Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Go back

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 1 – Information to be obtained in relation to names

  • Comment:  
    • Paragraph 1 requires Obliged entities to obtain all the customer's names as they appear on their identity document. This rigid formulation presumes direct document sourcing, overlooking standard industry practice of verifying data through independent third-party providers or data triangulation.
  • Proposed amendment:
    • “[…] shall obtain all of the customer’s full names and surnames or verified through reliable and independent third-party sources which ensure data integrity equivalent to original documents.”

 

Article 3 – Specification on the provision of the place of birth

  • Comment:
    • Place of birth may not be available for all individuals, particularly elderly persons or those born in countries that no longer exist (e.g., Yugoslavia, USSR). As such, Obliged entities should not be penalised where place of birth is unobtainable due to legitimate limitations, including for elderly individuals or those from defunct states.

 

Article 5 – Documents for the verification of the identity

  • Comments:  
    • Paragraph 1 defines a set of seven features that a document “shall” include to be equivalent to an identity document. This list is overly prescriptive and does not account for functional equivalence or new technologies (e.g. facial biometrics via trusted platforms).
    • Paragraph 4 specifies that Obliged entities take reasonable steps to understand documents in a foreign language including through a certified translation when deemed necessary. To help set a baseline, paragraph 4 should specify that when deemed necessary, it would be sufficient for the information in documents to be collected and translated in an EU Official language using available translation tools. 

 

Article 6 – Verification of the customer in a non-face-to-face context

  • Comment:  
    • Paragraph 1 prioritises eIDAS-compliant tools as the default. Not all customers (e.g. non-EU residents) can access these. The text should recognise alternative solutions as equally valid, rather than fallback options.
    • Paragraph 5 references the verification of non-natural persons. In its current wording, it can be interpreted that Obliged entities are unable to check against a corporate registry and instead prescribes a non-digital method that burdens the customers to provide documentation.
  • Proposed amendment:
    • “...shall use electronic identification means with assurance levels ‘substantial’ or ‘high’ under eIDAS, or equivalent verification solutions provided by independent service providers where eIDAS is not reasonably available.”

 

Article 7 – Reliable and independent sources of information

  • Comment:  
    • The current draft emphasises the source, suggesting singularity and discouraging corroboration.
  • Proposed addition:
    • “Obliged entities shall also prioritise triangulated verification from multiple reliable sources where possible. Obliged entities may access such sources directly or through third-party service providers whose procedures ensure the integrity and traceability of the data.”

 

Article 9 – Reasonable measures for the verification of the beneficial owner

  • Comments:  
    • The draft lists consultation of public registers and collection of utility bills, bank statements, etc. Utility bills in particular are insecure and should be deprecated.
    • The article should specify that verification ofbeneficial ownership may be performed directly or via third-party service providers.

 

Article 10 – Understanding the ownership and control structure of the customer

  • Comment:  
    • Requires collection of detailed ownership data but does not acknowledge that indirect sourcing through providers is efficient and often necessary.
  • Proposed amendment:
    • “...obliged entities shall obtain the following information directly or through third-party providers:”

 

Article 11 – Understanding the ownership and control structure in case of complex structures

  • Comment:  
    • In paragraph 1, complexity is defined as “two or more layers”. This definition is overly simplistic and may misclassify legitimate multinational groups.
    • In paragraph 2, there is a requirement to obtain from the customer an organigram in addition to the information in Article 10(1) of the RTS where a structure is considered as complex and then to recheck the accuracy of this information. This would imply a certain circularity and poses the question whether this check would allow the use of the information originally collected. It should be clarified that the obliged entity can satisfy itself of the accuracy of the information either from the customer or the public domain.
  • Proposed amendment:
    • Replace: “[...] shall treat an ownership and control structure as complex where there are two or more layers[...]” with: “[...] shall treat an ownership and control structure as complex based on indicators such as opacity, use of nominee structures, non-cooperative jurisdictions, or where ownership cannot be traced to natural persons using standard verification tools. Number of layers alone shall not determine complexity.”

Article 13 – Identification and verification of beneficiaries of trusts and similar legal entities or arrangements

  • Comments:
    • It is unclear whether all trusts are to be treated as high-risk by default. We recommend the RTS clarify that not all trusts should be automatically deemed high-risk. A case-by-case assessment based on the nature, jurisdiction, and structure of the trust should apply.
    • In paragraph 2, there is also a need for clarity on what constitutes a “timely update” and whether updates are required even where there has been no material change. Obliged entities should not be required to update trust-related data unless there is a material change. 

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

Article 6 – Verification of the customer in a non-face-to-face context

  • Comment:  
    • Paragraph 1 prioritises eIDAS-compliant tools as the default. Not all customers (e.g. non-EU residents) can access these. The text should recognise alternative solutions as equally valid, rather than fallback options.
    • Paragraph 5 references the verification of non-natural persons. In its current wording, it can be interpreted that Obliged entities are unable to check against a corporate registry and instead prescribes a non-digital method that burdens the customers to provide documentation.
  • Proposed amendment:
    • “...shall use electronic identification means with assurance levels ‘substantial’ or ‘high’ under eIDAS, or equivalent verification solutions provided by independent service providers where eIDAS is not reasonably available.”

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 15: Information on the purpose and intended nature of the business relationship or occasional transactions 

  • Comments:
    • Point (a): The Article does not clearly state what risk is being mitigated when determining why the customer has chosen the obliged entities’ products or services.
    • Point (d), Source of wealth (SoW) may be difficult to verify if wealth is accrued gradually or via informal means. The current framing implies that SoW justifies the relationship, which reverses its role in risk assessment. SoW should be removed from this section and instead covered under the Enhanced Due Diligence (EDD) section of the RTS, reflecting its use in assessing, not justifying, relationships.

 

Article 16: Understanding the purpose and intended nature of the business relationship or the occasional transactions

  • Comments:
    • Point (a): It should be clarified that the focus is on identifying mismatches. A reference can be made to existing red flag guidance.
    • Point (c): To include gambling/lottery proceeds and overseas fund inflows and to clarify the distinction between SoF (transactional) and SoW (long-term wealth).
    • Point (e): The RTS should offer guidance on the level of detail expected regarding occupation and should reference high-risk sectors.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 17: Identification of Politically Exposed Persons

  • Comments:
    • The RTS should explicitly reaffirm that frequency should be driven by a documented, risk-based approach, considering the size, complexity, and risk profile of the obliged entity and its clients.
    • The current triggers outlined in paragraph 1(b) are too limited. Political changes, such as elections, cabinet reshuffles, or structural reorganisation of ministries, are clear events that can materially impact who qualifies as a PEP. However, the RTS currently relies on updates to the published EU list of prominent functions, which are known to be inconsistent and infrequently updated. The RTS should include language explicitly recommending that political events (e.g., elections or constitutional changes) serve as triggers for rescreening—even in the absence of updated Member State data.
    • Member States are currently only required to publish lists of prominent public functions, not the individuals holding those roles or changes to role structures. This creates a gap in reliable, up-to-date data that hinders effective screening. We suggest the EBA consider encouraging Member States to improve the frequency and quality of data publication regarding role occupants, changes in office, and administrative restructures.
    • Given the frequency of political change and the need for scalable, timely updates, the RTS should explicitly recognise the use of third-party service providers for automated PEP monitoring. These providers are uniquely positioned to track and analyse global political developments and maintain dynamic lists in ways that are not feasible through manual checks alone. This recognition would ensure that small and large Obliged entities alike can meet obligations efficiently and effectively, particularly when resources are limited.
    • The current wording under paragraph 2 implies that manual screening may be sufficient in some circumstances. While flexibility is important, the RTS should caution that manual-only screening is rarely sufficient given the speed and volume of global PEP changes. Manual checks may be acceptable in very limited, low-risk contexts, but this should not be treated as a viable standard approach.
  • Proposed amendments:
    • Amend paragraph 1(b) to include “[...] or following clear political changes such as national elections, cabinet reshuffles, or administrative reforms, particularly where such changes are likely to affect individuals holding prominent public functions.”
    • Clarify in paragraph 2 that manual checks alone should only be deemed appropriate when supported by a documented risk assessment demonstrating low-risk, low-transaction volumes, and minimal exposure to politically active jurisdictions.
    • Insert a new clause recognising the use of third-party service providers for ongoing PEP screening and update detection, especially to support consistent monitoring in light of incomplete or delayed Member State disclosures, as well as the obligation for PEP screening in non-Member States.
    • Propose the inclusion of guidance for Member States to improve transparency and data quality in their role lists, and where possible, to publish names of individuals occupying prominent functions, subject to privacy safeguards.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 18: Minimum requirement for the customer identification in situations of lower risk

  • Comments:
    • Difficulties can arise collecting place of birth for individuals who no longer hold relevant identification (e.g. refugees, stateless persons).
    • Clarification is needed on what exceptions apply to the requirement for a tax identification number (TIN) or legal entity identifier (LEI).

 

Article 19: Minimum requirements for the identification and verification of the beneficial owner or senior managing officials in low-risk situations

  • Comments:
    • Clarification is needed on whether obliged entities are expected to perform full identity verification (IDV) or simply confirm who the beneficial owner is. We suggest that the RTS states that verifying the BO may involve confirmation, not full IDV, unless the risk triggers EDD.
    • Point (a): Obliged entities may assume that they must collect information in the central or company register directly. The RTS should clarify that third-party service providers may be used.
    • Furthermore, there is a need to distinguish between the reliability of information contained within company registers vs. central BO registers. Central BO registers may not be sufficient as sole sources.
  • Proposed amendments:
    • Point (a): “In situations of lower risk, the obliged entity may consult, either directly or via a third-party service provider, one of the following sources….”

 

Article 22: Customer identification data updates in low-risk situations

  • Comments:
    • Refresh obligations may be burdensome given the number of legacy clients. We would recommend basing refresh plans on a risk-based approach to ensure consistency. 

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 24: Additional information on the customer and the beneficial owners

  • Comments:
    • Point (a): It is unclear how obliged entities can check authenticity beyond consulting registers.
    • Point (b): The current formulation is vague and should specify that assessing the reputation of the customer involves “adverse media screening”.
    • Point (c): Assessing past activities, in addition to present ones, would in many instances be unfeasible to obtain. To make this more feasible, a timeline (e.g., five years) to assess past activities should be indicated.

 

Article 25: Additional information on the intended nature of the business relationship

  • Comments:
    • Point (a): Verifying the “legitimacy of destination of funds” is vague and operationally difficult. It should be clarified what actions obliged entities are expected to take to verify destination of funds. Furthermore, the notion of data-sharing is introduced without contextual lead-in.

 

Article 26: Additional information on the source of funds, and source of wealth of the customer and of the beneficial owners

  • Comments:
    • Certified document requirements significantly delay onboarding and increase costs. Where information obtained is the result of statutory filings, these should be included as a reliable source without the further requirement for certification. A risk-based exemption from certified documents should be permitted.
    • Point (g): “High degree of reassurance” is a subjective standard and needs clearer guidance.

 

Article 27: Additional information on the reasons for the intended or performed transactions and their consistency with the business relationship

  • Comments:
    • Point (a): “Legitimacy of intended outcome” is ambiguous and difficult to verify. It should be removed or clearly defined what constitutes “legitimacy” in this context.
    • Point (c) and (d): These requirements are vague and leave unclear if obliged entities are now expected to conduct CDD on the recipient of a transaction. These should be reframed or removed unless operational guidance is included. Instead, point (b) should be emphasised as the primary practical due diligence step.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 28: Screening of customers

  • Comments:
    • The Article should specify the ownership percentage thresholds and control criteria that determine when a natural or legal person is deemed to “own or control” a customer. Reference should be made to applicable ownership/control thresholds as per the EU Sanctions Guidelines (e.g., 50% or more ownership or control).
    • Expectations regarding aggregate (e.g., two persons each owning 25%) and indirect ownership through intermediary entities should be clarified. It is important for Obliged entities to understand how to interpret complex ownership chains in the context of sanctions screening.
    • A provision should be included noting that where clarity is lacking, Obliged entities should apply a risk-based approach.

 

Article 29: Screening requirements

  • Comments:
    • Rather than creating new standards, this Article should reference existing EBA Guidelines on internal controls and customer risk factors, to ensure consistency and avoid duplication.
    • Obliged entities should be permitted to disregard "weak aliases" (e.g., nicknames or name misspellings with no strong identification link). However, guidance is needed on how to define and assess an alias as “weak.”
    • The inclusion of wallet addresses should be reconsidered for sectors that do not offer virtual asset services. For traditional financial institutions, this data is unlikely to be relevant or actionable.
    • The article does not mention other useful identifiers such as passport numbers, national IDs, or LEIs, which are often used in sanctions screening and could increase the accuracy of matches.

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Annex I 

Certified sources

  • Comment:  
    • The Annex only lists official or statutory registers, omitting independent third-party providers.
  • Proposed amendment:
    • Add a category: “Independent and certified third-party providers of identity verification and beneficial ownership information, where such providers demonstrate compliance with AML/CFT obligations and data integrity standards equivalent to central registers.”

Name of the organization

Data & Technology for Compliance (DT4C) Alliance