Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
We welcome the EBA’s proposed approach to assess and classify the risk profile of obliged entities, and fully support the principle of applying a risk-based and proportionate supervisory model.
We believe this is critical to ensure that supervisory efforts are focused where they can be most effective in mitigating money laundering and terrorist financing risks.
That said, we would encourage the EBA to place greater emphasis on the role of data quality, entity transparency, and the use of structured identifiers such as the LEI within the risk classification process.
Poor data quality and lack of transparency in ownership structures, counterparties, or transaction flows can materially increase an institution’s risk profile — even where other factors (such as sector or geography) might suggest a lower baseline risk.
Conversely, institutions that have invested in robust data governance, adoption of the LEI for legal entities, and structured data standards should be recognised as having a stronger foundation for risk management.
In short, we recommend that data governance and entity transparency be treated as a core component of the risk classification framework, alongside more traditional risk factors such as customer type, geography, and product complexity.
Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.
We agree with the EBA’s proposed relationship between inherent risk and residual risk — namely, that residual risk should not exceed inherent risk. This is conceptually sound, as residual risk reflects the remaining level of risk after controls and mitigation measures are applied.
That said, we believe it is important to ensure that the quality and effectiveness of risk controls — particularly data-related controls — are fully captured in the assessment of residual risk.
For example, if an institution has poor entity identification practices, fragmented ownership records, or inconsistent use of structured data (such as the LEI), then even if its inherent risk is moderate, the residual risk should not be assessed as low — because these data weaknesses would undermine the effectiveness of AML/CFT controls.
While we do not favour an approach where residual risk exceeds inherent risk (as that would conceptually imply that controls are introducing new risk, which is not the purpose of residual risk assessment), we do believe that:
- Inadequate or poorly implemented controls (especially in data quality and transparency) should result in a minimal reduction, or even no reduction, from the inherent risk score.
- Supervisors should be encouraged to closely scrutinise the actual effectiveness of controls rather than assuming they perform well on paper — particularly when it comes to how well the institution manages entity transparency, ownership, and transaction data.
In summary: we support the EBA’s overall approach, but recommend a strong emphasis on data governance and transparency as key drivers of whether residual risk is meaningfully reduced.
Question 3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?
In the short term, there will inevitably be some initial investment costs for many institutions — particularly where existing data is fragmented, unstructured, or not fully aligned to the required formats. Institutions that have not yet adopted standardised entity identification practices (such as LEI) or structured data models (such as ISO 20022) may face additional effort to cleanse, enrich, and restructure their data to meet these expectations.
In the medium term, however, these investments should start to yield benefits, as institutions move towards a more standardised and automated data architecture. Data once aligned and cleansed can be reused across multiple compliance processes — not only for supervisory reporting, but also for internal transaction monitoring, sanctions screening, and customer risk assessment.
In the long term, we expect the overall cost of maintaining high-quality data to decrease significantly — particularly for institutions that embrace structured, interoperable standards such as:
- LEI for legal entity identification
- ISO 20022 for payments and transaction data
- Data governance frameworks that promote data accuracy, traceability, and reuse across the organisation
Furthermore, institutions with high-quality, standardised data will also see wider benefits in terms of reduced false positives in AML/CFT systems, improved risk management, and more efficient regulatory reporting.
In summary:
- Short-term: moderate costs for data remediation and alignment (especially for those with legacy systems)
- Medium-term: efficiencies start to emerge as structured data and standardisation take hold
- Long-term: significant efficiency gains, better risk management, and lower ongoing costs for high-quality institutions
We therefore believe that while initial costs are real, the strategic value of investing in structured, transparent data — especially through the consistent use of LEI — far outweighs the short-term burden.
Question 3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?
In our experience, many of the core data points in Annex I — such as sector, geography, delivery channels, and product types — are already captured by most credit and financial institutions as part of their standard customer due diligence (CDD), risk assessments, and regulatory reporting processes.
However, there are a few areas where data gaps or inconsistencies are still common, particularly in institutions with legacy systems or fragmented data architectures:
- Beneficial ownership and ownership structures
  - While this information is typically collected during onboarding, it is often poorly structured, inconsistently updated, and difficult to query or link across systems.
  - The absence of standardised identifiers for legal entities (such as the LEI) in ownership hierarchies further exacerbates this challenge.
- Use of standardised identifiers such as LEI
  - Many institutions still do not consistently collect or maintain LEIs for their legal entity customers, despite the LEI's growing adoption in regulatory frameworks.
  - The LEI should be more systematically embedded in core customer and transaction systems to support traceability and interoperability.
- Detailed risk indicators linked to transaction behaviour
  - While transaction data is of course available, many institutions lack well-structured, cross-referenced datasets that allow them to analyse behavioural patterns across customers, geographies, and channels in a consistent and automated way.
- Group-wide or cross-border linkages
  - In large banking groups, group-wide risk data consolidation remains challenging — particularly when subsidiaries operate on heterogeneous systems or in multiple jurisdictions with varying data standards.
In short, the biggest gaps today tend to be in:
- Ownership transparency
- Consistent use of structured identifiers (LEI)
- Structured transaction behaviour data
- Group-wide risk data integration
Addressing these gaps — through the adoption of LEI, ISO 20022 standards, and robust data governance — will be key to enabling the kind of transparent, data-driven supervision envisioned in this RTS.
Question 3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?
Many of the data points listed in Annex I can and should be equally applicable to the non-financial sector, especially for those categories of obliged entities that play an important role in mitigating ML/TF risk — such as real estate agents, lawyers, notaries, corporate service providers, auditors, casinos, and virtual asset service providers (VASPs).
In particular, the following data points are entirely relevant and feasible for non-financial obliged entities to provide:
- Customer sector and geography
- Products and services offered
- Delivery channels
- Customer types (including legal persons, beneficial owners, politically exposed persons (PEPs), etc.)
- Ownership structures and beneficial ownership
- Use of standardised identifiers such as the LEI for corporate clients
That said, there are practical challenges in certain parts of the non-financial sector:
- Many non-financial entities lack mature data governance frameworks and centralised systems for managing structured risk data.
- The adoption of LEI and structured ownership transparency is still less common outside of the regulated financial sector — though we believe this should change.
With appropriate guidance, phased implementation, and support for data standardisation (especially through promoting LEI adoption in the non-financial sector), these gaps can be closed over time.
In short:
- Most of the data points in Annex I are conceptually applicable and should be required of non-financial obliged entities.
- The key enablers will be clear guidance, standardisation (especially LEI), and investments in basic data governance.
- A phased, risk-based implementation could help accommodate sectors that are currently less mature in their data management capabilities.
Ultimately, applying consistent transparency expectations across both the financial and non-financial sectors is critical to an effective EU AML/CFT framework.
Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
We support the proposed review frequencies — once per year for normal frequency, and once every three years for reduced frequency — as they strike a sensible balance between maintaining up-to-date risk assessments and managing the operational burden on institutions.
From an industry perspective, many credit and financial institutions already perform annual reviews for medium to high-risk customers as part of their internal customer due diligence (CDD) lifecycle. Aligning the supervisory expectation to this cycle is therefore practical and consistent with existing practice.
The option of a reduced frequency (once every three years) for low-risk entities is also welcome, as it allows both institutions and supervisors to allocate resources proportionately — especially given that low-risk customer profiles and business models typically change at a slower pace.
In terms of cost of compliance, the key differentiator between annual and triennial review cycles is driven by:
- Staff time and resources allocated to conducting reviews and refreshing data
- The need for ongoing data collection, verification, and remediation
Based on industry experience:
- For high or normal frequency reviews (annual), the operational cost is roughly 2 to 3 times higher than for reduced frequency reviews, as it requires a full refresh and validation of customer and risk data each year.
- Moving from an annual to a triennial cycle for genuinely low-risk customers can therefore deliver meaningful efficiency gains, without compromising risk coverage.
It’s also worth noting that institutions that invest in structured data and automation (for example, using LEI for legal entities and ISO 20022 for transaction data) will see lower marginal costs for either review frequency — as much of the necessary data can be maintained dynamically, rather than relying on manual refresh cycles.
Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.
We broadly agree with the proposed criteria for applying reduced review frequency — particularly the focus on:
- The low inherent risk of the obliged entity
- The nature and scale of its business activities
- The stability of its risk profile over time
- Its history of compliance and cooperation with supervisory authorities
These are sensible and risk-based criteria that should help ensure that reduced frequency is applied only where genuinely appropriate.
That said, we would suggest strengthening the emphasis on data quality and transparency as part of the eligibility assessment. Specifically, we propose that:
- Institutions that demonstrate a high level of data governance, transparency, and structured data adoption (such as consistent use of LEI for legal entity customers, robust ownership transparency, and structured transaction data) should be considered stronger candidates for reduced frequency — as their data is inherently more reliable and easier for supervisors to monitor.
- Conversely, poor data quality, lack of transparency, or gaps in key identifiers should be treated as a contra-indicator — even where the entity might otherwise appear low-risk on paper. If the supervisor cannot easily verify the entity’s counterparties, ownership, or transaction flows, it would not be prudent to reduce review frequency.
In essence: data quality and transparency should be added as explicit criteria for determining eligibility for reduced frequency.
Evidence:
- In our work with financial institutions, we see that those with high data quality and use of structured identifiers can maintain more accurate and dynamic risk profiles with less manual effort — making reduced supervisory touchpoints more sustainable and justifiable.
- On the other hand, institutions with fragmented data typically miss emerging risk signals and require more frequent supervisory engagement to compensate for the lack of transparency.
Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.
Yes — we believe it is both reasonable and risk-appropriate to differentiate between cross-border transactions within the EEA and those involving third countries when assessing geographical risk.
There are several sound reasons for this:
- Common regulatory baseline within the EEA
  - EEA jurisdictions are subject to a common set of AML/CFT standards, including harmonised EU Directives, regulations, and supervisory expectations.
  - The level of transparency, data availability, and cooperation between EEA supervisory authorities is also higher, which helps mitigate cross-border risk within this zone.
- Data interoperability and traceability
  - Within the EEA, the use of common data standards (such as LEI, ISO 20022 for payments, and centralised beneficial ownership registers) is more advanced and coordinated — allowing for better traceability of transactions and counterparties.
  - In contrast, third-country transactions often involve heterogeneous data formats, varying levels of transparency, and differing legal frameworks, which increases residual risk.
- FATF evaluations and third-country divergence
  - While some third countries align closely with FATF standards, there remain significant variations in the effectiveness of AML/CFT implementation, transparency of ownership structures, and regulatory cooperation.
  - As a result, transactions involving certain third countries present higher uncertainty and potentially higher ML/TF risk.
Supervisory experience shows that cross-border investigations and information-sharing are faster and more effective within the EEA compared to many third countries — largely because of common legal frameworks, data standards, and mutual recognition of supervisory authority.
In our experience supporting clients in payment transparency and entity resolution projects, we find that EEA-to-EEA transaction flows are far easier to reconcile and monitor, while third-country flows often introduce data gaps and inconsistent counterparty identification — especially where LEI is not consistently adopted.
Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
We support the EBA’s intention to provide clear thresholds to assess the materiality of activities under the freedom to provide services. In principle, this brings greater clarity to supervisory expectations and helps ensure consistent treatment of cross-border activities.
That said, we believe that thresholds based purely on transaction volumes or customer numbers do not always reflect the actual money laundering or terrorist financing (ML/TF) risk profile of the activity. For instance, certain activities involving smaller volumes or fewer customers — such as cross-border corporate structuring, high-value payments, or services targeting higher-risk jurisdictions — may carry a disproportionate risk compared to their size.
In our view, the materiality assessment should give more weight to the nature and risk profile of the activity, rather than relying mainly on volume-based thresholds. Additional qualitative risk factors should be integrated into the assessment, such as:
- Customer risk (including the transparency of beneficial ownership)
- Jurisdictional risk
- Type of product or service offered
- Use of structured data and transparency tools (such as the LEI) to support traceability
Without these qualitative elements, there is a risk that certain genuinely high-risk services may fall below the proposed thresholds and receive insufficient supervisory attention.
From an operational standpoint, institutions that invest in structured data and robust entity identification are better positioned to monitor and manage these risks effectively across borders. Promoting the use of tools like the LEI would also support more accurate application of thresholds and better risk differentiation.
Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.
Lowering the thresholds could help capture a broader range of activities under supervisory attention, which may be appropriate in certain higher-risk sectors. However, this approach also risks increasing the compliance burden on institutions engaged in low-risk, low-scale activities, particularly smaller firms or those providing niche services.
In our view, simply lowering the thresholds across the board would be a blunt instrument. A more effective approach would be to adjust the threshold framework to better reflect risk, rather than just lowering the numerical values.
For example:
- Institutions with high-risk customer bases, high-risk geographies, or complex corporate structures could justifiably be subject to lower thresholds.
- On the other hand, those offering low-risk, fully transparent services — and with strong data governance (including consistent use of LEI and other structured identifiers) — should not face unnecessary compliance costs due to blanket threshold reductions.
Our work with financial institutions suggests that applying risk-based adjustments to thresholds is more effective than uniform lowering. Institutions that manage high-quality, structured data and maintain strong transparency controls can safely operate with more proportional supervisory expectations, without compromising AML/CFT objectives.
Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.
We believe a distinction should be made between retail and institutional customers when applying thresholds based on the number of customers. These categories represent very different risk dynamics and scale of activity, and treating them identically could distort the materiality assessment.
Institutional customers tend to be larger, more complex entities, often with higher transaction volumes and more sophisticated financial activity — but they also tend to be fewer in number and often subject to more intensive due diligence (including use of structured identifiers such as the LEI). In contrast, retail customers are typically higher in number but with more standardised, lower-value transactions.
For example:
- A firm serving 50 institutional clients conducting high-value cross-border activity may present greater systemic risk than one serving 5,000 low-value retail customers.
- Conversely, very large-scale retail customer bases may create risks linked to volume and potential misuse of payment services.
Maintaining a single threshold across both categories risks either underestimating the risk of institutional business models, or overburdening firms that primarily serve retail clients.
We have learnt that institutions that actively manage structured client data (especially institutional clients using LEI) are better able to monitor risk accurately — which further supports the case for differentiated thresholds.
Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.
Yes, we agree that the methodology in this RTS generally builds on the framework set out under Article 40(2). The focus on using a risk-based approach, supported by a structured and consistent assessment of materiality, is aligned with the principles outlined in the earlier RTS. This consistency is important, as it provides clarity to obliged entities operating under both frameworks and promotes a more harmonised supervisory approach across the EU.
That said, one area where the connection could be strengthened is around data quality and transparency expectations. In the Article 40(2) RTS, there is a clear opportunity to encourage better data standards (such as adoption of LEI and structured ownership data), which can greatly enhance the accuracy and consistency of risk assessments. A similar emphasis should be carried through into this RTS, particularly when dealing with cross-border services where entity transparency is often more challenging.
Aligning these expectations more explicitly between the two RTS would improve both the quality of supervisory data and the effectiveness of cross-border risk monitoring, reducing the risk of fragmentation across national approaches.
Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.
We agree that the inherent risk score should remain stable and should not be adjusted as part of the selection methodology under this RTS. Inherent risk is intended to represent the baseline level of risk associated with the nature of the obliged entity’s business, customer profile, geography, and products — independently of the quality of its controls or mitigation measures.
Allowing adjustments to the inherent risk score at this stage could undermine the consistency of the risk framework and make it more difficult to compare entities on a like-for-like basis. This would also risk introducing supervisory fragmentation, as different national authorities might apply adjustments in inconsistent ways.
What is more appropriate — and already built into the framework — is that the residual risk score reflects the actual effectiveness of the entity’s controls, including data quality, governance, transparency, and operational performance. This preserves the integrity of the inherent vs residual risk distinction, which is fundamental to risk-based supervision.
In practice, adjusting inherent risk scores mid-process would also create additional operational complexity, as institutions would face moving goalposts when managing their risk profile across different supervisory contexts.
Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
We generally agree with the methodology proposed in Article 5 for calculating the group-wide score. Using a weighted approach based on the risk profiles and materiality of the group’s entities is a sensible way to reflect the overall risk of the group, while ensuring that subsidiaries or branches contributing disproportionately to group-wide risk are properly accounted for.
However, in our view, one key factor should be reinforced — namely, the consistency and quality of data across the group. In practice, many financial groups face challenges in consolidating reliable, structured risk data across multiple jurisdictions and business units. Variations in the use of structured identifiers (such as the LEI), ownership transparency, and transaction data standards can lead to inconsistencies in how risk is measured and reported at the group level.
We would encourage the RTS to place more explicit emphasis on the expectation that groups should maintain consistent, standardised data across their entities, enabling accurate and comparable risk aggregation. Groups that have invested in common data standards and governance frameworks should be recognised for this in their risk management profile.
Without this emphasis, there is a risk that group-wide scores may mask pockets of elevated risk in entities where data is weaker or less transparent. We have seen examples where failure to align data across the group leads to underestimation of cross-border risk exposure.
Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.
The general approach to defining the group-wide perimeter seems reasonable and in line with existing regulatory frameworks. However, in practice, we do see challenges when it comes to identifying and managing the full extent of the group, particularly in cases involving complex ownership structures, cross-border subsidiaries, affiliates, and joint ventures.
One concern is that without a clear and consistently applied standard for entity identification and ownership transparency, some parts of the group perimeter may either be overlooked or not accurately reflected in risk reporting.
For example:
- In large, diversified financial groups, non-financial subsidiaries or joint ventures can sometimes fall into a grey area regarding inclusion in AML/CFT perimeter assessments.
- The absence of consistent use of structured identifiers such as the LEI, particularly in non-EEA subsidiaries or affiliates, makes it harder to ensure full visibility of cross-border relationships and risk exposures.
We recommend that the RTS place more emphasis on requiring groups to adopt a consistent, transparent framework for identifying and documenting the full group perimeter — including the use of LEI for all legal entities wherever possible, and clear mapping of ownership and control relationships.
Where groups follow these practices, it becomes significantly easier for both supervisors and internal risk functions to accurately assess group-wide risk and to ensure that no parts of the group are inadvertently excluded from perimeter assessments.
While we do not have a fundamental concern with the concept of the perimeter as drafted, the practical implementation will depend heavily on entity transparency and structured data — and this should be given more prominence in the RTS.
Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?
In principle, we agree that all entities within the group, including the parent company, should be considered when determining the group-wide risk profile, as group-wide controls and governance ultimately flow from the parent.
However, giving the same weight to the parent and operating entities may not always provide an accurate picture of the group’s overall risk or the effectiveness of controls — especially where the parent itself conducts little or no operational activity, and where the bulk of risk exposure sits in major subsidiaries.
In practice, the effectiveness of group-wide controls should be assessed in two dimensions:
- The design and oversight of controls at the parent level (e.g. governance, risk frameworks, data standards, group-wide AML/CFT policies);
- The implementation and operational effectiveness of controls at key subsidiaries and risk-contributing entities.
A flat approach that gives equal consideration to all entities, regardless of activity level, risks overstating the contribution of a non-operational parent and understating risk concentrations in high-risk subsidiaries.
In groups with sound data governance — where structured identifiers (such as LEI) and common risk taxonomies are used across the group — it becomes easier to calibrate this balance correctly.
Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
We agree with the transitional rules as proposed in Article 6. Providing a clear and phased transition period is important to give obliged entities — particularly larger cross-border groups — sufficient time to adapt their internal processes, systems, and data governance frameworks to meet the new requirements.
Many institutions, especially those with legacy systems or operations across multiple jurisdictions, will need time to:
- Align their data models to support consistent and accurate group-wide risk assessment;
- Implement or expand the use of structured identifiers (such as LEI) across all relevant entities;
- Strengthen group-wide governance and reporting to comply with the new expectations.
Without an adequate transition period, there is a risk of uneven implementation and incomplete data, which could in turn lead to inconsistent supervision and unnecessary supervisory friction.
In our view, the transitional timeline proposed by the EBA strikes a fair balance — providing sufficient time for practical implementation while ensuring that momentum towards stronger group-wide risk management is maintained.
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We generally agree with the proposals set out in Section 1 of the draft RTS. The focus on ensuring that obliged entities have sound internal policies, controls, and procedures to assess and manage ML/TF risk is well aligned with both risk-based principles and international best practices.
That said, we would suggest giving greater emphasis to the role of data governance and transparency as core components of effective AML/CFT systems. In particular, the draft RTS could more explicitly reference the importance of:
- Using structured identifiers such as the LEI for legal entity customers;
- Maintaining accurate and up-to-date ownership and control data;
- Aligning customer and transaction data to international standards (such as ISO 20022 for payments).
From a cost of compliance perspective, institutions that already invest in high-quality data and governance frameworks will likely experience lower incremental costs under this RTS, as much of the required foundation will already be in place. Conversely, firms that still rely on fragmented or manual processes may face higher upfront investment costs — though these are necessary and justified to achieve lasting improvements in risk management.
In our experience, institutions that adopt structured, reusable data benefit from not only stronger AML/CFT outcomes but also long-term operational efficiencies — including fewer false positives, faster investigations, and better regulatory reporting.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
We welcome the clear framework provided in Article 6 for verifying customers in a non face-to-face context. The growing reliance on digital channels makes it essential to have robust standards in place to manage identity verification risks.
In our view, e-IDAS-compliant solutions (as described in paragraph 1) clearly provide the strongest level of assurance — due to their regulatory oversight, interoperability across the EU, and built-in security and trust mechanisms. Where such solutions are available, they should absolutely be considered the preferred option.
The remote solutions described in paragraphs 2-6 provide important flexibility, particularly in markets or sectors where e-IDAS solutions are not yet widely available. However, it is fair to say that these alternatives do not yet offer uniform protection across all use cases — much depends on the specific technology used (for instance, how robust its liveness detection and other anti-spoofing measures are), the quality of implementation, and the institution’s data governance and fraud detection capabilities.
We do not think that these remote solutions should necessarily be considered purely temporary, as innovation in biometrics, liveness detection, digital identity wallets, and other technologies is evolving rapidly. Over time, some of these solutions may match or even exceed current e-IDAS capabilities in certain areas.
That said, until there is more convergence on trusted standards, it would be sensible for the RTS to encourage institutions to treat remote solutions as subject to additional risk assessment and control measures — and to prioritise migration to e-IDAS-compliant solutions as they become available in each market.
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
We welcome the inclusion of guidance on virtual IBANs in Article 8, as this is a growing area of financial services that can present both opportunities and risks from an AML/CFT perspective.
Virtual IBANs can provide genuine benefits for payment service providers and customers — such as improved reconciliation, operational efficiency, and flexibility in account management. However, without proper transparency, they can also obscure the underlying parties to a transaction, which could be exploited to facilitate money laundering or evade detection.
We fully support the emphasis in Article 8 on ensuring that the identity of the customer linked to the virtual IBAN is clearly recorded, verified, and visible to both the institution and relevant authorities. In particular:
- There should be no ambiguity about the legal entity or individual controlling the virtual IBAN.
- Transaction flows through virtual IBANs should be traceable and link clearly to the underlying customer and, where applicable, to the ultimate beneficial owner.
- The use of structured identifiers (such as LEI for legal entities) and transparent ownership records should be encouraged to support this traceability.
Without these safeguards, there is a risk that virtual IBANs could be misused to create layers of obfuscation in payment chains.
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We broadly agree with the proposals in Section 2 of the draft RTS. The section sets out a clear and structured framework for managing customer due diligence (CDD), ongoing monitoring, and record keeping, all of which are central to effective AML/CFT compliance.
In particular, we support the emphasis on ensuring that obliged entities maintain up-to-date and accurate customer data — this is critical in identifying and responding to evolving ML/TF risks.
One area we would suggest strengthening is the explicit reference to structured data and transparency as key enablers of good practice. For example:
- Encouraging the use of the LEI for all relevant legal entity customers can significantly improve transparency and reduce risk of errors in customer identification and monitoring.
- Aligning transaction and customer data to structured standards (such as ISO 20022) can enhance monitoring and enable more effective detection of suspicious activity.
From a cost of compliance perspective, the impact will vary by institution:
- Institutions that have already invested in strong data governance, modern core systems, and structured identifiers will see relatively modest incremental costs.
- Firms that still rely on fragmented systems or manual processes will likely face higher short-term costs to bring data and processes in line — but these investments are necessary to achieve lasting improvement in AML/CFT outcomes.
In the medium to long term, moving towards structured, reusable data will lower the cost of compliance by reducing duplication, improving monitoring efficiency, and streamlining reporting to competent authorities.
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We agree with the overall approach set out in Section 3 of the draft RTS, which provides an important framework for managing outsourcing and the use of agents or distributors in AML/CFT processes. Given the increasing reliance on third-party relationships in financial services, it is essential to have clear standards to ensure that AML/CFT obligations are not diluted or bypassed through outsourcing arrangements.
In particular, we support the emphasis on:
- Clear allocation of responsibilities between the obliged entity and its agents or service providers;
- The need for ongoing monitoring and oversight of outsourced activities;
- The obligation to ensure that data and records remain accessible and traceable to the competent authorities.
We would, however, suggest strengthening the reference to data consistency and quality across the outsourcing chain. In practice, one of the key risks we see in outsourced models is the creation of data fragmentation — where customer information, transaction monitoring data, and risk profiles are split across multiple systems and providers, often without consistent use of structured identifiers.
To mitigate this, we recommend the RTS should explicitly encourage:
- The use of standardised identifiers (such as LEI) for legal entity customers across all parties in the chain;
- The alignment of customer and transaction data to structured formats, to ensure seamless oversight and risk monitoring;
- Group-wide data governance standards that apply equally to outsourced service providers and agents.
In terms of cost of compliance, for well-governed institutions with mature outsourcing frameworks, the incremental cost should be manageable. The greater cost will likely fall on firms that have historically taken a more fragmented or informal approach to outsourcing — but this investment is necessary to ensure end-to-end AML/CFT effectiveness.
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We support the proposals in Section 4 of the draft RTS. The focus on group-wide policies, procedures, and controls, particularly in the context of cross-border groups, is essential to ensuring consistency in how AML/CFT risks are managed across the entire organisation.
In our experience, one of the key challenges in large financial groups is maintaining a consistent level of data quality, risk transparency, and monitoring capability across different business units, jurisdictions, and subsidiaries. Section 4 rightly places responsibility on parent undertakings to ensure that group-wide standards are in place and enforced.
We strongly support the requirements to:
- Apply group-wide standards for customer due diligence, transaction monitoring, and record keeping;
- Ensure timely and accurate information-sharing between entities within the group;
- Provide competent authorities with access to consolidated and comprehensive data on group-level ML/TF risks.
We would again highlight the importance of reinforcing the role of structured data and standard identifiers in achieving these objectives. Specifically:
- The consistent use of LEI for legal entity customers across all group entities greatly improves transparency and facilitates group-wide risk aggregation;
- Aligning transaction data to common standards (such as ISO 20022) ensures that monitoring and reporting can be performed effectively across jurisdictions;
- Implementing group-wide data governance frameworks ensures that all entities — including subsidiaries and branches — adhere to a common standard of data quality and completeness.
In terms of cost of compliance, most large groups already invest in centralised governance structures, and the additional requirements in Section 4 are broadly aligned with existing best practices. However, groups with legacy systems or those operating in multiple non-harmonised jurisdictions may face higher transition costs — particularly if significant data integration work is required.
That said, in the longer term, investing in group-wide data consistency and structured transparency will reduce compliance costs by enabling more automated risk monitoring and reporting, while also improving the effectiveness of the group’s AML/CFT framework.
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.
There are indeed certain sectors, products, and services that could justifiably benefit from specific simplified due diligence (SDD) measures, provided that a robust risk-based assessment is applied and that data quality and transparency are maintained.
In our view, the following areas typically present lower inherent ML/TF risk and could be considered for sectoral SDD:
- Basic payment accounts or low-value electronic money accounts
  - These are often subject to limits on value, functionality, and geographic use, which naturally mitigates risk.
  - EBA’s prior guidance on low-value payment products already supports this approach.
- Financial products with strict legal limitations
  - For example, certain types of life insurance products with no cash surrender value or no third-party beneficiary option.
  - These products have little value as vehicles for ML/TF.
- Pension products
  - Regulated, long-term retirement products that cannot easily be used for ML/TF due to strict withdrawal conditions and traceability of contributions.
- Listed companies with full transparency obligations
  - Customers that are listed on regulated markets and already subject to transparency and disclosure obligations under EU law could benefit from streamlined due diligence — particularly where their ownership and control structures are already public.
- Certain public sector entities
  - Government bodies, supranational organisations, and central banks typically present low ML/TF risk where proper verification of legal status is performed.
Rationale:
- These sectors and products are characterised by high transparency, regulatory oversight, limited ML/TF misuse potential, and good traceability — especially when supported by structured data (e.g. LEI for listed companies and public entities).
- Applying SDD in these cases allows supervisory and institutional resources to be better focused on higher-risk areas.
Evidence:
- FATF guidance and various national risk assessments consistently identify these categories as lower-risk when properly controlled.
- In our work with financial institutions, we also see very low incidence of ML/TF flags associated with these products when proper controls are in place.
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We agree with the direction and intent of the proposals in Section 5 of the draft RTS, particularly in strengthening the framework for enhanced due diligence (EDD) in higher-risk situations.
It is critical that EDD is applied in a risk-sensitive and proportionate way — focused on genuine higher-risk relationships and activities — rather than being treated as a “tick-box” exercise. The RTS helpfully sets out expectations for deeper verification, source of funds/wealth checks, and more frequent ongoing monitoring where justified by risk.
We would encourage even more explicit reference to the role of structured data and transparency tools in supporting effective EDD. In particular:
- The use of LEI for legal entity customers provides a reliable anchor point for verifying entity identity and cross-referencing beneficial ownership.
- Structured transaction data (aligned to standards like ISO 20022) enables more effective behavioural monitoring.
- Linking ownership and control information to verified data sources improves confidence in source of funds and wealth checks.
Where firms rely on outdated or fragmented data models, the cost and complexity of EDD can escalate quickly. By contrast, firms that invest in good data governance and structured identifiers can perform higher-quality EDD at lower ongoing cost and with greater consistency across jurisdictions.
In terms of cost impact:
- Firms with mature AML/CFT and data frameworks will see modest incremental costs to align with Section 5.
- Firms with legacy systems may face higher upfront investments, but these are necessary and will also deliver broader benefits across AML/CFT, regulatory reporting, and risk management.
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We fully support the proposals in Section 6 of the draft RTS. Clarifying the requirements for reliance on third parties is an important step toward ensuring that this practice is applied consistently and does not introduce weaknesses into the overall AML/CFT framework.
In our experience, the risks associated with reliance on third parties often stem from:
- Inconsistent data standards between the obliged entity and the third party;
- Incomplete or delayed access to underlying CDD data;
- Lack of clarity over ongoing monitoring responsibilities.
Section 6 addresses these issues well — in particular by requiring that obliged entities ensure they have immediate access to CDD records and that the third party is subject to equivalent AML/CFT obligations and supervision.
To strengthen this further, we would recommend that the RTS place more emphasis on:
- Ensuring that structured data formats (for example, use of LEI for legal entity identification) are agreed between parties to facilitate seamless and accurate data exchange;
- Clear data governance standards for how CDD information is stored, updated, and shared across reliance relationships;
- Requirements to test or validate the quality and completeness of third-party data on a periodic basis.
In terms of compliance costs:
- For firms that already maintain strong data governance and vendor management frameworks, the incremental cost of aligning to Section 6 should be manageable.
- For firms that rely on informal or poorly documented third-party arrangements, there may be some upfront investment required to improve contracts, processes, and data exchange — but this investment is justified to protect against the risk of “blind reliance” that could expose the institution to ML/TF risks.
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We agree with the proposals set out in Section 7 of the draft RTS, particularly the focus on timely, accurate, and complete record keeping and on the accessibility of data to competent authorities.
Good record keeping is a cornerstone of effective AML/CFT practice. In today’s environment of increasingly complex cross-border financial activity, the ability to provide clear, verifiable, and well-structured records is essential not only for regulatory compliance, but also for enabling efficient investigations and risk monitoring.
Section 7 rightly places emphasis on ensuring that records are:
- Comprehensive — covering the necessary elements of customer due diligence and transaction monitoring;
- Accessible — available to competent authorities in a timely manner;
- Kept for an appropriate duration — balancing AML/CFT needs with data protection requirements.
One area we would encourage the EBA to highlight more strongly is the importance of structured data and data quality in supporting these objectives. In particular:
- Use of the LEI for legal entity customers provides an anchor for linking customer data across different systems and jurisdictions;
- Storing records in structured, machine-readable formats (aligned with standards such as ISO 20022) enables faster and more reliable retrieval and analysis, both for internal use and for sharing with authorities;
- Good data governance and lineage practices ensure that records remain consistent and traceable over time, even as systems and business models evolve.
In terms of cost:
- For firms with mature data architectures and governance frameworks, the cost of complying with Section 7 should be relatively low.
- For firms still reliant on fragmented systems or manual processes, there may be higher short-term costs to standardise record keeping and improve accessibility — but this is a necessary and future-proof investment. In the long run, it also reduces the risk of costly remediation or enforcement action due to gaps in data or poor traceability.
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We support the proposals in Section 8 of the draft RTS and the related data requirements set out in Annex I. In particular, we welcome the move toward more standardised, consistent, and structured data collection across obliged entities.
High-quality, structured data is critical for effective supervisory risk assessments, as well as for enabling cross-border cooperation and improving the quality of intelligence shared with Financial Intelligence Units (FIUs).
We especially support the focus in Annex I on gathering data on:
- Customer types and risk profiles;
- Products and services;
- Geographic exposure;
- Transaction volumes and behaviours;
- Use of standardised identifiers (where applicable).
We would strongly encourage the RTS to go one step further by explicitly referencing the use of structured identifiers such as LEI for legal entities. This would ensure that entity identification is not only accurate but also interoperable across systems and jurisdictions — which greatly enhances the value of the data for supervisory and investigative purposes.
In our work with financial institutions, we consistently see that those that adopt structured data standards and invest in data quality experience:
- More efficient compliance processes;
- Fewer false positives in monitoring systems;
- Stronger audit trails;
- More seamless reporting to supervisors.
In terms of cost:
- For firms that already manage well-structured data and reporting frameworks, the additional cost of aligning to Annex I should be modest.
- For firms still dependent on unstructured or fragmented data, there will be more significant upfront work required — but this investment is both necessary and aligned with global trends toward data-driven supervision. The long-term benefits — both in terms of reduced compliance costs and better risk management — will outweigh the initial effort.
Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.
We support the structured approach proposed in Article 1 for classifying the level of gravity of breaches, as it brings greater consistency, transparency, and proportionality to the sanctions framework.
The indicators set out are logical and reflect the key factors that determine the potential harm or systemic risk posed by a breach — including:
- The nature and seriousness of the breach;
- The impact on the financial system or the integrity of AML/CFT controls;
- The duration and frequency of the breach;
- The degree of cooperation with supervisory authorities.
That said, we would suggest adding a stronger emphasis on data-related factors within the list of indicators. In practice, we see that many serious AML/CFT deficiencies are rooted in:
- Poor data quality;
- Lack of transparency around customer identity or ownership;
- Failure to adopt structured identifiers, such as the LEI for legal entities;
- Fragmented or inconsistent transaction monitoring data.
When such weaknesses are systemic, they undermine the effectiveness of an institution’s AML/CFT framework — regardless of whether other formal controls appear to be in place.
We therefore recommend that data integrity, entity transparency, and structured data usage be explicitly included in the gravity assessment. Institutions that neglect these foundations should face higher sanction levels, while those that demonstrate strong data governance should receive recognition of their lower residual risk.
Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.
We support the principle of introducing a clear classification of breach gravity — as set out in Article 2 — to help ensure that pecuniary sanctions and supervisory responses are proportionate, consistent, and transparent across the EU.
The proposed three-tier classification (minor, serious, very serious) is simple and intuitive, and aligns with good regulatory practice. It allows supervisors to distinguish between breaches that are technical or low-impact, and those that pose systemic or material ML/TF risk.
That said, as with our comments on Article 1, we believe that data-related failings should be more explicitly factored into the determination of gravity:
- For example, breaches involving systemic failures in entity identification, transparency, and data quality (such as persistent absence of LEI for legal entity customers, or major gaps in ownership or transaction data) should typically be classified at least as “serious”, and potentially “very serious” — depending on the extent to which these weaknesses impair the institution’s AML/CFT controls.
- Conversely, institutions that have invested in structured data and transparency, even if they experience isolated process breaches, should not be unduly penalised if the underlying data integrity and traceability remain strong.
In our experience, poor data governance is often an underlying cause of broader AML/CFT control failures — yet it is sometimes under-emphasised in breach classifications.
We therefore recommend that the RTS explicitly incorporate data transparency and governance into the assessment of breach gravity. This would help drive positive behaviours across the industry and strengthen the overall resilience of the EU AML/CFT framework.
Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.
We support the structured approach proposed in Article 4 for determining the level of pecuniary sanctions. The list of criteria is comprehensive and reflects the right balance of risk, impact, conduct, and mitigation factors — which will help ensure fair and proportionate application of penalties.
In particular, we welcome the inclusion of factors such as:
- The gravity and duration of the breach;
- The degree of cooperation with supervisory authorities;
- The presence of recidivism or repeated failings.
One area where we believe the list could be strengthened is around data governance and transparency. In today’s AML/CFT landscape, systemic weaknesses in data quality, entity identification, and transaction transparency can significantly increase ML/TF risk — often more than isolated procedural breaches.
We would suggest explicitly including the following considerations:
- Whether the institution maintains high-quality structured data to support AML/CFT controls (for example, consistent use of LEI for legal entity customers, structured transaction records, traceable ownership data);
- Whether poor data quality or lack of transparency contributed to or aggravated the breach;
- Whether the institution has taken corrective actions to improve data governance as part of remediation.
Poor data foundations often lead to broader control failings — such as ineffective transaction monitoring, missed red flags, and unreliable reporting to FIUs. Recognising this in the sanctions framework would help incentivise stronger data-driven AML/CFT practices across the industry.
Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.
Yes, it is appropriate to consider the financial strength of the legal or natural person when determining the level of pecuniary sanctions. This ensures that penalties remain effective, proportionate, and dissuasive — regardless of the size or financial capacity of the entity or individual concerned.
When assessing financial strength for legal persons, we would suggest adding an explicit reference to the use of structured, verifiable sources of information, such as:
- LEI-linked public disclosures (for entities using LEI);
- Consolidated financial statements, especially in cross-border groups;
- Transparent data on ownership structures and ultimate beneficial ownership.
In practice, financial strength assessments can be undermined by opaque or complex group structures — particularly where non-transparent ownership chains or inconsistencies in entity identification exist. The use of structured identifiers (LEI) and clear ownership mapping significantly improves the reliability of these assessments.
For natural persons, it would also be useful to consider:
- Whether the person derives indirect financial benefit from ownership or control of legal entities involved in the breach;
- The degree to which their personal assets are intertwined with corporate structures, which could influence enforcement of pecuniary penalties.
5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?
We support the inclusion of clear criteria to guide supervisors when considering significant administrative measures such as restricting or limiting business operations, or requiring divestments. These are impactful interventions that should be grounded in a well-evidenced, risk-based process.
The draft RTS rightly focuses on factors such as the nature and seriousness of the breach, its systemic impact, and the effectiveness of remediation. We would also suggest placing greater emphasis on the role of data governance and transparency when assessing whether these measures are warranted.
For example:
- If an institution demonstrates systemic weaknesses in entity identification (such as failure to adopt LEI where applicable), ownership transparency, or transaction data quality, these weaknesses can severely impair AML/CFT controls and may justify more severe supervisory action — especially where the affected business lines or geographies present higher ML/TF risks.
- Conversely, where an institution maintains strong data quality and transparency but faces isolated process failings, proportionality should guide the response — and restriction of business operations may not be necessary.
In addition, in complex or cross-border groups, the supervisor should consider whether poor data integration across the group materially limits the institution’s ability to monitor and control risk — which could justify targeted divestments or restrictions to reduce group-wide risk exposure.
5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?
We support the criteria set out in the draft RTS for determining when withdrawal or suspension of authorisation is appropriate. This is among the most serious supervisory measures and should be applied where there is clear evidence of systemic and persistent failure to meet AML/CFT obligations, or where the institution’s core controls and governance are fundamentally unsound.
In line with our comments on earlier questions, we believe that data quality, transparency, and governance should be a key part of the supervisory assessment. In particular:
- If an institution cannot demonstrate transparent and reliable identification of customers and counterparties (for example, through failure to adopt LEI or maintain clear ownership records), this should weigh heavily in the supervisor’s decision — especially if these weaknesses are long-standing or resistant to remediation.
- Where transaction monitoring is compromised by poor or inconsistent data (for instance, unstructured payment data or incomplete record keeping), the institution’s ability to meet its AML/CFT obligations may be so impaired as to warrant suspension or withdrawal.
- In cross-border groups, if the parent is unable or unwilling to ensure consistent data standards and effective risk monitoring across its subsidiaries, this may further justify such action to prevent contagion of risk across the network.
We would encourage the RTS to state more clearly that persistent, unresolved deficiencies in data transparency, data governance, and traceability are a serious factor in determining whether an institution is fit to continue holding authorisation.
5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?
We fully support the ability of supervisors to require changes to governance structures where weaknesses in oversight, accountability, or risk management have contributed to AML/CFT failings. In many cases, governance deficiencies are a root cause of broader control weaknesses.
In this context, we believe the RTS should explicitly recognise that an institution’s approach to data governance and transparency is an integral part of its overall AML/CFT governance. Specifically:
- If ownership of data quality and data risk is unclear, fragmented across the organisation, or not actively overseen by senior management and the board, this should be a red flag that may warrant governance changes.
- If senior management has failed to implement group-wide data standards — for example, consistent use of LEI for legal entities, structured transaction data, and reliable ownership records — this signals a broader failure of governance and risk culture.
- Conversely, institutions that can demonstrate clear accountability for data governance, effective oversight by the board, and integration of data risk into their enterprise risk management framework should be seen as having stronger governance foundations.
We have observed that addressing data governance is often the missing link when institutions attempt to strengthen AML/CFT governance after supervisory findings. We would therefore encourage the RTS to make this connection more explicit — so that supervisors can formally take data governance maturity into account when deciding whether governance changes are required.
Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.
In our view, most of the indicators and criteria set out in the draft RTS are equally relevant to the non-financial sector, as the underlying principles of risk-based supervision, governance, data quality, and transparency apply across all obliged entities — whether financial or non-financial.
In particular, the following indicators should definitely apply to the non-financial sector:
- Gravity of the breach — nature, scale, duration, and impact of the breach should be assessed consistently across sectors.
- Cooperation with supervisory authorities — applicable in all cases.
- Effectiveness of governance and internal controls — equally important in non-financial entities, especially for sectors such as real estate, legal services, corporate service providers, and virtual asset service providers (VASPs).
- Data quality and transparency — non-financial entities should also be expected to maintain accurate, structured, and accessible customer and transaction records, particularly where they engage in activities that can be exploited for ML/TF.
- Use of structured identifiers — as the LEI becomes more widely adopted, there is no reason why non-financial obliged entities should not also incorporate this in their risk management and customer due diligence processes when dealing with corporate clients.
The only area that may require tailoring is in the treatment of indicators related to prudential or financial soundness — for example, capital adequacy or liquidity, which are relevant to regulated financial institutions but less applicable to non-financial businesses. However, this is already recognised in the structure of the RTS and can be accommodated with proportionality.
Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.
Yes — we believe there is merit in providing more detailed guidance on how the indicators and criteria should be applied in relation to natural persons, particularly senior management as defined under the AMLR.
Senior management plays a critical role in setting the tone for compliance, ensuring effective governance, and overseeing risk culture within an organisation. Where failings occur at this level, the potential for systemic AML/CFT weaknesses is significant.
At present, the draft RTS rightly references the role of individuals, but further clarity could help ensure consistent supervisory outcomes across the EU. We would suggest adding guidance in the following areas:
1. Accountability for Data Governance and Transparency
   - Senior management should have clear accountability for ensuring the integrity of customer and transaction data, including:
     - The consistent use of structured identifiers (such as LEI) where applicable;
     - The accuracy and completeness of ownership and control records;
     - The organisation’s ability to produce timely and accurate reports to supervisors and FIUs.
2. Oversight of AML/CFT Risk Management
   - Senior management should be assessed on whether they:
     - Regularly review the effectiveness of AML/CFT systems;
     - Ensure that resources (staffing, technology, data) are adequate to manage AML/CFT risks;
     - Have established clear reporting lines and escalation mechanisms for AML/CFT concerns.
3. Personal Conduct and Culture
   - The assessment should consider whether individual members of senior management have:
     - Demonstrated a proactive approach to AML/CFT compliance;
     - Acted with integrity and transparency in dealing with supervisors;
     - Tolerated or failed to address known weaknesses in AML/CFT controls.
Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?
Yes — we believe that the RTS would benefit from being more granular and explicit regarding the factors used to calculate periodic penalty payments. Clearer guidance on how penalties are calibrated would:
- Promote greater consistency across the EU;
- Provide more predictability for obliged entities;
- Strengthen the deterrent effect of the regime by making the link between behaviour and penalty levels more transparent.
In particular, we would suggest that the following factors be explicitly included in the calculation:
- Degree of systemic risk created by the breach
  - Penalties should scale with the extent to which the breach exposes the financial system or economy to ML/TF risk — taking into account the institution’s size, geographic reach, and product offering.
- Impact on data integrity and transparency
  - Periodic penalties should be higher where breaches involve:
    - Failure to maintain accurate, structured customer data (e.g. lack of LEI adoption for legal entities);
    - Incomplete or opaque ownership structures;
    - Poor transaction data traceability (e.g. missing or unstructured payment data).
  - These failings often undermine the ability of authorities to detect and investigate ML/TF, and should be treated as aggravating factors.
- Responsiveness and remediation
  - The calculation should reflect whether the institution:
    - Proactively identifies and corrects deficiencies;
    - Cooperates fully with the supervisor;
    - Implements sustainable improvements to data governance, AML/CFT controls, and risk culture.
  - Failure to remediate should result in escalating penalty amounts over time.
- Duration of non-compliance
  - Penalties should scale based on how long the institution remains in breach, and whether management has failed to address known issues in a timely manner.
In addition:
- Uncertainty about penalty calculation creates both compliance ambiguity and potential for uneven enforcement across Member States.
- Clear and predictable rules help drive better compliance behaviours — particularly in areas like data governance and transparency, which are often neglected if not explicitly linked to enforcement outcomes.
Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?
Yes — we strongly believe that the RTS should aim to create a more harmonised set of administrative rules for the imposition of periodic penalty payments across the EU.
Without such harmonisation, there is a risk of significant divergence in supervisory practice between Member States, which could:
- Lead to uneven enforcement;
- Create regulatory arbitrage opportunities;
- Undermine the overall effectiveness and credibility of the EU AML/CFT framework.
In our view, certain key provisions should be included at EU level (rather than left to national legislation) to ensure consistency and legal certainty across the Single Market:
- Clear and harmonised factors for penalty calculation
  - The EU framework should set common factors to be used in calculating penalties (as per our response to Question 8), including:
    - Gravity of the breach;
    - Impact on data integrity and transparency;
    - Duration of non-compliance;
    - Cooperation and remediation efforts.
- Minimum procedural standards for the imposition of penalties
  - The RTS should require Member States to follow transparent and documented processes when imposing penalties — including:
    - Clear notification to the institution;
    - Opportunity to respond;
    - Publication of final decisions (with appropriate safeguards).
- Escalation mechanisms
  - The RTS should establish harmonised rules for escalating penalties where non-compliance persists, so that penalties remain credible and dissuasive across the EU.
- Provisions to ensure proportionality and fairness
  - The framework should include clear guidelines on applying proportionality, taking into account:
    - The size and financial strength of the institution;
    - The nature and impact of the breach;
    - The institution’s risk profile and market role.
Why EU-level harmonisation is needed:
- Divergent national practices on penalties can distort competitive neutrality in the Single Market.
- A harmonised framework will support greater supervisory convergence, in line with the objectives of AMLA and the new AML package.
- It will also give institutions greater clarity and predictability — encouraging more consistent investment in AML/CFT compliance and data governance across the EU.