Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates


Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

The methodology requires extensive data collection, scoring calculations and continuous maintenance. Its extensive nature presents challenges for smaller supervisory authorities and entities: it could become difficult to maintain and lead to inconsistent application.

The detailed scoring thresholds and category boundaries may enable entities to manipulate their scores instead of improving their risk management practices. The specific threshold values (1.75, 2.5, 3.25) might motivate entities to focus on managing threshold levels. 

Despite its provisions for ad-hoc assessments after major events, the annual assessment cycle of the regulation does not effectively detect the rapidly changing risks that affect digital financial services and emerging payment methods.

Technical Issues

The rules in Article 4.2 appear to be contradictory. Averaging the controls quality score with the inherent risk score does not properly reflect how poor controls can increase risk rather than neutralise it, in cases where the controls quality score is worse than the inherent risk score.

The regulation states that weights should reflect "risk significance" yet it fails to provide clear instructions about how supervisors should establish consistent weights across different jurisdictions.

The three-year assessment period for low-risk entities under Article 5.3 is too long, because business models and risk profiles transform rapidly, especially among fintech companies.

Recommendation

Reduce Complexity:

  • Create a simplified methodology for smaller supervisors and low-risk entities, based on core risk indicators rather than the full comprehensive assessment.
  • Phased rollout: begin with high-risk sectors and gradually expand to lower-risk players.

Preventing Threshold Management:

  • Replace hard thresholds with overlapping ranges (e.g. 1.5-2.0 for Medium-Low, 1.75-2.25 for Medium) to reduce the incentive to manipulate scores.
  • Add qualitative override mechanisms.
  • Allow supervisors to adjust category boundaries based on the portfolio risk distribution, preventing entities from clustering around threshold levels.

Proportionality Principle

  • Create clear criteria for where simplified approaches can be used without compromising supervisory effectiveness.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

Comments

While the residual risk would most of the time be lower than the inherent risk, we do believe that residual risk may be higher than inherent risk in the following cases:

  • Control failure amplification: when risk mitigation measures are ineffective (bad design of the control, poor implementation, non-compliance), the residual risk can exceed the inherent risk level. In such a scenario, controls will not just fail to reduce the risks; they can make them worse.
  • Dynamic environment: sometimes the cure becomes part of the disease. New control systems can introduce fresh risks or complications that did not exist before, potentially offsetting their intended benefits.
  • Controls cannot keep pace: in fast-moving situations, controls may become obsolete while inherent risks continue evolving, leaving organisations more exposed than when they started.

Recommendation

The EBA should consider that, in exceptional situations, residual risk may exceed the level of inherent risk, namely when controls are inadequate and introduce new risks or amplify existing risks.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

General Comments

We understand that the data points relate to credit and financial institutions. Most of the data points may be collected, but not in a structured way. The combinations proposed are not typically produced by credit institutions at this time, so gathering all the data will require a lot of work, especially in the first years.

Impact on the Costs

Short-term costs (1-2 years): setup costs

Credit Institutions will need to pay high initial costs for implementing the system which includes: 

  • Update of the data infrastructure (not all entities are capturing all the data points requested in Annex I).
  • The need to link clients and client transactions with geography and beneficial ownership (BO) information for some of the data points.

The implementation of new reporting processes together with quality assurance protocols and regulatory interpretation requires staff training and compliance setup. 

Medium-term costs (2-5 years): maintenance costs

To maintain the process, the following costs will arise:

  • Additional FTEs for data collection, validation and reporting.
  • Technology maintenance.

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

Data currently not available to most credit institutions (or difficult to aggregate)

Data are not structured in the way the data points are described in Annex I. Based on our exchanges with different institutions in the financial centre, the following would be challenging to collect:

  • Number of PEP-related business relationships: relationships related to a PEP are usually categorised as PEP. If the data point is meant to identify close associates or family members, those data may not be available directly in the database (no specific field) and would need to be treated manually as an extract of the PEP data; the PEP category in the database might need to be developed further to facilitate such an extract.
  • Number of clients with at least one transaction during the previous year: to calculate this, banks will likely take the whole population and deduct those with no transactions. It would be good to clarify whether the one transaction is expected to be a "client-initiated transaction". Most banks have a system to detect dormant accounts, but the period with no transactions is longer than one year, so the dormancy detection tool would need to be changed.
  • Complex structures are usually not a data point in KYC databases; this would imply creating such a data point and reviewing legal entities to categorise them as complex according to the final RTS definition.
  • When the FIU sends requests to obliged entities, it does not specify the motivation of the request (we may presume it is the case, but this information is not given).
  • Virtual IBANs: we assume that the data request here relates only to the VBAN transactions that occurred on VBANs offered by the obliged entities. There is no possibility to identify a VBAN, so obliged entities will not be able to provide statistics on payments in or out to VBANs outside the bank. Those data points would need to be created and client transaction activity mapped.
  • Geography data points are also a big piece of work. For investments by country for AMCs (Asset Management Companies? Financial Services Providers?), is this limited to non-listed investments, or does it cover only private equity, real estate or direct credit investments? The number of investors per country is not collected by credit institutions; it could be obtained from the transfer agent, but this may be a challenging task as well. Some TAs provide this information, but it will be difficult to aggregate the data. We are not sure what is meant by: "Total value (EUR) of entity's investment undertakings (CIUs) by country".
  • Distribution channel data points will be a challenging set of data to aggregate. The information may be collected by some banks, but not in a structured way. When we use distributors, we do not necessarily have the full number of underlying investors; similarly, when we deal with financial intermediaries, we do not have all these figures either. What is to be done in those cases?
  • Outsourcing: obliged entities may use several service providers, which will extend the data collection work.
  • AML training: the very granular approach proposed will require some work, especially for large institutions, to capture and gather the data.
  • Transaction monitoring: could you please be more precise and define "alerts in case of inconsistencies between CDD and transactions"? Based on the consultation of our members, none has so far an automated system to compare KYC data with alerts; this is rather done ex post, once the alert is issued by the monitoring tool, and the comparison is made at that moment.
  • When an entity performs manual controls on transactions, obtaining the data point on transfers from a geographic point of view might not be feasible.
  • For parts 3D to 3F, there will be a lot of work to prepare the collection and aggregation of the data. The data may be there but are not.

As a general remark, we want to stress that the data points should also take into account the type of business (level of activity, geography).

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

No answer proposed; nevertheless, many of those data points are not available in the non-financial sector.

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

A reduced frequency of rating refresh might reduce the cost. In line with the risk-based approach, we are comfortable with the proposed frequency of review.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

No comments.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

EEA jurisdictions generally have more robust regulatory frameworks and supervisory controls in place. This enhanced regulatory environment, combined with harmonized AML/CFT standards across Member States, explains why cross-border transactions within the EEA may in theory present lower money laundering and terrorist financing risks compared to transactions involving third countries.

Nevertheless, the AML framework is still not applied in exactly the same way; within the EU, Croatia and Bulgaria are on the FATF grey list despite being full EU members.

In the end, due to the differing levels of implementation of a similar framework within the EEA, the right level at which to assess this remains, at this moment, the country level.

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

The logic behind the materiality criteria outlined in Article 1 is comprehensible. Nevertheless, we contend that their proposed values and formulation appear designed predominantly with retail banking operations in mind. Based on the current text formulation, we anticipate these criteria would encompass a disproportionate number of private wealth management firms and institutional banking entities conducting cross-border services. These benchmarks require adjustment to address this imbalance and guarantee that the pool of designated financial entities remains appropriately representative and varied.

Specifically:

  • The monetary criterion specified in article 1(1)(b) requires significant upward revision given the transaction volumes typical in institutional and private wealth management sectors.
  • Additionally, the criteria outlined in articles 1(1)(a) and 1(1)(b) should function together rather than independently when determining materiality. Applying the monetary benchmark from section (b) in isolation could create complications due to external factors, including currency fluctuation impacts on foreign currency transactions or the influence of exceptional transactions (such as corporate restructuring or fiduciary account closures). These variables could affect whether an institution falls under direct oversight, despite no actual change in its overall transaction activity or risk profile.
  • Lastly, the evaluation timeframe for both criteria (a) and (b) requires explicit definition (such as three-year rolling averages) to provide transparency and predictability concerning direct supervision boundaries.

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

We oppose the option to reduce the threshold values established in Article 1.

As indicated in our previous commentary on Question 1, we maintain that the threshold values in Article 1 are already insufficient. Any further reduction would, in our assessment, intensify the potential bias toward retail operations and risk creating an unmanageably large pool of institutions subject to direct oversight. We consider it essential that direct supervision parameters remain stable and predictable, while ensuring the number of entities under AMLA's direct oversight stays within feasible limits to maintain supervisory effectiveness. Decreasing the Article 1 thresholds, or permitting such reductions, would produce contrary results to these objectives.

Recommendation

We believe that the threshold approach should be reconsidered to better match the different sectors of activity, as the figures differ greatly between them.

We would recommend sector-based thresholds: some activities have large volumes and a large number of customers (payment services, crypto and digital assets), while a private banking activity would typically have a much lower number of customers.

We would therefore recommend sector-differentiated thresholds such as:

  • Standard financial services: 10 000 customers or 25 million transactions
  • Crypto/digital assets: 5 000 customers or 10 million
  • Payment services: 25 000 customers or 50 million
  • Private banking: 2 500 customers or 100 million

This threshold adjustment would allow supervision to focus on the high-risk sectors (crypto, private banking).

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

While a single threshold simplifies compliance, evidence supports distinguishing retail and institutional customers due to differing risk profiles. 

A dual-threshold system (e.g., stricter for retail, more lenient for institutional) would better align with:

  • FATF’s risk-based approach (tailoring measures to risk levels).
  • Industry best practices (e.g., banks already treat different customer types differently).
  • Regulatory efficiency (avoiding excessive burdens on low-risk entities).

We would need to have a clear definition of institutional client.

Recommendation

It will add complexity, but we do believe it would be better to incorporate separate thresholds for retail and institutional clients, with safeguards (the differentiator might not be the category but the level of risk: you can have high- or low-risk institutionals). However, retail and institutional clients need to be defined in detail.

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

Some points of disagreement

Different risk assessment objectives

  • Article 40(2) assesses jurisdictional risk (macro-level).
  • RTS 12(7) assesses entity-specific risk (micro-level).
  • Impact: a methodology designed for countries may not optimally fit firm-level risk.
  • Article 40(2) uses a binary approach (high-risk or not), whereas RTS 12(7) should be granular (e.g., more customers = progressively higher risk).
  • Evidence: the EBA's 2022 ML/TF Risk Factors Guidelines stress firm-specific risk differentiation.

Lack of Proportionality in RTS 12(7):

Recommendation

While RTS 12(7) borrows elements from Article 40(2), it does not fully build on its methodology due to differing objectives. 

A customized approach for RTS 12(7) would better target entity-specific risks, avoiding misalignment with AML/CFT goals.

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

Comments

The inherent risk score (as proposed in Article 2 of the draft RTS under Article 40(2) AMLD6) is intended to provide a baseline assessment of jurisdictional ML/TF risk (e.g., based on FATF listings, sanctions, and AML framework strength). 

The key question is whether supervisors or firms should be allowed to adjust this score based on additional factors.

Arguments Against Adjustments

Consistency and harmonisation: the fewer manual adjustments are made, the more consistent the inherent risk calculation will be.

A non-adjustable score reduces disputes over risk categorisation with obliged entities.

Arguments in Favour of Adjustments

The risk-based approach requires a risk-sensitive approach and, sometimes, flexibility in one direction or the other.

The length of the high-risk review cycle does not always reflect the progress being made in the jurisdiction: an entity highly exposed to a FATF grey-listed country that has been in remediation for two years and is making good progress would not have the same risk profile as an entity whose country of exposure has just been grey-listed.

Such manual adjustments would allow this example to be taken into consideration, but they require a higher level of flexibility.

In the table below we are summarising our view:

| Factor | EBA's fixed score | Flexible adjustment |
|---|---|---|
| Consistency | High | Risk of divergence |
| Risk sensitivity | May not reflect reality | More accurate |
| Compliance burden | Potentially excessive | More proportionate |
| Supervisory challenge | Easier enforcement | Harder to monitor |

Recommendation

Relying solely on the methodology calculation, while it has many advantages, may give a wrong picture of the risks within the entity. To align with AMLD6, we do believe that a controlled flexible mechanism, with internal escalation and expert opinion, should be used for adjustments, which should be justified and evidenced.

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

Comments

The EBA's methodology provides consistency, but it does not take risk factors into account and could lead to excessive burdens.

A revised approach should: 

  • Allow limited downward adjustments for well-controlled subsidiaries.
  • Apply risk-weighted scoring (not just averages).
  • Include materiality thresholds to reduce unnecessary reporting. 

This would align better with FATF’s risk-based approach while maintaining supervisory oversight.

We would also appreciate some calculation examples to ensure we understand how the calculation works.

Recommendations

The following risk reduction measures could be considered:

  • Permit a reduction when the subsidiary operates in a low-risk jurisdiction.
  • Permit a reduction when the AML/CFT controls are regularly audited and assessed as effective (in the auditor's report).

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

Recommendations

You may want to consider the following factors when considering the group-wide perimeter:

  • Branches are automatically consolidated (same legal entity).
  • Subsidiaries are included if material or high-risk; are the related data consolidated with those of the parent (being the same entity)?
  • Clarify that purely operational entities (IT, HR, intra-group services when outsourcing) or holding companies are out of scope unless they pose ML/TF risks.
  • The role of the parent company in the collection and transmission of the data needs to be clarified further.

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

Comments

No, we disagree, as some other entities of the group may not have ML/TF risks due to their activity (please also refer to Question 7). In some cases, group entities are set up only to provide intra-group services (IT, operations); those entities may be inherently less exposed to ML/TF than a subsidiary offering banking services.

So there should be some dissociation.

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

Comments

The transitional rules are aggressive and very rigid; this may result in ineffective implementation. We would recommend to:

  • Extend deadlines for low-risk firms, as assessed by their national competent authorities (proportionality).
  • Allow phased adoption for complex groups.

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 3 

Official ID documents do not always include both the city and the country of domicile.

Article 4

Comments

It should be further clarified how obliged entities will “satisfy themselves that they know of any other nationalities their customers may hold”. 

For example, obliged entities can satisfy themselves by a declaration received from the customer unless red flags arise or the obliged entity has reason to believe the information is not accurate, then additional verification could be undertaken.

Recommendation

As it could be difficult for obliged entities to satisfy themselves on this point, it is recommended that the word "shall" be replaced by "shall take reasonable measures to".

Article 5

Comments

The seven-point criteria in Art 5(1) appear very stringent. Has it been considered that this may exclude legitimate documents from certain jurisdictions? What would that mean, for instance, if we are onboarding a client from a country which does not produce identification documents with a machine-readable zone?

Mandatory Machine-Readable Zone (paragraph 1(e))

This requirement is particularly problematic for Luxembourg financial institutions that serve clients from diverse global jurisdictions. Many countries' identity documents, especially from developing nations, may lack machine-readable zones despite being official government-issued IDs. 

Luxembourg's significant private banking sector serves clients from regions where such technical features may not be standard on legitimate government documents. This requirement could create unintended financial exclusion of legitimate customers.

Biometric Data Requirement (paragraph 1(g))

While the biometric data requirement includes the qualifier "where available," the inclusion of biometrics as a standard criterion may create confusion for Luxembourg institutions about whether documents without biometrics meet the verification standard. Luxembourg's interpretation of previous AML directives has generally not emphasized biometric data for standard verification.

The requirement that ALL conditions (a-g) must be met for a document to be considered equivalent to an identity document creates an excessively rigid standard. Many legitimate government-issued identification documents globally may lack one or more of these features while still providing adequate verification.

Point 2 mentions an exemption from those requirements in case of a "legitimate reason"; it would be good to have an explanation of what constitutes a legitimate reason (for instance, a document meeting all the points does not exist in the country of issuance?).

Operational Costs 

Significant costs would arise from:

  • Development of new document verification systems to validate all required features.
  • Staff training on new document requirements.
  • Enhanced client communication about required documentation.
  • Remediation of existing client files to meet the new standards.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

Article 6

Comments

Point 3

Explicit consent should be clarified: what exactly is required, and what would occur if consent is not provided? For example, this would impact existing investors; what would occur in their case? The cost of compliance here is significant, as investors would have to be contacted to seek their consent if remote onboarding is required.

Consent is not included in the EBA's Guidelines on the use of Remote Customer Onboarding Solutions under Article 13(1) of Directive (EU) 2015/849.

Also, on the topic of outsourcing, who would manage seeking the consent? In the case of funds, is it the client on behalf of their investors, rather than an administrator?

Practical Challenges for Certified Copies (Point 5) 

The requirement for original documents or certified copies, without clear provisions for digital certification methods, is potentially problematic for Luxembourg's digital finance initiatives and efforts to streamline customer onboarding.

Is point 2 contradictory to Article 22(6)(a) of the AMLR, which states that the ID document can be "accessed directly or provided by the customer"? Is the intention that remote solutions must be used, rather than manual intervention by obliged entities, when verifying natural persons in a non-face-to-face context? The opening sections of the RTS already state what is considered a "reliable and independent source" for legal entities.

Further, point 6 of the RTS states: "Obliged entities using remote solutions shall be able to demonstrate to their competent authority that the remote verification solutions they use comply with this article". This can be read as implying that not all obliged entities will use remote solutions.

It should be clarified in the RTS how obliged entities will or can verify security features, and whether this is practical for obliged entities.

We recommend a more proportionate and practical framework for document verification, particularly for documents that inherently lack sophisticated security features. A risk-based approach would be more appropriate in these circumstances.

Article 6(5) presents a logical inconsistency when applied to remote identification scenarios. The requirement to examine physical security features like holograms becomes impossible when documents are submitted digitally rather than presented in person. We urge the EBA to provide clear guidance on how institutions should evaluate document authenticity when physical inspection of security features is not feasible.

Cost of Compliance

"If the intention is that obliged entities will be required to use a remote solution in all instances for verification in a non-face-to-face relationship, this would be a significant change in sectors such as funds, and for obliged entities that do not currently use remote onboarding tools and systems."

Article 7

Terms like "reputation" and "credibility" lack objective benchmarks; different compliance officers may reach different conclusions on the same source.

It would be appreciated if minimum standards for the "credibility of the source" were provided and, where possible, a list of pre-approved sources.

This would support the assessment of such sources, which remains a real challenge, especially in today's world.

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

Article 10

The conditions outlined in paragraph 1 for considering a legal entity as complex (two layers plus the other conditions) should be reconsidered in the context of investment funds and private capital funds. Due to the international nature of these funds, the majority will have ownership in different jurisdictions and with more than two layers of ownership.

Article 11

The definition of complex structures is too narrow. If we look at the private equity industry, for instance, all deals would be captured as complex, since a cross-border investment will involve at the very minimum two entities based in different locations (for example, two entities in two different EU countries, which would be low risk).

We would recommend making the four criteria cumulative to qualify as a complex structure. Otherwise, the whole private equity industry's structures would qualify as complex, which may have an impact on the risk assessment of those structures; this would be counterproductive and disproportionate and may reduce attention on the higher-risk situations.

Article 12

According to Article 22(2) of the AMLR, institutions must identify senior managing officials (SMOs) when beneficial owners cannot be determined or when questions arise about previously identified beneficial owners' identities.

This creates a conceptual disconnect, as SMOs are fundamentally different from beneficial owners in nature and function. The EBA requires collecting identical information for both SMOs and beneficial owners, yet provides no clear rationale for this equivalence. The EBA's position suggests, without explicit confirmation, that the data requirements outlined in Article 62 of the AMLR extend to SMOs as well.

The legislative intent appears clear: had lawmakers intended SMOs to receive identical treatment to beneficial owners, Article 22(2) of the AMLR would have explicitly stated this requirement. The current text simply mandates SMO "identification" without elaborating further. Through Article 12(a) of the draft RTS, which requires collecting comprehensive Article 62 data on SMOs, the EBA may be overstepping its regulatory authority by imposing requirements that go beyond what the AMLR originally contemplated.

Article 14

The extent of the discretionary power of the trustees is not always so clearly defined; we would appreciate a more extended definition of “sufficient information”, as this might sometimes be complicated.

In addition, sometimes the protector of a trust must approve certain major trustee decisions, such as distributions to beneficiaries above thresholds, changes to the investment strategy, the appointment or removal of trustees and, to some extent, some amendments of the trust terms.

Hence the measures to establish whether the trustees have exercised their power of discretion fairly are fairly complicated to take; we would appreciate a mention that obliged entities should take “reasonable” or “proportionate to the risk” measures.


Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 15

We suggest that paragraph (d) is removed, as the referenced Article 20(1)(c) of the AMLR does not specify source of wealth. This is addressed in Article 25 of the AMLR.

Where a client is changing provider, should an additional obligation for the service provider be to understand the reason for the change?

Article 16

Occasional transaction customers: on the documentation and proportionality aspects, it may be useful to clarify whether self-declarations would be sufficient for low-risk cases.

Context:

- Following on from the points I raised in the first working group meeting, KYC procedures should include a focus on the reason for the change in service provider, where applicable, during client acceptance.

- Articles 15(a) and 16(a) focus on the positive connotation of why the customer has chosen the obliged entity; however, they miss the negative connotation of why the customer left the previous entity.

Application:

- The positive vs negative connotation can have two different applications, which will not yield the same results.

- For example, a customer may choose a new PSF because of lower fees and proximity to the business location; however, they may only have left the previous PSF because it refused to approve an inter-company loan transaction, or because the relationship was terminated for being outside the PSF's risk appetite.

Reason for this enhancement:

- Uniformity of application: Compliance Officers and obliged entities who are good at applying such standards are often chastised, as these measures may seem too tough given they are not widely applied by competitors. This makes a company with good compliance lose clients, as others may accept them without this requirement, and therefore reduces compliance measures in the long term. A uniform application ensures that, even though such clients might be accepted, the risk factor was known and considered at the time.

- KYC OK bias: Several times, the KYC file of a new client changing service providers might seem totally fine. Yet some aspects, like transaction monitoring issues, management pressure etc., can only be known while working with the client. In this scenario, asking the simple question suggested above would ensure that clients whose KYC is OK are not deemed naturally OK but are also judged on their history.


Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 17

Article 17 of the RTS outlines requirements for identifying PEPs, their family members and close associates, including:

  • Timing of identification (before a new relationship or before any transaction, occasional or not).
  • Scope (client, beneficial owner or person on whose behalf the transaction is being made).
  • Ongoing monitoring.
  • Methodology (automated tools and manual checks).

Areas of concerns:

As a starting point, financial institutions are not the police: they should be able to identify PEPs or close associates, but this is not a presumption of wrongdoing, and regulation should be built with this mindset. Regarding automated screening requirements, if we are talking here about ongoing monitoring screening against PEP lists, this is an existing requirement that is applied by most medium / large obliged entities; small players may still, for cost reasons, use manual checks, which seems to be accepted in the RTS. But the wording leaves significant room for interpretation that may lead to inconsistent application. We can note that once a person becomes a PEP this is generally for a long period of time, so the qualification of the person might not be tested at each transaction; however, the transaction itself might be a triggering event, and potentially amounts below a certain threshold should be excluded (i.e. EUR 500).

Close associate:

The identification of close associates or “persons known to be close associates” represents a practical challenge: the current practice is to use third-party vendors' lists and perform internet searches, but this is far from exhaustive and there is always a risk around close-associate identification in that case.

We may discover a close-associate link during the relationship by seeing payments to/from a PEP, but identification at onboarding may be challenging.

For close-associate identification, given these challenges, we would appreciate a statement that obliged entities should take “reasonable measures” to identify such relationships, acknowledging the difficulty of identification. We could build on the model of the MAR regulation and use persons living in the same “house” for a period of 12 consecutive months as a basis.

Article 17 establishes important requirements for PEPs aligned with the risk-based approach; more clarity on proportionality and practical implementation expectations would help reduce compliance costs and maintain effectiveness.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 18 & 19

Articles 18 and 19 of the draft RTS outline the minimum requirements for Simplified Due Diligence (SDD) in lower-risk situations. These requirements cover:

  • Minimum identification requirements (Article 18).
  • Minimum requirements for identifying and verifying the beneficial owner or senior managing official (Article 19).

We would appreciate it if the EBA could clarify explicitly what is meant by “lower risk situation”: can this be interpreted in opposition to a high-risk situation (and thus include low- and medium-risk situations)? This would harmonise the wording within the text. We believe this may be limited to low-risk situations.

In Article 19, the verification of the UBO/SMO could be completed by consulting an official company register or another publicly available source, building on the LEI information, which has to be renewed annually and whose validity is global. In those cases no official ID documentation would be required.


Requiring disclosure of refugee or subsidiary protection status could create safety concerns for vulnerable individuals. This information is highly sensitive, and its collection in “lower risk” situations (where simplified due diligence can be applied) seems disproportionate.

How can stateless persons reliably prove their status?

Proposal:

For lower-risk situations, consider truly simplified requirements such as name, date of birth and one reliable identifier, with additional information collected only when specific risk indicators arise.

Article 21

Comments

The CDD approach outlined in Article 21 of the AMLA Regulation poses significant challenges to the mutual fund industry's reliance on nominee structures.

Many investors hold shares via nominee accounts (financial intermediaries, brokers); transfer agents rely on those nominees as long as they obtain the comfort that they can place reliance on them. Reliance is accepted when the nominee / intermediary can demonstrate that it applies AML/CFT measures comparable to those applicable in the EU.

We cannot apply a full look-through in those situations.

Recommendation

The 25% beneficial ownership threshold should be applied as a trigger point, with mandatory look-through procedures required for ownership interests above this 25% threshold. In addition, in an open-ended fund, where the underlying investors can change very quickly (especially if the fund is a money market fund), tracking will be very challenging.


Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.

We can suggest the following:

  • Mortgages, once they are part of a group of other interactions/transactions in the ongoing life cycle of repayments under SEPA Direct Debit, as all terms are fixed and set by a “hard to change contract”.
  • Purchases and sales on listed EU markets from EU accounts (because there is full traceability and reporting).
  • Any form of direct debit (SEPA) up to EUR 200 (the underlying idea is to cover utility payments).

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 24

In case of ML/TF suspicion, the requirement under point (d) to gather information on family members and associates may encounter resistance from clients accustomed to greater privacy protections, potentially affecting Luxembourg's competitiveness in private banking. The easiest way would be to disapply GDPR in AML cases: the two regulations have contrary/opposite objectives, and GDPR should not be an excuse not to capture criminal activities. In this, the role of financial institutions should be to do what they can and be able to demonstrate their efforts; they cannot put a gun to the head of clients to obtain information.

In practice it is not so easy to obtain such information from the client, and open-source information may be limited with regard to close connections.

Proportionality Concerns

Even for high-risk situations, investigating the entire family network may seem excessive in some cases.

There are no limits on how far investigations can extend, which may create a risk of “guilt by association” scenarios and may violate the right to privacy of non-customers.

The investigative possibilities of obliged entities are limited; we do not have investigative powers similar to those of the police or the judiciary.

Practical implementation issues

What if family members refuse to provide information?

How can an obliged entity verify information about third parties who aren't its customers?

Storage and retention of third-party data may generate additional regulatory challenges (GDPR).

Recommendation

We would welcome specific limits on third-party investigations, some objective criteria for assessments, and some mandatory data protection safeguards (are prospects notified that we may investigate, and to what extent?).

Article 25

Information sharing

For point (a), it is not clear what “information from authorities or from other obliged entities” involves. This should be clarified, along with the intention behind it. This pertains to KYC, understanding the client, not policing it; the frontier might be thin, but the role of financial institutions should not be to take decisions instead of the business. Banks are not there to take responsibility over the business, which is what a blurry definition will likely lead to.

For Luxembourg UCITS and AIFs, verifying the legitimacy of investor flows (point (b)) is complex given the multilayered distribution channels typical in fund structures. It must be noted that the distribution of financial products is spread between intermediaries, each having their own responsibilities; for UCITS and AIFs, investor flows can be understood up to the collection accounts.

For funds of funds and master-feeder structures (common in Luxembourg), determining the "expected" transaction patterns (point (b)) can be particularly challenging due to the multiple layers involved. Moreover, intermediaries are also regulated entities subject to similar AML/CFT requirements; the purpose of the regulation should not be to redo a full AML process up to the end UBO at each step of the value chain.

Point (b): clarification on what is required from obliged entities to “enable the obliged entity to verify the legitimacy of the expected number, size, volume and frequency of transactions that are likely to pass through the account, as well as their recipient(s)” would be welcome. If documentation is required to verify legitimacy, this could be an onerous task for obliged entities. This should be done through access to evidence as part of SLAs, for example. Furthermore, the case of an insurer, a fund management company or a full-fledged bank is not the same: even if the regulation aims at similar ends, the channels used have a bearing on the process to be followed.

In point (a) it is mentioned that the obligation to verify the legitimacy of the destination of funds may include information from authorities and other obliged entities:

  • What is the legal basis for such sharing? This may be challenged from a data protection and professional secrecy perspective.
  • What kind of information could we request from the authorities? Which authorities? NCA? FIU? Are obliged entities expected to contact authorities to verify the legitimacy of the destination of funds?

Practical challenges

How detailed must transaction predictions be?

Assuming authorities would be sharing information, how would that exchange take place?

Given the comments above we would appreciate sectoral application guidance (banks, funds).

Article 26

Practical challenges

The prescriptive nature of Article 26 raises practical questions on how to handle evidence that does not match the described documentation standards (certification by a public notary is not always possible).

We would tend to disagree: either there is a set list of criteria for all (an exhaustive list of agreed documents, to avoid arbitrage), or reliance on a best-fit concept based on the legal value of documents (notary, public authority, then contractual…).

In practice we also use publicly available information from reliable sources to further corroborate the source of wealth.

Source of wealth often stems from decades-old events; original documents may no longer exist, and some jurisdictions don't issue “certified copies”. Cross-border document authentication is complex and expensive. How far back do we need to go?

Requesting certified documents on a systematic basis may not be achievable in some instances.

For point (a), employers generally do not sign such statements.

Recommendation

We would recommend clearly defining the type of certification that would be acceptable and / or allowing some flexibility on a risk-based basis.

Include a materiality threshold.

Consider recognising digital documents, and provide alternatives for unavailable documentation.

Consider proportionality to transaction size and the amount of assets. Add time limitations for historical wealth.

Article 27

As a matter of principle, the role of the financial intermediary should not be to take responsibility for transactions performed by its clients; they are the ones deciding and should therefore be entitled to take their own decisions. We consider that the wording could lead to unintended consequences, putting the onus of authorising transactions on the wrong party. The purpose at financial intermediary level should be to be reassured and to have, in its eyes, relevant and credible information about the “context” of a given transaction.

As presented above, the construction is abstract and not grounded in the realities of the different markets. Luxembourg in particular may face specific challenges due to its ecosystem in fulfilling the expectations above, notably to “assess the legitimacy of the parties involved in the transactions, including any intermediaries…”:

  • Fund distribution networks: as an international fund centre, this involves complex distribution networks with multiple intermediaries.
  • International payment flows, with cross-border payments and chains of intermediaries.
  • Banking with corporate clients with extensive international businesses, which may create disproportionate burdens if CDD is required for all counterparties.

Practical challenges

Point a - Verifying "Why"

How does a bank verify someone's true intentions?

Customers can simply state any reason; there is no objective way to assess the truthfulness of stated purposes.

Point b - Business Consistency

  • Requires a detailed understanding of the customer's entire business.
  • "Overall transactions" suggests comprehensive monitoring.
  • Many businesses have varied, evolving activities.

Point c - Third-Party Assessment

Banks cannot realistically assess "legitimacy" of all parties in a transaction chain

  • International transactions involve unknown intermediaries
  • No access to information about non-customers
  • Jurisdictional limitations on investigations

Recommendation

  • Replace "legitimacy" with objective risk indicators
  • Remove family/associate investigation requirements
  • Focus on transaction patterns, not intentions
  • Provide clear, objective standards
  • Include proportionality safeguards
  • Define key terms precisely


Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 28

No specific comments; we understand the applicable ownership threshold for customers would be 25%. In the case of intermediaries (nominees), how do you expect obliged entities to meet the requirement:

  • Through delegation (making sure that the nominee screens its ultimate individuals owning > 25% and communicates them to the obliged entity)?
  • By obliged entities systematically requesting whether there is a natural person behind the nominee owning 25% to be identified and verified?

I prefer delegation, as on the one hand it places every entity in front of its responsibilities, and in the long run it should increase the reliability of the entire system by forcing all entities to do a bare minimum, at the risk of being excluded.

Article 29

Practical challenges

“Without undue delay” is vague and may lead to diverging interpretations; we would appreciate a clearly expressed timeline.

No guidance is provided on false positive management, and there are no expectations in terms of documentation requirements for screening decisions.

Recommendation

Define “undue delay”, include false positive handling guidance, and specify minimum data fields for effective screening.


Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

No comments

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

No comments

Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.

The draft RTS in Article 1(e) suggests utilizing "the consequences of the violation on the obliged entity's (or its group's) vulnerability to money laundering and terrorist financing risks" as a measure for evaluating breach severity. Nevertheless, given that the fundamental objective of the AML framework is specifically to minimize such vulnerabilities, it becomes challenging to conceive of any violation that wouldn't produce this effect. Since this metric would be applicable to nearly every violation, it provides no meaningful differentiation and ought to be eliminated.

In a similar vein, Article 1(g) of the draft RTS mentions "whether the violation may have enabled or contributed to illicit activities." Considering that the AML framework aims to prevent money laundering and terrorist financing, practically any violation could be interpreted as potentially enabling criminal conduct. This characteristic also makes the metric ineffective for distinguishing severity levels, warranting its removal.

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.

We endorse the concept of categorizing violation severity, however the present framework for Category 1 violations is excessively restrictive to provide practical utility. In reality, few violations would satisfy these parameters, since most would generate some consequences for the institution or its vulnerability to ML/TF exposure and could reasonably be viewed as potentially enabling illicit conduct, considering the comprehensive scope of the AML regulatory framework.

The suggested parameters for Category 2 violations are similarly constraining. Given the AML regulatory framework's extensive goal of minimizing money laundering and terrorist financing activities, the majority of violations could reasonably be interpreted as potentially enabling or contributing to criminal conduct, making it improbable that violations would definitively fit within this classification.

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

No comments

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

No comments

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

A potential breach cannot be the trigger for a sanction; the breach has to be actual, not potential.

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

No comments

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

No comments

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

No comments

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

No comments

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

No comments

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

No comments

Name of the organization

ALRIM - Luxembourg Association for Risk Management