Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
General
- (3) ‘the assessment and classification of the inherent and residual risk profile of obliged entities should be conducted on the basis of detailed harmonized information’. There seems to be no obligation on the verification of collected information. Can we limit that to verification while performing actual investigations and adjust the risk profile when data proves out to be recorded wrongly by the obliged entity.
- In the approach specific risks are not included. A specific risk differs from inherent risk because only one or a few obliged entities are affected by them. Specific risks will appear from investigations and an example is given under question 2.
- Due to secrecy law firms are not willing to share detailed information on customers or groups of customers. To make a sufficient risk assessment in our opinion we do not need a lot of detailed information (see also Question 3). We propose to collect data from obliged entities on a need to know basis. This principle has not been set out in the approach.
Specific articles
- 2. Assessment and classification will apply for each obliged entity provided that such obliged entity has commenced its activities at the latest during the year prior to that where the assessment and classification takes place. In our opinion all entities that started activities in the year that data is collected from should be excluded so the assessment is only on data re whole years.
- 2. Combined scores are determined per category with weights between 1 and 5. Is the calculation done by multiplying risk score and weight and then dividing by the total weight? We propose to add the calculation method to the RTS.
- 3. In step 3 an external auditor’s assessment is mentioned. We believe that the supervisor should investigate the quality of the audit (design as well as operation) before adjusting the AML/CFT controls score.
- 5.2 The annual assessment and classification will need to take place before 30 September. Law firms that do not meet this deadline, may be considered as a higher risk and as a result of this can be eligible for more extended supervision.?
- 5.3’ The total number of full-time equivalent employees employed by the obliged entity in the relevant Member State is less than or equal to (5)’. We prefer to adjust this number to ten (10) as this (number) reflects the efficiency of the current risk approach process (described in the ‘Beleidsregel Toezicht 2023’) which means that it not necessary to perform a yearly assessment. It is without doubt that in case of incidents etc. a reconsideration will take place.
- 5.4 ‘Major events or developments in the management and operations of obliged entities occur can significantly affect the ML/TF risks’. Is there any obligation to monitor and register these events and developments and/or guidance how to do this?
Textual remarks
Introduction
- A textual flaw in the introductory words (shaded yellow): “supplementing Directive (EU) No 2024/1640 of the European Parliament and of the Council with regard to regulatory technical standards setting out the benchmarks and methodology for assessing and classifying the inherent and residual risk profile of obliged entities, as well as well as the frequency of its revision”.
- In this RTS two words are used to indicate supervisors: ‘competent authorities’ and ‘supervisors’.
- (4) ‘Firstly, supervisors should assess and classify the inherent risk profile of obliged entities based on a set of indicators aimed at reflecting the level of ML/TF risks to which they are exposed.’ It’s not about the level of risk to which supervisors are exposed but to which obliged entities are exposed.
- (5) ‘different types of risk factors’ are referred to later as ‘categories’. This is not consistent.
Regulation
- 1.1 (1) The risk factors to define inherent risk are in a different order compared to the introduction.
- 1.1 There is no definition given of AML/CFT controls.
- 5. Updates are suggested on inherent risk and residual risk only. Why the AML/CFT controls are not mentioned separately?
- Article 5 – Entry into force should be article 6.
Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.
We do agree that residual risk in most circumstances will be lower or equal to inherent risk. There is enough room build in for adjustments by the supervisor on inherent risk (article 2 paragraph 4) to cover most exceptions.
There is one exception and that is when AML/CFT controls only exist “on paper” and when mitigating measures appear not to be existing and/ or appear to be not or hardly effective. In that case the originally estimated level of inherent risk should be set higher because of the fact that the underlying entity apparently tried to manipulate the level of residual risk, which can be seen as an “extra” risk factor.
See also article 5 Timelines 6.b of RTS 40 in which these thoughts have been provided for.
3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?
Not applicable for supervising law firms
3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?
Not applicable for supervising law firms
3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?
At this point we have a completely different set of data points available which are assembled and gathered from a yearly questionary for each law firm (the so called CCV). The table with data point as set out below is evaluated on a yearly basis and will be evaluated this year taking RTS 40 into account.
NB: It was not possible to upload a picture of the "table" below; if needed we will be more than willingly to send you
the table as a picture / excel - file. Please take this into account as well for the table "Number and size of law firms in the Netherlands at 1 January 2024" below.
Risk assessments law firms the Netherlands
Category Data point
Inherent risk indicators
- Customers / cases Number of cases AML activities
Number of cases re real estate transactions
Number of cases re offshore structures
Number of customers with high risk activities
Number of legal entities with complex structure
2. Services Active in tax law
Active in criminal and civil law
Not specialized in any law area
Combined office with notaries
3. Geographics Number of cliënt in high risk countries
Third party payments to high risk countries
4. Distribution channels Number of new customers onboarded in the previous year by third parties
5. Financial High volume on third party transactions
Law firm with high risk financial position
AML/CFT Controls
- AML Governance structure Compiance officer in place
Audit function in place
Proactive supervision on compliance re AML policy
AML training obligations are met
2. AML Policy & procedures AML risk policy dedicated to the specific law firm
Registration of risk profiles of clients and transactions included in the risk policy.
Number of actual reports of unusual transactions.
- On section A – inherent risk: the numbers of cases we now collect are estimations from law firms themselves and are provided in ranges (i.e. 1-10, 11-50, etc). Are estimations acceptable in the data points? To ask for exact numbers would mean significant changes to CRM systems within medium and small law firms, also meaning high costs.
On section B – AML/CFT Controls
75% of the obliged entities (80% of the law firms already excluded) are small firms with a governance structure that is limited to one lawyer being responsible for AML.Furthermore risk assessment, AML policies and procedures are in most cases based on models / best practices provided by the supervisor. We propose to limit the data collection on AML/CFT controls to the medium and large firms. Small firms will consequently be classified as ‘Poor quality of controls’( which can be adjusted if there appear to be relevant controls).
We define small firms as law firms with 1-9 lawyers active (see table below).
Table: number and size of law firms in the Netherlands at 1 January 2024
Number of lawyers Number of firms
1-9 5.240
10-49 272
50 or more 31
Total 5.543
Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
- The difference in costs is very hard to estimate as it’s mostly the time invested by the obliged entities on filling in questionnaires.
Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.
- Criterium a) entities with less than 5 fte apply. We define law firms as small when less than 10 lawyers (see also question 3c) and the number of other employees are not taken in consideration. We propose to use only the number of lawyers and use 10 instead of 5.
- As written earlier 80% of the law firms are not obliged entities as they do not carry out activities falling within the scope of Regulation (EU) 2024/1624. We propose to check on this also once every three years.
Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.
We agree partially that crossborder transactions with EEA jurisdictions should be assessed differently than transactions with third countries or instance if UK is seen as a EEA jurisdiction. Also jurisdictions like Malta, Luxembourg, Switzerland and Cyprus are considered by us as higher risk countries than Germany or Norway for instance. The reason for this is the history as a tax haven for these countries and our believe that tax evaders are still active in those countries.
Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
No comments, because this article / RTS is not applicable to the Presidents of the local Bar Associations (in the Netherlands) as supervisory authorities on lawyers (non-financial).
Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.
No comments, because this article / RTS is not applicable to the Presidents of the local Bar Associations (in the Netherlands) as supervisory authorities on lawyers (non-financial).
Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.
No comments, because this article / RTS is not applicable to the Presidents of the local Bar Associations (in the Netherlands) as supervisory authorities on lawyers (non-financial).
Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.
No comments, because this article / RTS is not applicable to the Presidents of the local Bar Associations (in the Netherlands) as supervisory authorities on lawyers (non-financial).
Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.
No comments, because this article / RTS is not applicable to the Presidents of the local Bar Associations (in the Netherlands) as supervisory authorities on lawyers (non-financial).
Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
No comments, because this article / RTS is not applicable to the Presidents of the local Bar Associations (in the Netherlands) as supervisory authorities on lawyers (non-financial).
Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.
No comments, because this article / RTS is not applicable to the Presidents of the local Bar Associations (in the Netherlands) as supervisory authorities on lawyers (non-financial).
Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?
No comments, because this article / RTS is not applicable to the Presidents of the local Bar Associations (in the Netherlands) as supervisory authorities on lawyers (non-financial).
Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
No comments, because this article / RTS is not applicable to the Presidents of the local Bar Associations (in the Netherlands) as supervisory authorities on lawyers (non-financial).
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 5.2: in this article it is described that in situations where the customer cannot provide a document that meets the requirements in paragraph 1 a document including a facial image of the document holder will be submitted. In the current Dutch legislation the requirement for such a situation is that a ‘sufficiently reliable means of identification” will be submitted which indicates that a facial image is not required in case this is proportionate to the situation. This process better supports a risk based approach. To summarize: identification should be performed i) in person ii) remote iii) residual option in the way described before.
In article 6.3 it is stated that consent for the remote identification of a client must be recorded. Is it sufficient to record the name of the client and the date of identification or should more information be recorded? What is expected if client does not give consent?
Article11.1.a: can you make more explicit what is meant by “there is a legal arrangement in any of the layers”?
Article 12 (and recital 9): it is useless to request from a SMO a statement regarding source of funds and source of wealth as this has no added value to reduce the risks of ML/TF and will increase the administrative burden.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context?
In article 6.4 of the RTS, sub c is mentioned twice
Article 6.4.e.: the time stamping and storage of the documents and information obtained during the remote identification seems to require additional technical equipment which may be a considerable increase in costs for especially small lawyer firms. Who is allowed to do the timestamping, the lawyer himself or an independent official? Are there more cost efficient alternatives?
Art 6.5 Is it enough to take steps to ascertain the reproduction is reliable or can/should entities do more (an obligation to ascertain)?
Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)?
Yes, but this solution will substantially increase the costs related to verification of customers for law firms. In addition, the remote solutions should also provide sufficient audit trail capabilities in order to execute the supervision in a good and effective manner. Is this enforceable in advance? Is there insight into providers and the associated costs?
Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
The time stamping and storage of the documents and information obtained during the remote identification seems to require additional technical equipment which may be a considerable increase in costs for especially small law firms. Are e-IDAS compliant solutions more cost efficient?
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
Not applicable.
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Art 15.c: also source of funds other parties? In addition, one should be aware that according to current (Dutch) laws it is prohibited for lawyers to include information that are related to non ML/TL sources.
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 17.a: the wording “……..before the establishment of the business relationship or…..” is not consequently used in this RTS.
Article 17.b: can you provide more guidance on the “frequency determined on a risk-based approach”.
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 18 paragraph 2 mentions 'persons on whose behalf or for the benefit of whom...'. Does this description only apply to the UBO or is it intended to be broader or more limited?
Article 21: also applicable to lawyers?
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.
No comments.
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Art 26: we propose to add article 26.1.h.: “any other reliable information from an independent source”.
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Art 29.b: can you please provide a definition of the word “match”?
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Not applicable.
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
No comments.
Question 1: Do you any have comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches sets out in Article 1 of the draft RTS? If so, please explain your reasoning.
The indicator to classify the level of gravity of breaches set out in article 1 under j of the RTS is mainly applicable to financial institutions. The wording of article 1 and article 2 para. 2 of the RTS leaves supervisor on non-financial institutions limited possibilities not to take this indicator into account in their assessment.
Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches sets out in Article 2 of the draft RTS? If so, please explain your reasoning.
No comments.
Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.
No comments.
Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.
No comments.
5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?
No comments.
5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?
No comments.
5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?
No comments.
Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.
All indicators and criteria but the criteria mentioned in article 1 under j of the RTS. This indicator is primary applicable to the financial sector, which has an other position and other system than the non-financial sector, in particular different from supervisors of the legal profession. The activities of a lawyer are different to banktransactions. This should be taken into account.
Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the naturals persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.
No comments.
Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?
No, since article 6 of the RTS leaves room for the provisions stipulated by national law which also contain rules on factors and calculation of the amount of periodic penalty payments.
Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?
No comments.