Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
Yes we do, as regards the harmonization of the process to be considered that not all required data fields can be provided by all entities. Since this will depend on the legal entities business type. Hence, this point is to be considered while establishment of the templates for data collection process.
Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.
Agreed. To highlight that when mitigating measures does not reduce the inherent risk, then inherent risk would remain as it is, but wouldn't increase. Also our recommendation is to not add the substantial risk as a new risk classification category and keep it aligned to other risk classification categories already known in AML/CTF regulations: Low, medium and high.
3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?
To be considered that not all required data fields can be provided by all type of regulated or obliged entities. Since this will depend on the legal entities business type. Hence, this point is to be considered whilst designing the templates for data collection process per obliged category and business type.
The cost is variable but materially impactful as this requires further developments in tools and systems, potentially new IT acquisitions and development and additional work on the existing data in terms of mapping and integrity. This may also lead to additional resources adequacy needs.
3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?
Number of customers with complex structure. This term can be interpreted by different legal entity's differently. It's not an objective data field. Even though all obliged legal entities are assessing the ownership structure and identifying UBOs, there is no readable data fields to retrieve the statistics of the complex structures.
Further, it's not clear what is meant by "high risk activities"? Is it about industry sector of the customers?
Further, in respect to the statistics related to correspondent relationships, in case of omnibus accounts, it's not possible to determine the value of transactions executed on behalf of the respondent client. It's not visible for entities offering omnibus account structure.
Besides depending on the business type of the legal entity, it may not be always possible to have the end respondent, UBO of the transaction in its transaction monitoring system at all. The same applies also for the following data fields:Total value of incoming funds moved on behalf of the respondent's clients by country of respondent's establishmentTotal value of outgoing funds moved on behalf of the respondent's clients by country of respondent's establishmentNumber of new customers onboarded remotely in the previous year - especially onboarding of the legal entities happens in general remotely.
3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?
NA
Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
The rationale that smaller or low risk entities are less likely to experience significant shifts in risk profile over time may not be valid at all time as a small entity can grow significantly in 3 years so the ones to be considered for the reduced frequency should just be low risk entities (regarding their activity and products).
--> It seems that this is taken into account with the ad hoc review, but issue with when this review concretely occurs.
Logically a gap in costs between the normal (each year) and the reduced frequency. But to take into account that normally, this control monitored by AMLA is direct and therefore, the local authorities that were performing the control directly will be out (+ no real added value to make 2 controls on same topics)
Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.
The annual review should remain the standard to standardise the approach and make it a fait practice
Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.
No. Assessment of the geographical risk should be attached to the risk of countries independent from EU, EEA, Third country. The cross border elements and complexities of the jurisdictional presence in HRJ or non equivalent regulatory environment should always be considered.
Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
The thresholds cannot be applied the same way to all FI due to the nature of business activities and customers type. In a post trade environment, these materiality is not relevant.
Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.
This should apply to retail or corporate banking or payment services providers but not to Investment banking, institutional investors and Securities services.
Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.
No there must be a difference for each client category and the activity and volumes are strictly different. There is also a diveregence in termes of access to the products and financial instruments.
Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.
The methodology is aiming at a standardized approach that requires further granularity to be adapted to all FI, products, services and clients base.
Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.
Disagree - Understandable that not allowing adjustment on the inherent risk might lead to an objective and consistent score.
Nevertheless, we highlighted some issues on the methodology. Therefore, it is quite certain that these issues will lead to inefficient selection if the adjustment is not allowed, specially with the methodology and thresholds chosen (thare are simple and rigid, not tailored for each type of entity).
Therefore, an adjustment should be allowed in the last steps, and institutions might choose some entities instead of others, based on AML/TF vulnerabilities (for instance, regarding the risk level of the countries an entity operate in).
Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
Agree
Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.
Does it mean that not all AML obliged entities should be included in the group risk analysis but only the one which have material activities? Will this be also applicable in general for Group Risk analysis? If not, then Parent companies should prepare two different risk analysis, one including all obliged entities the other one only including entities with material activities, which would be inefficient. What does it mean including in the group-wide perimeter excatly?
Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?
The group risk analysis should include the already assessed inherent and residual risks assessed by legal entities as part of the groups inherent risk and effectiveness of the controls of the parent company itself, since parent company has other internal safeguards as part of the obligations of a parent company. Hence, we don't agree that the parameter should be the same.
Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
Agree
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
A detailed guidance is necessary for assessment of the UBO according to the requirements of the new AML Regulation to enable the same approach within EU.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
It depends more on training of the employees performing the verification process of the customers than on eIDAS compliant solution. It's important to add the level of training to be completed by employees responsible for verification process and the condition of the verification process (e.g. closed premises.). We don't think that such remote solutions should be temporary.
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
No comments
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
No comments
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We don't agree with the last sentence. Any suspicious acitivity is anyway reported to compentent authority with or without involvement of the PeP. Hence, no need for this addition. Even though there is a unique definition for the PEP, the PEP status flag in the data sources are stricter than regulatory required (e.g., not only political positions on national, international level have PEP flag, but also local political positions).
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Addition of examples for simplified monitoring and the maximum frequency for SDD customers would be helpful. Are low risk customers at the same time SDD customers requires further clarity and a more detailed approach on the criteria to set the SDD categorization aligned with the low risk conditions.
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.
All regulated products without cash payments access and with face to face institutional or highly regulated environment such as investment banking, trading, securities services and lending.
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Ongoing monitoring: Setting up threshold for ICSD is nearly impossible as it depend on the use of products that the customer is using, it also depends on the size of the customer and its country of operations and type of activity.
Can the Senior Management consider the MLRO as part of the senior management even if not Executive Board or committee member, since MLRO may have sufficient knowledge and seniority to decide.
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Reporting obligations: This would not only have a great impact of the financial sector but also on competent authorities. What is the reason for reporting of matches or potential matches to the competent authorities. Financial sector has sufficient knowledge to assess the matches and potential matches and decide, if it's a true match or not. True matches of sanctions breaches are already reported to competent authorities. From this description it's also not clear, what kind of matches are to be reported, only sanctions, PEP, negative media?
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
No comments
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Disagree. What is the difference then to Article 6 on the verification of the customer in a non face-to-face context? Why in one case eIDAS compliance is not important in the other one it's important? The legal entities have customers from all over the world. Not all customers are using eIDAS compliant solutions. It might generate a contra-productive effect for financial markets to make this requirement obligatory.
Question 1: Do you any have comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches sets out in Article 1 of the draft RTS? If so, please explain your reasoning.
The breach has to persist over a significant period of time - what is significant - precision needed here.
We should have different assessments regarding the breach: long term breach with minor impact seems to be considered as having the same assessment than a short term breach with major impact - change and/or clarification needed.
Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches sets out in Article 2 of the draft RTS? If so, please explain your reasoning.
No comments
Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.
"Effective and timely action": it has to be moderated regarding the breach and the company's size (breach can take more time to be ended) - the cooperation and contribution should be mostly taken into account.
Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.
No comments
5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?
No comments
5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?
No comments
5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?
No comments
Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.
No comments
Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the naturals persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.
No comments
Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?
Yes and we appreciate the efforts and continuous guidance targeting a harmonized market and standardized practices although there is always a need to keep in mind the end users best interest and the market stability and entities, there must be a holistic approach with a tailored control to the type of FI and clients categories.