Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
The approach proposed by EBA should ensure that the cost of compliance with the new requirements does not exceed what is strictly necessary to achieve the objective of ensuring consistent AML/CFT risk assessment methods in all member states. With regard to reporting obligations for obliged entities, it should be noted that – regardless of whether they follow a fully harmonised or only partially harmonised approach – they represent a significant bureaucratic burden, especially given that obliged entities already carry out regular business-wide risk assessments under current AML obligations. Any change to supervisory authorities’ data collection questionnaire requires insurers to make considerable efforts to be able to provide the data requested. Even a minor change in an indicator can entail significant costs and delays in upgrading internal tools. Against this background, only the data collection exercises that appear inevitable for supervisory purposes should be carried out. Additional data exercises, particularly for the life insurance sector and related to life insurance products with low AML risks, often yield limited added value.
The EU Commission has also made it a priority to reduce the burdens associated with reporting obligations for companies by 25 %. Should a fully harmonised reporting obligation be pursued, any new harmonised reporting obligation should build on existing practices and avoid increasing the volume of data collection, unless clearly justified by supervisory needs. Similarly, public authorities should make maximum use of data already available to them and should measure the impact of any new data request, minimising these new requests as much as possible.
Any new harmonised reporting obligation should build on existing practices and avoid increasing the volume of data collection, unless clearly justified by supervisory needs.
3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?
The volume of data listed in Annex I is very large and the granularity of the questions is very high.
Therefore, the provision of certain data could prove to be difficult, such as:
- Number of investors by country (for AMCs)
- Total value of investments (EUR) by country (for AMCs)
- Number of legal entities with complex structures
Some indicators that are common to the financial sector as a whole are not always adapted to the insurance sector. Examples:
- Number of walk-in customers
- Number of occasional transactions carried out by walk-in customers
In general, we would like to refer to the testing exercise which is currently done by EBA and NCAs. The results with regard to the availability of data points should be considered when selecting the data points in Annex I for life insurance companies.
Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
The relevant risk indicators of obliged entities from the insurance sector are not subject to material change to an extent which would justify an annual review. In addition, many life insurance products such as pension products, pure risk life insurance products, etc. regularly qualify for low AML risk. We suggest turning around the rule-exception relationship, e.g. by imposing a regular review frequency of three years and only requiring an ad-hoc review of the risk profile if the incident-driven criteria set out in Article 5(6) of the draft RTS are met.
Moreover, the timetable for implementation of the first risk assessment and classification of institutions subject to AMLD6 is as follows:
- Drafting of the RTS pursuant to Article 40(2) of AMLD6 by 10 July 2026, at the latest,
- Entry into force of the RTS on the 20th day following publication in the OJEU,
- Supervisors must carry out the first assessment and classification of inherent and residual risks no later than 9 months after the RTS come into force.
Insurers will need to adapt their IT tools to enable them to collect the new data required for this assessment. However, it will not be possible to start working on tool upgrades until the list of data to be collected has been fixed, i.e. until the text has been published in the OJEU – by July 2026 at the latest. The supervisor will then have a maximum of 9 months to assess and classify risks. It is impossible for insurers to be able to upgrade their IT tools to meet the new RTS requirements in such a short timeframe. IT projects are costly and time-consuming for companies and need to be anticipated sufficiently in advance to allow for a budget estimation and validation phase by management, and a technical implementation phase.
The timeframe set out in the RTS should therefore be adapted to take into account the budgetary and technical constraints of companies subject to the requirements. A transition period for the first data collection exercise could be implemented, during which reporting companies would have the option of not answering certain questions relating to new data if they are not in a position to do so.
Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.
The quantitative criteria imposed in Article 5(3)(b) iii of the draft RTS do not reflect the reality of the insurance sector. We are not aware of a single obliged entity exclusively distributing contracts or products that cannot be redeemed, contracts or products that insure a lender against the death of a borrower or contracts or products of which the annual premium does not exceed EUR 1,000 or of which the unique premium does not exceed EUR 2,500. If such an entity existed, it would almost inevitably have a low risk profile at inception and qualify for a reduced review frequency under Article 5(3)(d) of the draft RTS.
The quantitative criteria imposed in Article 5(3)(b) iii of the draft RTS do not reflect the reality of the insurance sector and should be amended.
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
The requirements set out in Section I regarding the information to be collected for identification and verification purposes are excessive.
In recital 8 it is stated that “Obtaining beneficial owner information for all customers that are not natural persons is essential for complying with anti-money laundering and countering the financing of terrorism (AML/CFT) requirements and with targeted financial sanctions obligations. For this reason, consultation of the central registers for information on the beneficial owners is necessary but not enough to fulfil the verification requirements.” Given the purpose of the central registers, it should be ensured that the information included in the register is complete, correct and up-to-date. Obliged entities should be allowed to rely on the information from the register without having the duty of verification, especially in low-risk situations.
The requirement in Article 1 regarding the legal entity’s commercial name should be deleted. Article 22(1)(b) point (i) of the AMLR only requires obliged entities to obtain the “legal form and name of the legal entity”. The obligation to obtain the commercial name if it differs from the registered name, would go further than a mere interpretation and add an additional identification obligation to the AMLR. Moreover, it could also be difficult to verify whether the obtained (commercial) name is accurate.
There should be a clarification in Article 3 that “place of birth” means “country of birth”. The definition comprising also the city of birth is excessive since the city of birth is not a risk factor at all.
The provisions of Article 5 mean that driving licenses will no longer be able to be used as ID documents (although they are commonly used in several member states as ID documents), as it is stipulated that ID documents must contain the nationality. We request that the requirement “nationality” be removed from the list of information that ID documents must contain. Furthermore, we do not see any added value in the mandatory indication of nationality on the ID document because an ID document only proves one nationality and not several that a customer might have.
Article 5(5), in conjunction with Article 22(6) of AMLR, requires obliged entities to obtain from customers and from any person purporting to act on their behalf for the purpose of verifying the identity of this person either an original identity document/passport or equivalent or a certified copy thereof. Recital 5 of the draft RTS outlines the reliable and independent sources of information which obliged entities should consider as part of their due diligence measures for customers that are not natural persons, including copies of official/statutory documents, etc., that are certified by an independent professional or a public authority. However, there are no similar provisions/clarifications in relation to natural persons and which authorities/independent professionals would satisfy the requirement to certify copies of an identity document/passport. It is important to consider that the requirement for a certification of a copy of an identity document/passport would incur costs for customers. Apart from the negative customer experience, certified ID-copies would significantly disrupt the whole (automated) onboarding-process of standard customers. So far, a certification of an ID-copy is completely unusual in providing standard financial services, like opening a bank account or issuing a life insurance policy. A general requirement of "certification" of a copy would mean a huge step backwards towards manual processes, hardly mitigating any AML/CTF-risk. It should therefore be removed.
On Article 11, we question the legal basis for defining ‘complex structures’ in the RTS, as the AMLR does not introduce such a concept. Should Article 11 be retained, a minimum of more than two layers should be required between the customer and the beneficial owner to define complexity. Regarding Article 11(1)(b), if it is maintained, it should be clarified that ‘different jurisdictions’ refers specifically to jurisdictions outside the EU/EEA, to avoid unnecessary classification of legitimate EU cross-border structures as complex. However, we would support the deletion of Article 11 altogether, given the absence of a legal mandate to impose additional CDD requirements for so-called complex structures.
- Obliged entities should be allowed to rely on the information from the register without having the duty of verification, especially in low risk situations.
- The requirement regarding the legal entity’s commercial name should be deleted.
- There should be a clarification that “place of birth” means “country of birth”.
- The requirement “nationality” should be removed from the list of information that ID documents must contain.
- The requirement for a certification of a copy of an identity document/passport should be removed from Article 5(5).
- The definition of “complex structures” should be deleted or at least amended.
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Section 2 sets out requirements in order to identify and understand the purpose and intended nature of the business relationship or the occasional transaction.
However, Articles 15 and 16 do not reflect the business model of life insurance. Life insurance is based on a comprehensive contractual agreement. The amount and frequency of the customer's premium payments and the terms of the contract are set out in the contract. It is not an account where funds flow through to other recipients.
Article 15(c) of the draft RTS requires obliged entities to determine whether the customers have additional business relationships with the obliged entity or its wider group, and the extent to which that influences the obliged entity’s understanding of the customers and their source of funds. We would like to point out that Article 20 (1) (c) AMLR does not provide a basis for such a group-wide requirement. Although the measures mentioned in Article 15 shall be taken “risk-sensitive”, there is a great concern that this provision may be interpreted widely.
Currently according to the Austrian AML law, entities within a group are only obliged to share information within the group about customers who were reported to FIUs. A general requirement to share or obtain group-wide information about any customer’s insurance contracts would be massively excessive, not only from the perspective of a risk-based approach but also from the perspective of data protection. Each insurance company within a group is a controller within the meaning of GDPR, and as a basic GDPR rule, customer data and data on insurance contracts is available only for the respective controller. Companies within a group often use different IT-systems which are strictly separated in terms of data protection, IT security, access rights etc., so there is no central “overview” of a customer’s business relationships in a group because this would violate the very basic principles of GDPR. A general requirement for collecting information about a customer’s business relationships from all companies within a group would not only be massively excessive as mentioned above, but would also create enormous difficulties and expenses with regard to the IT systems involved. Therefore, the wording “and its wider group” in this provision should be deleted, i.e. the provision should only apply to business relationships of the obliged entity as provided by Article 20 (1) (c) AMLR.
Composite insurers are active not only in the life insurance sector but also in non-life insurance sector. However, having information about additional business relationships of customers in the non-life sector does not provide relevant insights for obliged entities to better understand customers and their source of funds. In addition, there are legal restrictions to access data from other lines of business within an insurance company. We suggest restricting the inquiry to additional business relationships with the obliged entity that are subject to AML requirements.
Article 25 AMLR requires obliged entities to obtain information on the purpose and intended nature of a business relationship or occasional transaction only if considered necessary. This should be reflected in Article 16 of the draft RTS as well, as it may not be necessary for insurers to collect additional information on the purpose and intended nature of the business relationship under Article 25 AMLR for the following reasons: Insurance companies are required by existing legislation (e.g. IDD), prior to the conclusion of the contract, to collect information about and evaluate the customers’ demands and needs. In addition, in the case of an insurance-based investment product, an appropriateness or suitability test is required and the policyholder's knowledge and experience, financial circumstances, risk tolerance, and loss-bearing capacity are evaluated. In the case of many life insurance products, the purpose and intended nature of the business relationship are self-explanatory (e.g. pension provision, biometric risk coverage, etc.).
- Article 15 a) and b) should be amended in order to reflect the business model of life insurance.
- The wording “and its wider group” in Article 15 c) should be deleted, i.e. the provision should only apply to business relationships of the obliged entity as provided by Article 20 (1) (c) AMLR and only to business relationships that are subject to AML requirements.
- Article 16 should specify that, as provided under Article 25 AMLR, information on the purpose and intended nature of a business relationship or occasional transaction should be collected by obliged entities only if necessary in order to reflect the business model of life insurance.
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 18: In order to implement a proportional and risk-based approach, the minimum information to be collected for the customer identification should not be specified in detail. In particular, information on place of birth and nationality should not be explicitly required in situations of low risk. For legal entities specifically, much of the information listed is currently not collected and would require the development of new tools, generating new costs. Moreover, trade names can change; the only relevant name to be collected should be the one mentioned in the registration register.
Article 19: The identification and verification of beneficial owners and senior managing officials can be administratively very burdensome for both customers/companies and obliged entities. We therefore welcome the EBA’s proposal to introduce a simpler approach in low-risk situations. It is a good step forward to allow, in low-risk situations, a simple confirmation of the adequate, accurate and up-to-date nature of the information available in the register (instead of requiring the obliged entities to systematically request the same information that is already available in the register from companies). Nevertheless, requiring double-checking to identify and verify the beneficial owner and managing officials in low-risk situations seems disproportionate to the risk involved and will have an impact in terms of cost and efficiency. Article 19 should be amended to implement a risk-based approach.
- In order to implement a proportional and risk-based approach, the minimum information to be collected for the customer identification should not be specified in detail in Article 18.
- Article 19 should be amended to implement a risk-based approach.
Sector specific simplified measures for the insurance sector:
The ML / TF risk in the life insurance sector is generally low for the following reasons:
- Life insurance is based on a comprehensive contractual agreement. The amount and frequency of premium payments, additional payments, benefits, and surrenders, as well as the term of the contract, are specified in the contract.
- Life insurance contracts typically have a term of several decades.
- Payments are generally made via bank accounts (often by direct debit), which are also subject to comprehensive provisions to prevent ML/TF, and not in cash.
- Payouts are made upon the occurrence of the insured event (survival or death). Prior to payout, the contractually specified beneficiaries are checked according to the existing legislation.
- During the term of the contract, no payments are made to the policyholder, except in the case of (lifetime) pension insurance. In the case of single-premium insurance products, no further payments are made by the policyholder. A life insurance contract is not comparable to an account on which transactions with different objectives and purposes take place.
- Early surrender is possible under insurance law, but may result in losses, particularly in the early years, due to the business model. In addition, in Austria, early termination of single-premium products may result in significant tax disadvantages.
- The average life insurance premium per capita per year in Austria was € 562 in 2023.
- In the case of many life insurance products, the purpose and intended nature of the business relationship are self-explanatory: e.g. pension provision, biometric risk coverage, etc.
- The business model, legal structure, and the self-explanatory purpose of life insurance products show that life insurance contracts are only suitable for ML/TF purposes to a limited extent.
For the insurance sector, it should be explicitly stated in the RTS that sector specific simplified due diligence measures might be applied at least for the following life insurance product types:
- Pure risk life insurance products aim solely at providing protection against the risk of a certain event, such as death. These products only pay out against a pre-defined event (e.g. death) and have no investment element. In addition, premiums are usually low and determined by the insurer. That is why they are considered as low risk for ML/TF.
- Occupational pension products: Occupational pension products are subject to a comprehensive legal and regulatory framework and are based on entitlements under employment law. The AML / TF risk by legal entities and their beneficial owners can be considered to be non-existent to very low for the occupational pension products. This is generally due to the clear purpose of the insurance benefits (company pension scheme, financing of statutory severance entitlements, etc.), extensive statutory documentation requirements for cash flows and the specific legal requirements for these products. The source of funds for premium payments to the insurance company is based on the business activities of the legal entity. In addition, there are also limits on the amounts that can be paid into certain occupational pension schemes. In Austria, in the case of the occupational group life insurance (BKV), for example, the employer can pay a maximum of up to 10 % of total wages and salaries into either a pension fund and/or an occupational group life insurance. In the context of the Austrian “Zukunftssicherung according to Article 3 para. 1 no. 15 lit. a Austrian Income Tax Act”, the contributions per employee and per year may not exceed EUR 300(!). The premium payments made by the employer for the employee are nonlapsable.
- Private pension product: The state-subsidized pension provision in accordance with Article 108g et seq. Austrian Income Tax Act has a precisely defined legal framework with legally limited premium payments as well as a clearly defined purpose, conditions and beneficiaries.
- Life insurance contracts with low premium payments: already to date, simplified due diligence measures can be applied to life insurance contracts with a premium volume up to EUR 1,200 per year for regular premium payments and up to EUR 2,500 for a single premium payment in accordance with the current legal provisions on the AML / TF prevention.
Simplified due diligence measures in the insurance sector:
For customers who invest exclusively in life insurance products for which simplified due diligence measures can be applied due to the product characteristics, a balanced consideration of the risk factors should be possible. If the product characteristics of a life insurance product result in a low ML/TF risk, it should be possible to give priority to product-specific over customer-specific risk factors (e.g. PEP characteristics) when assessing the risk.
The measures in Article 22 relating to the regular updating of identification data for low-risk customers seem disproportionate, especially for natural persons (in view of the data concerned, which, barring exceptional circumstances, is not intended to evolve over time). These measures do not follow a risk-based approach and will have an impact in terms of cost and efficiency, consuming means and resources that could be put to better use. Article 26(2) of the AMLR obliges insurers to update customer information every year or every 5 years depending on the risk, whereas Article 33(1) of the AMLR allows the frequency of customer information updates to be reduced for business relationships presenting a low degree of risk. Carrying out a customer information update every year or even every 5 years makes little sense for low-risk life insurance contracts (see list above). Such unnecessary updating of customers’ information will be burdensome for the insurance company as well as for the customer. Insurance companies do not have regular contacts with their customers for long-lasting low-risk life insurance products.
Ideally it should be possible to proceed to an update of customer information on an "event-driven" basis (e.g. in the event of risk-relevant contract changes), or prior to payment of the insurance benefit to the beneficiary. The insurer only pays benefits in the event of an insured event or at the end of the contract. Life insurance products are not comparable with other financial products that involve a large number of transactions (in unpredictable numbers and amounts).
In addition, in the case of single premiums, it must be taken into account that periodic updating of customer data / source of funds does not add any value at all, as this is only relevant at the time of the payment of the single premium. This also applies to life insurance policies that are premium-free. As the customer no longer pays any premiums due to the lack of an obligation to pay premiums, the source of funds no longer plays a role here either, meaning that there should be no obligation to update customer data in this regard.
In any case, it should be possible to go beyond the period of 5 years for low-risk situations. According to Article 28(1) of the AMLR, AMLA shall develop draft regulatory standards specifying the type of simplified due diligence measures which obliged entities may apply in situations of lower risk pursuant to Article 33(1) of the AMLR. In this respect, Recital 16 proposed by EBA is extremely worrying. It states that, when reducing the frequency of customer information updates for low-risk situations, the maximum period of 5 years may not be exceeded. For life insurance products, such as pension policies which can last for more than 40 years with very limited customer contact, an update of customers’ information every five years is disproportionate. Such an update should only be triggered on an event-driven basis, as previously explained. Therefore, Recital 16 of the draft RTS should be amended by removing the following part of the second sentence: “without exceeding the maximum period provided in point (b) of Article 26(2) of the Regulation”. This would allow obliged entities to go beyond the current maximum 5-year period for customers’ information update.
Alternatively, if recital 16 cannot be amended as suggested above, it should be clarified that the suggested 5-year period for customers’ information update should not be considered as the mandatory maximum for the insurance industry specifically. For the reasons explained above, there should be sector-specific simplified due diligence measures specifying that for low-risk customers in the insurance sector an update should be possible on an event-driven basis (instead of periodic updates).
Furthermore, as it is clarified in the AMLR, insurers do not have the ability to unilaterally terminate an insurance contract. The requirement to regularly (every one or five year(s)) update the customer's information is not compatible with long-lasting low-risk life insurance contracts (as highlighted above) and may put insurance companies in difficult situations if they are neither able to update such information due to the unresponsiveness of a customer, nor able to terminate the contract. Therefore, in case customers do not respond, it should be clarified in the RTS that customer data should be updated before the payout of benefits at the latest.
Article 23: In the case of many life insurance products, the purpose and intended nature of the business relationship are self-explanatory. Therefore, it should be clarified that the assessment of the purpose and intended nature in these low-risk situations may be based on assumptions about how customers normally use the products concerned or be considered self-explanatory from the contractual agreement entered into with the customer. For example, if a customer takes out a risk insurance, the purpose is to insure the customer’s life and the intended nature is the agreed premiums to be paid in accordance with the agreement.
Specific simplified due diligence measures for the life insurance sector should include:
- If the product characteristics of a life insurance product result in a low ML/TF risk, it should be possible to give priority to product-specific over customer-specific risk factors (e.g. PEP characteristics) when assessing the risk.
- There should be sector specific simplified due diligence measures specifying that for low risk customers in the insurance sector an update of customer data should be possible on an event-driven basis (instead of periodic updates) (Article 22).
- In case customers of insurance companies do not respond when data updates are carried out, it should be generally clarified in the RTS that customer data should be updated at the latest before the payout of benefits since insurance companies are not allowed to terminate the contract unilaterally.
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.
There should be sectoral simplified due diligence measures at least for the following life insurance products because of the arguments listed in the answer to question 6:
- Pure risk life insurance
- Occupational pension products
- Private pension products
- Low premium life insurance products
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Articles 24 – 26:
For low-risk life insurance products such as pension insurance products, pure risk life insurances (without any investment elements) etc., enhanced due diligence should not be necessary in relation to politically exposed persons (PEPs) and in third-country situations (see arguments for the low risk in the answer to question 6 regarding section 4).
- Article 24 c): The requirement that information should enable obliged entities to assess the ML/TF risk by obtaining information about the past business activity of the beneficial owner should be deleted. There is no legal requirement in the AMLR, it is not relevant for the current AML / TF risk and it will be difficult to obtain this information from customers.
- Article 25 a) concerns verifying the legitimacy of the destination of funds, and Article 25 b) concerns aspects of transactions passing through an account. As a life insurance contract is not an account where funds flow through from/to third parties, these provisions are not suitable for insurance companies.
- The obligations set out in Article 26, insofar as they also concern the beneficial owner, are excessive. It is the customer (company) who pays the premiums from its business activities, so the beneficial owner’s private income and financial situation are irrelevant for determining whether the premiums are derived from lawful activities. In practice, such requests will create difficulties in customer relations as in many cases the companies will not be able to provide documents from the beneficial owners, especially in group structures where there is no direct contact with the beneficial owners. The wording of this article could be amended to take better account of the risk-based approach, by restricting the reference to the beneficial owners to cases where the obliged entity has reasonable grounds to suspect criminal activity (similar to Article 24 d).
The requirements for additional information set out in Articles 24 – 26 are excessive. In general, they should allow for a risk-based approach and mainly address the customer and not the beneficial owner.
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
With regard to Annex I we would like to submit the following comments:
- Place of birth: see remarks to Article 3
- Resident state: We suggest deleting the resident state from the list of minimum corresponding attributes. The resident state is not a risk factor at all. The risk is derived from the resident country.
Article 32: It is very much welcomed and absolutely necessary that there will be a transition period regarding the application of Article 23 (1) of the AMLR for existing customers. However, the wording in Article 32 is incomplete.
On the one hand, the reference to Article 23 (1) of the AMLR is missing; on the other hand, it should be clarified that the RTS on customer due diligence measures should not apply earlier than the AMLR. Since the application date of the AMLR is the 10th of July 2027, the transition period will end for high-risk customers on the 10th of July 2028, for the other risk classes on the 10th of July 2032, and for low-risk customers in the life insurance sector on an event-driven basis (see answer to question 6).