Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
Drawing up a risk profile for all obliged entities will constitute a considerable challenge for both national competent authorities and undertakings. Therefore, the process must remain manageable and should not occupy the limited resources with onerous data collection and analysis exercises which usually only confirm that obliged enti-ties of the insurance sector are exposed to moderate AML-risk by default. We would also like to note that obliged entities are already required to carry out and regularly update a business wide risk assessment. In order to prevent unnecessary bureaucracy, this risk assessment should be recognized to the extent possible as it may include relevant information to determine the inherent and residual risk profile which does not need to be raised separately from obliged entities.
Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.
We strongly agree with the rule whereby the residual risk can’t be higher than the inherent risk.
3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?
The procedural implementation of the data collection exercise will be a technical challenge and have a considerable impact in terms of cost for obliged insurers. Due to regulatory requirements, the structural governance of any insurance undertaking follows their products respectively their lines of business. This means that the identification of respectively the doublet consolidation on a single customer/policyholder creates tremendous effort. Quite a few of the required data points are currently not gathered or available. Data points related to the customer and data points related to FIU-inquiries are stored in different databases and must be reconciled and evaluated in a completely new database. Apart from that, the significance or meaningfulness of data points related to distribution channels is at least questionable in the era of digitalization.
3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?
Right now, there is no available data related to transaction patterns or legal entities with complex structures. Other data points require more guidance. For instance, it is not clear what “walk-in customers” is supposed to mean. The same is true for customers with “high-risk activities” or -absent a legal definition- data points on “low-risk contracts”. The granularity of data points related to the subcategory “lending” would require establishing new evaluation tools which may end up being disproportionate given the unsolved legal question whether lending by insurers is in the scope of Reg-ulation (EU) 2024/1624.
Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
Article 40 ALMD6 does not impose nor imply an annual review circle for the risk profile of obliged entities by default. Therefore, Article 5 (2) of the Draft RTS is interpreting the Directive inappropriately tight. The relevant risk indicators of obliged entities from the insurance sector are not subject to material change to an extent which would justify an annual review. In addition, life insurance regularly qualifies for medium-low AML-risk. We suggest turning around the rule-exception-relation, e.g. imposing a regular review frequency of three years and only require an ad hoc-review of the risk profile if the incident-driven criteria set out in Article 5 (6) of the draft RTS are met.
Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.
No. The quantitative criteria imposed in Article 5 (3) b) iii of the draft RTS do not reflect the reality of the insurance sector on Germany. The GDV is not aware of a single obliged entity exclusively distributing contracts or products that cannot be redeemed, contracts or products that insure a lender against the death of a borrower or contracts or products the annual premium of which is not above EUR 1,000 respectively the unique premium of which is not above EUR 2,500. If such an entity would exist, it would almost inevitably have a low risk profile at inception and qualify for a reduced review frequency under Article 5 (3) d) of the draft RTS. We suggest deleting Article 5 (3) b) iii of the draft RTS and refrain from any attempt to establish static quantitative metrics or make the extension contingent on certain products.
Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.
We firmly believe that cross-border transactions linked with EEA jurisdictions should be attributed with less geographical risk compared to cross-border transactions linked with third countries. The rationale is obvious: The very purpose of the EU-anti-money laundering package is to ensure a regulatory playing field. This should be reflected in the assessment of the inherent risk profile.
Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
We support the intention to focus on obliged entities with material operations under the freedom to provide services in a certain Member State. While we agree with the proposed threshold, the reference to incoming and outgoing transactions in Article 1 (1) b) of the draft RTS needs to be clarified for obliged life inurers. Annex II (2) (a) of Regu-lation (EU) 2024/1624 identifies the premium as the dominant risk factor for life insurance policies. This should be reflected in Annex I section C. of the draft RTS by clarifying that obliged life insurers meet the materiality threshold referred to in paragraph 1 point b) if they generate premiums worth more than 50.000.000 EUR.
Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.
We strongly believe that the thresholds set in Article 1 of the draft RTS should not be lowered. Doing so would overload the selection process and undermine the objective to subject only the riskiest obliged entities to direct supervision by AMLA.
Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.
Life or annuity insurance contracts with institutional customers as part of pension schemes for retirement benefits of their employees should not be taken into account. These schemes regularly qualify for low AML-risk as the customers/employers do not pursue an own economic interest in the business relationship and contributions are usually generated by way of deduction from employee’s wages.
Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.
Other than the draft RTS under Article 40 (2) AMLD6 to define the risk profile of obliged entities, the selection methodology under this draft RTS does not enable AMLA to increase or decrease the inherent risk score by one category. Though both RTS build on the same methodology, they serve different objectives which may justify denying AMLA any discretion on the outcome. However, bearing in mind that the selection process under this draft RTS is supposed to identify a limited number of the riskiest obliged entities and assuming that the residual risk profile will qualify more obliged entities as candidates for direct supervision, the RTS should enable AMLA to apply a justi-fied downward adjustment to meet this objective.
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 4 of the draft RTS requires obliged entities to obtain the necessary information to satisfy themselves that they know of any other nationalities their customers may hold. It should be clarified that additional investigations are only warranted if obliged entities have a clear reason to believe that the customer may hold more nationalities as indicated by the documents presented by the customer.
We acknowledge that obliged entities need to understand the ownership and control structure of legal entities and legal arrangements. This requirement is already underpinned by Article 10 and applies ir-respective from their complexity. As a result, the legal provisions of Regulation (EU) 2024/1624 do not make any reference to a complex structure of legal entities or legal arrangements nor impose additional CDD-measures if a legal entity or legal arrangement qualifies as com-plex. Therefore, we suggest deleting Article 11 of the draft RTS altogether as we do not see a mandate to define complex structures and impose additional CDD-measures upon such structures. Apart from that, the legal consequence of identifying complex structures in accordance with Article 11 of the draft RTS culminates in obtaining an organigram from the customer. Requesting an organigram is presumably part of the standard procedure in many cases anyway and does not justify requiring obliged entities to establish a costly and time consuming process.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
Article 6 (2) of the draft RTS allows obliged entities to rely on remote solutions other than electronic identification means which meet the requirements of Regulation (EU) No 910/2014 for the purpose of verifying the customer’s identity in a non-face-to-face setting. While we strongly support this option, it should not be contingent on the “reasonable expectation” that an electronic identification cannot be provided by the customer. It should not be the business of obliged entities to challenge the motives of the customer for not accepting eIDAS-compliant verification, nor should obliged entities be compelled to encourage the customer to do so. Apart from that, we believe the safeguards imposed by paragraphs (3)-(6) are sufficient and should be allowed on a permanent basis.
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
Article 8 of the draft RTS is not applicable to obliged insurers as they do not provide a natural or legal person a virtual IBAN for their use. However, we would suggest to also address the ramifications of using a virtual IBAN by customers on the inherent risk of obliged entities accepting payments from a virtual IBAN. Obliged entities cannot distinguish a virtual IBAN from a regular IBAN without proper information. The customer using it could be in a different country than the actual bank account behind the virtual IBAN. So we strongly advise also to impose an obligation on users to inform obliged entities, that the IBAN (to be) used is a virtual one. If the user doesn’t provide this information, the obliged entity should be allowed to deny the (further) use of the virtual IBAN until sufficient information about the actual bank account is provided.
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 15c. of the draft RTS requires obliged entities to determine whether the customer has additional business relationships with the obliged entity or its wider group, and the extent to which that influences the obliged entity’s understanding of the customer and the source of funds. Within insurance groups, there is a legal separation between life insurance activities (subject to AML-requirements) and non-life activities (not subject to AML-requirements) due to regulatory requirements (Article 73 (1) of Directive (EU) 2009/138/EG). Hence, there are legal obstacles for obliged entities to obtain information on additional business relationships of the customer within the group. Moreover, having information about additional business relation relationships of the customer in the non-life sector does not necessarily provide relevant insights for obliged entities to better understand the customer and his source of funds. We suggest deleting or at least restricting the inquiry to additional business relationships that are relevant for AML- purposes.
Article 25 of Regulation (EU) 2024/1624 requires obliged entities to obtain information on the purpose and intended nature of a business relationship or occasional transaction only if considered necessary. This should be reflected in Article 16 of the draft RTS as well.
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 18 of the draft RTS on the customer identification in situations of lower risk just replicates the catalogue of information to be collected is situations of regular risk pursuant to Article 22 (1) of Regulation (EU) 2024/1624 with few exceptions (the national identification number and the usual place of residence for natural persons and the names of the representatives and the collection of either the tax identification number or the legal entity identifier as well as the names of persons holding shares for legal entities). We believe that this approach falls short of the mandate pursuant to Article 28 (1) (a) of Regulation (EU) 2024/1624. We suggest that only the name, surname, date of birth and the address of a natural person and the name, legal form and the address of the registered office of a legal entity should be collected at a minimum, while the other information set out in Article 22 (1) of Regulation (EU) 2024/1624 should only be collected if considered necessary by the obliged entity under a risk-based approach.
Furthermore, the scope of Article 18 of the draft RTS only covers the identification but does not address simplified measures to verify the customer’s identity. Regarding the beneficial owner or senior managing officials it is quite the other way around: While Article 18 of the draft RTS remains silent on the information and data to be collected to identify them, Article 19 of the draft RTS only allows for simplified measures to verify their identity. We consider this approach hardly comprehensible. We suggest extending the scope of Article 18 of the draft RTS to beneficial owners and senior managing officials and adding simplified measures to verify the identity of the customer, any person purporting to act on behalf of the customer and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted to the scope of Article 19 of the draft RTS.
Article 22 of the draft RTS sets out the requirements for reducing the frequency of customer identification updates. We understand that -if the monitoring of the business relationship by the obliged entity is suitable to detect the events described in 22 (1) a.-c. of the draft RTS- the reduction is not limited by a certain period between updates of customer information that shall not be exceeded. We further under-stand that the update period of 5 years mentioned in Article 22 (2) of the draft RTS only refers to the first update of CDD-information in accordance with Regulation (EU) 2024/1624 for existing customers onboarded before the draft RTS entries into force regardless of whether standard, simplified or enhanced CDD-requirements apply. However, Recital 16 of the draft RTS implies that the maximum period of 5 years provided in Article 26 (2) (b) of Regulation (EU) 2024/1624 also applies to customers representing low ML/TF risks. This is neither consistent with Article 22 (1) of the draft RTS nor with Article 33 (1) (b) of Regulation (EU) 2024/1624 and should be revised accordingly. We also suggest clarifying that legal provisions which require obliged entities to correspond with their customers at least on an annual basis may qualify as a monitoring in the sense of Article 22 (1) of the draft RTS.
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.
We suggest amending Section 4 of the draft RTS as follows:
Article xx – Sectoral simplified measures: Life insurance policies for which the premium is low
Life insurance policies with annual premiums of no more than 1.200 EUR qualify as life insurance policies according to Annex II (2) (a) of Regulation (EU) 2024/1624 by default.
Article xx - Sectoral simplified measures: Insurance policies for pen-sion schemes
Where Pension schemes for retirement benefits of employees are op-erated by direct life or annuity insurance contracts between the obliged entity and the employer/customer in accordance with ANNEX II (2) (b) of Regulation (EU) 2024/1624, the obliged entity may fulfil the requirements under Article 20 (1) (a) and (b) and (i) of Regulation (EU) 2024/1624 by
a. obtaining the information pursuant to Article 18 (1) b. and
b. registering the names and surnames of persons purporting to act
on behalf of the customer if their authority can be reliably derived from the circumstances of entering the business relationship.
Once the business relationship is entered in accordance with letters a. and b., each single contract for the benefit of the employees of the customer is concluded within this business relationship. Article 19 does not apply as the business relationship serves the sole benefit of employees.
Regarding the employees/beneficiaries, due diligence requirements set out in Article 47 of Regulation (EU) 2024/1624 do apply. Obliged entities must not retain a copy of the identification document in accordance with Article 77 (1) (a) of Regulation (EU) 2024/1624. When employees maintain the insurance contract following a termination of their employment contract, obliged entities may refrain from consid-ering this as a new business relationship and may continue to treat the existing business relationship as low-risk if
a. the premiums do not exceed the tax-exempt limits,
b. the identity of the employee/customer is verified applying simpli-
fied due diligence measures when the payment becomes due and
c. the obliged entity closely monitors the business relationship and
conducts a new risk assessment if extraordinary events or trans-actions do occur.
Rationale: Pension schemes for retirement benefits of employees op-erated by direct life or annuity insurance contracts between an employer/customer and an obliged insurer qualify for low-risk-business by default (see Annex II (2) (c) of Regulation (EU) 2024/1624).
It is conducted in high volumes and constitutes an essential corner-stone of the retirement benefit system. Therefore, CDD-requirements must be proportionate and take due account of the public interest to promote and ensure sustainable retirement benefit systems. We further suggest amending Section 4 of the draft RTS as follows:
Article xx - Sectoral simplified measures: Life insurance contracts posed as collateral
When the benefits of a life insurance contract are ceded by the customer to another obliged entity pursuant to Article 3 (1) or (2) of Regulation (EU) 2024/1624 as collateral, the obliged entity must not apply due diligence measures on the cessionary as the cession does not qualify as an activity or transaction conducted on behalf of or for the benefit of the other obliged entity.
Rationale: Recital 51 of Regulation (EU) 2024/1624 clarifies that, in the context of customer due diligence, the person for the benefit of whom a transaction or activity is carried out does not refer to the recipient or beneficiary of a transaction carried out by the obliged entity for their customer. The cession is a disposition about the benefits of the life insurance contract by the customer, not different from receiving the payout first and then forwarding it to the lender/other obliged entity. In both cases the benefits of the business relationship/transaction rest with the customer. Apart from that, Article 20 (1) (h) of Regu-lation (EU) 2024/1624 requires obliged entities only to identify and verify natural persons on behalf of or for the benefit of whom an activity or transaction is being conducted.
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Although not related to Section 8, we would like to comment on Article 32 of the draft RTS as follows: Article 32 states that “Article 23 (1) shall apply to already existing customers and new customers to be onboarded after the entry into force of this Regulation. For already existing customers the information referred to in Article 23 (1) shall be updated in a risk-based manner but no later than 5 years after entry into force of this Regulation”. We assume that EBA’s intention is to refer to Article 22 (2) of the draft RTS. This would be in line with Paragraph 43 of the background and rationale-section of the draft RTS which states that the five-year transition period should apply to all business relationships which are not high- ML/TF risk and entered be-fore the RTS enter into force.