Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates


Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

Multiple factors must be taken into consideration in the risk assessment: beyond amounts, the nature of the clients, their geographical location and the complex nature of the products must be cross-referenced.

Furthermore, for further clarification, it would seem useful to us to add to Article 1 the definition of customers/clients as resulting from a business relationship (see EFAMA’s recommendations). For CIU the client is the natural or legal person mentioned in the fund register.

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

Data points listed in Annex 1 are exclusively quantitative, including for management of UCITS and AIFs and for portfolio management (numbers of clients, total assets etc.). This approach based on figures only is too narrow to be able to grasp the actual risk posed by an asset manager. Other criteria such as those listed in recital 5 of RTS under art 40(2) must be taken into consideration: nature of customers, nature of services, products offered, distribution channel etc. As rightly pointed out in recital 7, “some sectors have specificities that affect the level of ML/TF risks to which obliged entities (...) are exposed”. We would very much favor taking these specificities into account over and above simple figures.

Considering that Annex 1, adapted to the banking sector, does not correspond to the activities of management companies, particularly medium and small-sized management companies, it seems essential that the RTS mentions a principle of adaptation to the activities carried out by the actors and integrates the notion of proportionality. Clearly some of Annex 1 data are specific to banking activity and not suitable for asset management.

As for the category entitled: "Invest. Services and Activities - reception and transmission of orders" it would seem particularly useful to us to take into consideration the fact that clients are or are not subject to the AML-CFT rules.

 

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

Adapting the review frequency according to the size of the entity and its activities seems useful. For small entities, it is essential not to accumulate inappropriate compliance obligations that undermine their competitiveness.

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

As in the case of the Draft RTS on CDD, we believe it is crucial to consider the specificities of the asset management industry and the significant implications this Draft RTS on Selection might have on it. 

Management companies and AIFMs, as well as the funds that they manage, can be domiciled in one Member State; however, units/shares of the funds are made available for subscription to customers across various Member States and third countries. In the EU this is possible through the marketing passport established both in Chapter XI of UCITSD[1] and Art. 32 of AIFMD[2]. While not required by the provisions of these directives[3], managers often establish branches whose main or only purpose is to market these products in particular jurisdictions. These branches usually do not have a legal personality and do not act as distributors, as they do not have a separate marketing licence. All of their activities are being done on behalf of the funds and the management company domiciled in another EU jurisdiction, with the business relationship between the customer and the fund also being governed by the law of the jurisdiction where the main office of the manager is located and where all AML obligations are also being conducted. The extent to which this is a common practice is well known to ESMA, as such activity has to be notified not only to national competent authorities, but also to ESMA.

Therefore, we are of the opinion that these types of branches cannot be treated as an establishment under the provisions of AMLAR. As was explained in the recital 27 of AMLR “Consistent with the case law of the Court of Justice of the European Union, unless specifically set out in sectorial legislation an establishment does not need to take the form of a subsidiary, branch or agency, but can consist of an office managed by an obliged entity’s own staff or by a person who is independent but authorised to act on a permanent basis for the obliged entity. According to that definition, which requires the actual pursuit of an economic activity at the place of establishment of the provider, a mere letter-box does not constitute an establishment. Equally, offices or other infrastructure used for supporting activities, such as mere back-office operations, IT-hubs or data centres operated by obliged entities, do not constitute an establishment.” According to Art. 92(1) of UCITSD these branches help to perform only the following duties: (i) processing orders, (ii) providing investors with necessary information, (iii) handling of information and access to procedures related to investors exercise of their rights, and (iv) acting as a contact point for communicating with the competent authorities. 

Moreover and for the same reasons, we believe that due to their specificities these branches should not necessarily be classified under the freedom to provide services. However, if they were, we would also like to highlight the magnitude of entities that could fall under the direct supervision of AMLA should the materiality thresholds remain as currently proposed in the Draft RTS on Selection. 

Article 1(1) of the Draft RTS on Selection provides two materiality conditions, with the fulfilment of just one of them being sufficient for the activities of the financial institution carried out in a Member State to be considered for the purposes of the selection of the entity for the direct supervision by AMLA. In the case of the asset management industry, where intermediaries should be treated as customers (according to more detailed explanation provided in our response to question no. 6 on the Draft RTS on CDD), the possibility of reaching a number of 20,000 customers per Member State is not very common. On the other hand, reaching a value of 50,000,000 EUR of incoming and outgoing transactions generated by customers in one Member State would be very probable. In particular, if subscriptions and redemptions coming into the fund would not be netted but accumulated. This is due to the fact that in funds, and in particular in the open-ended ones, the number of underlying clients subscribing into a fund through an intermediary can go into hundreds of thousands. Moreover, these clients are free to subscribe and redeem units or shares on a daily basis, which create daily outflows and inflows to the fund.

Therefore, we are of the opinion that not only both thresholds should be increased, but also they should be met cumulatively in a particular Member State in order for it to be considered as one of the Member States mentioned under Art. 12(7) AMLAR.

[1] Directive 2009/65/EC of the European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS)(UCITSD).

[2] Directive 2011/61/EU of the European Parliament and of the Council of 8 June 2011 on Alternative Investment Fund Managers and amending Directives 2003/41/EC and 2009/65/EC and Regulations (EC) No 1060/2009 and (EU) No 1095/2010 (AIFMD).

[3] Article 92(2) of UCITSD provides that “Member States shall not require UCITS to have a physical presence in the host Member State or to appoint a third party for the purposes of paragraph 1.”

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

One single threshold is likely not to be suitable for asset managers. We recommend to introduce a distinction between retail and professional clients but also to take their status into account (obliged entity vs. non obliged entity). Large institutional clients subject to AML CFT regulation (e.g. insurance companies) generate large-size transactions but low risk for fund managers.

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

  1. General remarks

As a general remark on the draft RTS on CDD we would like to raise that it highly limits the possibility to apply a risk-based approach to customer due diligence (CDD). While we understand and support the need for more harmonised efforts in the area of AML/CFT measures across the EU, the risk-based approach remains the core principle of the framework, as also highlighted in the recitals of AMLR[1]. Moreover, we believe that Art. 28(1)(b) and 33(1)(e) of the AMLR have been subject to overly restrictive interpretation, which has significantly limited the possibility to identify and define simplified measures for specific sectors. Particularly, we believe that some of the proposed rules are not possible to apply to the asset management sector, due to its specificities described in more detail under our response to question no. 6.

  1. Referring now specifically to Section 1 of the Draft RTS on CDD, we would like to raise the need for more clarity regarding to whom these provisions will apply. Articles 1-5 indicate when they refer to “natural persons” and when to “legal entities”, directly or by mentioning relevant points of Art. 22(1) of AMLR. This is not the case for the following articles, which apply to “customers” or “persons purporting to act on behalf of customers”. These terms were not defined under the draft RTS on CDD, nor was a definition established under the AMLR. These circumstances do not bring clarity, particularly in the case of Art. 6 of the Draft RTS on CDD, where only paragraph 5 specifically stipulates that it applies to non-natural persons. While it could be interpreted a contrario that all the other paragraphs refer only to natural persons, more clarity would be beneficial to the appropriate application of these rules.
  2. Moreover, in the case of different sectors of the financial industry and even in the case of different products offered by the same financial entities, different persons would be understood as their customers. This would particularly be the case in situations when multiple parties are involved. As explained in more detail under our response to question no. 6 below, in the case of the investment funds industry, the intermediaries would often be the customers of the fund. In such context, the FATF clarifies in its Guidance for a Risk-Based Approach for the Securities Sector[2] that: “Depending on how the investment fund is sold, with whom the business relationship is established or who is registered in the fund’s share/units register, the investment fund may be required to treat an underlying investor as its customer or the intermediary as its customer”. The EBA has acknowledged this particular case in its ML/TF Risk Factors Guidelines[3], where it provides that risk can be reduced in cases where “the customer is a firm subject to AML/CFT requirements that are not less robust than those required by Directive (EU) 2015/849”. 

    We are of the opinion that this recognition was an important achievement in understanding the complexities of different segments of the financial industry and how they impact the ML/TF risks caused by these business relationships. We believe that this additional clarity will be beneficial to a harmonised implementation of the new AML Package and, therefore, we urge EBA to include it in the recitals of the draft RTS on CDD. 

  3. It would be beneficial to provide obliged entities with more clarity, also by defining the term “persons purporting to act on behalf of the customer”. It would help ensure harmonisation and avoid divergent interpretations among Member States. Particularly in the case of legal entities, the group of individuals participating in the entity's operations can be very broad (directors, other employees etc.). In the case of bigger legal entities, such as financial institutions: (i) the lists of authorised signatories are long and subject to frequent changes, (ii) out of those individuals included on those lists, many may never have any interaction with the obliged entity, and (iii) requesting information such as nationality or place of residence may not be possible and could go against their right to privacy, given that these persons will be merely representing the legal entity and not acting in their own interest. Applying a full identification and verification process on all of them would be excessive and ineffective in battling financial crimes. Therefore, we believe that the definition should include those persons who are external to the customer (are not employed) and act based on a proxy or power of attorney.

    Therefore, we would propose the following definition to be included in the draft RTS on CDD:

    ‘person purporting to act on behalf of the customer’ means (i) legal representative(s) of a customer who is an unfit natural person, or (ii) any legal or natural person, other than an employee or senior managing official of a legal person, authorised to act on behalf of the customer pursuant to a mandate, or proxy agreement

 

  1. Information to be obtained in relation to the addresses (Art. 2)

We would like to highlight that the data points specified under Art. 2 of the draft RTS on CDD are too prescriptive and would not be possible to apply in the context of different jurisdictions where address conventions differ. As such, it is not always possible to provide postal codes, city names or street names, especially in a non-EU context. 

Moreover, such an approach does not seem entirely appropriate from the perspective of legal entities and other institutions. Also, in the case of persons purporting to act on behalf of a customer that is a legal entity or for senior managing officials being identified as the ultimate beneficial owners and acting solely in their professional capacity, not all of the proposed details are necessary.

Therefore, we would propose the following wording for Art. 2 of the draft RTS on CDD:

“1. The information on the addresses as referred to in Article 22(1)(a) point (iv) and 22(1)(b) point (ii) of the Regulation (EU) 2024/1624 shall consist of the following information: the full country name or the abbreviation in accordance with the International Standard for country codes (ISO 3166) (alpha-2 or alpha-3), and where appropriate postal code, city, street name, and where available building number and the apartment number.

2. In the case of persons purporting to act on behalf of a customer that is a legal entity or a Senior Managing Official who is identified as the ultimate beneficial owner and acts in its professional capacity, the address of the registered office of the legal entity will be sufficient.”

 

  1. Specification on the provision of the place of birth (Art. 3)

The currently proposed provision of Art. 3 requires information on the place of birth to consist of both the city and the country name. We are of the opinion that this is too prescriptive, as not all data is always available in documents such as IDs or passports. We are also not aware of any added value that having both the city and the country name in all cases will bring for the AML/CFT purposes.

This will also create an issue in terms of Art. 5(1) and the set of information that is required on a document for identity verification purposes. Information on the full place of birth (i.e. both the city and the country) would not be included in national IDs or driving licences. It is not possible to expect that countries will change the documents that they issue because of the AML/CFT requirements. This is true for the EU Member States and even more so for third countries. 

Therefore, we would propose the following wording for the Art. 3 of the draft RTS on CDD:

“The information on the place of birth as referred to in Article 22(1)(a) point (ii) of Regulation (EU) 2024/1624 shall consist of both the city or and the country name.”

 

  1. Specification of nationalities (Art. 4)

Article 4 of the draft RTS on CDD requires that obliged entities shall obtain necessary information to “satisfy themselves that they know of any other nationalities their customer may hold.” This obligation is very impractical given that obliged entities do not have access to any database that will give them such satisfaction and identification documents, such as passports or IDs, for obvious reasons inform only about the nationality of one country.

Therefore, we would propose the following wording for Art. 4 of the draft RTS on CDD:

"For the purposes of Article 22(1)(a) point (iii) of Regulation (EU) 2024/1624 obliged entities shall take reasonable measures to obtain necessary information about to satisfy themselves that they know of any other nationalities their customer may hold."

 

  1. Identity verification (Art. 5)

We believe that paragraph 5 of Art. 5, which requires that the obliged entity is provided with “original identity document, passport or equivalent, or a certified copy thereof (…)” is excessive and does not leave room for the obliged entities to apply a risk-based approach. 

It is also not in line with provisions of the AMLR, which in Art. 22(6)(a) do not include the requirement of only originals or certified copies to be provided. Instead, it refers to “the submission of an identity document, passport or equivalent and, where relevant, the acquisition of information from reliable and independent sources, whether accessed directly or provided by the customer”, which we believe gives much more room for the obliged entities to decide on the means by which this submission and acquisition will take place, in accordance with the identified level of ML/TF risk.

From a retail customer perspective, the obligation to provide an original document or certified copy will highly increase the costs borne by the customers, as they will be the ones who would have to acquire and provide such a copy for themselves, their beneficial owners or persons purporting to act on their behalf. This will be even more challenging for customers from third countries. Our understanding is that the aim of the AML Package was to enhance the security of the system, and not to disincentivise customers from using services provided by the EU financial sector. 

Such an approach would contradict not only the EU efforts to encourage retail investors to use financial products in the EU, but also the recent works of the FATF that underscore the importance of financial inclusion. According to FATF, it is an essential element of the AML/CFT system as it “enhances financial sector transparency and integrity by increasing the reach and effectiveness of AML/CFT measures that help keep criminals out of the financial system and facilitate law enforcement investigations”[4]. The FATF highlights also the importance of a risk-based approach, as “applying overly cautious, non-proportionate AML/CFT safeguards when providing financial services and products can exclude legitimate consumers and entities from the regulated financial system (…)”. 

Moreover, a risk-based approach needs to be applied when collecting IDs to avoid unnecessary costs and burden. The effort and focus of obtaining IDs in original and/or certified form should be required only in case of inconsistencies or doubts on the actual identity of the customer. In particular, document certification is solely one of the numerous measures (and certainly not the most effective) an obliged entity can take to verify the obtained information.

The approach proposed in Art. 5(5) of the draft RTS on CDD will be simply not possible to achieve in the case of some sectors of the financial industry, which operate in a significantly different manner than the banking industry. A good example here is the asset management industry, which we describe in more detail under the response to question no. 6 below. Due to the specificities mentioned there, the verification of the customer’s identity rarely happens in person, and most of the customers are institutional investors. As such, the asset management industry won’t be able to apply the rules of Art. 5(5) to its customers. Also in the case of retail investors who would be customers of the fund directly (which is not typical for most of the asset management industry) the identity verification would always happen first at the level of a bank. This is because subscriptions through cash do not exist in the fund reality and any payments to the fund and then to the investor always take place through a bank account.

Therefore, we would propose the following changes in Art. 5(5) of the draft RTS:

“5. For the purpose of verifying the identity of the person referred to in Article 22(6) of Regulation 2024/1624, the obliged entity shall gather, from these persons or from other reliable sources, the original an identity document, passport or equivalent., or a certified copy thereof, In case of customers posing a higher risk of ML/TF obliged entities shall adopt appropriate mitigation measures, such as, for example, those referred under Article 6.”

 

  1. Understanding the ownership and control structure of the customer (Art. 10)

We are also of the opinion that the approach taken in Art. 10 of the Draft RTS on CDD is excessive and does not allow for the application of a risk-based approach, as it requires specified information to be obtained concerning all legal entities and/or legal arrangements between the customer and his beneficial owners. Many multilevel structures are created for business and operational reasons, and gathering all of the listed information will be unnecessary for the purpose of understanding the ownership and control structure of the customer. The approach here should depend on the complexity of the structure and the ML/TF risk it poses. 

In the asset management industry, which we describe in more detail under our response to question no. 6 below, it is common to find layers of intermediaries between the fund and investors (who are customers of the intermediary). These intermediaries are mainly banks or other financial entities that help investors invest in the funds and optimise costs and charges to provide them with lower fees. Given the characteristics of entities existing in the chain and the low level of ML/TF risk they could create, we do not believe that acquiring all of the information mentioned in Art. 10 regarding intermediaries at each level would be justified. 

Moreover, collecting additional information would create operational and technological burdens. Additional names would need to be recorded, kept updated and screened, requiring time, economic resources and often technological developments, without mitigating any actual ML/TF risk.

In such circumstances, we believe that to fulfil the requirements of Art. 62 of AMLR, it is sufficient for the obliged entity to understand the structure existing between the customer and the beneficial owner by collecting the names of entities in between and the percentage of their ownership. Any more detailed information on those entities could be required in cases where a higher level of ML/TF risk would be identified or they would exceed the threshold for beneficial ownership under Art. 52(1) of AMLR. 

Therefore, we would propose the following wording for Art. 10 of the draft RTS on CDD:

“1. For the purposes of understanding the ownership and control structure of the customer in accordance with Art. 20(1)(b) of Regulation (EU) 2024/1624, where the customer’s ownership and control structure is complex and posing a higher risk of ML/TF in situations where the customer’s ownership and control structure contains more than one legal entity or legal arrangement, obliged entities shall obtain the following information:

a. a reference of all the legal entities and/or legal arrangements functioning as intermediary connections between the consumer and their beneficial owners owning more than 25% within the customer structure, if any

b. with respect to each legal entity or legal arrangement within the referred intermediary connections, the legal form of each legal entity or legal arrangement, and reference to the existence of any nominee shareholders; the jurisdiction of incorporation or registration of the legal person or legal arrangement, or, in the case of a trust, the jurisdiction of its governing law and; where applicable, the shares of interest held by each legal entity or legal arrangement, its subdivision, by class or type of shares and/or voting rights expressed as percentage of the respective total, where beneficial ownership is determined on the basis of control, understanding how this is expressed and exercised;

c. information on the regulated market on which the securities are listed, in case a legal entity in an intermediate level of the ownership and control structure has its securities listed on a regulated market, and the extent of the listing if not all the legal entity’s securities are listed on a regulated market.

2. Obliged entities shall assess whether the information included in the description, as referred to in Article 62(1) of Regulation (EU) 2024/1624, is plausible, there is economic rationale behind the structure, and it explains how the overall structure affects the ML/TF risk associated with the customer.”

 

  1. Complex structures (Art. 11)

Similarly, the proposed provisions of Art. 11 of the Draft RTS on CDD would result in the vast majority of ownership structures being treated as complex, as multinational companies and medium/large financial entities typically have multiple layers of ownership, and in the majority of cases, in different jurisdictions. We do not believe this was intended by the AML Package, and again would not be in line with the level of ML/TF risk posed by those structures. In fact, due to the vast majority of structures being recognised as complex, it could make it easier for those truly complex to be less visible. Therefore, we do not believe that Art. 11 is in line with the principle of a risk-based approach. It also doesn’t leave any room for a different approach to entities which have a clearly lower ML/TF risk, due to the highly regulated industry in which they operate (e.g., financial institutions) or the fact that they are publicly listed companies.  

Firstly, the proposed number of “two or more layers between the customer and the beneficial owner” is disproportionately low. In the case of the asset management industry, there can be multiple layers of entities in the intermediary chain; however, as they would all generally be regulated financial entities, the ML/TF risk posed would remain low. Therefore, not only the number of layers that would be considered as indicating a complex structure should be left for the decision of the obliged entity, according to its risk-based analysis, but also the fact that those are regulated financial entities should exempt the structure from being treated as complex. 

Furthermore, the proposed conditions, if applied separately, also don’t justify treating such structures as complex. In particular, the mere fact of registration in different jurisdictions doesn’t justify such classification in today's world where markets and businesses are very interconnected. These jurisdictions could include different Member States of the EU or other countries that uphold the same AML/CFT standards. Immediate classification of such structures as complex could disincentivise further integration and international collaboration. 

Therefore, we would propose the following wording for Art. 11(1) of the Draft RTS on CDD:

1. To understand the ownership and control structure of the customer in accordance with Article 20(1)(b) of Regulation (EU) 2024/1624, obliged entities shall treat an ownership and control structure as complex where there are multiple two or more layers between the customer and the beneficial owner and in addition, one two of the following conditions is are met;

  1. there is a legal arrangement in any of the layers having no rationale in the structure;
  2. the customer and any legal arrangements/ legal entities present at any of those layers are incorporated or domiciled in a jurisdiction included in the EU list of non-cooperative jurisdictions for tax purposes registered in different jurisdictions;
  3. there are nominee shareholders and/or directors involved in the structure;
  4. there are indications of non-transparent ownership with no legitimate economic rationale or justification.

     

  1. Information on Senior Managing Officials (SMOs) (Art. 12)

We would also like to highlight that the level of ML/TF risk that can be associated with SMOs is not the same as the potential risk that could be associated with beneficial owners (BOs). Firstly, the SMOs, unlike the BOs, do not hold ownership interest over the company and do not control it through that ownership or via other means. If they did, they would have to be identified as BOs. Instead, and according to Art. 63(4) of AMLR, their details are being provided in cases where it was not possible to identify BOs or their identification is uncertain. Secondly, as these are persons who exercise executive functions within the legal entity, their identity has already been verified multiple times, as they would usually have to perform actions vis-à-vis multiple national authorities, such as tax or national registers. Due to the same reasons, their important details are usually available through reliable and independent sources of information, mentioned under Art. 22(6)(a) of AMLR.  

Therefore, it does not seem justified to require the same set of information and verification rules for SMOs as for BOs. According to Art. 63(4)(b) of AMLR the details that are to be collected on SMOs are to be equivalent to those required under Art. 62(1), second subparagraph, point (a). It does not refer to all the information listed for the purpose of BOs identification under Art. 62, and moreover, the article clearly refers to “equivalent” information, which does not mean “the same”. 

Particularly, we are of the opinion that requiring a CEO of a big company to provide his ID would be disproportionate, as his data and identity can be easily retrieved through the relevant company’s registers. Moreover, acquiring information about his residential address will meet a strong and justified objection due to privacy and security reasons. This data is not necessary, nor commensurate with the limited ML/TF risk that he would pose. As a result, this overburdening obligation can have far-reaching implications, discouraging international companies from using the services of EU financial entities.

Therefore, we would propose the following changes in Art. 12 of the Draft RTS on CDD:

In relation to senior managing officials as referred to in Article 22(2) second paragraph of Regulation (EU) 2024/1624, obliged entities shall:

  1. collect the same information as for beneficial owners for identification purposes; and
  2. verify the identity of senior managing officials in the same way as for beneficial owners using risk-sensitive measures

Alternatively, we propose that the solutions provided under Art. 19 of the draft RTS on CDD apply to SMOs in all circumstances and not only low-risk situations. 

 

[1] According to the recital 29 of AMLR: “In line with the risk-based approach of this Regulation, those policies, procedures and controls should be proportionate to the nature of the business, including its risks and complexity, and the size of the obliged entity and respond to the risks of money laundering and terrorist financing that the entity faces, including, for crypto-asset service providers, transactions with self-hosted wallets.”

[2] FATF, Risk-based Approach Guidance for the Securities Sector, para. 48 and 100.

[3] EBA, Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions (“The ML/TF Risk Factors Guidelines”), repealing and replacing Guidelines JC/2017/37, 1 March 2021, section 16.9. b).

[4] FATF, Public consultation on AML/CFT and Financial Inclusion – Updated FATF Guidance on AML/CFT measures and financial inclusion, Paris, 25 February 2025, (FATF guidance on financial inclusion), para. 26.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

With the increased use of online services in the financial industry, non-face-to-face interactions have become a standard business practice in many countries. Such circumstances can potentially be an example of a higher risk scenario; however, not in cases where other mitigating factors or measures apply. In the asset management industry, for example, most interactions happen in a non-face-to-face context. Nevertheless, the ML/TF risk is considered to be low in most cases, given that most fund customers will be institutional/regulated entities. Therefore, as already highlighted in our general remarks, it is essential that obliged entities are allowed to apply a risk-based approach, also in the context of non-face-to-face interactions. We do not believe this is possible under the proposed provisions of Art. 6 of the Draft RTS on CDD.

Article 22(6) of AMLR provides two means for the verification of customers’ (and other persons') identity: submission of a document or acquisition of information from reliable and independent sources under letter (a) or the use of electronic means under letter (b). AMLR doesn’t favour one solution over the other, irrespective of whether the verification takes place in person or not, leaving the obliged entity the possibility to choose the best approach. On the contrary, Art. 6(1-2) of the draft RTS on CDD creates a clear preference for the use of electronic identification means, allowing obliged entities to acquire documents only if the “solution described in paragraph 1 is not available, or cannot reasonably be expected to be provided”. We believe that this approach goes against the logic of Art. 22(6) of AMLR and against the principle of a risk-based approach. While in some cases of high risk it might be justified to verify the identity of a natural person using e-IDAS, in low-risk circumstances it would be highly excessive. In instances where customers are mainly institutional/regulated entities, verification through documents or information coming from other reliable and independent sources would be sufficient. This is also because legal entities are usually registered in national registers and there are other, publicly available sources of information on their affairs (particularly if these are public companies listed on stock exchanges). Besides, electronic identification implies the use of high-cost tools that smaller, entrepreneurial asset managers may be unable to afford.

Also, in a broader context, such a strong preference for solutions such as e-IDAS is not sustainable. It is unrealistic to expect that all natural persons will have access to e-IDAS in the near future, as the current uptake of those solutions in Member States is not sufficient. It also discriminates against customers from third countries, where the e-IDAS Regulation does not apply. Therefore, we do not think that the use of other solutions can be considered only as temporary, and there should always be other permissible ways to verify a customer’s identity in a non-face-to-face context.

We would also like to highlight issues with the conditions proposed for remote solutions under paragraphs 3-6 of Art. 6 of the Draft RTS on CDD. 

First, the rationale for obtaining the customer’s explicit consent to verify his identity in line with paragraph 2 is not clear. It has not been required under the EBA Guidelines on Customer Remote Onboarding[1]. It is also not an obligation under the provisions of AMLR, and the Consultation paper falls short of providing any arguments behind it. Given that the purpose of the identity verification is for the verified person to get access to a financial product, and as such cannot be made without their active participation, an obligation to obtain explicit consent seems highly excessive. It will become an additional element in the already complicated onboarding process, which doesn’t add value to the AML/CFT purposes. 

Secondly, the safeguards included in paragraph 4 seem too far-reaching and do not consider the specificities of different sectors, particularly those that operate in a different manner from the banking industry. The references to audiovisual communication in letter b and to connection interruptions in letter c seem to favour live data streams. As such, they severely limit the choice of technological solutions that could be used. This is unjustified and also goes beyond the approach that was previously established by the EBA Guidelines on Customer Remote Onboarding, which allowed for much more flexibility, leaving the choice of technological solutions to the industry.

In particular, these requirements will not be suitable for the identification of legal entities and natural persons acting on behalf of them. In the case of the asset management industry, for example, it is common to acquire a list of authorised signatories with reproductions of their IDs. Those lists can include multiple individuals (in some cases, running into the tens or hundreds). Verifying each one of them via the remote solutions would not be in line with the risk-based approach and would significantly delay the onboarding process. Therefore, in those cases only paragraph 5 should apply.

Therefore, we are of the opinion that the following changes to the wording of Art. 6 are necessary:

“1. To comply with the requirements of Article 22(6) of Regulation (EU) 2024/1624 when verifying the identity of a customer who is a natural person in a non-face-to-face context, obliged entities shall:

(a) acquire the customer’s identity document, passport or equivalent using remote solutions that meet the conditions set out in paragraphs 2-4 of this Article;

(b) acquire information from reliable and independent sources according to conditions set out in Article 7; or 

(c) use electronic identification means, which meet the requirements of Regulation (EU) 910/2014 with regard to the assurance levels ‘substantial’ or ‘high’, or relevant qualified trust services as set out in that Regulation.

2. Remote solutions mentioned in paragraph 1 above shall be commensurate to the size, nature and complexity of the obliged entity’s business and exposure to ML/TF risks.

3. Obliged entities shall ensure that the remote solutions described in paragraph 1 include where suitable the following safeguards regarding the quality and accuracy of the data and documents to be collected:

a. controls ensuring that the person presenting the customer’s identity document (or equivalent) is the same person as the person on the picture of the document;

b. the integrity and confidentiality of the audiovisual communication with the person should be adequately ensured; for this reason, only end-to-end encrypted video chats are permitted;

c. any images, video, sound and data are captured in a readable format and with sufficient quality so that the customer is unambiguously recognisable;

d. the identification process does not continue if technical shortcomings or unexpected connection interruptions are detected;

e. the information obtained through the remote solution is up-to-date;

f. the documents and information collected during the remote identification process, which are required to be retained, are time-stamped and stored securely by the obliged entity. The content of stored records, including images, videos, sound and data shall be available in a readable format and allow for ex-post verifications.

4. Obliged entities using remote solutions shall be able to demonstrate to their competent authority that the remote verification solutions they use comply with this article.

5. Where obliged entities accept reproductions of an original document, for customers that are not natural persons, and do not examine the original document, obliged entities shall take steps to ascertain that the reproduction is reliable. Where available, during the verification process, obliged entities shall verify the security features embedded in the official document, if any, such as holograms, as a proof of their authenticity.”

 

[1] EBA, Final Report. Guidelines on the use of Remote Customer Onboarding Solutions under Article 13(1) of Directive (EU) 2015/849, 22.11.2022, EBA/GL/2022/15, (Guidelines on Customer Remote Onboarding).

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Overall, we are in favour of the proposals set out in this Section. However, to address the specificities that exist in the asset management industry, we would propose to add a second paragraph to Art. 21 of the draft RTS on CDD, with the following wording:

“2. In the case where the collective investment undertaking uses an intermediary to distribute its shares or units, and where the units or shares are subscribed in the name of the investor, the collective investment undertaking may fulfil the requirement under Article 20 (1) of Regulation (EU) 2014/1624 by being satisfied that the intermediary will provide CDD information on the investors and their beneficial owners upon request, and provided that:

a. the intermediary is subject directly or through group policies to AML/CFT obligations in an EU Member State or in a third country that has AML/CFT requirements that are comparable to those required by Regulation (EU) 2024/1624;

b. the intermediary is effectively supervised for compliance with these requirements;

c. the risk associated with the business relationship between the collective investment undertaking and the intermediary is not high.”

d. the fund or fund manager is satisfied that the intermediary applies robust and risk-sensitive CDD measures to its own customers and its customers’ beneficial owners.

Below we explain in more detail the specificities of the fund industry and how they affect the ability of obliged entities such as CIUs to fulfil the AML obligations on CDD.

Investment funds (UCITS and AIFs) are mainly subscribed by end clients with the help of intermediaries, e.g., banks or brokers. In such cases, units/shares in the fund are usually registered and held in the name of the financial intermediary on behalf of the underlying clients. These clients can be retail or professional, such as other financial institutions, which can also pool proceeds from their underlying investors. 

It is important to keep in mind that the fund’s client is:

  • Where the asset manager directly markets the fund it also manages: the natural or legal person the asset manager has a business relationship with, including the fund distributors,
  • Where the asset manager does not directly market the fund it also manages: the natural or legal person mentioned in the fund register.

    As a result, in such a scenario, only the intermediaries are recognised as the fund’s customers and not the underlying clients of the intermediaries. As end clients are not customers of the fund, intermediaries are most often prevented from disclosing data gathered during the client onboarding, by data protection and professional secrecy obligations. As a result, these circumstances prevent investment funds and their managers from identifying end investors and verifying their identity based on KYC documents. In such a case, the fund performs CDD obligations on the intermediary and would be unable to systematically identify and verify natural persons on whose behalf the transaction is being conducted. As intermediaries are most often AML obliged entities, they are already subject to AML/CFT supervision by competent authorities and conduct full CDD measures on their underlying clients. They also provide competent authorities and relevant BO registers with accurate and up-to-date information. Due to these arrangements, ML/TF risk in the fund sector is properly mitigated. 

    These specificities of the funds’ industry have long been recognised by the FATF, particularly that the fund’s units/shares are typically sold through another financial institution, which is itself an obliged entity under AML provisions and conducts the necessary due diligence. In the Guidance for a Risk-Based Approach for the Securities Sector[1] the FATF recognises that “The complexity of the securities sector and the variety of intermediary roles involved highlight that no one-size-fits-all AML/CFT approach should be applied.” and specifically on the distribution of investment funds: “the CDD measures an investment fund should take will depend on how the ultimate customer invests in the fund. Depending on how the investment fund is sold, with whom the business relationship is established or who is registered in the fund’s share/units register, the investment fund may be required to treat an underlying investor as its customer or the intermediary as its customer. Where an intermediary is treated as the investment fund’s customer, the investment fund may not have visibility on the intermediary’s underlying customers. This includes not having comprehensive identification nor transaction related information on the customers of the intermediary in cases such as, for example, where the intermediary nets all of its customers’ orders and submits a single net order to the investment fund each day.”

    Moreover, as investment funds treat intermediaries as their customers, they apply AML measures towards them. This is done in compliance with the risk-based approach explained in the EBA ML/TF Risk Factors Guidelines and includes: (a) gathering of sufficient information about the institution to understand fully the nature of the financial intermediary’s business and to determine from publicly available information the reputation of the institution and the quality of supervision, including whether it has been subject to a money laundering or terrorist financing investigation or regulatory action; (b) assessing the financial intermediary’s anti-money laundering and anti-terrorist financing controls; (c) obtaining approval from senior management before establishing new relationships; (d) clearly understanding and documenting the respective responsibilities as regards the fight against money laundering and terrorist financing of each institution; (e) being satisfied that the financial intermediary has verified the identity of and performed ongoing due diligence on the customers having direct access to accounts of the credit institutions, financial institutions and other institutions concerned by such relationships. This ongoing AML risk assessment and an in-depth knowledge of their distribution channels ensure that AML risks are adequately addressed in the asset management industry. As such, intermediary arrangements must also be clearly distinguished from nominees (recital 131 AMLR), as they are not used to deliberately evade transparency on BOs and misuse legal entities for ML/TF reasons.

    Similar to the one described above is the case when the intermediary acts as a distributor of the fund and the units/shares in the fund are registered in the name of the end client, rather than the own name of the bank or broker platform. In these cases, the primary distinction from the scenario described above would be that the end clients would also become clients of the fund. However, while the name of the end investor may appear in the fund share register, further relevant data may still not be accessible to the fund manager. Nevertheless, this would not alter the overall low risk profile of these relationships/operations, bearing in mind that: (i) the end clients would still remain direct customers of intermediaries, (ii) intermediaries are obliged entities subject to AML/CFT obligations, (iii) they are required to perform all elements of the risk-based CDD on end clients, and (iv) the CIU will undertake the due diligence on the intermediary as described above to thoroughly understand the distribution channels and evaluate AML/CFT risks. 

    The fact that investment funds will fulfil CDD obligations by leveraging the intermediary’s efforts, is also important from the end investors’ perspective. Further exercise of CDD obligations by investment funds directly on end investors would further burden them, prolonging their onboarding process. This could counterproductively affect current efforts to incentivise retail investors to participate in financial products. At the same time, it would not benefit AML/CFT purposes as it will simply duplicate the work done already by intermediaries. 

    To address specificities of the CIUs sector, as described above, the following changes need to be made in Art. 21 of the draft RTS on CDD:

    1. The description of the relationship between the CIU, the intermediary and end client has to be amended to correctly reflect the current market practice.

    The introductory part of Art. 21 of the draft RTS on CDD refers to circumstances “when a collective investment undertaking is acting in his own name, but for the benefit of its underlying investors through another intermediary credit or financial institution (…)”. This is not in line with what happens in reality. As already explained, in most cases it would be the intermediary acting on behalf of the underlying clients and the shares/units in the fund would be subscribed either (i) in the intermediary’s own name, or (ii) in the name of the end client.

    2. The Article has to fully reflect the fund industry's mitigated ML/TF risk.

    As explained above, the AML/CFT risks in the case of CIUs’ industry are mitigated by the existence of intermediaries, who are obliged entities themselves and, as such, have to perform CDD measures on end clients. This implies a lower level of ML/TF risk not only in the case of a particular business relationship but also in the industry in general. Therefore, we believe that the approach to CDD proposed in Art. 21 of the draft RTS on CDD should not be treated as simplified CDD under Section 4, but as the typical way in which CDD should be performed in the CIUs sector.

    We believe that such an approach would be in line with the mandate established under Art. 28(1)(a) AMLR as it requires the regulatory technical standards to specify “the requirements that apply to obliged entities pursuant to Article 20 and the information to be collected for the purpose of performing standard, simplified and enhanced due diligence(…)”. According to Art. 20(2) AMLR obliged entities are allowed to determine the extent of applied measures, taking into account not only the individual analysis of the risk posed by the specific client and business relationship, but also the business-wide risk assessment done pursuant to Art. 10 AMLR. 

    Notwithstanding the above, even if the provisions of Art. 21 of the draft RTS on CDD would remain as part of Section 4 on SDD, we believe that it should be possible to apply them to all business relationships that are considered as non-high-risk. Only in cases where high risk is observed should this be additionally mitigated by CIUs. 

    3. The Article should require intermediaries to provide CIUs with information on beneficial owners rather than all underlying investors.

    In funds, and in particular in the open-ended ones, the number of underlying clients subscribing into a fund through an intermediary can go into hundreds of thousands. Moreover, these clients are free to subscribe and redeem units or shares on a daily basis, which makes the fund’s end investor base highly variable. Funds are also pooled investment vehicles where the investment decisions rest with the fund’s manager and are typically not determined or controlled by the end investors. These specificities limit the attractiveness of funds for the purposes of money laundering and financing of terrorism. 

    Therefore, for the purposes of the AML/CFT it would only make sense for the CIU to be provided with information on beneficial owners. 

    4. The Article should also recognise the robustness of AML/CFT rules applied by international capital groups.

    While we agree with the need for the intermediary to be subject to AML/CFT obligations which are as robust as those applied in the EU, we would argue that Art. 21 of the draft RTS on CDD should also recognise the influence of the group structure on those requirements. A particular intermediary might be established in a third country, with AML/CFT rules less robust than those required by AMLR. At the same time, it could be subject to higher standards through group policies that would adhere to the EU rules or rules of another country that would be as robust. 

     

[1] FATF, Risk-based Approach Guidance for the Securities Sector, para. 48 and 100.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We would like to highlight that Art. 28 of the draft RTS on CDD goes beyond what was prescribed by Art. 20(1)(d) of AMLR. It requires that scanning measures shall be applied by obliged entities not only to customers, but also to all entities and persons which own or control such customers. At the same time, under Art. 20(1)(d) of AMLR, this scanning is limited in the case of legal entities to persons who control the legal entity or have more than 50% property rights or majority interest. This, to our understanding, clearly limits the scope of such scanning.

In order to keep the provisions of the draft RTS on CDD in line with rules established by Level 1 provisions, we propose the following change in the wording of Art. 28:

“To comply with Article 20(1)(d) of Regulation (EU) 2014/1624, obliged entities shall apply screening measures to their customers and to all the entities or persons who own or control such customers.”

 

Name of the organization

AFG