit of whom the account is set up is not feasible or not possible. We therefore request that the RTS provide a general possibility to apply SDD measures in such cases. If this is not done, there will be severe damage, both in an economic sense, and for the financial inclusion of certain groups, without adding to the reduction of ML/TF risk.

Clarification on transactions for legal entities

Article 20 AMLR refers to transactions conducted on behalf of a natural person other than a customer but does not address transactions conducted on behalf of a legal entity different from the client. We request that the RTS clarify whether the article applies when the transaction is conducted on behalf of an underlying legal entity.

Potential extension of applicability / inclusion in general CDD section

The article is currently included in the simplified due diligence section and is not applicable to customers rated medium risk. It would be preferable to extend its applicability to customers that do not pose a high risk of ML/TF. This would include medium-risk customers, allowing for a more comprehensive application of due diligence measures.

We therefore suggest removing the article from the SDD section and including it in the general CDD section. This would ensure that the requirements are applicable to a broader range of customer risk profiles, not just those classified as low-risk.

Request to define ‘third country with an AML/CFT requirements that are not less robust’

If the EBA declines to delete the criterion set out in Article 20 (a), as per our earlier request, we then request that it (or an appropriate authority) issue a list of third countries with AML/CFT requirements that are not less robust than those required by the AMLR. As the EU AML package is a world-leading regime, it is not clear which third country jurisdiction (if any) would meet the required standard. We also note that reaching such a judgment may well be politicised or controversial, and as such, may be most appropriately taken by a public authority.

Request to define ‘effectively supervised’

In a similar manner, the decision as to whether a customer is ‘effectively supervised’ could be equally politicised or controversial, as it is possible to interpret the criterion as a requirement to form a judgment on the competence of the local competent authority. Again, given the potential political consequences of such a judgment, such a decision may be most appropriately taken by a public authority.

Clarification of ‘the credit institution is satisfied’

An obliged entity assesses the AML/CFT risk posed by its customer. It does not generally audit the internal workings of its customer. It is therefore unclear how an obliged entity may ‘satisfy’ itself that the customer ‘applies robust and risk-sensitive customer due diligence measures to its own clients and its clients’ beneficial owners’. We request that the RTS clarify how such satisfaction is to be achieved – or that this condition be deleted.

Summary of Requests – Article 20

Focus on obliged entities – delete condition that pooled accounts must be held by obliged entities.
Accounts held by non-obliged entities – permit SDD for pooled accounts held by non-obliged entities in low-risk cases, such as rental deposit or school group accounts.
Transactions for legal entities – clarify whether Article 20 applies to transactions conducted on behalf of legal entities other than the client.
Applicability to medium-risk customers – move the article to the general CDD section to enable use for medium-risk customers, not just low-risk.
Definition of robust third-country regimes – issue a list of third countries whose AML/CFT regimes are not less robust than the EU's, if Article 20 (a) is retained.
Definition of ‘effectively supervised’ – assign responsibility for this determination to a public authority.
Clarification of ‘the credit institution is satisfied’ – clarify how obliged entities can be expected to assess their customer’s CDD practices, or delete the requirement.

Article 21 – Sectoral simplified measures: Collective investment undertakings

The substance of two of our comments to Article 20 also apply to Article 21. We do not consider it necessary to repeat them in full, but as a brief recap:

‘third country…not less robust’ – a potentially political or controversial decision, best taken by a public authority
‘effectively supervised’ – also a political or controversial decision, as in effect a judgment on the competence of the local competent authority.

Challenge of assessing business relationship risk as ‘low’

We consider the condition set out in Article 21 (c) draft RTS – that is, to judge that the risk associated with the business relationship is ‘low’ – to be problematic and requiring a more nuanced definition.

The business relationship with a collective investment undertaking is a mix of the relationship with the collective investment undertaking itself, and with the relevant investment manager.

If one entity in this pair were rated other than ‘low’, then the overall relationship could be judged to be outside the scope of SDD – even if a more holistic assessment would deem the overall risk to be negligible.

We therefore request that the ‘business relationship’ be better defined, or for the condition in (c) to be deleted.

We also suggest to remove the article from the SDD section and include it in the general CDD section. This would ensure that the requirements are applicable to a broader range of customer risk profiles, and not just those classified as low-risk.

Clarification of wording

The phrase ‘When a collective investment undertaking is acting in his own name’ is misleading. We suggest it be amended to read ‘…collective investment undertaking investor in a collective investment undertaking is acting in his its own name…’.

Summary of Requests – Article 21

Definition of robust third-country regimes – request that this determination be made by a public authority.
Assessment of ‘effectively supervised’ – request that this assessment also be made by a public authority.
Business relationship definition – clarify or delete the condition in (c), as the risk rating should consider the overall relationship, not individual entities in isolation.
Placement of article – move to general CDD section to extend applicability beyond low-risk customers.
Clarification of wording – amend text as per our suggestions.

Article 22 – Customer identification data updates in low-risk situations

Potential ability to reduce frequency of customer identification data updates

There is ambiguity as to whether the frequency of customer identification updates can be reduced to less than every five years when applying SDD.

Article 33 (1) (b) AMLR and Article 22 (1) draft RTS allow a reduction in the frequency of customer identification updates specifically in cases of SDD, without setting a maximum period. However, the reduction of the frequency of customer identification updates beyond five years if applying SDD is not explicitly addressed.

Obliged entities will monitor the relevant circumstances, potential trigger events, and transactions and activities of the customer on an ongoing basis. If a change in circumstances, trigger event or transaction or activity were to occur, obliged entities would conduct a customer identification update. In the absence of such, and where a low-risk relationship continues in a stable manner, permitting obliged entities to reduce the frequency of customer identification updates for low-risk customers would permit more resources to be allocated to more significant sources of risk, in keeping with the risk-based approach.

In line with the overarching guiding principles to have a proportionate and risk-based approach, as well as the focus on effective, workable outcomes, we request that the RTS clarify if such an approach is permissible.

Clarity on customer identification updates

We request that the RTS clarify how firms should perform ‘customer identification updates’. This includes specifying the information that needs to be updated for clients with different risk profiles (high, medium, and low risk), and the frequency of these updates.

Definition of ‘at all times’

We request that the RTS clarify the concept of ‘at all times’ in the context of customer identification updates. This will ensure that firms understand the expectations for maintaining current and accurate customer information and can implement processes that align with regulatory requirements.

Summary of Requests – Article 22

Frequency of identification updates – clarify whether customer identification updates may be conducted less frequently than every five years in low-risk SDD cases.
Process for updates – clarify what information must be updated, how this varies by risk level, and the required frequency for each.
Definition of ‘at all times’ – clarify the meaning of this phrase in the context of customer identification updates to ensure consistent implementation.

Article. 23 – Minimum information to identify the purpose and intended nature of the business relationship or occasional transaction in low-risk situations

RTS exceeds scope of / removes possibility present in AMLR

Article 33 (1) (c) AMLR allows obliged entities to reduce the amount of information collected to identify the purpose and intended nature of the business relationship or occasional transaction, or to infer it from the type of transactions or business relationship established.

Article 23 draft RTS appears to remove this second possibility by setting out minimum requirements and seemingly requiring the collection of certain information to identify the purpose and intended nature of the business relationship – that is to say, to remove the possibility to infer otherwise granted by Article 33 (1) (c) AMLR.

It is possible that this is inadvertent, and removal is not intended. It is also possible however that supervisory authorities may read it as removing the possibility to infer. In this way, the RTS may remove a possibility the co-legislators chose to include.

We therefore request that the RTS be amended to clarify that obliged entities may infer the purpose and intended nature of the business relationship or occasional transaction from the nature of the type of transactions or business relationship established.

Clarity regarding ‘risk-sensitive measures’

Article 23 draft RTS requires obliged entities to ‘…take risk-sensitive measures…’. We request that the RTS provide examples of what would constitute such ‘risk-sensitive measures’ in order to ensure shared understanding between industry and supervisory authorities of how this requirement may be fulfilled.

Suggestion to replace ‘source’ with ‘origin’

The ‘risk-sensitive measures’ discussed above are to be applied inter alia to understand ‘…the source of the funds used in the business relationship or occasional transaction…’. We suggest that it would be more appropriate to the majority of intended contexts (and in our reading, would come closer to what we understand the EBA is seeking to achieve) to apply such measures to the origin of the funds in question. We therefore suggest that ‘source’ be replaced by ‘origin’.

Inadequate simplification of measures

Article 23 draft RTS is part of Section 4 on Simplified Due Diligence. As such, it should permit the obliged entity to put in place substantially simplified measures for lower risk situations when compared with those required for standard CDD.

The measures set out in Article 23 draft RTS appear however to be substantively the same as those set out in earlier Articles for standard CDD.

In Article 16 (a) draft RTS (standard CDD), obliged entities are required to obtain information on why the customer has chosen the obliged entities’ products and services (or two other largely equivalent options, which are presented as alternatives via the use of ‘or’). This is substantively repeated in Article 23 draft RTS (SDD).

In Article 16 (b) draft RTS (standard CDD), obliged entities are required to obtain information on the estimated amount of funds to be deposited, with some secondary additional details. In Article 23 draft RTS (SDD), obliged entities are also required to obtain information (‘where applicable’) on the estimated amounts which will flow through the account.

In Article 16 (c) draft RTS (standard CDD), obliged entities are required to obtain information on the activity that generated the funds and the means through which the customer’s funds were transferred. In Article 23 draft RTS (SDD), obliged entities are required to obtain information on the source of the funds.

In Article 15 (b) draft RTS (standard CDD), obliged entities are required to obtain information on how the customer plans to use the products or services provided. This requirement is repeated verbatim in Article 23 draft RTS (SDD).

Given the above, and noting that SDD allows greater resources to be dedicated to more significant sources of risk, in keeping with the risk-based approach, we request that the alleviations set out in Article 23 be strengthened to permit genuinely simplified due diligence, the better to ensure efficient allocation of resources to further the fight against financial crime.

Industry-specific wording

The phrase ‘...estimated amounts flowing through the account’ is more appropriate for the banking industry. We suggest however that this wording be tailored to fit the context of the various industries to which it will apply.

Requirement to determine why the customer has chosen the obliged entities’ products and services

In many cases, there may be no specific reason for a customer choosing a certain service provider. Where a reason is present, it may be known only known to the customer, who may not (or may not wish) to provide it. For example, a customer may choose a bank because of branding, a particular advertisement, the available offers on the market, or simple physical convenience due to proximity to a branch of the institution. We understand the RTS to be in line with the risk-based approach set out in the AMLR and assume that further determination of why the customer has chosen the obliged entities' products or services is not required in such cases. In other cases, where the reason for which the customer has chosen the obliged entities’ products and services is evident from the context, we understand the RTS to permit obliged entities to draw the appropriate conclusion without further investigation.

Applicability of requirement to very low risk products

Some products – such as private old age pension products or employer or employee sponsored or financed pension schemes – are so low risk as a product category that few if any other risk factors could raise the overall risk to high. We request that with regard to such products, the RTS clarify that obliged entities may infer the information which Article 23 draft RTS requires them to understand.

Summary of Requests – Article 23

Ability to infer purpose and nature – clarify that obliged entities may infer the purpose and intended nature of a business relationship or transaction, as permitted by Article 33 (1) (c) AMLR.
Risk-sensitive measures – provide examples to illustrate what constitutes ‘risk-sensitive measures’.
Terminology – replace the term ‘source’ of funds with ‘origin’ to better reflect practical and risk-relevant understanding.
Genuine simplification – strengthen simplifications under Article 23 to ensure they are meaningfully lighter than standard CDD obligations.
Sector-appropriate language – adjust the phrase ‘estimated amounts flowing through the account’ to suit non-banking sectors.
Rationale for customer choice – clarify that firms are not required to investigate the customer’s reason for choosing a product or service where it is not known, not disclosed, or evident from context.
Very low-risk products – confirm that for inherently low-risk products, such as certain pension schemes, information may be inferred rather than explicitly obtained.

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.

SDD should be in general possible for lower risk factors, i.e., with regard to customer risk factors such as government agencies, publicly listed entities and their majority-owned subsidiaries, or domestic organisations funded by governments, as indicated in Annex II (1) AMLR.

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 24 – Additional information on the customer and the beneficial owners

Exceeding Level 1 requirements – need for a proportionate, risk-based approach

Article 24 draft RTS should be read in conjunction with Article 34 (4) AMLR, which states that ‘in cases of higher risk … obliged entities shall apply enhanced due diligence measures, proportionate to the higher risks identified, which may include the following measures…’. Appropriate measures which obliged entities may take are then set out in points (a) to (g) of that paragraph.

From this, it is clear that the co-legislators intended obliged entities to follow a proportionate, risk-based approach, tailored to the specific circumstances of each situation. It is also clear that list of measures is illustrative, and it was not intended that all the measures set out be undertaken in every case.

The approach set out in the draft RTS is however very different. The use of ‘shall’ and ‘at least’ in Article 24 is very prescriptive and is not in keeping with the approach chosen by the co-legislators.

We therefore request that the text be amended to make clear that obliged entities may tailor the measures they take, in accordance with the risk-based approach.

Requirement to verify the authenticity and accuracy of information

Article 24 (a) draft RTS states that the additional information obliged entities obtain on the customer and the beneficial owners shall ‘enable the obliged entity to verify the authenticity and accuracy of the information on…[etc]’.

It is not within the power of obliged entities to verify such information to the level of certainty that the text of the draft RTS suggests. We therefore suggest that this requirement would be better set out with language requiring that where necessary, obliged entities take reasonable steps to validate via independent and reliable sources or check the plausibility of the information via independent and reliable sources, rather than verification in the sense of Articles 22 (6) and (7) AMLR.

Scope of investigations and information collection

The requirement in Article 24 (b) draft RTS to obtain information to enable the obliged entity to assess the reputation of the customer and the beneficial owner is unclear. In general, reputational risk is a separate risk category that sits outside of AML obligations. We therefore request that it be removed from the RTS, or at least, be the subject of an adverse media / information search and not full reputational risk assessment.

Request for removal / clarification of ‘past’ business activities

The term ‘past’ business activities in Article 24 (c) draft RTS is vague. It is unclear how far into the past obliged entities would have to perform such an assessment, or the limits of what would and would not be deemed relevant. We therefore recommend that it be deleted from the Article.

If this request for deletion is not accepted, we request that the RTS at least clarify the scope and relevance of ‘past’ activities, as well as whether it is intended to relate to adverse news screening (in which case, guidance would be required to assist with risk rating of the age and seriousness of the negative news).

In addition, if the request for deletion is not accepted, we request that the RTS clarify that this requirement would apply only to the customer and not the BO. There is no contractual relationship between the BO and the obliged entity. The obliged entity only has limited possibilities to obtain information on ‘past’ business activities, if at all.

Risk of clash with tipping off prohibition

The requirement in Article 24 (d) draft RTS when criminal activity is suspected to obtain additional information on relatives and close associates could clash with the prohibition against tipping off. While it may be appropriate (and expected) for a PEP, it would be highly unusual – and likely serve as a warning – in other circumstances. As with other aspect of the draft, it also appears to have been written with retail banking in mind, and is less appropriate for wholesale contexts.

If this requirement is taken forward, we request that the RTS clarify how obliged entities may apply this requirement in the wholesale context, and how they may comply with the provision without breaking the tipping off prohibition.

Potential focus on retail business

The requirement in Article 24 (d) draft RTS appears to have been drafted with retail business in mind. It may not however be practical for wholesale contexts, where obtaining information on a beneficial owner's family members could involve multiple layers below the client entity in the ownership chain.

We therefore request that the RTS clarify how the requirement should be interpreted for entities in the wholesale sector.

Summary of Requests – Article 24

Align with risk-based approach – amend the draft to clarify that obliged entities may tailor EDD measures in proportion to the specific risks identified, consistent with Article 34 (4) AMLR.
Reasonable verification standard – replace the current requirement to ‘verify the authenticity and accuracy’ with language requiring reasonable validation or plausibility checks using independent and reliable sources.
Remove or clarify reputational assessment – remove the requirement to assess the customer’s or beneficial owner’s reputation, or clarify it refers only to adverse media checks, not a full reputational risk review.
Delete or define ‘past’ business activities – remove the vague reference to ‘past’ business activities or clarify its scope, relevance, and applicability (limiting it to customers, not beneficial owners).
Avoid tipping off risk – clarify how to implement the requirement to gather information on relatives and close associates when criminal activity is suspected, particularly in ways that avoid breaching the tipping off prohibition.
Adapt to wholesale context – clarify how the RTS requirements, particularly on family members and close associates, should be applied in wholesale financial contexts where such information may not be available or appropriate.

Article 25 – Additional information on the intended nature of the business relationship

Exceeding Level 1 requirements – need for a proportionate, risk-based approach

Article 25 draft RTS should be read in conjunction with Article 34 (4) AMLR, which states that ‘in cases of higher risk … obliged entities shall apply enhanced due diligence measures, proportionate to the higher risks identified, which may include the following measures…’. Appropriate measures which obliged entities may take are then set out in points (a) to (g) of that paragraph.

The approach set out in the draft RTS is however very different. The use of ‘shall’ and ‘at least’ in Article 25 is very prescriptive and is not in keeping with the approach chosen by the co-legislators. We therefore request that the text be amended to make clear that obliged entities may tailor the measures they take, in accordance with the risk-based approach.

Requirement to verify legitimacy of the destination of funds and expected number (etc.) of transactions

Article 25 (1) (a) and (b) draft RTS states that the additional information obliged entities obtain on the intended nature of the business relationship shall enable them to ‘verify the legitimacy of the destination of funds’ and ‘verify the legitimacy of the expected number, size, volume and frequency of transactions that are likely to pass through the account, as well as their recipient’.

It is not within the power of obliged entities to verify such information to the level of certainty that the text of the draft RTS suggests.

We therefore suggest that this requirement would be better set out with language requiring that where necessary, obliged entities take reasonable steps to validate via independent and reliable sources or check the plausibility of the information via independent and reliable sources, rather than verification in the sense of Articles 22 (6) and (7) AMLR.

Clarification on information sources

The suggestion in Article 25 (1) (a) that the information obliged entities are to obtain ‘may include information from authorities and other obliged entities’ raises questions as to whether this language allows or expects firms to approach former or other banks of the client to enquire about customer behaviour and products.

We request that the RTS clarify whether this language is intended to create an expectation that obliged entities reach out to other entities for EDD – and whether there is an obligation for obliged entities to respond to such requests.

If this is the expectation, we also request the RTS to explain how this will work in practice. Are obliged entities expected to simply reach out to other obliged entities and query if they have such information available? We note that the obliged entity will not always know which other obliged entities the customer has business relationships with. Does this mean the obliged entity would need to ask any other obliged entities who may have (or have had) a business relationship with the customer?

Summary of Requests – Article 25

Align with risk-based approach – clarify that obliged entities may tailor enhanced due diligence measures proportionately, rather than apply all measures in every case.
Soften verification requirements – replace the ‘verify legitimacy’ language with a requirement to take reasonable steps to validate or check plausibility via independent, reliable sources.
Clarify information sources – confirm whether firms are expected to reach out to other obliged entities or authorities for EDD information and explain how such exchanges should work in practice

Article 26 – Additional information on the source of funds, and source of wealth of the customer and of the beneficial owners

Exceeding Level 1 requirements – need for a proportionate, risk-based approach

Article 26 draft RTS should be read in conjunction with Article 34 (4) AMLR, which states that ‘in cases of higher risk … obliged entities shall apply enhanced due diligence measures, proportionate to the higher risks identified, which may include the following measures…’. Appropriate measures which obliged entities may take are then set out in points (a) to (g) of that paragraph.

The approach set out in the draft RTS is however very different. The use of ‘shall’ in Article 26 is very prescriptive and is not in keeping with the approach chosen by the co-legislators. We therefore request that the text be amended to make clear that obliged entities may tailor the measures they take, in accordance with the risk-based approach.

Requirement to verify that the source of funds or source of wealth is derived from lawful activities

Article 26 draft RTS states that the additional information obliged entities obtain on the source of funds, and source of wealth of the customer and of the beneficial owners, shall enable them ‘to verify that the source of funds or source of wealth is derived from lawful activities’.

It is not within the power of obliged entities to verify such information to the level of certainty that the text of the draft RTS suggests.

Focus on retail business

The possibilities set out in Article 26 (1) (a) to (g) appear largely to be focused on retail banking. Most of the documentation listed is unlikely to be appropriate for the wholesale context.

We note the potentially broad scope of the term ‘any other authenticatable documentation’ in (g). In a wholesale banking context, however, a credible and comprehensive source of wealth narrative may often be corroborated through publicly available information, such as reputable media publications. Additionally, where a client has a long-standing relationship with the obliged entity – typically exceeding ten years – detailed notes from the Accountable Client Owner (ACO), or their delegate, may serve as sufficient evidence, provided they include appropriate narrative, rationale, and context demonstrating the ACO’s knowledge of the client.

We therefore recommend that the RTS be amended to clarify this or, alternatively, that the list be removed and replaced with the substance of (g).

Paper-based requirements vs. digitalisation

The draft requirements appear to emphasise paper-based process, with reference to ‘certified copies’ or documents ‘signed by the employer’. This appears to be at odds with the EU’s efforts to reduce bureaucracy and promote digitalisation through various omnibus laws.

Wholesale banks support these efforts, and note the positive impact on the environment and improved security the shift to digital documentation will offer. With this in mind, we request that the RTS consider other EU policy ambitions, including expected omnibus legislation seeking to promote digitalisation.

Summary of Requests – Article 26

Align with risk-based approach – clarify that obliged entities may tailor enhanced due diligence measures proportionately, rather than apply all listed measures in every case; ensure Article 26 reads consistently with Article 34(4) AMLR’s illustrative measures, avoiding prescriptive ‘shall’ language.
Reasonable verification standard – replace ‘verify that the source of funds or wealth is derived from lawful activities’ with a requirement to take reasonable steps to validate or check plausibility via independent, reliable sources.
Adapt to wholesale context – clarify that ‘any other authenticatable documentation’ may include credible public information or annotated relationship notes, or replace the list with the substance of clause (g).
Support digitalisation – request removal of paper-centric requirements (e.g., certified copies, employer-signed documents) and allow digital documentation in line with EU digitalisation policy.

Art. 27 – Additional information on the reasons for the intended or performed transactions and their consistency with the business relationship

Exceeding Level 1 requirements – need for a proportionate, risk-based approach

Article 27 draft RTS should be read in conjunction with Article 34 (4) AMLR, which states that ‘in cases of higher risk … obliged entities shall apply enhanced due diligence measures, proportionate to the higher risks identified, which may include the following measures…’. Appropriate measures which obliged entities may take are then set out in points (a) to (g) of that paragraph.

From this, it is clear that the co-legislators intended obliged entities to follow a proportionate, risk-based approach, tailored to the specific circumstances of each situation. It is also clear that the list of measures is illustrative, and it was not intended that all the measures set out be undertaken in every case.

The approach set out in the draft RTS is however very different. The use of ‘shall’ and ‘at least’ in Article 27 is very prescriptive and is not in keeping with the approach chosen by the co-legislators. We therefore request that the text be amended to make clear that obliged entities may tailor the measures they take, in accordance with the risk-based approach.

Requirement to verify the accuracy of the information for why the transaction was intended or conducted

Article 27 (a) draft RTS states that the additional information obliged entities obtain on the reasons for the intended or performed transactions and their consistency with the business relationship shall enable them to ‘verify the accuracy of the information for why the transaction was intended or conducted including the legitimacy of its intended outcome’.

Clarity of expectations and terms

It is unclear how obliged entities should validate the ‘customer’s turnover’, or whether ‘assets representing higher risks’ (both in Article 27 (b) draft RTS) is intended to mean assets domiciled in or coming from high risk third countries. We request that the RTS clarify the intended meaning and expectations related to and arising from these terms.

We also note the use of the term ‘intermediaries’ in Article 27 (c) draft RTS. We request that the EBA clarify whether this term is intended to refer to transaction execution, and thus to payment service providers (which are not always known and not relevant for ML/TF), or to intermediaries in the broader economic sense.

Requirement to assess ‘legitimacy’

Article 27 (a) draft RTS suggests that obliged entities should verify the ‘legitimacy of [a transaction’s] intended outcome’. Article 27 (c) draft RTS suggests that obliged entities should verify ‘the legitimacy of the parties involved’.

An activity may be lawful or unlawful, and obliged entities rightfully look for evidence of any activity that may be unlawful. It is not however for obliged entities to take a view on whether a transaction is ‘legitimate’. We therefore request that the word be removed, or amended (perhaps to ‘legality’ or ‘lawfulness’), to clarify the EBA’s intentions.

Requirement to obtain a deeper understanding – potential clash with tipping-off prohibition

The requirement in Article 27 (d) draft RTS to obtain a deeper understanding of the customer or the beneficial owner, including of relatives or close associates, is unlikely to be relevant in the wholesale context. Any outreach to this end could also serve as a warning – and thus risk breaching the tipping off prohibition.

If this requirement is taken forward, we request that the RTS clarify that wholesale entities should proceed according to the risk-based approach, and explain how obliged entities may comply with the provision without breaking the tipping-off prohibition.

Suggested alternative

We propose alternative text for Article 27 to set out requirements more in keeping with the risk-based approach and which take into account that what is complex or unusual depends on the particular circumstances of the obliged entity, the customer, and the situation at hand. This reads:

Article 27 – Additional information or assessment on the reasons for the intended or performed transactions and their consistency with the business relationship.

The additional information obliged entities obtain on the reasons for the intended or performed transactions and their consistency with the business relationship, in accordance with Article 34(4) point (d) of Regulation (EU) 2024/1624 shall enable the obliged entity to:

determine the transaction activity and whether this activity is consistent with the expected behaviour for this customer or category of customers
determine whether transactions that are assessed by the obliged entity to be complex or unusually large follow a suspicious pattern without any apparent economic or lawful purpose

Summary of Requests – Article 27

Align with risk-based approach – clarify that obliged entities may tailor enhanced due diligence measures proportionately, rather than apply all ‘shall’ and ‘at least’ requirements in every case.
Reasonable verification standard – replace the strict ‘verify the accuracy’ language with a requirement to take reasonable steps to validate or check plausibility via independent, reliable sources.
Clarification of terms – define expectations for validating ‘customer’s turnover’, explain ‘assets representing higher risks’, and clarify the intended meaning of ‘intermediaries’.
Legitimacy language – remove or amend the word ‘legitimacy’ (e.g., to ‘legality’ or ‘lawfulness’) to avoid obliging entities to judge transaction intent.
Tipping-off risk – clarify how obliged entities, particularly in wholesale contexts, can obtain deeper understanding of customers, relatives, or associates without breaching the tipping-off prohibition.
Alternative drafting – consider adopting alternative AFME’s proposed text that focuses on consistency of transaction activity and identification of complex or unusually large transactions while maintaining the risk-based approach.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 28 – Screening of customers

Alignment with EBA work already produced and implemented

We recommend that the points that the EBA covers in Articles 28 and 29 draft RTS be aligned with existing EBA Guidelines on internal policies, procedures, and controls to ensure the implementation of Union and national restrictive measures under Regulation (EU) 2023/1113 (EBA/GL/2024/15), and the Council of the European Union Best Practices for the effective implementation of restrictive measures (‘EU Best Practices’).

Focus on Relevant Screening

Article 28 draft RTS requires screening of customers and ‘all the entities or persons which own or control such customers’. This could suggest screening all intermediary layers between the UBO and the customer. This would not lead to effective use of scarce resource.

We request that screening be limited to relevant layers, such as the direct shareholder and the ultimate parent entity, or based on a percentage of ownership, such that focus is on entities or persons that ultimately own or control customers. This approach would focus efforts on meaningful control and ownership and would be in keeping with the risk-based approach evident in the Level 1 text.

Summary of Requests – Article 28

Alignment with existing guidelines – recommend aligning Articles 28 and 29 with the EBA Guidelines on internal policies, procedures, and controls under Regulation (EU) 2023/1113 and the Council’s EU Best Practices.
Focus on relevant screening – request limiting screening to relevant layers such as direct shareholders or ultimate parent entities, rather than screening ‘all the entities or persons which own or control such customers’.

Article 29 – Screening requirements

Alignment with EBA work already produced and implemented

Consistency of terms

We note that Recital 3 draft RTS refers to the ‘transcription’ of names, which we interpret to be broad in scope, and that Article 29 (a) draft RTS refers to the ‘transliteration’ of names, which we interpret to refer to the conversion of text from one script to another.

Similarly, Article 29 (a) draft RTS refers to ‘trade names’, whereas Articles 1 and 18 refer to ‘commercial name’ and ‘registered name’.

If particular nuances are intended in this Article, we request that the RTS clarify these.

Clarity on screening requirements

Article 29 (a) draft RTS requires screening of first names, surnames, and date of birth for natural persons. Noting that date of birth is not always included in listings of sanctioned persons, we request that the RTS clarify whether the date of birth should be used in the screening match process, or only in alert management to confirm true hits. We suggest that it may be preferable to remove date of birth from initial screening requirements.

Definition of beneficial ownership

A literal reading of Article 29 (a) (iv) draft RTS may exclude screening of related parties (e.g., directors) other than beneficial owners. We request that the RTS provide a clear definition of ‘beneficial ownership’ in this context which follows the risk-based and targeted screening approach to ensure comprehensive screening and shared understanding between obliged entities and supervisory authorities.

Importance of maintaining acceptability of transliteration

We note that Article 29 (a) (i) and (ii) require names to be screened ‘…in the original and/or transliteration of such data…’. We interpret the use of ‘and/or transliteration’ to mean that transliterated forms can be used for screening and the use of original forms (in non-western scripts) is not required to comply with this Article.

For banks with international clients, the names of customers are frequently written in non-Latin scripts in the native language. In such cases, the banks’ systems record only the Latin transliteration. Different transliteration variants (e.g Aleksey or Aleksej for the Russian name Алексей) are covered by fuzzy logic in the screening process. Furthermore, external list providers such as World-Check or Bloomberg usually provide several transliteration variants to be screened against. If one were to require the screening of customer names in their original literation, an extensive and costly adaptation of the core banking system and an extension of the screening software would be necessary.

Screening customer names in their original literation is therefore neither required nor (given the significant additional efforts and costs) proportionate. As stated above, capturing the customer's name in its transliteration is sufficient to ensure the detection of a sanctioned customer. The capture of different transliteration variants is ensured through fuzzy logic and extended sanctions list delivered by external providers.

In reviewing this Article, we request that the EBA maintain the ability to fulfil the requirement through screening transliterated names and do not amend to require screening solely in the original script.

Alignment of SEPA instant screening with draft RTS

The SEPA Instant Payments Regulation requires payments service providers to undertake immediate and frequent (at least once a day) sanctions screening of customer lists. This does not appear compatible with Article 29 (d) draft RTS, which is more pragmatic and which takes account of technical and organisational realities by requiring screening ‘without undue delay’.

We request that the interpretation of the SEPA Instant Payments Regulation immediate calendar day requirements be further defined to align with the reference to ‘undue delay’ in Article 29 (d) draft RTS to harmonize customer screening requirements and to take account of technical and organisational realities. This can be done via the issuing of a formal FAQ clarifying the interpretation of the SEPA Instant Payments Regulation.

No obligation for UBOs to inform of change of residency / nationality

Article 29 (c) (iii) draft RTS requires that obliged entities screen their customers and beneficial owners regularly, at least in the following situations:

[…]

iii. if significant changes occur in the customer due diligence data of an existing customer, or beneficial owner, such as but not limited to change of name, residence, or nationality or change of business operations.

UBOs (and SMOs) by extension) are under no obligation to inform banks of a change of residency or nationality. This requirement introduces a complexity that is unhelpful. We therefore request that the specific examples cited be removed.

Re-drafting suggestions

Given the points above, we propose that the text be amended as follows:

Article 29 draft RTS (selected)

‘(a)(i). in the case of a natural person: all the first names and surnames, in the original and/or transliteration of such data; and date of birth;

…

(a)(iv). in the case of a legal person: beneficial ownership information, in accordance with Article 51 Regulation (EU) 2024/1624.

…

(c) (iii) if significant changes occur in the customer due diligence data of an existing customer, or beneficial owner, such as but not limited to change of name, residence, or nationality or change of business operations.

(d). ensure the screening as well as the verification is performed using updated targeted financial sanctions lists without undue delay.

Summary of Requests – Article 29

Alignment with existing guidelines – recommend aligning Articles 28 and 29 with the EBA Guidelines on internal policies, procedures, and controls under Regulation (EU) 2023/1113 and the Council’s EU Best Practices.
Consistency of terminology – clarify distinctions between ’transcription’ and ’transliteration’, and harmonise terms like ’trade names’, ’commercial name’, and ’registered name’.
Screening data fields – clarify whether date of birth is required for initial screening or only for alert validation, and consider removing it from the match criteria.
Definition of beneficial ownership – provide a clear, risk-based definition of ‘beneficial ownership’ to ensure related parties (e.g., directors) are appropriately screened.
Transliteration acceptability – confirm that screening transliterated names (using fuzzy logic and multiple variants) satisfies the requirement and that original script screening is not mandatory.
SEPA instant screening alignment – clarify interpretation of the SEPA Instant Payments Regulation’s daily screening requirement in accordance with the ‘undue delay’ standard of Article 29 (d), potentially via a formal FAQ.
Residency/nationality change obligation – remove the examples requiring UBOs/SMOs to be screened after changes of residence or nationality, as UBOs/SMOs have no obligation to inform obliged entities of such changes.
Amend text as per our suggestions.

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 30 – Risk reducing factors

Varying weight to be attributed to factors

We request that the EBA provide clarification as to which of the listed factors can be considered sufficiently consequential when present alone, and which should be combined with others.

For the factors listed, we make the following comments:

we suggest either that this should be considered in combination with a rule guaranteeing the non-accumulation of transactions, or at least, that that this should not be considered as sufficient when present as a single factor

[no comment]

it is unclear how the absence of charge is thought to lower the risk.

this should not be considered as sufficient when present as a single factor

this should not be considered as sufficient when present as a single factor

there is no incentive to have an exemption after the KYC has already been completed

this should not be considered as sufficient when present as a single factor (consider for example the risk posed by an instrument with a coupon with a very high value and a time limit)

this should not be considered as sufficient when present as a single factor

there is no incentive to have an exemption after the KYC has already been completed

if electronic money is created, it will only be valid at EU level. Inconsistent under the exemption

this should not be considered as sufficient when present as a single factor.

Summary of Requests – Article 30

Clarify which of the listed factors are consequential when present alone, and which should be combined with others.

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 31 – Electronic identification means and relevant qualified trust services

Clarification regarding use of electronic means in a face-to-face context

Electronic identification means can also be used for the verification of the customer in a face-to-face context. We request that this be made explicit in this article.

Summary of Requests – Article 31

Clarify electronic identification means can also be used in a face-to-face context.

Question 1: Do you any have comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches sets out in Article 1 of the draft RTS? If so, please explain your reasoning.

We do not submit a response to this question.

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches sets out in Article 2 of the draft RTS? If so, please explain your reasoning.

We do not submit a response to this question.

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

Article 3 (a) draft RTS states that the level of pecuniary sanctions shall increase in situations where (inter alia) the relevant person ‘did not disclose to the supervisor anything the supervisor would have reasonably expected’. This is potentially very far reaching, and risks being defined ex post. We request that the EBA or AMLA provide guidance as to what a supervisor may reasonably expect, the better to ensure that obliged entities make appropriate and timely disclosures.

Certain legal advisors have highlighted certain criteria in Articles 3 and 4 (‘did not disclose to the supervisor anything the supervisor would have reasonably expected’ and ‘whether the natural or legal person has quickly and effectively brought the complete breach to the supervisor’s attention’) and raised questions as to how these criteria will interact with the nemo tenetur protection against self-incrimination. For their part, AFME members are accustomed to pro-active disclosure requirements as set out in a variety of relevant financial services legislation and regulation and will continue to fulfil what is required of them.

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

We do not submit a response to this question.

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

We do not submit a response to this question.

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

We do not submit a response to this question.

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

We do not submit a response to this question.

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

We note that entities in the non-financial sector – which may be large firms within their sector – often serve as gatekeepers to the financial system. Not being specialised in financial services, their AML/CFT systems and controls may on occasion be weaker than equivalently-sized financial sector firms.

With this in mind, we underline that risk does not sit solely or even always predominantly with financial sector actors. Non-financial sector firms may introduce vulnerabilities for the financial sector if insufficient attention is focused on them. With this in mind, we encourage the EBA to give careful consideration to the non-financial sector, the better to foster a safer and cleaner financial environment and to advance the fight against financial crime.

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the naturals persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

We do not submit a response to this question.

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

We do not submit a response to this question.

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

We do not submit a response to this question.

Name of the organization

Association of Financial Markets in Europe (AFME)