Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
In relation to the introduction of the draft, it is recommended to standardize the interpretation of the term "verify" throughout the document. In our view, an obliged entity is capable of performing a due diligence-based assessment of a document, rather than verifying the authenticity of the information provided. The term "verify" appears multiple times in the document with varying meanings, which creates ambiguity.
Article 1 section 3: The RTS extends the obligations defined in the AMLR by introducing a requirement to obtain the commercial name of the entity. We recommend removing this extension.
Article 2: Does the specified scope of data apply solely to the address information in the cases mentioned in these two Articles, or does it also extend to other references to “address” in the AMLR (e.g. Article 22(1)(c) point (ii))?
The address is also a requirement in the context of UBOs; however, it should be approached less strictly and in line with the risk-based approach. Postulate: the full address of a UBO should be required only where high risk has been identified in relation to the owners and their "assets". In other cases, if the full UBO address cannot be obtained from the client, the obliged institution should be deemed to have fulfilled its task by obtaining the UBO's country, or town and country, of residence.
Article 3: The scope of information included in identity documents and passports varies across jurisdictions. There may be cases where only the name of the city or the country of birth can be verified based on the identity document. Does the inability to verify one component of the “place of birth” (i.e., either the city or the country) — while the other is identified, e.g., based on a client declaration — constitute a reason for considering that customer due diligence cannot be fulfilled (triggering an obligation to terminate the relationship)?
Article 4: The requirement is unclear; however, it is understood that this obligation applies only in cases where the institution has reasonable grounds — based on its risk analysis — to suspect that the person may hold another nationality. The obligation to inquire about second citizenship must be rationalized in light of data minimization principles and the lack of justification to treat citizenship as a mandatory factor in customer risk assessment (as per the annex to AMLR). We request confirmation whether failure to determine another nationality (given its optional nature) may result in administrative sanctions for the obliged entity. Should the approach regarding citizenship be identical for customers and UBOs, or can differences apply?
Article 5: It is unclear whether the obliged entity is required to archive (store in the client’s file) a copy/scan of the document, or whether recording the characteristics and information contained in the document is sufficient. Can the obliged entity determine the rules of document retention based on a risk-based approach?
Furthermore, this provision prevents an account from being opened for a minor on the basis of a student ID. Postulate: this possibility should be maintained, given that minors are not legally required to hold an identity card, and a provision should be added addressing minors and the documents required for their identification and verification.
Article 9: The draft introduces an overly restrictive approach. The AMLR requires the UBO's identity to be documented, i.e. that a given person (name/surname, ID number, date of birth) is the UBO; it does not require all UBO data to be documented.
Postulate: we request that obliged entities be permitted to obtain UBO data (all nationalities, address of residence, ID card details, etc.) declaratively from the Bank's client, without documentary verification. The Bank should document that a given person is a UBO, not document each item of UBO data. Obliged entities have a relationship with the client, not with the UBO, and such a task would be impossible to perform.
Additionally, the scope of this data should also be subject to the risk-based approach. The Bank should not be obliged to obtain the full/wide scope of data from every client, including standard-risk clients. In the current shape of the draft, there is no gradation of the scope of data.
For example, the requirement to collect account numbers from the UBO in order to verify the address is excessive and difficult for obliged institutions to meet.
We refer to a recital that introduces the possibility of a lighter approach and propose that this recital be reflected more precisely in the provisions of the draft RTS. The recital reads: "When obliged entities collect information from customers for the purposes of complying with customer due diligence requirements, that information may not always involve the collection of documentation. This Regulation specifies the situations where documentation should be collected."
Do the obtained documents have to allow verification of each piece of information that is required to be determined, e.g. for the beneficial owner? Is it sufficient to confirm with a document the mere fact that a given person is the beneficial owner, without the obligation to verify each item of data (e.g. date of birth, which may not appear on such a document)?
Article 10: Question regarding the difference in scope of application between Articles 10 and 11: is an organigram also required to fulfil the obligation under Article 10? Postulate: we request a clear definition of the scope of application of Article 10, which currently sets out expectations in an unclear way.
Furthermore, what if the management board is identified as the beneficial owner (i.e., there are no entities meeting the definition of intermediary connections)? In such cases, should the required information be collected for the entire structure? Is this scope broader than provided in Article 62 of the AMLR?
Article 11: The mere existence of different jurisdictions is treated as a sufficient criterion for defining a complex structure. We propose distinguishing in the criteria between EU countries (lower requirements) and non-EU countries (higher requirements). We also propose taking into account the number of levels in the structure, so that the criteria correspond to the actual risk (for EU entities, a two-level structure does not seem complex, and the actions required by the RTS/AMLR may be redundant from the perspective of the effectiveness of the risk management process).
Furthermore, the draft goes beyond the AMLR requirement. Obtaining an organigram from the client should be one of the possible methods available to the obliged institution for understanding the ownership and control structure, but it should not be an obligation.
There may be cases where obtaining an organigram (especially under the criteria for a complex structure set out in the draft) is excessive and not useful for identifying and mitigating risk.
The obliged institution should be able to choose the method of implementing the requirement. Obtaining the document from the client will not always be the optimal or preferred method.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
Do the provisions allow the use of identity document scans provided by the client for beneficial owners? Reproductions of such documents may not enable adequate verification of embedded security features.
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Articles 15 and 16: These articles constitute a significant extension of the AMLR provisions. Postulate: the RTS should not extend the tasks and requirements already defined in the AMLR, but only clarify them.
At this point, the draft changes the scope of required data for high-risk clients and introduces an obligation to establish the source of wealth (SOW) for each high-risk client, which differs from what the Regulation states and requires explanation. Postulate: confirmation that SOW is required only in the cases directly indicated in the AMLR. In other cases, the obliged entity may request SOW information from the client where it identifies a non-compliance or risk that requires it.
Additionally, what does the term "higher" mean: does it refer only to high risk, or also to medium? Does "higher" mean "other than low risk"? Does the provision apply to clients classified as "auto-high", or only to specific high-risk clients where an additional risk aspect or an AMLR requirement (such as PEP status) applies?
Article 16: It is not clear how the term "employment status" should be understood. Does it refer to a profession, only to the current employment status (employed, unemployed, self-employed or retired), or to the current place of employment?
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 17: Does this imply that any change in the customer’s business triggers the obligation to reverify their PEP status?
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 18: The regulation uses both "lower risk situations" and "low-risk situations". How should these notions be interpreted? Do they refer to the inherent or the residual risk profile of the customer? Is there any difference between these concepts?
Article 19: Can the central UBO register be used as a source of additional information about the UBO, such as ID card details, address of residence or other nationalities, where the obliged institution has determined and documented who the UBO is but does not hold the full scope of required data? The question applies to all types of clients, not only those with "lower risk".
Postulate: the RTS should clearly state that central registers may be used to obtain missing data, provided that the UBO has been established and documented.
It is not clear whether the obligation to report discrepancies to the CRBR (the Polish UBO register) will remain local, or whether there will be a requirement to report to all relevant EU registers.
Postulate: maintain the local regime, i.e. in Poland, reporting only to the CRBR with regard to entities registered in Poland.
Article 20: 1. It is not clear what obligations an obliged institution applying simplified due diligence measures has. Is it obliged always to obtain information about its client's clients and process it from a risk assessment perspective (e.g. screening against sanctions lists)? Does the absence of information about a client's clients exclude the liability of the obliged institution? On what basis, to what extent, and for how long is the processing and storage of the client's clients' data permitted?
2. How should obliged institutions establish a list of countries with AML/CFT regulations adequate for AMLR purposes? Is this the institution's own assessment, or is such a list published by EU bodies?
3. What does the term "effectively supervised" mean? How should this concept be understood?
Article 22: To ensure a consistent start to application of the AMLR requirements, we propose to align the terms and refer to the AMLR rather than the Regulation implementing the RTSs.
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Articles 24 and 25: By introducing a catalogue of requirements prefaced with "at least", the draft significantly expands the scope of tasks listed in the AMLR and carried out by obliged institutions for high-risk clients.
Postulate: the catalogue should apply only in justified cases where such analysis of the client's and UBO's past is purposeful, not in every EDD case.
Article 24: 1. We propose that the list of persons about whom information must be obtained be indicated as an example rather than a requirement. The current provision may cause excessive actions on the part of obliged institutions. Should this provision not be limited to cases where the obliged institution already has information about such persons?
2. In its current form, the provision may lead the obliged institution to ask the client about the above-mentioned persons, which may arouse suspicion and disclose that an analysis is being conducted (tipping-off).
3. Does such a provision violate the provisions of the GDPR?
Article 25: We propose modifying the wording "verify the legitimacy" throughout the document. In this form the provision seems inadequate to the role of the obliged institution, which is not to verify the legality of actions, but to assess risk and, at its own discretion (guided by due diligence), determine whether the information is adequate or raises doubts. Example: Article 27 uses "verify" in point (a) and "assess" in point (b). There is certainly a difference, but it is not clear what it is or whether it is justified.
Does this requirement mean using a partnership established under Article 75? The question is how to implement this requirement where no partnership has been established.
The requirement is not clear in the context of onboarding. Postulate: the requirement should be treated only as post-onboarding and applied in justified cases resulting from the obliged institution's assessment and its need to determine the risk to which it is exposed.
The draft refers to the "expected number" and "frequency of transactions"; we read this as a follow-up verification of the number and frequency of transactions recorded on the client's account against the type, size and nature of the client entity. If the number and frequency of transactions are expected to be collected at the KYC onboarding stage, we suggest removing such detailed statistics from the scope of the client's KYC.
The provision does not specify the period for which information should be collected. Postulate: specify the period for which such information should be collected.
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 29: What exactly does "residence" mean? For example, does a change of residence (a) within the same location, or (b) between different locations within the same country, require screening, or only cases where the country of residence changes?
The guidelines do not refer to the transliteration rules to be applied. The introduction of such a requirement should be linked to the application of uniform transliteration rules throughout the EU; if such rules exist, the RTS should refer to them.
The scope of data to be used in screening is broader than that to be collected (e.g. other names, aliases). The lists of data should be unified. We also propose clarifying what is meant by "other names", "trade name" and "alias", with examples. The lack of detailed guidance may lead to redundant data collection (e.g. many previous names under which the business was conducted). Guidance on collecting this data should also indicate that the obliged institution should apply a risk-based approach.
The regulation does not introduce an obligation to apply trade or economic sanctions (e.g. a ban on coal imports from Russia), for which this factor would be of significant importance. We propose removing "change of business operations" as a trigger for screening, since the financial sanctions referred to in the AML framework concern the names of persons and entities entered on the list.
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 31: 1. Is it required to obtain and verify each item of data obtained under Article 22 (customer, person acting on behalf of the customer) and Article 62 (beneficial owner)? 2. How should one proceed where the obliged institution attempts to obtain but ultimately fails to obtain and verify some of the above data, yet the identity of the person or entity has been verified and the obliged institution is satisfied that the person is who they claim to be?
Does the provision mean that all attributes must be used when using an electronic identification means?