Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

Non-Applicable

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

Non-Applicable

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

Non-Applicable

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

Non-Applicable

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

Non-Applicable

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

Non-Applicable

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

Non-Applicable

Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

Non-Applicable

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

Non-Applicable

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

Non-Applicable

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

Non-Applicable

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

Non-Applicable

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

Non-Applicable

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

Non-Applicable

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

Non-Applicable

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

Non-Applicable

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

Non-Applicable

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

In regards to Article 5 – Documents for the verification of the identity, it is important that RTS are able to foster the financial inclusion and accessibility to also non-traditional forms of documentation and not to limit consumers ability to use financial services due to the fact that they posses an official document issued by a state or public authority, but without some conditions in Article 5 (1) point a. to g. This is even more evident now with increased migration trends and ongoing movement of people due to the unstable situation on a global level. In addition, due to the fact that there still lacks a level of harmonization on the EU level when it comes to document issued across the EU Member States (PRADO base has hundred of officially issued documents - even some ID cards in certain MS does not fulfill all the conditions), conditions in Article 5 (1) point a. to g. might be opposing specific national regulations which can recognize other type of documents serving as the confirmation of identity and residence without having all aforementioned conditions.

Suggestion is to add "where available" to Article 5 (1) points a. to b. in order not to eliminate valid documents issued by public authorities and to enable financial inclusion.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

The objective is to prevent the use of the EU’s financial system for ML/TF purposes, while observing the principle of technology neutrality and enabling innovation within the EU Single Market. Imposing only a prescriptive e-IDAS Compliant Solutions based on level 1 text, i.e. eID or e-IDAS, undermines the possibility for the EU regulatory framework to adequately respond to new development of global market and new technologies and thus put EU obliged entities in uncompetitive position with other market participants who enter EU Single Market when they have already assured proper funding by doing business on other global markets which are not that restrictive towards new technologies. This is even more important now with new technologies based on AI, ML and other technologies.

The good approach to follow are the EBA's Guidelines on the use of Remote Customer Onboarding Solutions under Article 13(1) of Directive (EU) 2015/849 (EBA/GL/2022/15 - 22/11/2022).

In conclusion, the main goal should be to identify and verify the customer in accordance with general standards (e.g. using an officially issued ID card, capturing relevant data in readable mode) and this is objective to achieve, and not dictating technology per se which shall be applied in doing so. 

Thus, RTS under Article 28(1) AMLR, including the Article 6, should not favour specific technological solutions and respect the principle of technological neutrality, such as those under e-IDAS regulation which will in any case need years to become commonplace. Technological neutrality is important to foster ongoing innovation and to ensure that the AML/CFT principles and procedures set out in these guidelines remain relevant and applicable.

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

Non-Applicable

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Non-Applicable

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Non-Applicable

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Non-Applicable

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.

Non-Applicable

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Non-Applicable

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Non-Applicable

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

The exemption for low value electronic money instruments is based on a number of restrictions that are referred to as “risk mitigating measures” in AMLR Article 19(7). 

These are as follows: 

• The amount stored does not exceed EUR 150
• The instrument is used exclusively to purchase goods and services
• The instrument is not linked to another payment account and cannot be used to exchange for cash or to purchase crypto assets
• The products is subject to transaction monitoring

The proposed RTS in their current form, listing of 11 additional criteria, with the requirement for supervisors to consider each one when assessing exemption is likely to have negative effect and even lead to misalignment with level 1 text. It would be more appropriate for the risk factors to build on and generally follow risk mitigating measures mentioned already mentioned in Article 19(7) AMLR.

In addition, some risk reducing factors can be interpreted as even more stringent to those mentioned in Article 19(7) AMLR or as opposing to the Article 19(7) AMLR. Proposal to remove or change the following risk reducing factors mentioned in Article 30 (Section 7) of RTS:

• Proposal to remove - "a. The payment instrument has low thresholds to limit transaction values;" - law threshold are already clearly stated in level 1 text and shall not be lower than those in Article 19(7) AMLR, e.g. 150 EUR for the amount stored.
• Proposal to remove - "b. The payment instrument is funded in a way that the issuer can verify that the funds 
  originate from an account held and controlled solely or jointly by the customer at an EEA-regulated credit or financial institution;" - this would in essence contradict the spirit of the level 1 text, which is supposed to also cover current e-money products that are in many cases acquired in exchange for cash. In addition, this would also undermine other legislative proposals based on the EU's strategy to ensure access and acceptance of cash. Also, this criteria undermines the principle of financial inclusion due to the fact that consumers depended on cash, especially lower thresholds such as 150 EUR, are "higher risk".
• Proposal to remove - "c. The payment instrument is issued at a nominal or no charge;" - this risk factor lacks the connection with AML/CFT and is more connected with other legislative proposals such as PSD3 or PSR. How does issuance of payment instrument at a nominal or no charge reduces the risk of ML/TF?
• Proposal to remove - "d. The payment instrument can be only used to acquire a very limited range of goods or services;" - this risk factor lacks the connection with AML/CFT and is more connected with other legislative proposals such as PSD3 or PSR. There is already, mitigating measure in level 1 text, i.e. the payment instrument is used exclusively to purchase goods or services provided by the issuer, or within a network of service providers. In addition, this criteria is more connected with the LNE exemption under PSD3 and PSR which in any case will not come under radar of regulated activities carried out by obliged entities.
• Proposal to remove - "e. The payment instrument is valid only in a single Member State provided at the request of an undertaking or a public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer; " - rationale is the same as for points c. and d., this is not a question of AML/CFT, but rather PSD3 and PSR LNE exemptions.
• Proposal to remove - "g. The payment instrument has a specific and limited duration in which the payment instrument can be used;" - rationale is the same as for points c., d. and e., this is limiting the usage of payment instruments and influencing consumer rights under the PSD3 and PSR.
• Proposal to change point h. to be read as follows - "h. The payment instrument is available through channels which may include the issuer or a network of service providers which have appropriate safeguards, including fraud measures in place" - The rationale behind the exemption is to exempt certain CDD measures, more notably identification and verification of customer due to the lower risk associated with those products. The wording "including electronic signature” and “antiimpersonation” shall be deleted because a verified e-signature would become a kind of KYC which would be a contradiction to the intention of the exemption in Article 19 (7) AMLR.
• Proposal to remove - "Distribution is limited to intermediaries that are themselves obliged entities apply 
  customer due diligence measures and record-keeping requirements laid down in Regulation (EU) 2024/1624" - The non-application of due diligence obligations by an obliged entity does not lead to a lower risk than the non-application of due diligence obligations by a non-obligated person. Thus, it is unclear how this would reduce risk.
• Proposal to change point k. to be read as follows - "k. The issuer applies adequate tools, such as geo-fencing and IP tracking, to monitor the access from, transfers to or receiving funds from non-EU countries." - Both geo-fencing and IP tracking are subject to legislative restrictions (in particular under Regulation (EU) 2018/302 and Regulation (EU) 2016/679). A low risk should also be possible if the respective obliged entity complies with these restrictions.

As already stated, risk reducing factors shall follow in general the risk mitigating measures already stated under Article 19 (7) AMLR and not undermine the applicability of the exemption. Thus the following new risk factors to be considered by relevant supervisors are suggested:

• Proposal to introduce: "The issuer has measures in place to track all transactions from the point of issuance and distribution of payment instrument to the point of purchase of goods and services." - Rationale is to add transaction monitoring measures in place from the point of issuance to the point of usage as risk-mitigating measure for the whole life-cycle of the payment instrument.
• Proposal to introduce: "The issuer has measures in place that allow for an effective monitoring of the distribution channels of the e-money product in order to detect and prevent suspicious activities." - Rationale to add distributor monitoring as another risk-mitigating measure to demonstrate the low-risk nature of an e-money product on the point of distribution.
• Proposal to introduce: "The issuer has measures in place that allow for an effective monitoring of the distribution channels of the e-money product in order to detect and prevent suspicious activities." - Rationale to add merchant monitoring as another risk-mitigating measure to demonstrate the low-risk nature of an e-money product on the point of usage.
• Proposal to introduce: "The issuer has measures in place that allow for the identification of suspicious transaction patterns and behavioural profiling and allows for disabling the payment instrument in case a suspicious activity pattern is detected. Re-activation of the product can only be done by the issuer." - Rationale to add risk-mitigating measures that allow for the detection of suspicious transaction patterns and the automatic deactivation of the e-money product if such patterns occur. The re-activation of the e-money product requires prior interaction with the issuer.
• Proposal to introduce: "The issuer has adequate technological safeguards in place. Such measures could include device fingerprinting and IP address tracking to detect suspicious activity or the use of velocity checks (e.g., number of transactions in a short period)." - Rationale to add adequate technological safeguards in place. Such measures could include device fingerprinting and IP address tracking to detect suspicious activity or the use of velocity checks (e.g., number of transactions in a short period).
• Proposal to introduce: "The issuer has measures in place in order to disable a specific distributor and/or distribution channel in case of intense increase in the degree of money laundering and terrorist financing risk increase." - Rationale is to add measures in place where the issues controls the whole distribution network by being able to stop a specific distributor and/or distribution channel if needed, and which are another risk-mitigating measure.
• Proposal to introduce: "The issuer has measures in place in order to disable a specific merchant and/or merchant channel in case of intense increase in the degree of money laundering and terrorist financing risk." - Rationale is to add measures in place where the issues controls the spending patterns by being able to stop a specific merchant and/or spending channel if needed, and which are another risk-mitigating measure.

In conclusion, it is highly important that risk reducing factors are not opposing or undermining the introduced exemption under Article 19(7) AMLR, while ensuring risk reduction.

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Non-Applicable

Question 1: Do you any have comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches sets out in Article 1 of the draft RTS? If so, please explain your reasoning.

Non-Applicable

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches sets out in Article 2 of the draft RTS? If so, please explain your reasoning.

Non-Applicable

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

Non-Applicable

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

Non-Applicable

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

Non-Applicable

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

Non-Applicable

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

Non-Applicable

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

Non-Applicable

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the naturals persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

Non-Applicable

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

Non-Applicable

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

Non-Applicable

Name of the organization