Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
The current AML RTS are designed to align with the EU’s new AML/CFT package, which includes the AML Regulation (AMLR), AML Directive 6 (AMLD6), and the AMLA Regulation.
These instruments are tailored to harmonize anti-money laundering efforts across the EU-27. However, this focus inherently limits the applicability and relevance of the standards to institutions operating outside the EU or those with significant cross-border operations.
While the purpose of AML legislation is well understood and its intent is beyond question, some measures appear to be too stringent, and achieving full compliance (one-size-fits-all approach) is a complex task. This creates operational and legal uncertainty for institutions engaged in international transactions.
Our group operates worldwide and, besides retail banking and corporate business, we perform KYC screening for all financial institutions in the world. However, the suggested RTS are designed mainly for retail banking and corporate business. The suggested RTS apply uniformly to all "obliged entities" without sufficiently differentiating between the types of customer (customer as natural or non-natural person, regulated and non-regulated financial institutions, etc.). Each of these entities faces distinct AML risks and employs different screening methodologies, technologies, and risk appetites.
Specifically, for financial institutions, the aspects mentioned below need to be considered and accommodated in the RTS:
- Identification and verification of natural persons, which is exclusively on a non-face-to-face basis.
- FI entities are based (besides EU/EEA countries) in other regions (e.g. Asia-Pacific, Africa, North and South America) where the legal framework differs. The legal framework in those regions often prevents fulfilling all suggested AML measures. For example, senior managing officials are reluctant to provide sensitive GDPR-protected information (e.g. providing copies of ID cards or evidence of the source of wealth of the senior managing officials may be in conflict with their national law).
- Currently, the impossibility of fully complying with the suggested RTS requirements may unavoidably, to a large extent, lead to the termination of business relationships, e.g. with large financial group entities, even though they are locally regulated entities and no other higher risk factors are identified.
Therefore, we would like to add measures that can substitute for the suggested way of verifying identification and that allow for the integration of customer- or jurisdiction-specific differences.
- A possible solution could be an option to verify the identification of natural persons who are senior managing officials of regulated bank entities outside the EU/EEA via data obtained from a public, independent and reliable source, e.g. public registers or commercial registers, and not solely via ID cards.
- Another possible solution could be a procedure where it is necessary to obtain ID cards for beneficial owners of category 1 and 2 only if another high-risk factor is identified (e.g. PEP, country of residence in a high-risk country, etc.).
- The RTS should provide detailed conditions under which compliance with some of the requirements may be waived (e.g. for regulated entities) or other measures may be substituted.
Therefore, we ask for the establishment of a system that is customised in a way that allows obligatory and necessary KYC and KYT screening to be carried out in a compliant way while taking into account the above-mentioned specificities.
In the context of the RTS concerning complex structures (Article 10), it appears that the wording does not make it clear whether it is necessary to assess the complex structure at all levels, i.e. from the ultimate beneficial owner to the screened entity and also further down the ownership structure to assess all subsidiaries of the screened entity. Would it be possible to clarify whether the findings are expected across the entire organigram, including all subsidiaries, both along the full vertical structure and any lateral branches, and to what level of detail the assessment should go? Would it be different when the other jurisdiction is inside the EU/EEA and, according to the FATF list of countries, is a low-risk country?
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
Our main concern is the system of non face-to-face identification (Article 6) and verification of natural persons, which probably makes up all of our identifications.
Countries issue ID cards under vastly different legal mandates. ID cards differ significantly in terms of data content, security features, and technology. The lack of standardization across ID systems hinders cross-border recognition. While the EU’s eIDAS regulation enables mutual recognition of electronic IDs within the EU, such frameworks are rarely implemented globally. This creates inconsistencies in how identity is established and verified across borders.
For example, in some jurisdictions (e.g., Germany, India), national ID cards are mandatory and centralized, while in others (e.g., the U.S., U.K.), there is no national ID card, and identity is verified through a combination of documents like driver’s licenses or passports.
Financial institutions operating internationally face challenges in screening and verifying identities due to inconsistent ID formats and data fields, varying levels of assurance and trust in the issuing authority, and legal restrictions on data sharing or use of foreign-issued IDs.
When also operating in regions outside the EU/EEA, it could in some cases be almost impossible to comply with all the RTS, because fulfilling them could, for the counterparty, even be against particular national laws (obtaining ID cards of all beneficial owners, senior managing officials, source of wealth, etc.), and therefore it would be necessary to terminate the business relationship.