Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Swedish Fintech Association has the following input on section 1 of the draft RTS:
Regarding article 1(1):
We would suggest that the wording is changed, from:
“In relation to the names and surnames of a natural person as referred to in Article 22(1)(a) point (i) of Regulation (EU) 2024/1624, obliged entities shall obtain all of the customer’s full names and surnames. Obliged entities shall ask the customer to provide at least those names that feature on their id entity document, passport or equivalent”
To:
“In relation to the names and surnames of a natural person as referred to in Article 22(1)(a) point (i) of Regulation (EU) 2024/1624, obliged entities shall obtain all of the customer’s full names and surnames that feature on their identity document, passport or equivalent”.
The reasoning for this is that we believe that mandating that the customer must be asked to provide the information is an unnecessarily detailed rule (in our experience, this type of information can often be fetched from a database, or, where the customer is identified using a solution referred to in article 6.1 of the RTF, from the trust service provider). Requiring that the customer is asked to provide information can lead to less user-friendly services for the customers.
It is also our experience that the rules concerning first and family names are not fully harmonized in the EU, meaning that the same individual may hold different names in different member states, and thus it should be enough to obtain all of the names and surnames used in an identity document, passport or equivalent (presumably the same one that is then used to identify the customer as you would check that the name of the customer and the name of the identified person are identical). If the wording is not changed, it could be costly for the obliged entities since input fields and internal systems/customer databases must be adapted to allow for several differing names for the same customer. If the wording is not changed, it should be clarified how situations with differing names should be handled.
Regarding article 4:
We would suggest that the wording is changed, from:
“For the purposes of article 22(1)(a) point (iii) of Regulation (EU) 2024/1624, obliged entities shall obtain necessary information to satisfy themselves that they know of any other nationalities their customer may hold”
To:
“For the purposes of article 22(1)(a) point (iii) of Regulation (EU) 2024/1624, obliged entities shall obtain necessary information about the customer's nationalities. Such information could be obtained from the customer or through other independent and reliable sources”.
The reasoning for this is that there is not, as far as we are aware, any reliable way to obtain information about the existence of multiple nationalities. Asking the customer is one way but, to allow for flexibility in case a good solution for this is available, it should be considered to also enable the use of other independent and reliable sources. The proposed wording also more closely aligns with the Regulation (EU) 2024/1624 (“the AMLR”) as it uses the term “nationalities” rather than “any other nationalities the customer may have”, the latter which may be construed as having a wider meaning. If the wording of article 4 is not changed, it should be clarified how obliged entities should satisfy themselves that they know of any other nationalities their customer may hold.
Regarding article 5(2):
We would suggest that the wording is changed, from:
“In situations where the customer cannot provide a document that meets the requirements in paragraph 1 of this article for legitimate reason, a document shall be considered equivalent to an identity document or passport if it is issued by a state or public authority and it contains at least all the customer’s names and surnames, place and date of birth, nationality and a facial image of the document holder”.
To:
“In situations where the customer cannot provide a document that meets the requirements in paragraph 1 of this article for legitimate reason, a document shall be considered equivalent to an identity document or passport if it is issued by a state or public authority and it contains at least all the customer’s names and surnames, place of birth (stated in the form used by the issuing state or public authority), date of birth, nationality and a facial image of the document holder”.
The reasoning for this is that in our experience, many common identity documents used in the EU do not meet all the criteria in either article 5(1) or 5(2), in particular in relation to place of birth. In article 3 of the draft RTS, it is highlighted that information on the place of birth as referred to in Article 22(1) (a) point (ii) of Regulation (EU) 2024/1624 shall consist of both the city and the country name. In Sweden, neither Passports nor National ID cards contain information about the country of birth and the place of birth mentioned is not always the actual place of birth but the local (church) parish where the mother of the customer had her registered address at the time of the birth. If the wording is not changed, article 3 should instead be changed to clarify that place of birth should contain info about city (stated in the form used in the birth Member state) and (where available) country name. Alternatively, if the wording is not changed, article 5 should be amended to clarify how obliged entities should proceed in case there is no identity document or passport that is issued by a state or public authority that contains all the required information.
Regarding article 5(4):
We would suggest that the wording is changed, from:
“Obliged entities shall take reasonable steps to understand, when original documents are in a foreign language, their content, including through a certified translation, when deemed necessary”.
To:
“When deemed necessary, obliged entities shall take reasonable steps to understand, when original documents are in a foreign language, their content, including through a translation of sufficient quality for the obliged entity to be able to understand the content”.
The reasoning for this is that headlines in identification documents are typically written in multiple languages (such as the official language of the issuing state or public authority and other EU languages such as English and/or French) so normally there is no need for a translation. Thus, the order of the sentence should be turned around to make it clearer that steps to understand the documents are only needed when deemed necessary. Specifically mentioning a certified translation as a way to understand the content (even though this should only be done when deemed necessary) is, in our opinion, an unnecessarily detailed regulation that could create uncertainty on whether or not an obliged entity that has e.g. employees that are fluent in the foreign language (but who are not certified translators) or access to digital tools that can process translations can use such solutions. We would therefore instead suggest a wording which focuses on the quality of the translation, thus enabling obliged entities to use different methods for translation.
Regarding article 11
It is our assessment that the criteria in article 11(1), in particular article 11(1)(b), will lead to a much higher number of ownership and control structures being classified as complex than what is the case today. When the directive (EU) 2015/849 was implemented into Swedish law, the Swedish regulator wrote in the preparatory works that “complex ownership structures refers inter alia to the existence of a parent company or a subsidiary of the customer that makes it hard to investigate the existence of an ultimate beneficial owner or to complicated ownership structures that do not seem to be commercially motivated (prop. 2016/17:173 p. 513 [our translation from Swedish to English])”.
We believe that there are many ownership structures where there are two or more layers between the customer and the beneficial owner and where the customer and any legal entities present at any of these layers are registered in different jurisdictions that are not particularly complex and do not make it hard to investigate who the ultimate beneficial owner is. We also note that since the AMLR will harmonize the definition of a beneficial owner, it should generally become easier to identify beneficial owners in the future, even in case the customer and any legal entities present at any of these layers are registered in different jurisdictions, at least while all of those jurisdictions are within the EU. It could therefore be questioned if the criteria in article (11)(1)(b) should be amended to only apply in scenarios where the customer and any legal entities present at any of these layers are registered in different jurisdictions, at least one of these jurisdictions being outside of the EU/EEA, to better catch scenarios that are associated with higher risk-levels.
In terms of the actions that will be required in case an ownership and control structure is complex (article 11(2)-11(3)), we have no objections to the proposal in the draft RTS. In fact, we believe that the collection of an omnigram will often be required to determine if the criteria in 11(1) are met, so such a document will most likely be collected either way.
Regarding Article 12
Information on senior managing officials provides for collecting, in relation to senior management, the same information as for beneficial owners. We would like to ask you to consider that, for SMO, there is no collection of Source of Wealth and Source of Funds as this is not applicable.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
Regarding article 6(2) and 6(3)
We would suggest that article 6(3) is removed and that the wording of article 6(2) is changed, from:
“In cases where the solution described in paragraph 1 is not available, or cannot reasonably be expected to be provided, obliged entities shall acquire the customer’s identity document (or equivalent) using remote solutions that meet the conditions set out in paragraphs 3-6 of this Article. Such solutions shall be commensurate to the size, nature and complexity of the obliged entity’s business and its exposure to ML/TF risks”.
To
“As an alternative to the solution described in paragraph 1, obliged entities may acquire the customer’s identity document (or equivalent) using remote solutions that meet the conditions set out in paragraphs 3-5 of this Article. Such solutions shall be commensurate to the size, nature and complexity of the obliged entity’s business and its exposure to ML/TF risks”.
The reasoning for this is that we believe that making the use of the solution in 6(2) dependent on the solution in 6(1) not being available or reasonably expected to be provided will lead to uncertainty in terms of when the solution in 6(2) can be applied. Would the use of the solution in 6(2) e.g. be allowed in a scenario where there is a solution that meets the requirements in 6(1) but it has low availability/limited operating hours, is very expensive to use (for the obliged entity or the customer), is not set up technically in a way that is compatible with the obliged entities services etc.? It also raises questions on timing as the implementation of a new identification solution is often a very time-consuming process for an institute. The process may e.g. require updates of internal policies, updates of the AML/CTF general risk assessment, update of the model used for customer risk classification, vendor assessments, NPAPs, DPIAs etc. so it makes it unclear how fast an obliged entity, that has previously been using a solution under 6(2), would be required to switch to a new solution in case a solution that meets the requirements of 6(1) becomes available.
Long term, we believe that to ensure a level playing field and consistent protection level across the Member States, it is of the uttermost importance to require the usage of e-IDAS compliant solutions. At the same time, taking into account development and implementation timelines of such solutions, as well as the cost attached, flexibility is suggested where obliged entities are given the option to choose between e-IDAS compliant solutions and Article 6 paragraphs 2-6. As the solution providers become more mature the implementation cost is expected to decrease, and the customer expectation is expected to drive a continued shift towards the usage of e-IDAS compliant solutions. With time, and as such solutions become more widely available, we believe that obliged entities will therefore shift to the solutions described in 6(1) but we do not believe that it is realistic that such solutions will be in place in all member states by the time the AMLR enters into force.
In terms of article 6(3) we see no need for why the mode of obtaining consent or recording it must be specifically regulated when using the solution described in 6(2) but not when using the solution in 6(1). As any identification requires processing of the customer’s personal data, the principles of the GDPR must in any case be observed, and we thus see no need for having the specific regulation in article 6(3).
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Regarding Article 17
We agree with the proposal in Article 17.2. It is good to see a harmonization determining that “self-declaration” is not a necessary part of PEP determination.
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Regarding article 21
A majority of fund distributors on the Swedish market apply nominee registration of fund units. In light of this, we see certain practical and legal challenges with a potential requirement to share registers containing information about underlying customers with fund management companies.
These details often constitute sensitive personal data, and any data sharing must therefore be carried out with great caution. There is a significant need for clear frameworks on how such information should be handled, particularly as the technical and organizational capacity to receive and safeguard this type of data may vary between parties.
Furthermore, the data is subject to banking secrecy and therefore cannot be shared without restrictions. There is often no direct contractual relationship between the fund companies and the end customers, which in turn can complicate the assessment of the legal basis as well as the ability to ensure proper handling of personal data in accordance with applicable data protection rules, particularly the GDPR. In addition, bilateral agreements between fund companies and distributors are decreasing, as more are using 'fund platforms' (e.g., MFEX, Allfunds). The proposal would then entail a considerable administrative burden, as separate data processing agreements (DPAs) would need to be entered into individually with each fund company.
In light of this, we propose that the final design of the regulation takes these practical and legal considerations into account, as well as the established distribution model used in countries like Sweden. In our view, future regulation should explicitly allow simplified customer due diligence without requiring sensitive personal data to be shared between the distributor and the fund management company in such cases.
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Regarding Article 24
SweFinTech notes that article 34.4 in AMLR stipulates that in such a case a higher risk is at hand, an obliged entity shall undertake enhanced due diligence measures that may include certain measures as set out in the article. Article 24 of the RTS mandates a minimum level of measures, which follows from the wording, “shall, at least” in the first paragraph. In our view, it is essential to align these provisions to bring clarity to whether the measures are mandatory or optional.
Further, in accordance with article 24 (b) in the proposed requirement, an obliged entity shall obtain additional information on the customer or the beneficial owner that enables the obliged entity to assess the reputation of such.
From the recent legal developments in Sweden, we note that personal integrity is being given increasing leeway when it comes to private individuals. In Sweden, we have both seen that the Data Protection Authority has raised this issue when it comes to third parties providing background check services as well as recent decision coming from the Supreme Court stipulating that there are cases where an individual’s privacy shall prevail. We suggest therefore that a clarification or example is added as to what measures are deemed eligible/sufficient to assess the reputation. For example, it can be specified as follows
“enable the obliged entity to assess the reputation of the customer and the beneficial owner by for example means of adverse media or [similar/ other available means];”
Further, in our view, it is necessary to clarify what is meant by “reputation”. The word “reputation” can be interpreted widely, and we see that there is a risk that this leads to arbitrary judgements by the obliged entities, which in turn may lead to discrimination and off-boarding of customers. The way this provision has been worded, this may mean that an obliged entity may refuse to provide a service to a customer following certain reputational aspects. Given this, we find it necessary to clarify what reputational aspects are to be considered and how.