Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates


Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

It would be desirable to leave the risk assessment and the determination of the risk profile to the obliged entities themselves in order to reduce costs, both on the side of the supervisor for retrieving data and performing the assessment, and on the side of the obliged entities that can expect extensive data requests from the supervisor for the purpose of the assessment. In addition, it seems more efficient to leave the risk assessment up to the obliged entities, because it may be complicated for supervisors to assess who is considered an obliged entity, because of the new definition of obliged entity (for example, holdings of regulated financial entities will be put into scope  and these entities are to a large extent currently not in scope of the supervisors). Article 40 of the AMLD allows an approach where the obliged entities perform the risk assessment; it still allows the national supervisor to apply a risk-based approach to supervision. 

Obliged entities such as asset managers are already required to comply with very extensive data requests from supervisors (arising from other legal obligations) and the approach as described in the RTS would lead to an increase in reporting obligations, given the extensive datapoints added in the Annex. Now that simplification and burden reduction are a major focus of the European Commission's Savings & Investments Union strategy, it is not consistent to introduce provisions that will very likely lead to an additional reporting obligation. In addition, the data points in the Annex are now too broad and could be further specified per sector, in order to (at least) reduce the impact on the time investment and compliance costs of obliged entities.

In addition to an increase in reporting obligations for asset managers, the supervisors will receive (from all obliged entities under their supervision) information, some of which is already shared with them, and will have a maximum of nine months to carry out the first assessment (see article 5(1) draft RTS), which will be a challenge. In order to address the challenge the supervisors may face and to keep in mind the focus on burden reduction, we believe it is vital to 1) reassess the information needed, 2) reassess whether this information is already available, 3) ensure an efficient process for uploading information to the supervisor and 4) have clarity on the various terms used in the draft RTS/Annex 1 to the draft RTS (see also our comments under question 3).

Another point of attention is the apparent lack of transparency regarding the process which results in a residual risk score and accompanying risk profile (in accordance with article 4(3) draft RTS) and any actions that can be taken by obliged entities in case they have questions and/or do not agree with the risk profile assigned to them.

Finally, with regard to the calculation of the group-wide ML/TF risk score, the draft RTS contains a methodology that is based on an aggregation of entity-level residual risk scores. This aggregation consists of a weighted average, which reflects the importance of each entity within the group. It is however unclear if all entities within the group need to be included, i.e. also entities that themselves are not obliged entities. We assume that these non-obliged entities should not be in scope. This should be clarified in the text.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

No comments 

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

No comment

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

Annex I includes the following remark: “Some data points do not apply to all sectors, given the specific nature of their activities. Likewise, the data points under 'Products and Services' will only be considered if the obliged entity offers the product or service.” We agree with this approach. However, with the addition of the second sentence, it might seem that only data points from the category ‘products and services’ can be disregarded. We believe it should be a possibility to also leave out data points from the other categories (customers, geographies and distribution channels). For the avoidance of doubt, perhaps this can be clarified in the text.

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

No comment

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

For various reasons, we believe the frequency is too high. Firstly, the higher the frequency, the higher the compliance costs. Obliged entities that are required to share information with their supervisors will go through a governance process that requires both capacity and time. These costs are directly incurred by the obliged entity. Secondly, the requirement to conduct the assessment will require capacity and time from the supervisors, increasing supervisory costs. Both costs will have to be borne by the sector, and will therefore ultimately be paid by the clients of the obliged entities. Thirdly, an update of the assessment seems most relevant when there is a change in the operations of the obliged entity. For most financial entities, there will not be a change every year, and an update of the assessment in that sense will therefore not be necessary.

 

Based on the above, we are of the opinion that the frequency should be determined more risk-based, see also our answer to question 5.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

A suggestion could be to use the result of the assessment to determine the frequency, instead of the criteria mentioned in article 5(3) draft RTS, as these are not necessarily a good indication of the risk of the obliged entity. For example, the number of employees does not say anything about the risk profile of the company and a limited number of employees can even be a risk factor. 

The frequency based on the outcome of the assessment should be appropriate, also considering that article 5 (4) and article 5 (5) of the draft RTS prescribe that an ad hoc assessment should be conducted in case of major events or developments. Guidance should however be provided as to what should be understood by ‘major events or developments’, to ensure harmonized interpretation EU-wide.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

No comment

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

Article 12 (7) AMLR specifies that the RTS to be developed should specify the minimum activities to be carried out by a credit or financial institution under the freedom to provide services for it to be considered as operating in a Member State. We assume that for asset managers “operate through freedom of services” does not include transactions related to making investments. We suggest to clarify this.  

We believe the specificities of the asset management industry should be taken into account more closely. Thresholds for one sector do not have the same impact as for another sector and these thresholds do not seem suitable if they are static.

For example, UCITS and AIFs can be distributed throughout the EU (and third countries) using a marketing passport. Often also marketing branches are established in other Member States. However, the business relationship between the customer and the fund is being governed by the law of the jurisdiction where the main office of the manager is located. A marketing branch will therefore not lead to an increased AML risk.

We propose that different thresholds be used for specific types of obliged entities, so that any threshold is proportionate to the type of service provided. In this way, direct supervision by AMLA is also more proportionate to the risks applicable to the entity concerned.

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

Please see our answer to question 1. 

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

Please see our answer to question 1. 

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

We agree with the approach that the methodology in this RTS builds on the methodology laid down in the RTS under article 40(2), provided that the methodology is robust, transparent and addresses the specifics of the various financial sectors. 

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

Yes, we agree with this approach. 

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

As mentioned in our response to question 1 of the Draft RTS on the assessment of the inherent and residual risk profile of obliged entities under Article 40(2) of the AMLD, we are of the opinion that the data points as mentioned in article 5(3) may not be the most relevant data points in all instances. 

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

No comment

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

Yes, we agree with the approach. In determining the group-wide risk profile, the entity-level residual risk scores of the group’s components are aggregated, based on a weighted averaging method. If the parent company has a low-relevant activity and therefore a low risk score, the risk score of the parent company will have limited impact on the group-wide risk score, and will therefore not lead to an unreliable group-wide risk assessment and score.

Please refer also to our response to question 1: it is not entirely clear if all entities within the group (i.e. also entities that themselves are not obliged entities) need to be included when calculating the group wide ML/TF risk score. We assume that these non-obliged entities should not be in scope. This should be clarified in the text.

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

No comment

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

In general, we would like to note that the RTS is not equally consistent in terms of the level of detail. Where in some cases it prescribes in great detail how an obligation should be met (which in some cases leaves little room for a risk-based approach), in other cases open standards are used, which leads to the question what type of information or source may be used to meet an obligation.

The differences between different types of obliged entities are also not always properly taken into account. For example: the AMLR and RTS refer to terms such as ‘customer’ and ‘business relationship’. The AMLR only defines the term ‘business relationship’, which assumes a business relationship is also a customer.[1] The AMLR requires customer due diligence to be performed when establishing business relationships. For obliged entities being asset managers, this seems to imply not only investors are considered as business relationships, but also all counterparties in case of both investments and divestments. Under this assumption, in some cases a more simplified due diligence seems justified. For example, some asset managers only have customers that are regulated investors (e.g. pension funds). Some parts of the due diligence are too extensive for these types of customers, such as the check on source of wealth/funds or the identification and verification of UBOs (e.g. information on residence, Legal Entity Identifier, VAT registration number or tax reference number). Therefore we suggest to include more sector specific guidance and leave room for a more risk-based approach for obliged entities when performing customer due diligence and determining the risk categories. Sector specific guidance could include examples on low, medium and high risk.

We also suggest clarifying who should be considered as “customers/business relationships” of holding/parent companies of, for example, asset managers that may become in scope of the AMLR.

Below we provide feedback on an article-by-article basis:

Article 1:

Article 1 stipulates that obliged entities shall obtain all of the customer's full names and surnames. This wording does not provide clarity on how to deal with call names, marital names, aliases and the varying usages of prefixes/suffixes in Member States.

Article 2:

Article 2 stipulates what details should be obtained in relation to addresses. It’s not clear to what extent this information should be verified (we would suggest this should only be the case for high risk customers) and what sources can be used for verification.

Article 3:

Article 3 details that the place of birth concerns both the city and country name. However, we are wondering what type of documents should be used to verify this information, as passports, ID cards or equivalent documents normally do not contain the country name. 

Article 4:

Based on article 4, obliged entities shall obtain necessary information to satisfy themselves that they know of any other nationalities their customers may hold. This is a very open formulation - when, for example, does one speak of 'satisfied'? 

The question then arises as to which source could be used, since asset managers and other obliged entities do not have access to a public database to verify this data. The question is therefore how this can be operationalised. For example, can a statement from the customer suffice?

Article 5:

This article describes the documents that can be used for identity verification. Since ‘nationality’ is required to be on such equivalent document, this means that in some Member States a driving licence is no longer a valid means of identification.

The article allows the provision of ‘certified copies’. It is, however, not stated what the certification entails (e.g. authenticity of document and/or confirmation of identity) and by whom a certification must be done.

Article 10:

DUFAS is of the opinion that the approach taken in this article 10 is excessive and does not allow for the application of a risk-based approach.

For the purposes of understanding the ownership and control structure of the customer, obliged entities shall obtain a reference to all the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their beneficial owners (if any). We assume that this means that only entities in the direct line (parent-subsidiary companies) should be part of the investigation (and therefore not sister companies or other entities within a group). Nevertheless, this is still a far-reaching obligation and the extent of the investigation into these intermediary connections should depend on the customer's risk.

In paragraph 1 sub c it is stated that information on the regulated market on which the securities are listed (in case of (partly) listed company) needs to be obtained by the obliged entity. This seems like a far-reaching obligation given that customers whose securities are listed on a regulated financial market are currently giving rise to a simplified CDD.

Article 11:

The application of Article 11 (too) quickly results in a complex structure. For example, the number of layers as a static number is not always a good risk indicator because for many (large) companies or multinationals the use of multiple layers is very common. However, if this wording were to be retained, it should at least be made clear that the customer itself and the UBO itself do not count as a layer (so effectively there would be 4 layers - including the customer, the UBO and two intermediate layers).

The condition that the customer and any legal entities present at any of these layers are registered in different jurisdictions, does not directly contribute to a higher risk or less transparency. A Dutch company that has an entity in a neighbouring country such as Belgium does not directly lead to an increase in the complexity of the structure.

All in all, there should be a risk-based approach when determining whether there is a complex structure.

Article 12:

Article 12 requires senior managing officials to be identified and verified similarly to UBOs. Due to the broad definition of senior managing official in the AMLR, the impact could be excessive. A different approach could be taken to limit the impact, for example by limiting the obligation of information collection to executive board members or only those SMOs engaged in the transaction or business relationship.

In addition, the data to be collected could be limited, since senior managing officials do not contribute money to the business relationship and therefore research into, for example, a source of funds/wealth has no added value. The obligation could be limited to identification and verification of identity of the SMO. And even then, a risk-based approach could be taken, depending on the customer's business. 


 

[1] ‘business relationship’ means a business, professional or commercial relationship connected with the professional activities of an obliged entity, which is set up between an obliged entity and a customer, including in the absence of a written contract and which is expected to have, at the time when the contact is established, or which subsequently acquires, an element of repetition or duration (article 2(19) AMLR).

 

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

We are in favor of using remote solutions, but only if such solutions are appropriate. At this moment this does not seem to be the case.

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

No comment

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We again point out that for the asset management sector, in some cases (e.g. in case of regulated investors/customers like pension funds) a more simplified due diligence seems justified. For example the check on source of wealth/funds or the identification and verification of UBOs. Therefore we suggest to include more sector specific guidance and leave room for a more risk-based approach for obliged entities when performing customer due diligence and determining the risk categories. 

Article 16:

To understand the purpose and intended nature of a business relationship or occasional transaction, obliged entities shall take risk-sensitive measures to obtain the information mentioned in this article. However, the current wording does not seem to leave much room for risk-sensitive measures. For example, we wonder whether it is necessary to collect all the information mentioned in sub e in all situations, or only in case of enhanced due diligence. The extensive list of information that needs to be collected leads to a lot of extra work for customers and obliged entities, and lacks a risk focus, especially taking into account the asset management sector.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

No comment 

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 21:

The wording here does not seem to correspond with practice. It is not the collective investment undertaking (CIU) “acting in its own name, but for the benefit of its underlying investors through another intermediary”. In most cases it would be the intermediary acting on behalf of the underlying clients and the shares/units in the fund would be subscribed either (i) in the intermediary's own name, or (ii) in the name of the end client.

Also, in funds the number of underlying clients subscribing into a fund through an intermediary can go into hundreds of thousands. Funds are also pooled investment vehicles where the investment decisions rest with the fund’s manager and are typically not determined or controlled by the end investors. These specificities limit the attractiveness of funds for the purposes of money laundering and financing of terrorism. Therefore, for the purposes of the AML/CFT it would only make sense for the CIU to be provided with information on beneficial owners. 

Article 22:

Based on the wording of article 22 paragraph 2, a grace period seems to apply only to existing customer identification data in low-risk situations, but a grace period should apply to all customers (with different terms depending on the risks – high risk clients should be updated within one year after the application date of the AMLR). Further clarification would be required here.

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.

Section 4 relates to simplified due diligence measures. For the asset management sector the RTS now only includes simplified due diligence measures for situations where collective investment undertakings use intermediaries to perform due diligence. We believe that other simplified due diligence measures or exemptions should be introduced, for example for situations where customers of asset managers/investment funds are regulated investors, such as pension funds. In that regard extensive requests related to the source of funds/wealth do not make any sense.

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We again point out that for the asset management sector, in some cases (e.g. in case of regulated investors/customers like pension funds) a more simplified due diligence seems justified. For example the check on source of wealth/funds or the identification and verification of UBOs. Therefore we suggest to include more sector specific guidance and leave room for a more risk-based approach for obliged entities when performing customer due diligence and determining the risk categories. 

Article 25:

It is not clear to us what is meant by "verify the legitimacy of the destination of funds" in that the obliged entity must collect additional information about the intended nature of the business relationship. How can this be done and with what information/sources? What is expected of obliged entities?

Also, in paragraph 1 sub b, the wording 'and/or' is included. If not intended cumulatively (which is expected here), then it would be preferable to remove the word 'and'.

Article 26:

Perhaps an unnecessary comment, but the layout of this article does not seem correct. For example, sub a and b should be merged. 

Article 27:

It is not clear how this article (additional information on the reasons for the intended or performed transactions and their consistency with the business relationship) should be interpreted in the context of EDD in relation to high-risk third countries (art. 29(4) AMLR).

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 28:

We would like to highlight that this article goes beyond what was prescribed by article 20 paragraph 1 sub d of AMLR. It requires that scanning measures shall be applied not only to customers, but also to all entities and persons which own or control such customers. At the same time, in article 20 paragraph 1 sub d of AMLR this scanning was limited in the case of legal entities to persons who control the legal entity or have more than 50% property rights or majority interest. 

Article 29:

Article 29 (c)(i) mentions both ‘during customer onboarding’ and ‘before entering into a business relationship’. We are curious whether different situations are intended here, given that onboarding also precedes entering into a business relationship.

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

No comment

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 32:

Please see our previous comment regarding the grace period. Also, the reference to Article 23(1) appears to be incorrect. Finally, the period for updating information of existing customers should be based on a period after the date of application of AMLR (instead of the RTS), especially if the entry into force date of the RTS would be earlier.

Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.

DUFAS has no response regarding this RTS

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.

DUFAS has no response regarding this RTS

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

DUFAS has no response regarding this RTS

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

DUFAS has no response regarding this RTS

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

DUFAS has no response regarding this RTS

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

DUFAS has no response regarding this RTS

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

DUFAS has no response regarding this RTS

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

DUFAS has no response regarding this RTS

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

DUFAS has no response regarding this RTS

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

DUFAS has no response regarding this RTS

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

DUFAS has no response regarding this RTS

Name of the organization

DUFAS