Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
Overarching considerations on defining risk
A key point missing in the Article 40(2) RTS (and the other RTS documents within the scope of the consultation) is a definition of the term “risk” itself, as no such term appears to be defined within Regulation (EU) 2024/1624 (the AMLR) / Regulation (EU) 2024/1620 (the AMLAR) - nor at FATF level (in either the glossary or interpretive notes). There is also the matter of the draft RTS' definitions for inherent and residual risk essentially being circular: Article 1(1)(1) of the draft RTS for Article 40(2) explains that "‘Inherent risk’ means the risk that an entity may be used for money laundering and terrorist financing"; Article 1(1)(2) likewise explains residual risk as "the risk that an entity may be used for money laundering and terrorist financing". In other words, "risk" is understood to mean "risk".
Given the centrality of this term to the EU AML / CFT framework, and its capacity for being interpreted in many ways, it would be helpful to clarify what is meant by “risk” in relevant contexts (be it in relation to an NRA, sectoral risk assessment, or business-wide risk assessment). Both public and private sector entities should understand precisely what they are assessing when performing risk assessments, rather than placing reliance on complex methodologies or formulae (e.g., risk being a function of threat, vulnerability, and consequence) whose results may be very open to interpretation by various stakeholders. Whichever definition is ultimately used, it may be helpful to tie it to ML / TF prevention (which is a central objective of the AMLR and AMLAR - as to which see Article 1(a) AMLR and Article 1(3)(a) AMLAR).
If one of the RfA’s key objectives is to harmonise relevant matters on supervision and CDD, ensuring that a term of central importance to the entire framework is consistent would go a long way to accomplishing just that.
Question 1: Do you agree with the thresholds provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
N26 would urge caution in tying a key metric used for determining entities for direct supervision to fixed thresholds, as it may result in problematic cross-border entities not being caught. We would argue that a more helpful metric could be to consider the materiality of an entity’s cross-border economic activity as against the economic activity in its jurisdiction of authorisation. In our experience as a retail bank, the most problematic FIs (in the financial crime sense) tend to be smaller PSPs whose customers’ activity is primarily carried out outside of the jurisdiction in which the PSP is authorised. It is these types of entities with substantial cross-border activity (but which might not meet the thresholds set out in the draft RTS) that may well pose the most substantial ML / TF risk to the wider EU financial system.
Tying direct supervision to cross-border materiality could potentially give AMLA greater insight and views on the entities posing the most pertinent level of ML / TF risk. More established and mature entities (who are presently supervised by national authorities) are unlikely to attract criminal activity to the same extent as these smaller entities with cross-border operations.
Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
N26 broadly agrees with this approach. Our sole concern here relates to ensuring that risk across entities in different jurisdictions is assessed in a consistent way, as products / services and their usage can substantially differ (e.g., customers from the same nationality exhibiting vastly different behaviour when using the same product in two different jurisdictions). There should be some mechanism in place to ensure that such differences are sufficiently captured.
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We generally agree with Section 1’s provisions, subject to certain further additions to Articles 11 and 14, which we believe could strengthen Section 1's effectiveness.
Article 11 matters
We would caution against adopting a wholly prescriptive approach to understanding complexity. Entity complexity should be – in our view – established on a case-by-case basis, given that formulaic approaches can under- or overvalue the true complexity of a customer’s structure. By way of example, a single-layer corporate structure could have an intricate web of lending or security arrangements to various entities - despite not meeting Article 11’s threshold for complexity. For this reason, we suggest including a fourth sweep-up sub-article to ensure obliged entities are not given too much leeway to ignore obviously complex structures falling under Article 11’s thresholds.
As a general approach, we would suggest that obliged entities consider complexity in light of the customer’s structure and nexus of economic interest(s) (e.g., loans, security arrangements) as a whole and assess whether the structure makes logical or economic sense within its relevant context and the services being sought. If it does not, that structure should be considered complex.
Article 14 matters
We would also suggest a requirement for obliged entities to request information on the letter of wishes (LoW) (or equivalent), where a business relationship involves discretionary trusts. This is a key document for trustees, as it can form a relevant consideration for decision-making (i.e., a key ingredient for trustees to have properly exercised a power). An LoW often sets out the settlor’s expectations on which beneficiaries should benefit from the trust. Although an LoW does not bind trustees, it is in practice often given significant weight and its wording followed. A legal requirement to request copies of the latest letter of wishes (or summary of its contents) would help obliged entities obtain a much better understanding of the practical power dynamics in a discretionary trust.
Issues connected to Section 1
We note that the draft RTS does not appear to address the issue of obliged entities being unable to comply with CDD obligations. This is of particular concern, given that this situation (under the AMLD and future AMLR) requires obliged entities to terminate business relationships and potentially file a suspicious transaction report (STR) where they are unable to comply with CDD requirements.
It is unclear how the threshold for termination may be met - noting also that such an exercise may be inherently fact and context-specific. To illustrate the point, a customer failing to respond in time to a request for CDD information in connection with a periodical review could be considered to have met this threshold for termination. But it would be plainly disproportionate to terminate an account in such circumstances, particularly given the multitude of innocent or plausible explanations a customer could give. Similarly, filing an STR in such circumstances would likely have limited to no benefit for the relevant FIU.
Against that background, we would suggest giving further clarity in this draft RTS on this point, perhaps by extending the “alternative measures” provision in Article 21(1) AMLR to more general cases of obliged entities being unable to comply with requirements to apply CDD measures. One example of such an alternative measure could be to consider obliged entities as having complied where they apply measures tantamount to termination (e.g., preventing a non-compliant customer from actively transferring funds, freezing an account).
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 24 matters
N26 would support giving further clarity to Article 24(d) by specifying which party(ies) must be involved in the suspected criminal activity for the provisions to be engaged. Does this provision target situations where the obliged entity's customer generates that suspicion, or where it may only peripherally involve its customer?
Article 25 matters
We suggest that Article 25(a) be extended to allow for quick cross-border information exchanges between EU obliged entities. Banks in certain jurisdictions may approach one another on an informal basis to request AFC-relevant information on customers. Although this may function well domestically, similar requests made to banks in other jurisdictions are rarely - if ever - successful. We believe the wider banking system would benefit from having such information-sharing be put on statutory footing.
Article 26 matters
As to Article 26, our view is that this provision may be operationally difficult to implement, in addition to generating friction for relatively limited gain. Certain of its requirements (e.g., certified copies, original documents) may create unnecessary, disproportionate costs for obliged entities’ customers. We also note that this may be unduly burdensome for both customers and for certain types of obliged entities such as neobanks, whose business relationships may be carried out entirely online.
Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.
Our principal concern is the extent to which external audit findings might influence breach gravity - particularly in connection with AML / CFT system and control effectiveness. N26 has on occasion observed divergent approaches from external auditors (whose expertise on assessing AML / CFT matters may vary). This has at times led to inconsistent or legally-incoherent findings, which FIs may still need to provide to their supervisors. This may put certain obliged entities into an invidious position of potentially being punished for findings by supervisors who may - understandably - choose to rely on external audit results without giving further consideration to their accuracy.