Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
Regarding the data points on AML/CFT risk, and namely with reference to the Annex 1 “Data Points to be collected for the purpose of the RTS under Article 40(2) of the AMLD and Article 12(7) of the AMLA Regulation”, we think that too many data points are requested and incomprehension as to whether these data points are to be collected for the evaluation of articles 12 of the AMLAR and 40 of the AMLD.
Moreover, it is not clear if these data points are mandatory or optional in order to assess and clarify the risk profile and, namely, which are the consequences in case they are unavailable (if a sanction should be applied or there will be a sort of tolerance).
In addition, we consider that the data categories are not proportionate: most of them are referred to products/services data and only a few data are referred to other risks' categories; in this context, we wish that the weighting will be proportionate with the quantity of data in each category.
Regarding the obliged entity, we note that any room for self-assessment by obliged entity is left; therefore, we think that it could lead to the deletion of all the self-assessment data provided by the risk assessment exercises, including those instituted by the supervisor (e.g. French exercise QLB in the past). In addition, we think that the scope of the obliged entities needs to be clarified: namely, it should be clarified if this provision shall be applied only to entities subject to AML/CFT within a group (in and outside of the European Union) or also to non-subject entities.
Regarding the data points on AML/CFT controls, we consider that there is an excessive focus on quantitative metrics to detriment the detriment of data related to the evaluation of the framework, including in particular the quality of the framework, which could influence the scoring.
Regarding the possibility of adjustment by national supervisors on inherent risks and quality of controls scores, we think that the proposed RTS creates a risk of subjectivity in relation to a methodology based on objective data. Considerations that may justify such adjustment are subject to interpretation.
We believe there is a real risk of unequal treatment between obliged entities depending on the strictness of the national supervisory authority, even though the AML Package was designed with the aim of harmonization. Therefore, we expect supervisory authorities to promptly clarify their position regarding the discretion granted to them in data collection. In this context, we ask whether local regulatory risk assessment exercises are destined to disappear, replaced by this single assessment methodology.
Lastly, concerning the supervisory authorities' assessment, we consider that the end date alone is not sufficient and that a clear time period must be defined for the organization of the obliged entities.
Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.
We agree with the relationship between inherent risk and residual risk proposed by EBA, whereby residual risk can be lower, but never be higher, than inherent risk. Indeed, considering that the residual risk is calculated as follows:
Inherent risk - Control effectiveness = Residual risk,
the consequence is that the residual risk can be lower, but never be higher, than inherent risk.
3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?
Regarding the impact in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term, we think that providing this new set of data in the short, medium and long term would require the mobilization of many full-time employees on this task due to the relevant number of data points, who will not be able to manage other AML/FT obligations. If on one hand, recruitments would therefore have to be expected, on the other hand, the number of staff allocated to the AML/CFT is not expected to increase.
Moreover, an additional workload is anticipated due to exercises or an additional set of data that could be asked for by local supervisory authorities (even within the European Union) and this latter will be particularly challenging for smaller entities with more limited resources and budgets.
3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?
Regarding the data points listed in Annex I to this consultation paper, it should be noted that it is not possible to establish an exhaustive list of unavailable data points. This inventory work is tedious and should be considered as a long-term effort. Moreover, the experience of past risk assessment exercises has already shown that many data points are not available and will require costly and time-consuming IT developments, especially since data that cannot always be centrally collected (e.g. entities abroad with different systems).
3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?
Regarding the possibility of providing the data points listed in Annex I by the non-financial sector, we strongly believe that the data points listed in Annex I are not adapted for the non-financial sector, as mentioned in paragraph no. 6 of section 3.2 of the consultation paper, where it is specified that "The proposed draft RTSs focus on the financial sector".
For this reason, we ask the reason why the EBA proposed the extension of the data points to the non-financial sector considering that the direct supervision applies on credit institutions, financial institutions and groups of credit and financial institutions and given the choice of a common methodology between articles 12 of the AMLAR and 40 of the AMLD.
Lastly, we would like to highlight that the data points listed in Annex I don’t include data about sanctions circumvention, while the data's weighting is based on the assessment of the AML/CFT risks and evasion of targeted financial sanctions conducted by the European Commission. In addition, it should be noted that some data points about the financial sanctions in the section AML/CFT Controls are included even in Category "AML/CFT governance structures". Considering the above, we would like to ask EBA to provide clearer guidance on the inclusion of the financial sanction’s framework in the assessment activity.
Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
Regarding the proposed frequency at which risk profiles would be reviewed, we consider the criteria for reduced frequency review (from every year to every three years), accordingly to paragraph no. 3 of article 5, to be too restrictive. In this regard, we note that:
- the criteria of letter (a) is too low and unsuitable for the payroll sizes of most obliged entities;
- financial institutions will not be affected by out-of-scope activities, making the criteria irrelevant for them.
In addition, regarding the one-year cycle, we think this latter is too short, with little risk of changes in the risk profile and risk of continuous exercise given the quantity of data over such a short period. The one-year cycle could pose problems of articulation with the internal risk assessment exercises, staggered from the classic cycle because of trigger event.
Therefore, we suggest modifying the evaluation cycle and, namely, making the three-year cycle as the main frequency of review for all obliged entities and the annual assessment as possibility of review only in case of material change. In addition, we suggest clarifying the notion of "material change" for the "major events or developments in the management and operations of obliged entities" which can trigger an ad hoc assessment for the three-years cycle.
Regarding the difference in the cost of compliance, we consider that it will be significant. As mentioned in the previous question, we reiterate that the need to return the full data points annually would require the mobilization of many full-time employees on this task, who will not be able to manage other AML/FT obligations. Recruitments would therefore have to be expected, while the number of staff allocated to the LCB/FT is not expected to increase.
Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.
Regarding the reduced frequency, we reiterate our response to the previous question, highlighting that reduced frequency should be considered from another perspective. Specifically, we suggest a three-year review cycle for all entities, with one-year cycle applied in case of material change.
Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.
We believe that being an EEA jurisdiction does not necessarily imply a lower risk. For example, Bulgaria and Croatia are EEA countries but are currently listed on the FATF grey list. Furthermore, it should be noted that others EEA countries have previously appeared on this list (e.g. Hungaria, Malta, Iceland, Liechtenstein). Likewise, not all non-EEA countries are to be considered high-risk or necessarily higher-risk.
Therefore, we suggest adopting a more appropriate approach in order to assess cross-border transactions linked with countries designated in the articles 29,30 and 31 of the AMLR.
Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
First of all, we would like to emphasize that the freedom to provide services is a fundamental principle of European Union Law and this principle doesn’t include the use of thresholds. We believe that introducing thresholds could lead to the possibility of derisking practices that undermine the freedom to provide services. Furthermore, we would like to highlight that the freedom to provide services is characterized by the temporary nature of the activities (in contrast to the freedom of establishment). We note that no temporality criterion is included in article 1; therefore, we suggest incorporating cumulative criteria rather than an alternative criterion to best target the entities most concerned by the freedom to provide services.
Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.
In our view the possibility of lowering the thresholds set in article 1 of the proposed RTS draft would not be relevant for temporary activity. We believe that it would be more effective introducing a risk factor related to the freedom to provide service in high-risk EU countries (e.g. those listed on the FATF List).
Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.
We would like to point out that, in retail banking, legal persons generally present a higher risk than natural persons; in wholesale banking, corporates tend to be riskier than institutional customers, as most of them are regulated entities, which mitigates their risk.
However, we suggest making a distinction between natural persons and legal persons, rather than a distinction between retail or institutional customers.
Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.
We believe that there is an incomprehension regarding whether the data listed in Annex 1 are to be collected for the evaluation of articles 12 of the AMLAR and 40 of the AMLD. In this regard, we refer to page no. 84, where there appears to be a contradiction between two statements: "Data Points to be collected for the purpose of the RTS under Article 40(2) of the AMLD and Article 12(7) of the AMLA Regulation" as title of the Annes 1 and "The data points in this annex are not the same as the indicators supervisors will use to calculate the ML/TF risk of each financial institution".
Considering the above, we support the use of unified methodology to reduce the reporting burden on obliged entities by polling the data.
Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.
Regarding the adjustments of the inherent risk score, we emphasize that the inherent risk score is derived from data points, thus based on objective data.
Adjustment of the score by the national supervisory authority carries a risk of subjectivity.
For this reason, the possibility of adjusting the controls' quality score based on supervisory judgement should not be allowed. In this context, we would like clarification on whether the adjustment can be a downgrade or an upgrade. We recommend exercising great caution in allowing such adjustments.
Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
We believe that the methodology laid down in article 5 places greater emphasis on quantitative data. However, risk is not necessarily correlated with quantity: activities marketed to a small portfolio of clients may be at high risk (ex-private banking).
Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.
Regarding the identification of the group-wide perimeter, we have some doubts about which entities should be included in the group-wide perimeter and, specifically, we ask whether the entities belonging to a non-EU group should be included. Given that, this is a European regulation, we reckon that only the European entities of the group should be concerned.
However, this approach would not reflect the entire intrinsic risk of the group, which may arise from a presence in high-risk countries. In this context, we suggest clarifying the scope of obliged entities to clarify if this applies only to entities subject to AML/CFT within a group or also to non-subject entities. At this end, please see our response to consultation on article 40 of AMLD.
Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?
We believe that a score’s weighting is necessary considering both the relevance of each entity and the risky activities within the entity. The aim is to avoid a dilution of the risk favored by a calculation model with only quantitative criteria. We would like to highlight - as highlighted in our response to question no. 6 - the risk is not necessarily correlated to quantity: small entities may have a higher intrinsic risk than larger entities.
Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
We do not agree with the transitional rules set out in article 6 of this RTS. The exclusion of supervisory assessment and external controls can result in a decrease in the hypothesis of an improvement in the control quality score. More generally, we have several questions regarding the purpose of this transactional rule.
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Please find in the following our comments on the proposal set out in Section 1 of the draft RTS.
Regarding the whereas no. 10 according to which “The identification of SMOs is allowed by Regulation (EU) 2024/1624 only in cases where the obliged entity has been unable to identify beneficial owners having “exhausted all possible means of identification” or where “there are doubts that the persons identified are the beneficial owners”. Finding it difficult to identify the beneficial owner, for example in cases of complex structures, does not amount to such ‘doubts’ and therefore will not provide a sufficient basis for the obliged entity to identify the SMOs instead.”, we believe that the notion of "doubt" shall be specified otherwise article wouldn't be applicable. Therefore, we suggest EBA defining the meaning of doubt.
Regarding article 1 (1) concerning the information to be obtained in relation to names, we understand that there is no need to apply the same for other persons different from the client, as persons purporting to act on behalf of our client, UBOs, directors, etc..
In this context, we think that the RTS should clarify exactly who is caught, the scope of information that is to be obtained, the identification of persons purporting to act on behalf of the customer and of natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted. Further, the proposed RTS should define “persons purporting to act on behalf of a customer” to ensure maximum harmonization and avoid a continuation of the present state where Member States continue to interpret this term differently.
Regarding article 1 (2) concerning the name of a legal entity as referred to in article 22(1)(b) point (i) of Regulation (EU) 2024/1624, we believe that the "commercial name" for legal entities is not indicated in the AMLR. We understand that such information is required in the screening process (articles 28-29). The "commercial name" should be collected "where available" and its lack shouldn't be blocking.
Regarding article 2 concerning the information to be obtained in relation to addresses, we note that there is no indication of a document and therefore we should rely on a self-declaration only; in addition, it should be noted that many details are required for address but without pertinence for ML/TF risk. In this context, we suggest EBA modifying the article making only information mandatory for risk assessment and identification purpose to be required. Otherwise, additional information regarding the address could be intrusive with a risk of GDPR breach and for the client's security.
Regarding article 4 concerning the specification on nationalities, we believe that banks cannot go further on nationalities than information provided by the customer itself; therefore, we would like to ask EBA to confirm that nationalities should be obtained on best-effort, based on information and documentation provided by the customer and on a risk-based approach in particular concerning the information about the several nationalities.
Regarding article 5 concerning the documents for the verification of the identity, it should be noted that many ID documents worldwide do not contain machine-readable zone, security features or biometric data. In this regard, we would like to ask EBA to confirm that in absence of these data (letters e, f, g) on the identification document issued by the country could be a legitimate reason in order to consider a document equivalent to an identity document or passport. Furthermore, we suggest EBA to reword the alternative (2) because place of birth is not systematically indicated in the ID document, including within the EU (e.g., Portuguese ID Card).
Regarding article 6, please see our response provided in the answer to question no. 2.
Regarding article 8, please see our response provided in the answer to question no. 3.
Regarding article 9 concerning the reasonable measures for the verification of the beneficial owner, we believe that in point b. related to the collection of information from other sources, it appears that all the sources are put on the same level without reference to a risk-based approach. Hence, we get references to certified documents and then to public/private records; we suggest adding in point b. the wording "on a risk-based approach", thus a certified document could be used to comply with article 34 of AMLR.
Regarding article 10 related to the understanding of the ownership and control structure of the customer, on a more general comment, we consider that any precise information regarding the ownership structure that doesn't allow to manage the risk shouldn't be an obligation. We already have the obligation to look for a large scope of UBOs including individuals with sufficient shares in a shareholder exercising the control over our client (please, see from article 51 to 54 of the AMLR). Hence, such risk will be managed through the application of those articles. Specifically, in our view, the information required in points b. and c. are disproportionate. For instance, the listing information on shareholders doesn't bring any added value to the ML/TF risk assessment of the client. Moreover, the information on floating shares volume could be very complex to obtain for non-large companies. Regarding the paragraph 2 of the article, it should be noted that it applies to all entities and therefore to non-complex structures too, appearing disproportionate regarding the ML/TF risk generated. It would require an expert team to take position on most files and goes against the risk-based approach.
In this context, we suggest EBA modifying the proposed RTS providing more flexibility and allowing firms to take a risk-based approach (employing reasonable measures) when assessing a customer’s structure and its plausibility and economic rationale. A firm should be able to tailor their assessment based on the customer type, sector, and potential status as a regulated or listed entity. Specifically, we suggest rewording point b. and c. of the paragraph no. 1, while regarding the paragraph 2, we suggest this latter should be deleted in article 10 and moved to article 11; in alternative, we suggest EBA re-drafting the proposed RTS on article 10 (2) in order to require firms to assess whether a structure might have been set up only in order to avoid or reduce the transparency of beneficial ownership with no other likely or possible legitimate justification.
Regarding article 11 concerning the understanding the ownership and control structure of the customer in case of complex structures, we believe that all the large company groups would be impacted. We suggest that the article should precise “unusually complex” to require additional step. This should be studied with article 10 paragraph 2 to characterize the unusual part. In our view, the ‘two plus one’ assessment criteria should be removed and the responsibility should be placed on firms to determine the complexity of the structures taking a risk-based approach. Alternatively, the definition of “complex structures” should be tailored to genuinely higher risk scenarios (e.g., presence of entities incorporated or domiciled in a high-risk jurisdiction), rather than applying (as in the proposed draft) broadly to large institutions. Moreover, while obtaining an organigram from the customer could be one way to assess the customer’s structure, the proposed RTS should be sufficiently flexible and allow firms to draft organisational charts based on client-provided information, with client attestation or on reliable public information. This could address the practical challenges of obtaining organisational charts directly from clients.
Regarding article 12 concerning the information on senior managing officials (“SMOs”), personal data on SMOs could be sensitives and could be a breach with GDPR, with an important security risk for SMOs if their personal address is provided. In this context, we ask EBA whether the company's registered address could be used for the residential address of SMOs. The requirement to treat all SMOs as beneficial owners in the event that no beneficial owners of the customer are identified, and to collect and verify their identity information as if they are a beneficial owner, will be particularly impactful for our wholesale business given the nature of the entities that our wholesale bank services (i.e. legal entities, often multinational corporations, rather than natural persons). The proposed RTS should recognise the difference between SMOs and beneficial owners. As it is not possible to amend the definition of an SMO, which is defined at Level 1, the proposed RTS should be narrowed so that the ID&V requirements only apply to SMOs that have significant control of the entity (i.e., those would have a meaningful influence) and the extent of the ID&V should reflect the customer’s risk.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
Regarding article 6 concerning the verification of the customer in a non-face-to-face context, we believe that the alternatives (provided by the paragraph 2) were not indicated in the AMLR, thus opening broad possibilities for a non-face-to-face identification. In addition, we note that, whilst the proposed RTS refers to “the customer”, article 22(6) of AMLR refers to both “the customer” and “any person purporting to act on their behalf”; therefore, in our view, the EBA should make the relevant proposed RTS clearer in order to specify whether article 6 applies to just customers or both customers and persons purporting to act on behalf of the customer. Furthermore, article 22(6) of AMLR specifies that a customer’s identity can be verified through either electronic means or by utilising identity documents provided by the customer or accessed directly. Obtaining “consent” to proceed with using alternative remote solutions appears beyond the AMLR requirements and will be challenging in the wholesale environment where there may be multiple parties on a customer record.
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
Regarding article 8 concerning the identification and verification of the identity of the natural or legal persons using a virtual iBAN (“vIBAN”), the situation mentioned in the proposed RTS is different than the one described in the AMLR. Indeed, the AMLR covers a situation where a "Bank B" hold an account to which a vIBAN issued by a "Bank A" redirects payments, while the proposed RTS covers a situation where a "Bank C" provides to its client a vIBAN issued by the "Bank A" and that will be used to make payment on an account held by "Bank B".
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Please find in the following our comments on the proposal set out in Section 2 of the draft RTS.
Regarding article 15 concerning the identification of the purpose and intended nature of the business relationship or the occasional transactions, we believe that requirements appear to be overly prescriptive and go beyond the AMLR: indeed, whilst the AMLR requires firms to assess and, as appropriate, obtain information on and understand the purpose and intended nature of the business relationship, the proposed RTS limits the ability of firms to take a risk-based approach. In this context, we reckon that to better reflect the requirements under article 20(1)(c) of AMLR, the opening sentence should be updated to clarify that firms should take a risk-based approach and assess which of the measures, if any, should be taken and to what extent. We would like to ask EBA whether the notion of risk-sensitive measures should be considered equal to the risk-based approach which allows the obliged entities not to collect information systematically.
Regarding article 16 concerning understanding the purpose and intended nature of the business relationship or the occasional transactions, as per the proposed RTS on article 15, the proposed RTS is overly prescriptive, goes beyond the AMLR and limits the ability of firms to take a risk-based approach. We believe that measures cannot be suitable for all customers and sectors (e.g. article 16(c) appears more appropriate in a retail context). The RTS should mirror article 25 of AMLR and provide that any measures should be taken where determined to be necessary. In addition, in our view the application of this article to the occasional transaction seems to be inappropriate due to the lack of customer knowledge and consequently the difficulties collecting information listed. In this context, we keep insisting on asking (i) if the notion of risk-sensitive measures should be considered equal than the risk-based approach which allows the obliged entities not to collect information systematically as already asked for article 16; (ii) in order to avoid any doubt, to replace in any case, risk-sensitive measure with risk-based approach. In addition, we would like to ask EBA making this article more precise, specifying what is the information required for regular business relationships versus information required for occasional transactions and to reword point e. in order to understand which the information is expected for natural persons and those required for legal entities.
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Please find in the following our comments on the proposal set out in Section 3 of the draft RTS.
Regarding article 17 concerning the identification of Politically Exposed Persons, we recommend EBA, for the avoidance of doubt, defining "for the benefit of whom" or deleting this reference.
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Please find in the following our comments on the proposal set out in Section 4 of the draft RTS.
Regarding article 18 concerning the minimum requirement for customer identification in situations of lower risk, we keep insisting on defining "for the benefit of whom" or deleting this reference for the avoidance of doubt as per article 17.
Regarding article 22 concerning the customer identification data updates in low-risk situations, we suggest rewording (a) to mention "material change" rather than any “change”.
Regarding article 23 concerning the minimum information to identify the purpose and intended nature of the business relationship or occasional transaction in low-risk situations, we strongly reckon that information appears to be disproportionate for occasional customers. We suggest EBA making this article more precise by defining the information required for regular business relationships versus information required for occasional transactions.
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.
No comment.
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Please find in the following our comments on the proposal set out in Section 5 of the draft RTS.
Regarding article 24 concerning additional information on the customer and the beneficial owners, we believe that the reference to the customer's past business activities appears to be disproportionate in its application. With reference to the UBO's business activities, this latter seems disproportionate in its application and would not help to manage ML/TF risk. Regarding letter d., we propose to EBA discussing in order to determine if this represents a common practice, asking in addition if there could be a risk of tipping-off or non-compliance with GDPR. In this regard, we suggest EBA deleting both reference to past business activities and to UBOs business activities.
Regarding article 25 concerning the additional information on the intended nature of the business relationship, we would emphasize the consistency of the destination of funds regarding the customer knowledge than the legitimacy.
Regarding article 26 concerning additional information on the source of funds and source of wealth of the customer and of the beneficial owners, we would ask EBA precising that for UBOs this is on a risk-based approach and only the point g.
Regarding article 27 concerning additional information on the reasons for the intended or performed transactions and their consistency with the business relationship, we think that the terms "including the legitimacy of its intended outcome" must be deleted because it is not relevant for the prevention of AML/CFT risk and in contradiction with the principle of non-interference of the bank in customer's affairs. Therefore, we would suggest EBA rewording as such "including the consistency with the relationship or the activity of the customer". In addition, in our view it is difficult to assess the legitimacy of the parties, therefore we suggest EBA rewording as such: "Assess the consistency of the parties involved".
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
No comment.
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Please find in the following our comments on the proposal set out in Section 7 of the draft RTS.
Regarding article 30 concerning the risk-reducing factors, we would like to ask EBA whether these factors should be applied cumulatively. We believe that it is relevant that the supervisory authorities consider the risk alternatively. Consequently, we suggest EBA replacing the terms “the following risks” with "shall consider one or several following risks".
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Please find in the following our comments on the proposal set out in Section 8 of the draft RTS.
Regarding article 32 concerning entry into force, we would like to highlight that the mention "entry into force" is not aligned with article 22 and recital 16 of the proposed RTS which talks about application date. In this regard, we would like to suggest replacing "entry into force" by "application date". Due to the late publication of the RTS expected for the implementation of the single rulebook, it is appropriate to start the five-year period from the date of application of this regulation for all existing customers regardless of the risk profile.
Question 1: Do you any have comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches sets out in Article 1 of the draft RTS? If so, please explain your reasoning.
No comment.
Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches sets out in Article 2 of the draft RTS? If so, please explain your reasoning.
No comment.
Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.
No comment.
Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.
No comment.
5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?
No comment.
5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?
No comment.
5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?
No comment.
Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.
No comment.
Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the naturals persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.
No comment.
Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?
No comment.
Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?
No comment.