Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

General comments on RTS under Article 40(2) of the AMLD, RTS under Article 28(1) of the AMLR on Customer Due Diligence, and RTS under Article 53(10) of the AMLD6 on pecuniary sanctions, administrative measures and periodic penalty payments

By way of introduction, the CCBE wishes to stress that it is aware that the draft RTS are designed to apply to the financial sector. However, the CCBE, who is also an observer member of the Commission informal sub group on the non-financial sector (NFSS), understands that the draft RTS for the financial sector will influence the RTS for the non-financial sector. Some of the questions of the EBA consultation even explicitly refer to the non-financial sector. It is therefore important to provide observations in case it was considered to apply the provisions in the drafts to the legal sector and other non-financial sectors. The CCBE wishes to point to the provisions that require a closer analysis and that need to take into account particularities of the non-financial sector, in particular, the legal sector.

To begin with, the CCBE would like to make general observations from a legislative point of view regarding the draft RTS. Additionally, some specific comments for each of the three draft RTSs were made further on in this document. These considerations focus on the most prominent issues, and do not necessarily consider all the questions included in the paper submitted for public consultation. 

First, the CCBE draws attention to the fact that these standards drafted for the financial sector cannot be automatically replicated for the non-financial sector, especially not for lawyers. There is a significant difference in the nature, financial and material means, and the size of the obliged entities (structures) in these sectors. For instance, the scale of automation is much bigger among banks than in law firms, especially in law firms which are SMEs and sole practitioners, which form a significant part of EU law firms. 

The CCBE understands that the draft RTS primarily address the financial sector, but that certain elements thereof are also pertinent to the non-financial sector. As the current drafts have been designed predominantly with financial institutions in mind, they do not sufficiently address several issues that are essential for ensuring a harmonised interpretation of the AML Regulation (AMLR) in relation to lawyers and other legal professionals. In this context, the CCBE would advocate for the development of specific RTS, specifically tailored to the legal profession, within the boundaries of the EU legislative framework which will replace the suggested financial sector-focused provisions. These clarifications would be vital for the consistent application of AML rules across Member States. Ambiguities have led to legal uncertainty under the previous AML Directives, and without further guidance or clarification, such uncertainty is likely to persist under the new framework, thereby undermining the goal of harmonised implementation across the EU. 

Second, several provisions in the draft RTS (particularly the RTS under Article 28 on customer due diligence (CDD)) appear to impose more stringent and prescriptive obligations than the corresponding provisions in the AMLR. Whereas the AMLR generally provides for flexibility and proportionality - using language such as “where necessary”, “may include”, or “proportionate to the higher risks identified”- the RTS often adopts a mandatory tone, using formulations such as “shall obtain” or “shall at least”. This creates the impression that measures which are intended to be optional or risk-sensitive under the AMLR are made compulsory under the RTS. We strongly recommend that the RTS be revised to reflect more accurately the spirit and wording of the AMLR, particularly by aligning its language with the proportionality principle and the discretion left to obliged entities in assessing risks. Alternatively, an option could be to include a statement in each RTS to reflect the message that the scope of each RTS is not meant to go beyond the scope of the AMLR (examples of potential more stringent obligations can be found in e.g. Article 10, 15, 16, 24, 25, 26 and 27 of the RTS on CDD).

Third, it is important to stress that one of the elements that distinguishes the legal sector is indeed that it is covered by the AML rules only when performing particular activities. The CCBE also wishes to underline the importance of legal professional privilege (LPP)/professional secrecy (PS), which must be fully preserved when assessing the inherent and residual risk of legal professionals. Supervisory activities must not result in obliged entities being required to disclose information protected by LPP/PS/professional secrecy which is a fundamental right. Furthermore, we stress that any future interpretative guidance or implementation instruments prepared by AMLA should be developed in close cooperation with the legal profession and its self-regulatory bodies. This is essential to ensure that supervisory expectations remain aligned with the ethical and legal obligations of lawyers under national and EU law, as well as with the jurisprudence of the European Court of Human Rights (ECtHR) and the Court of Justice of the Court of Justice of the European Union (CJEU). Lastly, we recommend that the implementation of the RTS be accompanied by a structured dialogue between AMLA and national legal professional associations, to ensure a proportionate and practical roll-out, e.g. of new data collection and assessment requirements.

Draft RTS on the assessment of the inherent and residual risk profile of obliged entities under Article 40(2) of the AMLD, Question 1. 

When it comes to Draft RTS on the assessment of the inherent and residual risk profile of obliged entities under Article 40(2) of the AMLD, the CCBE would like to put forward the following suggestions.

Article 2 requires attribution by supervisors of a numerical score based on pre-determined thresholds to all the inherent risk indicators which are applicable to the relevant obliged entity. These inherent risk indicators shall be based on the data points mentioned in Annex I, section A.

The CCBE recognises that to have all EU supervisors of the legal profession to develop and use the same set of data points has the potential to ensure a consistent approach within the EU (which is what the EU regulations are aiming for). Therefore, the CCBE appreciates the efforts aimed at harmonizing the work of the supervisory authorities.

Indeed, the system should not lead to different sets of approaches that would create different competitive standards for lawyers in various countries. At the same time, the CCBE believes that there should be more room for manoeuvre left to supervisors than in the current draft. Supervisors should have final competence on thresholds and weights applied to risk indicators and categories in order to be able to respond to specific risks in a Member State. In this sense, a minimum set of data with a possibility to adjust parameters and further optional parameters would be the preferred solution.

Conversely, the current draft RTS does not set forth how the “predetermined weights” to be applied to each risk indicators (see e.g. Article 2(2), §2) are to be computed. On the contrary, according to par. 20 of Section 3 (Background and rationale) of the Consultation Paper (emphasis added) : “ [b]ecause risks vary and evolve, risk indicators and weights would not be included in the draft RTS. Instead, it would be the role of AMLA, in cooperation with national supervisors, to define the risk indicators and weights for each review cycle and to monitor the effective application of these indicators by supervisors in all Member States”. 

Supervisors shall have margin of appreciation to decide, whether an event or development justifies a new assessment and classification of an entity. The system shall also allow for national specificities. It is crucial to take into account that there are differences across supervisory models and supervisors, which can be more or less centralised. The profession of lawyer is regulated and supervised for AML/CFT purposes differently across Member States. 

The system should also take into account non-financial sector specificities. For every sector relevant data points should be established relevant to the nature of the business and size of the sector, which take into account in a realistic manner the administrative load which can be absorbed by non-financial SMEs, including solo practitioners. The data points in the current draft are not adequate for the legal sector in this regard and do not take into account either, that the legal sector is covered by the AML rules only when performing particular activities. 

The CCBE also recalls that, in line with a risk-based approach recognised by FATF, the risk profile should be adapted to the size and nature of the business. Further considerations in this regard are provided in the answer to question 3. Therefore, the legal sector should be able to define its own data points relevant to its size and to the nature of the business. The approach to assess and classify obliged entities should take into account the nature and the size of the business which are scored.

The draft RTS rather seem to favour a “tick the box” approach and reduce the margin for discretion and evaluation. Such an approach risks creating more administrative burden and red tape for the legal sector while being ineffective regarding its actual goal, the fight against money laundering. It would also go against the direction of simplification and reduction of administrative burden announced by the Commission.

There are three elements in the approach proposed in the draft: inherent risk, quality control assessment, and residual risk. The first two elements will require adaptations and significant resources from the supervisors. 

When it comes to inherent risks assessment, supervisors of the legal sector such as Bars would require a longer adaptation period to adapt their existing risk assessment models (e.g. adding new data points) to assess the inherent risk profiles of all obliged lawyers and law firms.

Even if a Bar has developed a digital risk assessment classification to assess inherent risk profiles of all obliged lawyers and law firms, such a model relies on input from obliged entities. In light of the new rules, all lawyers and law firms will need to be notified of these new data collection requirements and expectations well in advance so that they can incorporate the requirements into their routine recordkeeping. Only after a first cycle of gathering these additional data points which would usually amount to a business year, the data will feed into the classification model, allowing the Bar to assess inherent risks based on new indicators.

Such an adjustment period would be even more important in Member States which do not have a high-functioning digital infrastructure, and for supervisors who rely on manual processes or do not yet have an adequate inherent risk classification model. These supervisors would first need to develop or acquire data collection systems, invest resources in communicating new requirements to obliged entities, and then dedicate further resources to implementing the new methods.

When it comes to the assessment of controls by supervisors, which is a component of the residual risk attribution, it is also important to point to the fact that supervisors will need to adapt their internal supervision procedures to reflect the new requirements. In practice, the organisation of  Bars as self-regulatory bodies will require time and resources. Internal decision-making procedures will need to be followed when adjusting workflows, staff might need to be retrained and communication of the new requirements and expectations to obliged entities will probably be necessary. Based on the views of its member Bars, the CCBE estimates that assessing an entity according to Article 3 can be complex and need a higher amount of time. For these reasons, the deadline for assessing and classifying the quality of AML/CFT controls of obliged entities should be longer for the legal sector, with foreseeing prioritisation of high-risk entities.

As for the residual risk, as it would be based on the two previous elements, as such, it would not require additional significant resources.

Furthermore, the current repeated risk assessment is not realistic for the legal sector – see below.

Another issue is the fact that self-assessment by the obliged entities is banned in the draft from the possibilities. For the legal sector, it should still be allowed, at least as transition to give the time to supervisory authorities. E.g. during the period equivalent to periodicity of review, of a cycle. In any case, even though obliged entities may (and should) perform a self assessment of their own (business-wide) AML/CFT risk, such assessment should be reviewed and challenged by the supervisor, which may reach a different conclusion in terms of risk scoring of the relevant entity.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

It is understood that the EBA’s purposed methodology is a three-step process. First the obliged entity is assessed to ascertain inherent risks based on services, products, client types, distribution channels, and geography exposure. A category of risk is assigned (low, medium, substantial or high risk). An inherent risk score will be assigned to the obliged entity. 

The second step is an assessment of the quality of the obliged entities internal AML controls. Essentially, it is understood that this is how an obliged entity mitigates its inherent risk through client risk assessments, policies and procedures. A score will be assigned to reflect the quality of the obliged entities AML controls. 

An obliged entity residual risk score is its inherent risk score minus its AML control quality score. 

Based on this understanding, a residual risk score may be equal to inherent risk score but never greater than inherent risk score. Residual risk score will most often be less than inherent risk score. 

The principle that residual risk can be lower but never higher than the inherent risk should be generally upheld.

Risk mitigations might not be individual but at the level of the profession (e.g. structures of control of pooled accounts by Bars and Law Societies ), which must also be taken into consideration.

However, “Automated assessment of inherent risks” mentioned on page 65, does not suit for lawyers. The assessment is usually done on a case by case basis (as they usually need to be based on the entire dossier in order to be effective and not on a single transaction).

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

The CCBE considers that it might be difficult to use the data points in Annex I in the legal sector. Only some of the data points listed in the current draft are relevant and feasible from the point of view of lawyers.

Therefore, if such a list was to be applicable to the legal sector, the list of data points should be revised and made tailormade for and in consultation with the legal profession. Several data points featuring in the draft Annex should be removed as most of them are not adapted to the legal sector. There is a need for a sector-specific, shorter list, tailored to lawyers. 

For instance, specialisations of lawyers in a particular area might only be a data point for the legal sector as far as they are verified by an institutional scheme (e.g.by the Bar).

Moreover, it is suggested to specify that the list of data points is indicative (and not mandatory) and not exhaustive, leaving it ultimately up to the Bar acting as a supervisor to decide. The CCBE would advocate for a minimum, indicative list of data points for the legal sector which national supervisors could complement based on their specific national risk factors.

Although some of the points in the draft might be interesting on the level of supervisors, this is not the case for individual lawyers for whom it would be difficult to inquire and keep track of them every time.

In addition, we believe that the proposed list of data points fails to distinguish between types of legal practice and size of operations. Many legal professionals, particularly sole practitioners or small law firms, do not have the technological infrastructure to collect and report data at the granularity expected in Annex I. Data points such as the number of transactions, distribution channels, or detailed geographic mapping of clients may simply not exist in a structured format within law firms, as legal work is usually organised around individual client files and case matters, not transactions in the financial sense. The requirement to generate and submit such data could lead to a significant administrative burden and diversion of resources from core legal work. This is especially problematic in Member States where digitalisation is still in progress. We also caution against applying assumptions derived from financial institutions to legal practice. For instance, the notion of “client onboarding” does not directly translate to how lawyers engage with clients. Legal representation often begins in urgent or highly sensitive circumstances (e.g. criminal defence, asylum, human rights), where rigid data capture frameworks as a pre-condition for the intervention of a lawyer could conflict with legal ethics, confidentiality or even constitutional rights of defence.

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

The CCBE thinks that the proposed timelines are not realistic or feasible for the legal sector, considering the large number of obliged non-financial sector entities in the EU. These timelines, should they enter into force, would weaken the quality and effectiveness of AML/CFT supervision of the non-financial sector across the Union.

For example, when it comes to the first assessment and classification of the inherent risk profiles of obliged entities (Article 5 of RTS), the proposed 9 months period is not adapted to the legal sector. 

Therefore, the timelines for the first assessment and reassessment shall be considerably longer for the legal sector.

Certainly, to ensure that supervisors’ understanding of the ML/TF risks to which obliged entities are exposed, the inherent risk profile and the residual risk profile of the obliged entities should be reviewed on a regular basis. However, for the legal sector, the frequency of the revision of both the inherent risk profile and the residual risk profile should be reduced. Timelines/intervals should be extended. 

For the legal sector, it is suggested that the frequency of assessments is organised into multiannual cycles (five to seven years) with a possibility for more frequent controls for the high- risk entities. 

Moreover, the CCBE considers that supervisors in the legal sector should be given discretion when it comes to deciding when to conduct an ad hoc assessment and classification of the inherent and residual risk profile of the relevant obliged entities, mentioned in Article 5(4) RTS.

Due to their knowledge of the particularities and nature of the sector, Bars acting as supervisors shall also be given discretion to determine what triggers the need for a complete reassessment of the entity’s inherent and residual risk. 

Lawyers should review their own risk profiles once a year, but the assessment by the supervisor should be less frequent by default with some exceptions (e.g. the fact the law firm welcomes a brand-new department coming from another law firm, etc.).

It should be observed that most law firms, even those that are deemed to be “big” are SMEs. Changing field of activities and type of clients would be a long-term project for lawyers, who build their reputations and specialties quite early in their practice. Also, big changes in the governance structure are exceptional. A huge variation of the risks in a period of one year is not likely to happen.

More generally, a lower residual risk rating identified by the supervisor should not postpone the reassessment of the entity, but a higher residual risk should accelerate it.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

From the point of view of the legal sector, the following issue would arise. According to Article 5, al. 3, b) of the draft RTS, supervisors apply reduced frequency, when “the obliged entity does not carry out activities falling within the scope of Regulation (EU) 2024/1624, other than the following activities: […].” This provision is a contradictio in terminis. That wording seems to imply that supervisors should assess and classify the risk level of all possible “obliged entities”, even if those entities do not carry out activities within the scope of Regulation (EU) 2024/1624 and – ipso facto – do not qualify as obliged entities in the legal sector. Supervisors should only assess and classify the risk level of entities that qualify as obliged entities under Regulation (EU) 2024/1624. Therefore, the wording of point b) should be as follows: “The obliged entity does only carry out the following activities: […].”

Moreover, for lawyers, the criteria to determine the periodicity would be based on the number of lawyers and not based on the number of staff members. This should include a possibility of nuances according to the level of integration (lawyers might only share e.g. premisses or a secretary without being otherwise associated).

Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

EEA countries are in principle subject to the AMLD 6 rules and thus should be presumed to present lower risk, as opposed to third countries, for which the quality of the AML framework may not be presumed. Based on data minimisation principle, this should be taken into account to treat differently the data related to EU/EEA countries, as opposed to third countries.

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

As a preliminary remark, the CCBE would like to point that analogous to Regulation (EU) 2024/1624, the draft RTS is focused on the financial sector and therefore, it cannot be applied to the non-financial sector. It is not only overly ambitious in its approach, but it is also not tailored to the nature of the business of legal professionals.

The non-financial sector, comprised in large part of many small(er) entities that do not possess the same amount of resources to implement time-consuming administrative CDD-measures (not including the time it will take to study and comprehend those new rules). These heavy administrative burdens threaten to severely augment the cost of compliance for obliged entities, hampering access of citizens to their services.

Legal professionals are only subject to AML obligations in specific circumstances defined by Article 3(3) of the AMLR. These are often limited, case-based, and triggered by particular client engagements. Therefore, the administrative structure and data capture logic proposed in Section 1 of the draft RTS — which appears designed for entities with ongoing client accounts, transaction volumes and continuous onboarding processes — does not align with the operational model of lawyers. A uniform application of these standards would impose disproportionate compliance burdens on lawyers and legal practices, especially sole practitioners or small offices, with no added benefit in terms of AML/CFT effectiveness.

The CCBE would like to provide the following observations with regards to Section 1 about information to be collected for identification and verification purposes.

With respect to Article 2 (Information to be obtained in relation to addresses), the detailed information required under this Article (which applies to both the customer itself, the persons purporting to act on its behalf, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted) appears contradictory to the risk-based approach principle (e.g. when it comes to proxyholders or persons benefiting from the activity/transaction, regard could be had to reducing the amount of information relating to personal address, reducing it, on a risk-based approach, to the country of residence/nationality(ies) only). For proxyholders acting for a legal person customer, instead of asking the personal address, it could be considered to gather the information on the professional address only.

Contrary to the purpose and other articles of the RTS, Article 4 regarding specification on nationalities, does not provide any guidance on what information could suffice. For the legal sector, this Article should either be deleted, leaving it up to the obliged entities to decide what information would suffice, or further guidance should be provided. 

According to Article 5, par. 3, obliged entities shall take “reasonable steps” to ensure the authenticity of the documents collected for the purpose of identification and verification of the client. Therefore, it should be clarified in the considerations how the criterium of “reasonable steps” should be interpreted. The same is true for Article 5, par. 4. Furthermore, the obligation to systematically obtain and verify documents for identification purposes should not be interpreted in a manner that conflicts with LPP/PS. Legal professionals may, in certain circumstances, be limited in what information or documents they may request or retain without infringing client rights or procedural safeguards.

Moreover, it should be specified what is a “certified” translation. Regarding translations, it is also suggested to include the possibility to use translations by reliable sources including automatic translation services. The quality of automatic translation is nowadays sufficient to understand such documents, so that the reference to certified translations seems outdated and is an unnecessary administrative burden.

In face-to-face context, Article 5, al.5 requires systematic collection of the original ID document, or a certified copy thereof. The requirement of collecting the original/certified documents is not aligned with a risk-based approach and consequently creates unnecessary administrative burden and additional costs. More flexible approach could be upheld on a risk-based approach, e.g. in case of proxyholders of low risk customers (such as regulated or listed entities), relying on a simple letter detailing the minimum identification data should be sufficient. In other cases, a letter detailing the minimum identification data should be acceptable if issued by professionals being themselves subject to AML/KYC obligations and considered, on a risk-based approach, as reliable, such as, for instance, a notary, a qualified lawyer, a registered accountant or any other persons that are authorised as equivalent to a notary for document certification purposes.

Further, not all passports and identification documents contain the same elements, such as place of birth, facial image, machine-readable zone, which may not be present in documents like driver's licenses or certain national passports. The RTS should acknowledge these differences and provide flexibility.

It should be clarified that reliable and independent sources of information according to the criteria set out in Article 7 may replace any documents required for the verification of the identity of the person. This follows from Article 22(6)(a) AMLR which allows the use of such documents. It can occur that a lawyer cannot obtain some documents and in these cases, they should be able to rely on other sources. 

With respect to Articles 10 and 11 regarding understanding the ownership and control structure of a customer:

• the presence of several layers does not necessarily result in a customer or an entity being considered as riskier or complex. The scope and extent of the information and supporting documentation, as the case may be, to be gathered with respect to each entity involved in the ownership structure of the customer should be determined on a risk-based approach;
• accordingly, the assessment of a given ownership structure should be done on a case-by-case basis, instead of being based on mandatory criteria, such as those provided under Article 11 of the draft RTS.

With respect to Article 12 (information on senior managing officials), a distinction should be made between a senior managing official identified in the absence of beneficial owners identified based on control or ownership, and beneficial owners identified on such basis. The ML/TF risk to a senior managing official is low as a senior managing official may be, and often is, simply an employee in an entity and does not normally have a personal financial interest in the investment being placed in the relevant investment fund and/or may not have control by other means in the entity. On the other hand, a beneficial owner who may have a personal financial interest and may control the entity by other means has a different risk and this person may be a senior managing official in certain specific case. It is important to focus on the real risk and stick to the follow the money principle. As a result, the verification of the identity of senior managing officials should occur on a risk-based approach, rather than “in the same way as for beneficial owners” (as currently provided by Article 12, b. of the RTS).

With respect to Article 13 (identification and verification of beneficiaries of trusts and similar legal entities or arrangements), the CCBE suggests to redraft Article 13 (1) as follows:

“For the purposes of Article 22(4) of Regulation (EU) 2024/1624, the information obliged entities collect shall include: a. a description of the class of beneficiaries and its characteristics, which shall contain sufficient information to allow the obliged entity to determine whether individual beneficiaries are ascertainable and shall be treated as beneficial owners; and b. relevant documents to enable the obliged entity to establish that the description is correct and up-to-date on a risk-based approach."

Moreover, it should be considered how in practice the commitment of Article 13(2) can be complied with by trusts. It is likely that trusts will refuse to take such commitment to inform proactively the obliged entity in case of change in beneficiaries, or in case of beneficiaries previously identified by class or characteristics becoming ascertainable. It is therefore recommended having this control whenever a payment is requested to a beneficiary.

Finally, we believe that Section 1 of the draft RTS does not sufficiently differentiate between business models. Unlike financial institutions, lawyers do not operate very often continuous transactional relationships, but rather provide episodic legal advice and representation. Concepts such as "ongoing monitoring", "customer onboarding", or "distribution channels" have limited relevance to the legal profession. Therefore, we propose that the RTS explicitly allow Member States and self-regulatory bodies to develop sector-specific implementation guidance for legal professionals, aligned with AMLR but tailored to legal ethics, practice, and risks.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

It is difficult to assess if the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 par. 1 (i.e. e-IDAS compliant solutions). 

The CCBE is opposed to the notion that the remote verification solutions described in paragraphs 2–6 should be considered merely transitional or temporary, pending the availability of e-IDAS-compliant solutions. First, such an approach would disproportionately impact smaller obliged entities, including small law firms, who may lack the financial and technical capacity to implement or integrate e-IDAS-compliant systems. These systems can be costly, complex, and heavily dependent on national infrastructure that is not yet uniformly available or accessible across all Member States. This is particularly problematic in Member States where legal professionals are not integrated into central e-IDAS systems (e.g. for professional identification) or where such systems are limited to certain public sector uses. Requiring lawyers to rely on infrastructure that is not built for them would create inequality in compliance and in the quality of legal services across the EU.

Second, regulatory frameworks must be technologically neutral and proportionate. Mandating a single solution (e-IDAS) when other secure and effective alternatives exist would stifle innovation and limit flexibility. For many situations, the safeguards provided in paragraphs 2–6 are entirely sufficient and allow entities to comply with their obligations without unnecessary burden.

Finally, the risk-based approach that underpins EU AML/CFT law suggests that different verification methods may be appropriate depending on the nature and risk profile of the transaction or client. It would be contrary to this principle to render remote verification solutions obsolete or legally inferior simply because e-IDAS systems are available in some jurisdictions or for some use cases.

The extensive conditions provided by Article 6, par. 4 notably in terms of technological features (e.g. only end-to-end encrypted video chats are permitted; images, video, sound and data are captured in a readable format and with sufficient quality; documents and information collected are time-stamped and stored securely) impair the possibility for the obliged entities to define and implement their own risk-based approach. Article 6 should merely stick to the risk-based approach principle, as currently provided under Article 6, par. 2 (i.e.“ […] Such solutions shall be commensurate to the size, nature and complexity of the obliged entity’s business and its exposure to ML/TF risks.”). At least, Article 6, par.4 should merely provide the principle that the obliged entity shall ensure that the solution used includes appropriate safeguards as to the quality and accuracy of the data and documents collected, without entering into further details (i.e. removing the items / conditions currently listed under a. to f. of Article 6, par.4).

Indeed, it should remain up to the obliged entity to decide, on a risk-based approach, whether video identification is required. The fact that a given individual is seen by the obliged entity (either on a face-to-face basis or through video chat) does not necessarily bring additional comfort if in practice, on a risk-based approach, the obliged entity has gained comfort that the source/channel used to provide relevant identification information/documentation is reliable.

In light of the above, Article 6, par.4 shall be updated as follows:

• sub b.: references to “audiovisual communication” and “video chats” shall be removed;
• sub c.: wording “any images, video, sound and data” shall be clarified as “any images, video, sound and/or data”;
• sub d.: this item, providing that “the identification process does not continue if technical shortcomings or unexpected connection interruptions are detected”, presupposes that verification of identity necessarily entails a live stream of data. This item shall thus be removed, or, at least, clarified as follows: “where applicable, the identification process does not continue if technical shortcomings or unexpected connection interruptions are detected”.

With respect to Article 6, par.3, consent for personal data processing under remote onboarding is not a matter of AML/CFT legislation, but rather of data protection legislation (i.e. GDPR). As such, this provision is not relevant for these RTS, and should thus be removed.

Additionally, according to Article 6, par.5, for customers which are not natural persons, where obliged entities take reproductions of an original document without examining relevant original document, “obliged entities shall take steps to ascertain that the reproduction is reliable”. This wording shall be clarified to state that such steps shall be undertaken on a risk-based approach, and, in particular, limited to cases where the obliged entity has grounds to question the reliability of the reproduction so obtained.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

The elements to be verified, enumerated in Article 15 on identification of the purpose and intended nature of the business relationship or the occasional transactions shall be reviewed. For instance, par.1 point a) requires to check why the customer has chosen the services of the obliged entity. In practice, it is almost impossible to establish “why” someone has done something. Moreover, point d) requires determining the source of wealth, but it is not clear how it relates to the nature and purpose of the business relationship and might be impossible in a lot of circumstances. In any case the standard should be whether or not there are indicators that the alleged source of wealth is not plausible and not measures which amount to forensic accounting. Further, Article 15, c) states that: “[…] obliged entities shall take risk-sensitive measures to determine […] whether the customer has additional business relationships with the obliged entity or its wider group, and the extent to which that influences the obliged entity’s understanding of the customer and the source of funds”. In this article, the reference to the wider group appears unclear in the particular case of legal professionals. The wording should be qualified with “where relevant”, and/or “on a risk-based approach”.

Lastly, Article 16 provides a list of information to be gathered in connection with the purpose and intended nature of the business relationship. The introductory sentence should expressly limit these data “where relevant”, and/or “on a risk-based approach”.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 17, par.1., b) provides that it shall be reassessed whether existing customers/beneficial owners have become politically exposed persons (PEPs) under certain circumstances, including “at least if significant changes in the customer due diligence data occur, such as the nature of the customers’ business, employment or occupation”. The appreciation of the “significant changes” triggering a reassessment should be left to the obliged entities, applying a risk-based approach. In particular, a change in the customer’s business, employment or occupation does not necessarily expose to the risk of PEP (re)qualification: these items should be qualified with “where relevant”.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 20 on “Sectoral simplified measures: pooled accounts” poses major issues from the viewpoint of lawyer’s LPP/PS. This principle is afforded specific protection under Article 8 of the European Convention on Human Rights and Article 7 of the Charter of the EU. As elaborated in the well-established case law of the ECtHR and the CJEU (cf. ECtHR, 6 December 2012, Michaud v. France; ECtHR, 9 April 2019, Altay v. Turkey; CJEU, 8 December 2022, C-694/20; CJEU, 29 July 2024, C-623/22; CJEU, 26 September 2024, C-432/23), lawyer’s LPP does not only cover the activity of defence, but also legal advice. A lawyer can in principle not disclose who his or her clients are to third parties. 

The obligation for lawyers, regardless of their risk level, to immediately and at all times provide information and documents to credit institutions on the latter’s mere request, would amount to a disproportionate interference with their LPP/PS and thus an infringement of fundamental rights according to the ECtHR and the CJEU. The proposed mechanism also risks undermining public trust in legal confidentiality. If clients are aware that their identity and legal matters may be indirectly revealed through banking channels without their knowledge, they may refrain from seeking legal advice or withhold key information. This chilling effect would weaken the right to a fair trial and legal assistance as enshrined in Article 47 of the Charter.

Furthermore, Article 20 runs counter to the necessary independence of lawyers from external influence. In case the supervision on lawyers is entrusted to self-regulatory entities, it is not up to credit institutions to check whether “the customer [lawyer] applies robust and risk-sensitive customer due diligence measures to its own clients and its clients’ beneficial owners.” 

For those reasons, a different framework in the RTS is required that strikes a fair balance between the means of combatting ML/TF, and the special human rights protection granted to the LPP/PS of lawyers or this rule should be deleted and the matter left to the AML Regulations and Directives which deal with adequate supervision.  

Article 18,1,b requires systematic collection (even in case of lower risk), for legal entities, of notably “the tax identification number or the legal entity identifier where applicable”. Systematic relevance of this information for AML KYC/CDD purposes is questionable – noting that same article requires in any case the collection of the “registration number” of the entity.

In addition, we would propose the following clarification (underlined) in Article 18(2): “Paragraph 1 shall apply also to persons on whose behalf or for the benefit of whom a transaction or activity is being conducted, where appropriate based on the economic activity of the customer”.

Lastly, with respect to Article 22, the current wording of the article states that “Obliged entities shall take the measures necessary to ensure that they hold up-to-date customer identification data at all times”. It is proposed to remove the wording “at all times”, as there are concerns that this could be interpreted as requiring obliged entities to check permanently that the customer information is up to date, which would be very onerous and costly and not risk-based. 

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.

For the legal sector, sectoral simplified measures could also be of use.

In general, we believe that the obliged entities should apply a risk-based approach to determine which specific situations are to be considered as lower risk situations, allowing the application of simplified due diligence.

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Articles 24, 25 and 27 define minimum obligations to be complied with by obliged entities with regard to additional information on the customer and the beneficial owners, on the intended nature of the business relationship and on the reasons for the intended or performed transactions and their consistency with the business relationship. These obligations should be only illustrative and not prescriptive. It should be left to the responsible entities’ risk-based approach, commensurate to their risk appetite, to define the precise and tailored measures to apply to each case. Potentially, such measures may be based on factors such as the size of investment, the profile / regulatory status of the investor concerned. It must be underlined that many of the mentioned measures are not currently applied in practice. For example, entities obtain confirmation of source of wealth but not necessarily proof (only on specific red flags cases). Finally, the mandatory application of all of the enhanced due diligence measures considered, might shift the focus from the real risk to a “tick the box” exercise and lead to a de facto financial exclusion of certain customers. The CCBE therefore proposes to replace the terms “shall, at least” with “should, for instance”.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

With regards to the provisions dealing with targeted financial sanctions, Article 29 (a) on screening requirements forces obliged entities to screen customer information “through automated screening tools or solutions, or a combination of automated screening tools and manual checks, unless the size, business model, complexity or nature of the business of the obliged entity allows for manual checks only”. Therefore, the use of automated screening tools or solutions is required as principle but with a possibility to use manual checks only in some circumstances. It should be considered indeed that the size, business model, complexity or the business of the obliged entity might allow for manual checks only. This could be the case of certain law firms. Therefore, such a possibility to conduct manual checks should be foreseen for the legal sector in particular.

Moreover, it would be entirely disproportional from the viewpoint and spirit of Directive (EU) 2018/958 of 28 June 2018 on a proportionality test before adoption of new regulation of professions to expect from professionals to simply pay for the use of such costly tools. If such an obligation is to be imposed on obliged entities, the EU should develop and provide access to such automated screening tools, free of charge. 

Article 29(c)(ii) of the draft RTS cannot be applied to non-financial sector. The provision requires all obliged entities to screen their customers and beneficial owners “when there is a change in any of the existing designations, or a new designation is made in line with Article 26(4) of Regulation (EU) 2024/1624”. The corresponding provision in Article 26(4) of the AMLR clearly limits this specific requirement to credit institutions and financial institutions. Therefore, Article 29(c)(ii) RTS has to reflect the scope intended by the AMLR, limiting the obligation to perform screening upon new designations of targeted financial sanctions to credit institutions and financial institutions only, in line with Article 26(4) of AMLR. This ensures legal consistency and respects the proportionality and risk-based approach of the EU AML framework.

With respect to Article 28 (screening of customers) of the RTS, this article provides that, based on Article 20 par.1,d) of the AMLR, obliged entities shall apply screening measures to customers and to “all the entities or persons which own or control such customers”.

However, aforementioned Article 20 par.1,d) of the AMLR only sets forth the obligation, notably, to verify (emphasis added) “[…] whether natural or legal persons subject to targeted financial sanctions control the legal entity or have more than 50 % of the proprietary rights of that legal entity or majority interest in it, whether individually or collectively”. 

Article 28 of the Draft RTS, to the extent requiring the screening of “all” entities owning the customer, thus go beyond the requirements of the AML Regulation, which limits the requirement to a majority interest or a 50%-ownership threshold. Article28 of the Draft RTS shall therefore be amended to comply with Article 20, par. 1,d) of the AMLR, as follows: “To comply with Article 20(1)(d) of Regulation (EU) 2024/1624, obliged entities shall apply screening measures to their customers and to the relevant entities or persons which control or meet the ownership conditions over such customers as provided by this Article.”

With respect to Article 29, a., it may be noted that this Article notably requires systematic screening of:

• date of birth of natural person customers (i): while information such as e.g. date of birth may indeed be used, in case of positive hit, to further analyse the hit and determine whether the screened person actually corresponds to the sanctioned person identified, there should be no obligation to take this type of information into account for the screening in itself;
• where available, wallet address in the case of a natural person, legal person, body or entity (iii): the obligation to screen this information shall be strictly limited to cases where this information is otherwise held in the KYC file, to the extent relevant to the activities / services provided under the business relationship with the customer;
• in the case of a legal person, “beneficial ownership information” (iv): “beneficial ownership information”, as defined under Article 62 of the AMLR, includes a number of information on the beneficial owners, such as, without limitation:
  • all names and surnames, place and full date of birth, residential address, country of residence and nationality(ies), number of identity document, and, where it exists, unique personal identification number assigned to the person by his or her country of usual residence;
  • the nature and extent of the beneficial interest held, as well as the date as of which the beneficial interest is held;
  • where the ownership and control structure contains more than one legal entity or legal arrangement, a description of such structure, including names and, where it exists, identification numbers of the individual legal entities or legal arrangements that are part of that structure, and a description of the relationships between them, including the share of the interest held.

While this type of information may indeed be used, in case of positive hit, to further analyse the hit and determine whether the screened person actually corresponds to the sanctioned person identified, there should be no obligation to take this type of information into account for the screening in itself, which should be limited to the identity of the identified beneficial owner(s), together with additional information that the obliged entity may consider relevant.

Question 1: Do you any have comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches sets out in Article 1 of the draft RTS? If so, please explain your reasoning.

As a preliminary comment, the CCBE observes that most of the provisions of the draft RTS only refer to the “supervisor”. The EBA should check whether the draft RTS sufficiently takes into account the possibility provided to member states by Article 53, par. 3 of directive (EU) 2024/1640:

“3. By way of derogation from paragraph 2, where the legal system of a Member State does not provide for administrative sanctions, this Article may be applied in such a manner that the pecuniary sanction is initiated by the supervisor and imposed by a judicial authority, while ensuring that those legal remedies are effective and have an equivalent effect to the pecuniary sanctions imposed by supervisors. In any event, the pecuniary sanctions imposed shall be effective, proportionate and dissuasive.”

In addition, the connection between Article 53(10) AMLD [relating to any breaches of Regulation (EU) 2024/1624 or Regulation (EU) 2023/1113] and Article 68 AMLR [relating (only) to breaches of AMLR Chapter IV, Beneficial Ownership Transparency] may need to be clarified. 

Article 2 and 3 cannot be applied to the legal sector. The provisions aim at regulating procedures and create classes of breaches. 

The CCBE believes that this lacks legal basis in the AMLD and cannot be regulated by RTS. 

Classification of breaches into four classes with consequences attached is against the provisions of the directive which prescribes only indicators. The classification and attribution of consequences is too rigid and alien to the European tradition of sanctions which are imposed after an individual appreciation of facts and circumstances. From the point of view of legal professional supervision systems, a rigid, predefined classification of breaches — especially one tied to automated consequences — is not suitable for a profession where case-by-case assessment, ethical obligations, and LPP/PS are central to practice. Many AML/CFT-related compliance issues in the legal sector arise from complex interactions between the obligation to prevent ML/TF and the duty to respect confidentiality, client rights, and due process. Applying a uniform four-tier system of gravity could result in sanctioning conduct that is not objectively serious, but merely reflects a good-faith error in the interpretation of overlapping obligations (e.g. suspicion thresholds vs. confidentiality) and the other way around. Such an approach risks undermining both the proportionality and legitimacy of enforcement measures. Furthermore, the draft RTS appear to overlook the reality that in many Member States, legal professionals are supervised by self-regulatory bodies, which have not only robust disciplinary mandates, but also obligations to safeguard constitutional principles, such as access to justice and LPP/PS. Those bodies operate under national legal traditions that require flexibility and deliberation — qualities that a strict, EU-wide classification model may undermine.

The draft also goes beyond what is the competence of the Union and the procedures should be left to national law.

The search for clarity and certainty is understandable, but if the draft provisions were to be applied to the legal sector, the effect would be the opposite - it would be ticking the box to set sanctions without really looking in the case. In case where judges are competent to impose sanctions, binding them by RTS would not be correct.

Also, if the system has to be risk-based it means one needs to tailor sanctions to specific circumstances of the case. The proposed classification system goes against this approach.

Other indicators could be taken into account, e.g.:

• is the breach due to a failure by the obliged entity itself, or a third party/delegate of the obliged entity?;
• whether the obliged entity took appropriate/reasonable steps to define mitigation measures/controls;
• making a distinction between breach to applicable AML/CFT laws/regulations, as opposed to. breach to the obliged entity’s own AML/CFT policies/procedures (which did not result in breach to applicable laws/regulations).

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches sets out in Article 2 of the draft RTS? If so, please explain your reasoning.

The list of criteria allowing for the decrease of pecuniary sanctions could be expanded, for example in case if the breach was committed by error, including error on the applicable laws and regulations in a complex regulatory environment.

The criteria to be taken into account for certain notions used in this article should be defined/harmonized, such as:

• qualification of the impact (minor / moderate / significant / very significant);
• duration of the breach (short vs. significant period of time).

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

With respect to Article 4(2), the level of pecuniary sanctions should decrease in equivalent amount to take into account the amounts already invested by the obliged entity to remedy the identified / sanctioned breach.

With respect to Article 4(4), pecuniary sanctions on natural persons which are not themselves obliged entities (e.g. board members, conducting officers… of an obliged entity) should be limited to cases where it may be demonstrated that the individual conduct of such natural persons had a direct impact on the identified / sanctioned breach.

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

For all these measures (from points 5a-5c), given their impact, they should be reserved for the breaches with the highest level of gravity, i.e. breaches with gravity classified as category four (while current draft refers to category three or four). Alternatively, they could be extended to category three breaches e.g. in case of failure by relevant obliged entity to remedy within a predefined timeframe.

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

The proposed rules are not adequate for the non-financial sector. 

As this is a question of national law, it may vary across Member States. The indicators and criteria provided in the draft RTS generally do not seem completely irrelevant to the legal sector, but as previously commented, it is important that these criteria/indicators remain examples to be taken into account by the supervisor, with the supervisor retaining flexibility to apply its own judgement when deciding on a sanction.

There is also a question of attribution of powers and competencies. It can be unconstitutional because depending on the national system, supervisors might not have police functions (e.g. the  Bar cannot impose fines). The draft does not fit with the reality and rules regarding supervisory powers in the legal sector. It is not helpful for the  Bars acting as supervisors.

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

The proposed methodology for periodic penalty payments should not apply to the non financial sector.

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

Article 53 (10) is not the appropriate legal basis for procedural questions. They are governed by national law only. Article 7 must be deleted. In any case, the right to be heard in relation to periodic penalty payments (Articles 7 and 8 RTS) should rather refer to the complete body of defendant rights of due process. 

Name of the organization