Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?
The number of data points proposed—156 for Inherent Risk and 112 for Quality of Controls—is disproportionately high, especially considering the burden this would place on obliged entities (OEs) in terms of cost and operational effort. Data collection on products, services, and transactions will be particularly resource-intensive.
We strongly advocate for a more proportionate, risk-based approach, in line with the Commission’s simplification goals. In this context, timing is critical: with the first assessment expected in Q1 2027 based on 2026 data, it is essential that the final list and definitions of data points be provided as soon as possible. System adaptations and reporting workflows require significant lead time, which makes implementation nearly impossible by 2026 or even 2027.
3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?
Concerning Annex I, Section B – Risk Assessment Sub-Category 2B, the proposed categorisation of customer risk (low, medium-low, medium-high, high) does not reflect all CRA methodologies. The reporting framework should allow flexibility for OEs to map their internal risk categories accordingly.
Moreover, we propose that the data points “Number of customers per ML/TF risk category” (Cluster 2B) and “Number of high-risk customers that are legal entities” (Cluster 3A) be moved from the Controls Section (Section B) to the Inherent Risk Section (Section A), as they pertain to inherent risk.
Clarification is needed for:
- % of contracts (amount) that are not used for low risk contracts (in Section A - Inherent Risk, sub-category Life insurance contracts).
Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
The combined reading of Article 1 of the draft RTS and Annex I, Section C, does not make clear how to determine the total transaction value for the purpose of the thresholds.
In order to calculate the transaction value accurately, clarification is needed as to which transactions count towards the transaction threshold.
Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.
We do not consider it appropriate, efficient, or effective to lower the thresholds, which have to remain at their current level, consistent with the materiality principle stated by the EBA. Lowering the thresholds would merely result in a larger number of obliged entities (OEs) being included in the selection pool, thereby increasing compliance costs for those entities without a realistic likelihood of their being selected.
Furthermore, we believe that lowering the thresholds is not appropriate in the context of temporary activities, which are characteristic of the freedom to provide services. Instead, we recommend introducing a risk-based factor linked to the provision of services in high-risk EU Member States - such as those listed by the FATF - as a more targeted and proportionate approach.
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We support the requirement to collect the names as stated on official identification documents, such as passports or equivalent, as this aligns with established market practice. However, we recommend removing the reference to “all of the customer’s full names and surnames”, as this phrasing introduces ambiguity and may conflict with the minimum standard set out in the RTS, i.e. the name as it appears on the identity document.
We therefore propose amending Article 1(1) to state that “In relation to the names and surnames of a natural person as referred to in Article 22(1)(a) point (i) of Regulation (EU) 2024/1624, obliged entities shall obtain the customer’s full names and surnames as featured on their identity document, passport or equivalent”.
Article 2 specifies the collection of “full country name”, “postal code”, “city”, “street name” and “where available, building number and the apartment number”. While the inclusion of apartment numbers may be relevant in specific cases, we consider the combination of street name and building number to be a sufficiently robust standard for meeting the mandatory address requirement.
Requiring both the city and country of birth to satisfy the 'place of birth' criterion may generate disproportionate compliance costs relative to its limited value in accurately identifying individuals, and for addressing money laundering and terrorist financing overall.
A practical concern arises when identification documents only display the city of birth without specifying the country, raising questions about how obliged entities are expected to verify the country of birth in the absence of supporting documentation such as a birth certificate. For example, cities often exist in more than one country, which could create ambiguity.
Given that the information included on passports and identity documents varies depending on the jurisdiction and whether the customer resides within or outside the EU, the RTS should account for such differences and allow flexibility where specific data points are unavailable.
We therefore propose that Article 3, Section 1 of the RTS require only the country of birth as a minimum, while permitting entities to collect the city of birth at their discretion when it is relevant and feasible.
We do not see how requesting all of a customer's nationalities would enhance customer identification or contribute to combating money laundering and terrorist financing. On the contrary, this requirement would complicate implementation within the customer journey.
The obligation to obtain sufficient information to determine whether a customer holds additional nationalities may entail significant implementation costs. This is because it would require financial institutions to ask targeted questions beyond the information available in standard identification documents, which typically display only one nationality.
Moreover, there is no centralised register to confirm all nationalities an individual may possess, meaning institutions would need to rely entirely on the customer’s self-declaration.
This raises a number of operational uncertainties, for instance, what methods are acceptable for verifying additional nationalities, how extensive such checks must be, and what consequences arise during onboarding. If a client discloses dual nationality, must they present a passport for each? Can the process move forward without documentation for the second nationality, and what if that passport is expired or no longer available?
Moreover, financial institutions will not be notified in the case of a customer subsequently obtaining a new nationality.
The text should be changed to “obliged entities shall ask customers to disclose any other nationalities they may hold”. Moreover, it should also be clarified that “obliged entities will not be held to account for not discovering additional nationalities, where such are not disclosed by the individual, and in the absence of any other source to verify their existence”.
In cases where identity verification relies on physical (paper-based) documents such as passports, it is unclear how obliged entities are expected to confirm the existence of a machine-readable zone (MRZ). Further clarity is also needed on the applicable standards used to define what constitutes a valid MRZ. Additionally, it should be specified whether obliged entities are required to assess the authenticity of the MRZ itself.
The phrase "it contains, where available, biometric data" suggests that identification documents lacking biometric features are permissible in cases where such data is not embedded in the document. This raises the question of whether obliged entities are expected to keep an up-to-date inventory of all identification methods issued by each country and determine, for each case, whether biometric data is included. If so, clarification is needed on the extent of this obligation and how it should be operationalised in practice.
The criteria as set out under paragraphs (e), (f) and (g) appear to be both unclear and excessive (i.e. document containing a ‘machine-readable zone’, ‘security features’ and ‘biometric data’), thereby excluding the use of any alternative document for identity verification.
Furthermore, the cumulative criteria (‘where all of the following conditions are met’), coupled with the apparently non-mandatory wording in paragraph (g) (‘it contains, where available, biometric data’), give rise to confusion.
We suggest either deleting the criteria outlined in paragraphs (e), (f), and (g), or revising the provision to eliminate the cumulative requirement, so that it is not necessary for all the specified conditions to be fulfilled.
A clarification, allowing a broad interpretation, would be welcome as to what is to be considered legitimate in relation to the situation outlined in Article 5(2).
In accordance with Article 5(3), obliged entities are required to “take reasonable steps” to ensure that the documentation obtained for identity verification is authentic and has not been altered. We recommend providing further clarity on the expected obligations through a non-exhaustive list of examples. This would offer useful guidance while preserving the necessary flexibility and avoiding excessive specificity, which could inadvertently aid fraudulent behaviour.
A certified translation of a document's foreign language content is to be obtained when deemed necessary, in accordance with Article 5(4). However, it is not clear when this could be necessary. Moreover, by what standards would a certified translation be qualified? In a situation where an internal translation can be expected to be adequate due to internal resources, would a certified translation be unnecessary?
Article 5(5), by referencing Article 22(6), states that individuals must provide the obliged entity with an original identity document, passport, or an equivalent, or a certified copy thereof. However, it remains unclear what criteria or standards obliged entities should rely on to determine whether a copy qualifies as certified. Requiring certified copies to be attested by a notary, solicitor, or similar authority would create a significant barrier to onboarding and undermine the aim of ensuring a customer journey that is as seamless as possible.
If the use of electronic identities or eIDAS-compliant solutions is only required where such tools are available and their use can be reasonably expected, several questions arise. Not least, which authority will be responsible for determining and publishing whether eIDAS-compliant solutions exist for a given country of issuance? Or, alternatively, will obliged entities be expected to make this determination independently based on their own assessment?
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
We appreciate the statement concerning alternative remote solutions, different from e-IDAS compliant solutions, to verify customers in a non face-to-face context, and appreciate the reference to proportionality and the risk-based approach in applying those alternative solutions.
We support the explicit recognition in the RTS of multiple methods for verifying the identity of natural persons in non-face-to-face scenarios, particularly where appropriate to the level of risk and in the context of low-value, standardised consumer credit products. These should include methods such as:
a) Acceptance of a first payment initiated from an account held in the sole or joint name of the customer with an EEA-regulated credit or financial institution, or with a credit institution located in a third country whose AML/CFT framework is not less robust than that required under Directive (EU) 2015/849; or
b) Use of an account information service provider (as defined under PSD2) to confirm the customer's identity based on verified account ownership and transaction history.
These approaches are effective, traceable, and widely used across the EU. Their inclusion in the RTS would enhance legal certainty, improve customer experience, and facilitate proportional and practical compliance by obliged entities. They should also generally be used alongside a copy of the identity document or passport, in line with good practice.
In this context, we would like to emphasise the importance of maintaining flexibility in light of the relevant market context, particularly regarding the use of secure video identification technologies.
In our opinion, the solutions listed under Article 6 paragraphs 2-6 (as the ones suggested above) provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 and, for this reason, they should not be considered temporary, but permanent and alternative to e-IDAS compliant ones.
Furthermore, we consider it consistent with the risk-based approach for obliged entities to be allowed to implement only some of the alternative remote solutions listed in paragraph 4: OEs have to be able to demonstrate to their competent authority that the remote verification solutions they use protect against identity fraud as effectively as electronic identification means.
From a data protection point of view, anti-money laundering checks are currently carried out to comply with legal obligations to which OEs are subject; this means that specific consent is not required to process customers' personal data for AML purposes (with the exception of processing biometric data, in which case it would be specifically collected).
The nature of the consent that should be requested from customers in the case of remote identification is not clear. Would this consent consist of asking the customer for confirmation that he intends to proceed with that specific identification method? Clarification is needed on this point.
Moreover, the cost of updating IT solutions already in place in order to collect customer consent is very high, and it is not clear why it would be necessary to collect explicit consent for preventing AML/CF risk.
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Consumer credit operations are typical low-risk situations, due to the circumstance that their structure does not encourage the use of illicit money.
We are concerned that the obligation introduced in Article 22, stating the necessity to update the risk profile of all low-risk clients within 5 years after entry into force of the Regulation, appears disproportionate, as well as irrelevant, when applied to low-risk consumer credit products.
These products are generally subject to standard measures such as identity verification, sanctions screening, and PEP checks, which we believe are appropriate and sufficient given the limited risk exposure. Naturally, where there is a suspicion of heightened risk, the financial institution will escalate the customer’s risk classification accordingly and apply enhanced measures. For these products, it should be permitted to update data concerning the risk profile through automated systems without contacting customers.
Updating the risk profile of all low-risk consumer credit clients, by asking them to update pieces of information collected during the onboarding process, is almost impossible for financial institutions granting stand-alone loans (i.e. whose relationship is based only on the loan granted and not, for example, on a bank current account offered by the same financial institution). In these situations, financial institutions face great difficulties in updating the AML/CFT risk profile after the loan has been disbursed, because in most cases clients do not respond to requests for document updates as they do not gain any benefit from answering.
We ask that this obligation not be applied to consumer credit, as it would entail a very high cost for lenders (cost of sending traceable requests, checking feedback, updating addresses to send communications) while the response rate from most customers would be null.
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.
We believe that specific sectoral simplified due diligence measures should be applied to all consumer credit “linked credit agreements”, where the credit agreement is strictly linked to the purchase of a specific product/service (e.g. appliances, vehicles, furniture, energy transition kit, travel, language courses, medical care, etc.) and the loan cannot be used for any other purposes. Moreover, disbursements are made directly to the seller of goods/services, not to the customer. Such products have a low-risk exposure, confirmed by cases highlighted during transaction monitoring and the very low number of operations reported to the Financial Intelligence Office (FIU).