Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates


Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

PayPal broadly supports the suggested approach to create a risk assessment framework for obliged entities across the EU. We believe that an objective assessment of the obliged entity's inherent risk profile, mitigating controls and residual risk profile is an appropriate risk assessment framework.

We further welcome the fact that the methodology takes an entity-first approach, as opposed to assessing sector-wide risk exposure, given significant differences in business models within a sector, as well as the robustness of controls to mitigate risks the obliged entity is exposed to. 

In relation to the proposed methodology, we would like to offer the following further clarification: 

  • We note that in the absence of a methodology for how weights are distributed, the draft risk assessment framework is incomplete.
  • The assessment of AML controls in place should not be considered an exhaustive and closed list of controls. We would advocate for the acknowledgement that additional risk mitigating measures that are not listed specifically can also be taken into account for the final rating of the AML exposure. To that end, we would welcome the explicit ability to expand the list of controls.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

PayPal supports an approach whereby residual risk can be lower, but never be higher, than inherent risk. 

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

NA

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

NA

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

NA

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

Given that the data gathering exercise for the purpose of the risk assessment as laid out in this draft RTS is new, it is difficult to ascertain the exact impact that it will have on obliged entities. We generally agree to a clear and predictable risk assessment frequency, in line with the proposed frequencies (every year or every three years) depending on the risk profile of the obliged entity. We would however call for greater flexibility for national competent authorities to decide on the frequency of the risk assessment updates, based on a thorough understanding of the risk profile, developments in product offer, and mitigating measures. This would alleviate administrative burden for both obliged entities and supervisory authorities in situations where there have been no material changes to the overall risk profile. The criteria for reduced frequency (where an entity is an SME or assessed as low risk) would not support such situations. 

Moreover, we note that the first data gathering exercise under the draft RTS is foreseen to be completed by 9 months after the entry into force of the RTS delegated regulation. We would note that corporate data for such an exercise typically is gathered on a yearly basis, and the timing of the publication of the RTS could influence the point at which most recent data is available. We would thus encourage the Commission to seek to publish the final RTS no later than Q1 2026, to allow for 2026 data to be used as part of the first risk assessment framework. 

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

We call for greater flexibility for national competent authorities to decide on the frequency of the risk assessment updates, based on a thorough understanding of the risk profile, developments in product offer, and mitigating measures. This would alleviate administrative burden for both obliged entities and supervisory authorities in situations where there have been no material changes to the overall risk profile. The criteria for reduced frequency (where an entity is an SME or assessed as low risk) would not support such situations.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

We strongly believe that transactions within the EU single market, within the SEPA payments area, or within a single currency area should be assessed differently to transactions linked with third countries. Such an approach would align with established EU principles, such as the EU single market and passporting of financial services and demonstrate confidence in the effectiveness of the EU’s AML/CFT framework and further support the new AML single rulebook approach. 

Question 1: Do you agree with the thresholds provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

NA

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

NA

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

NA

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

NA

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of the draft RTS under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

NA

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

NA

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

NA

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

NA

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

NA

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 1: Information to be obtained in relation to names

  • Regarding point 1, we note that “all of the names and surnames” could be difficult to obtain, as identity documents do not always include middle names of individuals. We welcome the clarification that only names listed on the identity document would be required.
  • Regarding point 2, we support the collection of both the registered name and commercial name of an entity as this is already established practice under existing regulation. 

Article 2: Information to be obtained in relation to addresses

  • The collection of a country name, postal code and street name is a standard data point for KYC collection. However, the verification of this information based on identity documentation would be problematic, as the information contained therein varies between countries and between official identity documents within countries. We believe a clarification should be included recognising that the form of information that is required should align with the appropriate documentation.

Article 3: Specification on the provision of the place of birth

  • PayPal calls for a clarification regarding the place of birth requirement. It is important that the place of birth information required aligns with the place of birth information contained in the relevant identity documents. Requiring both the city and country of birth could be problematic in situations where these are not listed on a national identification document. 
  • The article could be clarified as follows: The information on the place of birth as referred to in Article 22(1) (a) point (ii) of Regulation (EU) 2024/1624 shall consist of both the city and the country name, where appropriate. Obliged entities shall ask the customer to provide at least the place of birth information that features on their identity document, passport or equivalent.

Article 4: Specification on nationalities

  • Acquiring information from prospective customers regarding their nationalities beyond the nationality indicated on their identity document, other than through a direct request to the customer, would be problematic. The wording ‘necessary information’ does not provide clarity on what is expected of the obliged entity. This requirement should not go beyond acquiring additional nationality details from the customer.


Article 5: Documents for the verification of the identity

  • Regarding point b, not all identity documents contain all names (including middle names) and surnames. As per our submission on Article 1, an identity document that meets the other criteria outlined at Article 5(1) and contains a customer’s first name and last name should suffice.
  • Similarly, the requirement to obtain a customer’s place of birth information should align with our suggested amendment to Article 3. 


Article 6: Verification of the customer in a non face-to-face context (also covered in response to question 2)

  • PayPal welcomes the objective to ensure a customer onboarding flow that takes advantage of digital innovation and maximises financial inclusion using digital identification means. It is essential that the use of remote onboarding tools in line with the EBA Remote Customer Onboarding Solutions guidance (EBA/GL/2022/15), which align with the requirements in this article, is allowed to continue.
  • We welcome the article’s acknowledgement of flexibility in accordance with the size, nature and complexity of the business. Moreover, given uncertainties around the deployment of the EU digital identity wallet (EUDIW) and the fact that it is not compulsory for customers to use, we believe relying solely on its technical framework would be far too restrictive and could significantly undermine the ability of obliged entities to achieve financial inclusion. 


Article 11: Ownership and control structure of complex structures

  • We question the objective of the suggested approach of the RTS to include two or more layers when obliged entities are requested to understand the ownership and control structure of the customer. This requirement is overly restrictive and could significantly impede onboarding flows seeking to utilise the benefits of digital innovation. In order to better achieve the relevant policy aims of the AML package, the requirement to obtain an organigram should be limited to ownership and control structures where (a) there are two or more layers between the customer and the beneficial owner and (b) where there are indications of non-transparent ownership with no legitimate economic rationale or justification.
  • We believe that a risk-sensitive approach to complex structures will better enable obliged entities to focus their resources on understanding the ownership structures of entities that are the most complex. 

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

  • PayPal welcomes the objective to ensure a customer onboarding flow that takes advantage of digital innovation and maximises financial inclusion using digital identification means. It is essential that the use of remote onboarding tools in line with the EBA Remote Customer Onboarding Solutions guidance (EBA/GL/2022/15), which align with the requirements in this article, is allowed to continue.
  • We welcome the article’s acknowledgement of flexibility in accordance with the size, nature and complexity of the business and risk exposure of the obliged entity.
  • Given uncertainties around the deployment of the EU digital identity wallet (EUDIW) and the fact that it is not compulsory for customers to use, relying solely on its technical specifications would be far too restrictive for effective customer onboarding and KYC requirements. Alternative options should continue to be permitted and their use should be encouraged in situations where the eIDAS-certified solutions are not available or accessible to the customer. We therefore support paragraphs 2-6 recognizing this optionality.
  • Moreover, such solutions should not be time-bound and should remain technology-neutral. eIDAS solutions will always remain voluntary, and as such cannot be fully relied upon for remote customer onboarding. Therefore, solutions in line with the EBA Remote Customer Onboarding Solutions guidance should continue to be regarded as compliant with the requirements in this article.

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

NA

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 15: Identification of the purpose and intended nature of the business relationship or the occasional transactions & Article 16: Understanding the purpose and intended nature of the business relationship or the occasional transactions:

  • PayPal notes that the draft RTS in articles 15 and 16, determining actions to be taken to identify and understand the intended nature and purpose of the business relationship or occasional transaction, could, if interpreted as exhaustive requirements, prove extremely burdensome, unsuitable for certain types of products and/or services and, in some cases, impossible to ascertain with certainty (even with significant interruption to the customer journey). We believe that these requirements, if interpreted as exhaustive requirements, would not support an approach based on the objective risk of the customer relationship. We would recommend a clarification that the risk-sensitive nature of the measures to be taken imports a risk-based approach, where the assessment is conducted in line with the customer risk profile.
  • A clarification of this nature would obviate the risk that Articles 15 and 16 might be interpreted as an exhaustive list of requirements which would be out of step with the risk-based approach set out in the Level 1 text. 

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 17: Identification of Politically Exposed Persons (PEPs)

  • PayPal supports the definition of a person ‘known to be a close associate’ as defined in article 2 (36) of Regulation (EU) 2024/1624.
  • Regarding point 2, PayPal supports an approach that combines automated screening tools and manual checks to ensure appropriate PEP controls.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

PayPal agrees with the enablement of simplified due diligence in situations of lower risk, in line with FATF recommendations. We generally note a move away from a risk-based approach in the AML regulation and the draft RTS, with additional requirements to increase the amount of data to be gathered and verified by obliged entities on their prospective customers. We believe it is essential to ensure that a risk-sensitive approach to AML programmes is embedded across all requirements, in order to ensure a balance can be struck between robust AML controls and customer onboarding flows that take advantage of digital innovation and maximise financial inclusion.

Article 18: Minimum requirement for the customer identification in situations of lower risk

  • There should be alignment across the RTS in relation to the information gathered on customer names, and this should align with information available on an accepted identity document. A middle name is not always available on all identity documents and should thus not be required for customer due diligence purposes. See responses in section 1.

Article 22: Customer identification data updates in low-risk situations 

  • Regarding the obligation to hold up-to-date customer identification data (point 2), we would call for clarity on the wording “at all times”. This could be interpreted as an ongoing, real-time data verification requirement, which would be disproportionate to the objective of low-risk scenarios. We would recommend the deletion of “at all times” from the sentence.
  • PayPal further fully supports the acknowledgement in point 2 that new requirements stemming from Regulation (EU) 2024/1624 do not de facto apply retroactively to existing customers onboarded in line with applicable regulation prior to the entry into force of this regulation. We support a process whereby existing customers can be brought into scope of the requirements within a 5-year timeline, in line with a risk-based approach.

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.

NA

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

NA

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 29: Screening requirements

  • Under point a (i.), we would call for alignment across various articles in the draft RTS in relation to the first names and last names to be collected. To ensure consistency, the requirement should cover the names as captured on the official identity document.
  • Regarding a (iii.), the collection of data “where available in the lists of targeted financial sanctions” would be impossible given significant differences and inconsistencies in data points depending on the applicable list. These additional data points should serve in the clearing process only.

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

NA

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

NA

Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.

Article 1 (e) identifies “the impact of the breach on the exposure of the obliged entity (or the group to which it belongs) to money laundering and terrorist financing risks” as a proposed indicator to classify the level of gravity of breaches. In circumstances where the entire policy objective of the AML package is to strengthen the EU’s framework for combatting money laundering and terrorist financing by reducing the exposure of obliged entities to AML/CFT risk, it is difficult to conceive of any breach of the requirements that would not impact the exposure of an obliged entity to AML/CFT risk. 

If we accept that all conceivable breaches will impact the exposure of an obliged entity to AML/CFT risk, then the indicator at Article 1(e) will be present in the case of all breaches. As a result, it has no utility as an indicator to classify the level of gravity of breaches and should be removed. 

Article 1(g) identifies “whether the breach could have facilitated or otherwise led to criminal activities”. In circumstances where the entire policy objective of the AML package is to strengthen the EU’s framework for combatting money laundering and terrorist financing, it is likewise difficult to conceive of any breach of the requirements that could not conceivably facilitate or lead to criminal activities (such as money laundering or terrorist financing). If we accept that all conceivable breaches could conceivably facilitate or lead to criminal activities, then the indicator at Article 1(g) will be present in the case of all breaches. As a result, it has no utility as an indicator to classify the level of gravity of breaches and should be removed.

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.

Article 2.3 classifies a Category 1 breach as meeting the following criteria:

  • There is no impact or a very minor impact on:
    • the obliged entity, (by assessing the factors set out in Article 1(d)(i) - (iii));
    • the exposure of the obliged entity, or of the group to which it belongs, to money laundering and terrorist financing risks;
  • Has lasted for a short period of time;
  • Has occurred on a non-repetitive basis;
  • could not have facilitated or otherwise led to criminal activities (as defined in Article 2(1) point 3 of Regulation (EU) 2024/1624);
  • involves no structural failure within the obliged entity with regard to AML/CFT systems and controls and policies or any failure of the entity to put in place adequate AML/CFT systems and controls;
  • Has no actual or potential impact on the financial viability of the obliged entity (or its group);
  • Has no actual or potential impact of the breach on the integrity, transparency and security of the financial system of a Member State or of the Union as a whole, or on the financial stability of a Member State or of the Union as a whole;
  • Has no actual or potential impact on the orderly functioning of the financial markets; and
  • is not of a systematic nature.

While PayPal agrees in principle with classifying the level of gravity of breaches, such classification must be meaningful. The proposed classification of Category 1 breaches is so restrictive that it is difficult to conceive of a breach that would in practical terms fall into this Category. For example, it is difficult to conceive of a breach of the requirements that would have no impact or a very minor impact on an obliged entity or on the exposure of an obliged entity to ML/TF risk. Likewise, given the broad policy aim of the AML Package to strengthen the EU’s framework for combatting money laundering and terrorist financing, it is difficult to conceive of a breach that could not conceivably facilitate or lead to criminal activities. 

Article 2.4 classifies a Category 2 breach as meeting the following criteria:

  • There is a moderate impact on:
    • the obliged entity, (by assessing the factors set out in Article 1(d)(i) - (iii));
    • the exposure of the obliged entity, or of the group to which it belongs, to money laundering and terrorist financing risks;
  • It could not have facilitated or otherwise led to criminal activities (as defined in Article 2(1) point 3 of Regulation (EU) 2024/1624);
  • involves no structural failure within the obliged entity with regard to AML/CFT systems and controls and policies or any failure of the entity to put in place adequate AML/CFT systems and controls;
  • Has no actual or potential impact on the financial viability of the obliged entity (or its group);
  • Has no actual or potential impact of the breach on the integrity, transparency and security of the financial system of a Member State or of the Union as a whole, or on the financial stability of a Member State or of the Union as a whole;
  • Has no actual or potential impact on the orderly functioning of the financial markets; and
  • is not of a systematic nature. (emphasis added)

While PayPal agrees in principle with classifying the level of gravity of breaches, such classification must be meaningful. The proposed classification of Category 2 breaches is so restrictive that it is difficult to conceive of a breach that would in practical terms fall into this Category. Given that the broad policy aim of the AML Package is to strengthen the EU’s framework for combatting money laundering and terrorist financing, it is difficult to conceive of a breach that could not be described as conceivably facilitating or leading to criminal activities. Likewise, it is difficult to conceive of any breach that could not be described as having a moderate impact on the exposure of an obliged entity to AML/CFT risk.

Unless the indicators for Category 1 and Category 2 breaches are revised, we do not expect any breaches to fall into Category 1 or Category 2. This will render these categories illusory and result in a situation where all breaches are de facto placed in Category 3 or Category 4. This has further implications for the administrative measures available to sanction such breaches, which we have commented on in Question 5.

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

Article 4(3)(e) identifies “or risk of loss caused to customers or other market users” as one of the criteria. While PayPal agrees that loss caused is a useful criterion, assessing risk of loss that has not been realised is overly broad, far too difficult to assess with certainty and should therefore be removed.

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

The only specific factor identified to be taken into account by supervisors when setting the level of pecuniary sanctions is “the financial strength of the natural persons held responsible, including where applicable its annual income”. A number of national competent authorities have included a proviso that any proposed penalty which would cause a natural person to be adjudicated bankrupt should be reduced so as to ensure that outcome is avoided. A similar proviso should be incorporated into the relevant RTS.

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

The imposition of administrative measures restricting or limiting the business, operations or network of institutions comprising an obliged entity, or requiring the divestment of activities, should be reserved for the most serious of breaches.

Taking into account our previous submissions on Category 1 and Category 2 breaches, we are of the view that all breaches will, in practice, fall into Categories 3 and 4. We are of the view that the restrictive approach to Categories 1 and 2 should be revised accordingly and that the administrative measures referred to in this section should be reserved for Category 4 breaches only.

Article 5(2)(b) appears to oblige supervisors to take into account whether such a measure would mitigate a potential impact on the indicators outlined at Article 1(e), (g), (i) or (j). PayPal agrees that supervisors should take into account whether such a serious administrative measure would mitigate a potential impact on the indicators outlined at (i) or (j) (being the financial viability of the obliged entity, the integrity, transparency and security of the financial system, or the orderly functioning of the financial markets).

However, PayPal remains of the view that the indicators set out at (e) and (g) are too broad to be useful in the context of determining the severity of most conceivable breaches of the relevant requirements, and so should be excluded from any analysis of whether or not to impose the administrative measures contemplated by this section.

Furthermore, Article 5(2)(d) appears to envisage that these serious administrative measures could be imposed for a potential breach. In PayPal’s view, the words “or the potential breach” should be deleted from that provision. Administrative measures of this nature should be reserved for actual breaches only.

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

NA

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

NA

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

NA

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

NA

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

NA

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

NA

Name of the organization

PayPal