Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
General remarks
EFAMA supports the efforts to strengthen the EU anti-money laundering (AML) and countering financing of terrorism (CFT) framework, to enhance harmonisation of rules across Member States, which stood behind the recently adopted AML Package. Given also the number of Level 2 and 3 mandates included therein and the short timeline within which they should be delivered, the current work conducted by the EBA will be important in supporting the Anti-Money Laundering Authority (AMLA) once it is established.
At the same time, the European asset management industry, represented by EFAMA, is concerned that the measures proposed in the Consultation Paper, and in particular in the draft RTS on CDD, are overly prescriptive and do not allow for the principle of the risk-based approach to be applied by the obliged entities. These new measures introduce additional data gathering requirements and necessary system developments, while not leveraging existing financial industry solutions and expertise. The extent of those new elements raises the question of efficiency and risks becoming a tick-the-box exercise, contrary to the principles of effective due diligence and a risk-based approach.
Moreover, it goes against the clear priorities set by the European Commission in the Competitiveness Compass. Among horizontal enablers necessary to achieve the EU's future prosperity and competitiveness, the Compass includes simplifying the regulatory environment, reducing the burden, and favouring speed and flexibility. The approach presented in the Consultation Paper also goes against the Commission’s plan to increase financial inclusion and investors' participation in financing the economy.
With the technical details of this new AML framework being currently discussed, we believe that the proposed level of prescriptiveness could end up being a missed opportunity to introduce an effective, efficient and proportionate AML/CFT framework. Therefore, in our response to the Consultation Paper, we present multiple solutions for rationalising the proposed technical standards, with particular emphasis on Art. 21 of the draft RTS on CDD.
Response to question 1
It is challenging to assess the proposed approach in its entirety when important elements such as the weights that will be applied to each risk indicator are not available. In any event, such an approach should be better tailored to the specific characteristics of different types of obliged entities. A uniform methodology may not reflect the particular risk exposure and internal controls across diverse entities, which could lead to inconsistencies in risk classification.
On a separate matter, the draft RTS on Risk Assessment must reflect the supervisors' obligation to provide each entity with the risk classification rating on an individual basis and allow them to challenge or comment on it.
Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.
We agree.
3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?
Response to question 3
While the asset management industry is ready to provide available data, the concern is that the proposed data points and their granularity are not aligned with the actual business activities of obliged entities. If that were the case, not only would they require significant changes in the processes and systems, but they could also become an unnecessary regulatory obligation with significant implementation costs that would not allow for a proper assessment of the inherent and residual risk profile of obliged entities. Now that simplification and burden reduction constitute a significant focus of the European Commission's Savings & Investments Union strategy, it is not consistent to introduce provisions that will likely lead to an additional reporting obligation.
For example, in the case of the asset management industry and for the vast majority of investment funds, the data point “Number of retail investor customers/Number of professional investor customers” wouldn’t be possible to provide if the data point refers to the customers of the intermediaries. This is due to the specificities of the industry, which highly depends on the use of intermediaries, as we explain in our response to question no. 6 under the draft RTS on CDD. As illustrated also by section 16.14. b) of the EBA ML/TF Risk Factors Guidelines, in fact it would be the intermediary who would often be the fund's customer. As a result, and in particular in the case of UCITS funds, the management company won’t be able to provide data on the number of intermediary’s retail investor customers as it won’t be in its possession.
Moreover, data points relating to non-EEA countries would not necessarily indicate a higher ML/TF risk, as many of the non-EEA countries would not be associated with such risk. Likewise, EEA countries do not guarantee a low ML/TF risk. Also, the country's risk level is not necessarily a precondition to the level of risk that should be associated with the customer, as there can be low-risk customers from high-risk countries (e.g. pension schemes) and vice versa. Therefore, these data points do not serve well the objective of identifying the inherent and residual risk level of the obliged entity.
Furthermore, data points allowing for subjective assessment, i.e., those not linked to an automated score, would not serve the purpose of uniform evaluation of the obliged entities and their risks. It is quite probable that they will not be assessed using the same methodology and would not provide comparable results.
Therefore, it is of utmost importance that all of the proposed data points are tested and checked in a practical exercise that will involve a representative group of entities from all sectors and a sufficient number of Member States.
Response to question 3a
In the short to medium term, some data points will not be available as they were not previously recorded in the systems of obliged entities.
In the long term, to adapt their database to the new obligations, obliged entities will have to: (i) conduct a gap analysis, (ii) conduct an analysis of currently used systems and to what extent they can be used for new obligations, (iii) design and implement new solutions or update the old ones, and (iv) review manually all existing relationships to fill in the missing parts of the database. Completing these tasks will require significant costs, human resources, and time.
3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?
As mentioned in our response to question 3, the best way to get clarity in this regard would be to conduct a practical exercise with a sufficiently wide group of entities. Not only do particular industries differ in the data that would usually be available, but significant differences can also be seen between particular Member States.
3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?
Non-Applicable
Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
EFAMA is of the opinion that an annual review for the normal frequency is too high, and the rationale for it is not clear. With the further steps of the procedure to be conducted, it is possible that once one review is finalised, another will already have to be initiated. It will add to the costs borne by the industry, as well as the supervisors, which will ultimately be paid by the sector, and in the case of the asset management industry, ultimately by the investors.
Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.
We question the relevance of the criterion referring to the total number of full-time equivalent employees. We do not believe it to be a good indicator that would justify a reduced frequency for reviewing the entity's risk profile. The main impact would be the narrower scope of entities that could be subject to the reduced frequency review.
Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.
We would like to point out the comments provided in our response to question no. 3 regarding the data points that relate to non-EEA countries. Indeed, the fact that a country is non-EU/EEA does not necessarily entail a higher risk. Nor does the fact that a country is in the EU/EEA necessarily equate to a low-risk scenario. The same rules will apply in this regard; therefore, we do not believe the proposed distinction will bring much added value.
Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
As in the case of the draft RTS on CDD, EFAMA believes it is crucial to take into account the specificities of the asset management industry and the significant implications this draft RTS on Selection might have on it.
Management companies and AIFMs, as well as the funds that they manage, can be domiciled in one Member State; however, units/shares of the funds are made available for subscription to customers across various Member States and third countries. In the EU this is possible through the marketing passport established both in Chapter XI of UCITSD and Art. 32 of AIFMD. While not required by the provisions of these directives (Article 92(2) of UCITSD provides that “Member States shall not require UCITS to have a physical presence in the host Member State or to appoint a third party for the purposes of paragraph 1”), managers often establish branches whose main or only purpose is to market these products in particular jurisdictions. The extent to which this is a common practice is well known to ESMA, as such activity has to be notified not only to national competent authorities but also to ESMA. These branches usually do not have a legal personality and do not act as distributors based on a separate marketing licence. All of their activities are being done on behalf of the funds and/or the management company domiciled in another EU jurisdiction, with the business relationship between the customer and the fund also being governed by the law of the jurisdiction where the main office of the manager is located and where all AML obligations are also being conducted.
Therefore, we are of the opinion that these types of branches cannot be treated as an establishment under the provisions of AMLAR or be classified under the freedom to provide services. As was explained in Recital 28 of AMLR, “It is important that AML/CFT requirements apply in a proportionate manner and that the imposition of any requirement is proportionate to the role that obliged entities are able to play in the prevention of money laundering and terrorist financing.” Accordingly, as long as the role of those branches is not related to the execution of the AML/CFT control framework (e.g. client take-on, transactions or payments), we consider they should not be taken into account when selecting entities for the direct supervision by AMLA.
We would also like to highlight the magnitude of entities that could fall under the direct supervision should the materiality thresholds be too low. Article 1(1) of the draft RTS on Selection provides two materiality conditions, with the fulfilment of just one of them being sufficient for the activities of the financial institution carried out in a Member State to be considered for the selection of the entity for the direct supervision by AMLA. In the case of the asset management industry, where intermediaries should be treated as customers (according to the more detailed explanation provided in our response to question no. 6 on the draft RTS on CDD), the possibility of reaching a number of 20,000 customers per Member State is not very common. On the other hand, reaching a value of 50,000,000 EUR of incoming and outgoing transactions generated by customers in one Member State would be very probable, in particular if subscriptions and redemptions coming into the fund are not netted but accumulated. This is because in funds, particularly in the open-ended ones, but this may also apply to closed-ended funds (generally reserved for professional/institutional clients), the number of underlying clients subscribing to a fund through an intermediary can go into hundreds of thousands. Moreover, these clients are free to subscribe and redeem units or shares on a daily basis, which creates daily outflows and inflows to the fund.
Therefore, we are of the opinion that one additional criterion should be added to clarify that the activities mentioned in Art. 12(7) of AMLAR refer only to those activities that are related to the AML/CFT control framework. Further to that, we also believe that the thresholds should be reviewed to adapt to specific industry sectors, as well as met cumulatively in a particular Member State, in order for it to be considered as one of the Member States mentioned under Art. 12(7) AMLAR.
We would propose the following wording for Art. 1(1) of the draft RTS on Selection:
“The activities of a credit institution or a financial institution under the freedom to provide services in a Member State other than where it is established shall be considered material for the purposes of meeting the conditions of Article 12(1) of Regulation (EU) 2024/1620, where:
a) those activities are related to the execution of the AML/CFT control framework (for example customer onboarding);
b) the number of its customers that are resident/domiciled in that Member State is above […]; and
c) the total value in Euro generated by the customers referred to under letter (a) is above […]”.
Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.
Please see our response to question no. 1 above.
Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.
We do not believe a distinction should be made. Please also see our response to question 1 above.
Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.
In order to avoid duplications, we consider that the risk rating already assigned by each competent authority in accordance with article 40(2) of AMLD should not be replicated by AMLA. The assessment made by each competent authority should be duly taken into account for this purpose.
Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.
No comment.
Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
Please see our response to question no. 1. As in the case of individual entities, also in the case of groups, the assessment should be limited to the entities that are obliged entities under the AML framework and carry out activities related to the execution of the AML/CFT controls.
Therefore, we propose for “N” in the formula provided under Art. 5(2) of the draft RTS on the Selection to be given the following wording:
“N: number of obliged entities in the group carrying out AML/CFT controls”
Moreover, the second threshold proposed under Article 5(2) of the draft RTS on Selection (i.e. “the total amount in Euro of incoming and outgoing transactions”) may be difficult to calculate or not relevant for certain types of businesses, such as the investment fund industry.
Therefore, we suggest deleting it.
Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.
Please see our response to question no. 6 above.
Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?
Please see our response to questions no. 1 and 6 above.
Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
No comment.
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
General remarks
As a general remark on the draft RTS on CDD, we would like to point out that it greatly limits the possibility to apply a risk-based approach to customer due diligence (CDD). While we understand and support the need for more harmonised efforts in the area of AML/CFT measures across the EU, the risk-based approach remains the core principle of the framework, as also highlighted in the recitals of AMLR. According to recital 29 of AMLR: “In line with the risk-based approach of this Regulation, those policies, procedures and controls should be proportionate to the nature of the business, including its risks and complexity, and the size of the obliged entity and respond to the risks of money laundering and terrorist financing that the entity faces, including, for crypto-asset service providers, transactions with self-hosted wallets.” Moreover, we believe that Art. 28(1)(b) and 33(1)(e) of the AMLR have been subject to overly restrictive interpretation, which has significantly limited the possibility to identify and define simplified measures for specific sectors. Particularly, we believe that some of the proposed rules are not possible to apply to the asset management sector, due to its specificities described in more detail under our response to question no. 6.
Referring now specifically to Section 1 of the Draft RTS on CDD:
We would like to raise the need for more clarity regarding to whom these provisions will apply. Articles 1-5 indicate when they refer to “natural persons” and when to “legal entities”, directly or by mentioning relevant points of Art. 22(1) of AMLR. This is not the case for the following articles, which apply to “customers” or “persons purporting to act on behalf of customers”. These terms were not defined under the draft RTS on CDD, nor was a definition established under the AMLR. These circumstances do not bring clarity, particularly in the case of Art. 6 of the draft RTS on CDD, where only paragraph 5 specifically stipulates that it applies to non-natural persons. While it could be interpreted a contrario that all the other paragraphs refer only to natural persons, more clarity would be beneficial to the appropriate application of these rules.
Moreover, in the case of different sectors of the financial industry and even in the case of different products offered by the same financial entities, different persons would be understood as their customers. This would particularly be the case in situations when multiple parties are involved. As explained in more detail under our response to question no. 6 below, in the case of the investment funds industry, the intermediaries would often be the customers of the fund. In such a context, the FATF clarifies in its Guidance for a Risk-Based Approach for the Securities Sector (para. 48 and 100) that: “Depending on how the investment fund is sold, with whom the business relationship is established or who is registered in the fund’s share/units register, the investment fund may be required to treat an underlying investor as its customer or the intermediary as its customer”. The EBA has acknowledged this particular case in its ML/TF Risk Factors Guidelines, section 16.9. b), where it provides that risk can be reduced in cases where “the customer is a firm subject to AML/CFT requirements that are not less robust than those required by Directive (EU) 2015/849”.
We are of the opinion that this recognition was an important achievement in understanding the complexities of different segments of the financial industry and how they impact the ML/TF risks caused by these business relationships. We believe that this additional clarity will be beneficial to a harmonised implementation of the new AML Package and, therefore, we urge EBA to include it in the recitals of the draft RTS on CDD.
It would be beneficial to provide obliged entities with more clarity, also by defining the term “persons purporting to act on behalf of the customer”. It would help ensure harmonisation and avoid divergent interpretations among Member States. Particularly in the case of legal entities, the group of individuals participating in the entity's operations can be very broad (directors, other employees etc.). In the case of bigger legal entities, such as financial institutions: (i) the lists of authorised signatories are long and subject to frequent changes, (ii) out of those individuals included on those lists, many may never have any interaction with the obliged entity, and (iii) requesting information such as nationality or place of residence may not be possible and could go against their right to privacy, given that these persons will be merely representing the legal entity and not acting in their own interest. Applying a full identification and verification process on all of them would be excessive and ineffective in battling financial crimes. Therefore, we believe that the definition should include those persons who are external to the customer (are not employed) and act based on a proxy or power of attorney.
Therefore, we would propose the following definition to be included in the draft RTS on CDD:
‘person purporting to act on behalf of the customer’ means (i) legal representative(s) of a customer who is an unfit natural person, or (ii) any legal or natural person, other than an employee or senior managing official of a legal person, authorised to act on behalf of the customer pursuant to a mandate, or proxy agreement
Information to be obtained in relation to the addresses (Art. 2)
We would like to highlight that the data points specified under Art. 2 of the draft RTS on CDD are too prescriptive and would not be possible to apply in the context of different jurisdictions where address conventions differ. As such, it is not always possible to provide postal codes, city names or street names, especially in a non-EU context.
Moreover, such an approach does not seem entirely appropriate from the perspective of legal entities and other institutions. Also, in the case of persons purporting to act on behalf of a customer that is a legal entity or for senior managing officials being identified as the ultimate beneficial owners and acting solely in their professional capacity, not all of the proposed details are necessary.
Therefore, we would propose the following wording for Art. 2 of the draft RTS on CDD:
“1. The information on the addresses as referred to in Article 22(1)(a) point (iv) and 22(1)(b) point (ii) of Regulation (EU) 2024/1624 shall consist of the full country name and where appropriate postal code, city, street name, building number and the apartment number.
2. In the case of persons purporting to act on behalf of a customer that is a legal entity or a Senior Managing Official who is identified as the ultimate beneficial owner and acts in its professional capacity, the address of the registered office of the legal entity will be sufficient.”
Specification on the provision of the place of birth (Art. 3)
The currently proposed provision of Art. 3 requires information on the place of birth, including both the city and the country's name. We believe this is too prescriptive, as not all data is always available in documents such as IDs or passports. We are also unaware of any added value that having the city and the country name in all cases will bring for the AML/CFT purposes.
This will also create an issue in terms of Art. 5(1) and the set of information that is required on a document for identity verification purposes. Information on the full place of birth (i.e. both the city and the country) would not be included in national IDs or driving licences. It is impossible to expect countries to change the documents they issue because of the AML/CFT requirements. This is true for the EU Member States and even more so for third countries.
Therefore, we would propose the following wording for Art. 3 of the draft RTS on CDD:
“The information on the place of birth as referred to in Article 22(1)(a) point (ii) of Regulation (EU) 2024/1624 shall consist of the city or the country name.”
Specification of nationalities (Art. 4)
Article 4 of the draft RTS on CDD requires that obliged entities shall obtain necessary information to “satisfy themselves that they know of any other nationalities their customer may hold.” This obligation is very impractical, given that obliged entities do not have access to any database that will give them such satisfaction, and identification documents, such as passports or IDs, for obvious reasons inform only about the nationality of one country.
Therefore, we would propose the following wording for Art. 4 of the draft RTS on CDD:
"For the purposes of Article 22(1)(a) point (iii) of Regulation (EU) 2024/1624 obliged entities shall take reasonable measures to obtain necessary information about any other nationalities their customer may hold."
Identity verification (Art. 5)
EFAMA believes that paragraph 5 of Art. 5, which requires that the obliged entity be provided with “original identity document, passport or equivalent, or a certified copy thereof (…)” is excessive and does not allow the obliged entities to apply a risk-based approach.
It is also not in line with provisions of the AMLR, which in Art. 22(6)(a) do not include the requirement of only originals or certified copies to be provided. Instead, it refers to “the submission of an identity document, passport or equivalent and, where relevant, the acquisition of information from reliable and independent sources, whether accessed directly or provided by the customer”, which we believe gives much more room for the obliged entities to decide on how this submission and acquisition will take place, in accordance with the identified level of ML/TF risk.
From a retail customer perspective, the obligation to provide an original document or certified copy will highly increase the costs borne by the customers, as they will be the ones who would have to acquire and provide such a copy for themselves, their beneficial owners or persons purporting to act on their behalf. This will be even more challenging for customers from third countries. Our understanding is that the AML Package aimed to enhance the security of the system, and not disincentivise customers from using services provided by the EU financial sector.
Such an approach would contradict the EU efforts to encourage retail investors to use financial products in the EU and the recent works of the FATF in its consultation on Updated FATF Guidance on AML/CFT measures and financial inclusion, that underscore the importance of financial inclusion. According to FATF, it is an essential element of the AML/CFT system as it “enhances financial sector transparency and integrity by increasing the reach and effectiveness of AML/CFT measures that help keep criminals out of the financial system and facilitate law enforcement investigations” (para. 26). The FATF highlights also the importance of a risk-based approach, as “applying overly cautious, non-proportionate AML/CFT safeguards when providing financial services and products can exclude legitimate consumers and entities from the regulated financial system (…)”.
Moreover, a risk-based approach must be applied when collecting IDs to avoid unnecessary costs and burden. The effort and focus of obtaining IDs in original and/or certified form should be required only in case of inconsistencies or doubts about the customer’s actual identity. In particular, document certification is solely one of the numerous measures (and certainly not the most effective) an obliged entity can take to verify the obtained information.
The approach proposed in Art. 5(5) of the draft RTS on CDD will be simply not possible to achieve in the case of some sectors of the financial industry, which operate in a significantly different manner than the banking industry. A good example is the asset management industry, which we describe in more detail under the response to question no. 6 below. Due to the specificities mentioned there, the verification of the customer’s identity rarely happens in person, and most customers are institutional investors. As such, the asset management industry won’t be able to apply the rules of Art. 5(5) to its customers. Also, in the case of retail investors who would be direct customers of the fund (which is not typical for most of the asset management industry), identity verification would always happen first at the bank level. This is because subscriptions through cash do not exist in the fund reality, and any payments to the fund and then to the investor always occur through a bank account.
Therefore, we would propose the following changes in Art. 5(5) of the draft RTS:
“5. For the purpose of verifying the identity of the person referred to in Article 22(6) of Regulation 2024/1624, the obliged entity shall gather, from these persons or from other reliable sources, an identity document, passport or equivalent. In case of customers posing a higher risk of ML/TF obliged entities shall adopt appropriate mitigation measures, such as, for example, those referred under Article 6.”
Understanding the ownership and control structure of the customer (Art. 10)
EFAMA is also of the opinion that the approach taken in Art. 10 of the draft RTS on CDD is excessive and does not allow for the application of a risk-based approach, as it requires specified information to be obtained concerning all legal entities and/or legal arrangements between the customer and his beneficial owners. Many multilevel structures are created for business and operational reasons, and gathering all of the listed information will be unnecessary for the purpose of understanding the ownership and control structure of the customer. The approach here should depend on the complexity of the structure and the ML/TF risk it poses.
In the asset management industry, which we describe in more detail under our response to question no. 6 below, it is common to find layers of intermediaries between the fund and investors (who are customers of the intermediary). These intermediaries are mainly banks or other financial entities that help investors invest in the funds and optimise costs and charges to provide them with lower fees. Given the characteristics of entities existing in the chain and the low level of ML/TF risk they could create, we do not believe that acquiring all of the information mentioned in Art. 10 regarding intermediaries at each level would be justified.
Moreover, collecting additional information would create operational and technological burdens. Additional names would need to be recorded, kept updated and screened, requiring time, economic resources and often technological developments, without mitigating any actual ML/TF risk.
In such circumstances, we believe that to fulfil the requirements of Art. 62 of AMLR, it is sufficient for the obliged entity to understand the structure existing between the customer and the beneficial owner by collecting the names of entities in between and the percentage of their ownership. Any more detailed information on those entities could be required in cases where a higher level of ML/TF risk would be identified or they would exceed the threshold for beneficial ownership under Art. 52(1) of AMLR.
Therefore, we would propose the following wording for Art. 10 of the draft RTS on CDD:
“1. For the purposes of understanding the ownership and control structure of the customer in accordance with Art. 20(1)(b) of Regulation (EU) 2024/1624, where the customer’s ownership and control structure is complex and posing a higher risk of ML/TF, obliged entities shall obtain the following information:
a. a reference to the legal entities and/or legal arrangements functioning as intermediary connections between the consumer and their beneficial owners owning more than 25% within the customer structure, if any;
b. with respect to each legal entity or legal arrangement within the referred intermediary connections, the legal form of each legal entity or legal arrangement; the jurisdiction of incorporation or registration of the legal person or legal arrangement, or, in the case of a trust, the jurisdiction of its governing law;
c. information on the regulated market on which the securities are listed, in case a legal entity in an intermediate level of the ownership and control structure has its securities listed on a regulated market, and the extent of the listing if not all the legal entity’s securities are listed on a regulated market.
2. Obliged entities shall assess whether the information included in the description, as referred to in Article 62(1) of Regulation (EU) 2024/1624, is plausible, there is economic rationale behind the structure, and it explains how the overall structure affects the ML/TF risk associated with the customer.”
Complex structures (Art. 11)
Similarly, the proposed provisions of Art. 11 of the Draft RTS on CDD would result in the vast majority of ownership structures being treated as complex, as multinational companies and medium/large financial entities typically have multiple layers of ownership, and in the majority of cases, in different jurisdictions. We do not believe this was intended by the AML Package, and again would not be in line with the level of ML/TF risk posed by those structures. In fact, due to the vast majority of structures being recognised as complex, it could make it easier for those truly complex to be less visible. Therefore, we do not believe that Art. 11 is in line with the principle of a risk-based approach. It also doesn’t leave room for a different approach to entities with a clearly lower ML/TF risk, due to the highly regulated industry in which they operate (e.g., financial institutions) or the fact that they are publicly listed companies.
Firstly, the proposed number of “two or more layers between the customer and the beneficial owner” is disproportionately low. In the case of the asset management industry, there can be multiple layers of entities in the intermediary chain; however, as they would all generally be regulated financial entities, the ML/TF risk posed would remain low. Therefore, not only should the number of layers that would be considered as indicating a complex structure be left for the decision of the obliged entity, according to its risk-based analysis, but also the fact that those are regulated financial entities should exempt the structure from being treated as complex.
Furthermore, the proposed conditions, if applied separately, also don’t justify treating such structures as complex. In particular, the mere fact of registration in different jurisdictions doesn’t justify such classification in today's world, where markets and businesses are very interconnected. These jurisdictions could include different Member States of the EU or other countries that uphold the same AML/CFT standards. Immediate classification of such structures as complex could disincentivise further integration and international collaboration.
Therefore, we would propose the following wording for Art. 11(1) of the draft RTS on CDD:
“1. To understand the ownership and control structure of the customer in accordance with Article 20(1)(b) of Regulation (EU) 2024/1624, obliged entities shall treat an ownership and control structure as complex where there are multiple layers between the customer and the beneficial owner and in addition, two of the following conditions are met:
a. there is a legal arrangement in any of the layers having no rationale in the structure;
b. the legal arrangements/ legal entities present at any of these layers are incorporated or domiciled in a jurisdiction included in the EU list of non-cooperative jurisdictions for tax purposes;
c. there are nominee shareholders and/or directors involved in the structure;
d. there are indications of non-transparent ownership with no legitimate economic rationale or justification.”
Information on Senior Managing Officials (SMOs) (Art. 12)
EFAMA would also like to highlight that the level of ML/TF risk that can be associated with SMOs is not the same as the potential risk that could be associated with beneficial owners (BOs). Firstly, the SMOs, unlike the BOs, do not hold ownership interest over the company and do not control it through that ownership or via other means. If they did, they would have to be identified as BOs. Instead, and according to Art. 63(4) of AMLR, their details are being provided in cases where it was not possible to identify BOs or their identification is uncertain. Secondly, as these are persons who exercise executive functions within the legal entity, their identity has already been verified multiple times, as they would usually have to perform actions vis-à-vis multiple national authorities, such as tax or national registers. Due to the same reasons, their important details are usually available through reliable and independent sources of information, mentioned under Art. 22(6)(a) of AMLR.
Therefore, it does not seem justified to require the same set of information and verification rules for SMOs as for BOs. According to Art. 63(4)(b) of AMLR, the details that are to be collected on SMOs are to be equivalent to those required under Art. 62(1), second subparagraph, point (a). It does not refer to all the information listed for BOs' identification under Art. 62. Moreover, the article clearly refers to “equivalent” information, which does not mean “the same”.
Particularly, we believe that requiring a CEO of a big company to provide his ID would be disproportionate, as his data and identity can be easily retrieved through the relevant company’s registers. Moreover, acquiring information about his residential address will meet a strong and justified objection due to privacy and security reasons. This data is neither necessary nor commensurate with the limited ML/TF risk that he would pose. As a result, this overburdening obligation can have far-reaching implications, discouraging international companies from using the services of EU financial entities.
Therefore, we would propose the following changes in Art. 12 of the Draft RTS on CDD:
“In relation to senior managing officials as referred to in Article 22(2) second paragraph of Regulation (EU) 2024/1624, obliged entities shall:
a. collect information for identification purposes; and
b. verify the identity of senior managing officials using risk-sensitive measures.”
Alternatively, we propose that the solutions provided under Art. 19 of the draft RTS on CDD apply to SMOs in all circumstances and not only low-risk situations.
Identification and verification of beneficiaries of trusts (Art. 13 and 14)
We would like to highlight that unlike Art. 13, where at least paragraph 2 provides for risk-sensitive measures to be taken while ensuring that timely updates are provided, Art. 14 of the draft RTS on CDD does not include elements introducing necessary proportionality.
Therefore, we would propose the following wording for Art. 14(2) of the draft RTS on CDD:
“2. To comply with paragraph 1, obliged entities shall take risk-sensitive measures to:
- obtain sufficient information about how and in which ways the power of discretion can be exercised by the trustee(s);
- establish whether trustees have exercised their power of discretion and appointed one or more beneficiaries from amongst the objects of power or whether the default takers have become the beneficiaries due to the trustees’ failure to exercise their power of discretion.”
We also note that Art. 13 may not foresee certain situations, for example, in a case where a trust will designate the beneficiary only when a new child/grandchild is born.
Therefore, we would propose the following wording for Art. 13(1) of the draft RTS on CDD:
“1. For the purposes of Article 22(4) of Regulation (EU) 2024/1624, the information obliged entities shall collect includes:
- a description of the class of beneficiaries and its characteristics, which shall contain sufficient information to allow the obliged entity to determine whether individual beneficiaries are ascertainable and shall be treated as beneficial owners at the point of payment request; and
- relevant documents to enable the obliged entity to establish that the description is correct and up-to-date on a risk-based approach.”
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
With the increased use of online services in the financial industry, non-face-to-face interactions have become a standard business practice in many countries. Such circumstances can potentially be an example of a higher risk scenario; however, not in cases where other mitigating factors or measures apply. In the asset management industry, for example, the majority of interactions happen in a non-face-to-face context. Nevertheless, the ML/TF risk is considered to be low in most cases, given that most fund customers will be institutional/regulated entities. Therefore, as already highlighted in our general remarks, it is essential that obliged entities are allowed to apply a risk-based approach, also in the context of non-face-to-face interactions. We do not believe this is possible under the proposed provisions of Art. 6 of the Draft RTS on CDD.
Article 22(6) of AMLR provides two means for the verification of customers’ (and other persons') identity: submission of a document or acquisition of information from reliable and independent sources under letter (a) or the use of electronic means under letter (b). AMLR doesn’t favour one solution over the other, irrespective of whether the verification takes place in person or not, leaving the obliged entity the possibility to choose the best approach. On the contrary, Art. 6(1-2) of the draft RTS on CDD creates a clear preference for the use of electronic identification means, allowing obliged entities to acquire documents only if the “solution described in paragraph 1 is not available, or cannot reasonably be expected to be provided”. We believe that this approach goes against the logic of Art. 22(6) of AMLR and against the principle of a risk-based approach. While in some cases of high risk it might be justified to verify the identity of a natural person by the use of e-IDAS, in low risk circumstances it would be highly excessive. In instances where customers are mainly institutional/regulated entities, verification through documents or information coming from other reliable and independent sources would be sufficient. This is also because legal entities are usually registered in national registers, and there are other, publicly available sources of information on their affairs (particularly if these are public companies listed on stock exchanges).
Also, in a broader context, such a strong preference for solutions such as e-IDAS is not sustainable. It is unrealistic to expect that all natural persons will have access to e-IDAS, as the uptake of those solutions in Member States is not sufficient. It also discriminates against customers from third countries, where the e-IDAS Regulation does not apply. Therefore, we do not think that the use of other solutions can be considered only as temporary, and there should always be other permissible ways to verify customer’s identity in a non-face-to-face context.
We would also like to highlight issues with the conditions proposed for remote solutions under paragraphs 3-6 of Art. 6 of the draft RTS on CDD.
First of all, the rationale for obtaining the customer’s explicit consent to verify his identity in line with paragraph 3 is not clear. It has not been required under the EBA Guidelines on Customer Remote Onboarding. It is also not an obligation under the provisions of AMLR, and the Consultation Paper falls short of providing any arguments behind it. Given that the purpose of the identity verification is for the verified person to get access to a financial product, and as such cannot be made without their active participation, an obligation to obtain explicit consent seems highly excessive. It will become an additional element in the already complicated onboarding process, which doesn’t add value to the AML/CFT purposes.
Secondly, the safeguards included in paragraph 4 seem too far-reaching and do not consider the specificities of different sectors, particularly those that operate in a different manner from the banking industry. The reference to audiovisual communication in letter b, or connection interruptions in letter c, seem to favour live data streams. As such, they highly limit the choice of technological solutions that could be used. This is unjustified and also goes beyond the approach that was previously established by the EBA Guidelines on Customer Remote Onboarding, which allowed for much more flexibility, leaving the choice of technological solutions to the industry.
In particular, these requirements will not be suitable for the identification of legal entities and natural persons acting on behalf of them. In the case of the asset management industry, for example, where in many cases other financial institutions acting as intermediaries will be considered as customers (more on that under our response to question no. 6), it is common to acquire a list of authorised signatories with reproductions of their IDs or signatures. Those lists can include multiple individuals (sometimes running into the tens or hundreds). Verifying each of them via the remote solutions would not be in line with the risk-based approach and would significantly delay the onboarding process. It would have negative implications on the current business model of the majority of investment funds, which could further stifle the development of the EU capital market. Therefore, in those cases, only paragraph 5 should apply.
Therefore, we are of the opinion that the following changes to the wording of Art. 6 are necessary:
“1. To comply with the requirements of Article 22(6) of Regulation (EU) 2024/1624 in a non-face-to-face context, obliged entities shall:
(a) apply additional and appropriate measures, on a risk-based approach, to mitigate the inherent higher risk that this type of customer relationship may present; or
(b) use electronic identification means, which meet the requirements of Regulation (EU) 910/2014 with regard to the assurance levels ‘substantial’ or ‘high’, or relevant qualified trust services as set out in that Regulation.
2. Alternatively to the solutions described in paragraph 1, obliged entities may acquire the customer’s identity document (or equivalent) using remote solutions that meet the conditions set out in paragraphs 3-5 of this Article. Such solutions shall be commensurate to the size, nature and complexity of the obliged entity’s business and exposure to ML/TF risks.
3. Obliged entities shall ensure that the remote solutions described in paragraph 2 use reliable and independent information sources and include where suitable the following safeguards regarding the quality and accuracy of the data and documents to be collected:
a. controls ensuring that the person presenting the customer’s identity document (or equivalent) is the same person as the person on the picture of the document;
b. the integrity and confidentiality of the communication with the person should be adequately ensured;
c. any images, video, sound and/or data are captured in a readable format and with sufficient quality so that the customer is unambiguously recognisable;
d. where applicable, the identification process does not continue if technical shortcomings or unexpected connection interruptions are detected;
e. the information obtained through the remote solution is up-to-date;
f. the documents and information collected during the remote identification process, which are required to be retained, are time-stamped and stored securely by the obliged entity. The content of stored records, including images, videos, sound and data shall be available in a readable format and allow for ex-post verifications.
4. Where obliged entities accept reproductions of an original document, for customers that are not natural persons, and do not examine the original document, obliged entities shall take steps to ascertain that the reproduction is reliable. Where available, during the verification process, obliged entities shall verify the security features embedded in the official document, if any, such as holograms, as a proof of their authenticity. Such steps shall be undertaken on a risk-based approach, and, in particular, limited to cases where the obliged entity has grounds to question the reliability of the reproduction so obtained.
5. Obliged entities using remote solutions shall be able to demonstrate to their competent authority that the remote verification solutions they use comply with this article.”
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
Non-Applicable
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
- Identification of the purpose and intended nature of the business relationship or the occasional transaction (Art. 15)
The reference to the wider group under Art. 15(c) of the draft RTS on CDD is unclear in the case of the investment fund industry.
Therefore, we would propose the following changes in Art. 15(c) of the draft RTS on CDD:
“c. whether the customer has additional business relationships with the obliged entity or its wider group, where applicable, and the extent to which that influences the obliged entity’s understanding of the customer and the source of funds; and”
- Understanding the purpose and intended nature of the business relationship or occasional transaction (Art. 16)
While the proposed Art. 16 of the draft RTS on CDD allows for risk-sensitive measures to be taken by obliged entities, the list of information to be obtained is excessive, especially if it is expected to be collected in all circumstances. In particular, in the case of the asset management industry, the purpose of the relationship and the nature of the transaction are limited to long-term investment.
Therefore, we believe that the introductory part of Art. 16 of the draft RTS on CDD should have the following wording:
“When obtaining information in accordance with Article 25 of Regulation (EU) 2024/1624 obliged entities shall take risk-sensitive measures to obtain the following information where relevant:”
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 17(1)(b) of the draft RTS on CDD requires that, for existing customers (and other persons), a determination be made whether they have become PEPs at least if significant changes in the customer due diligence data occur. As examples of those significant changes, “nature of the customer’s business, employment or occupation” are listed. This approach does not allow for the application of a risk-based approach. Moreover, we believe that such changes do not necessarily expose the customer to reclassification as a PEP.
Therefore, we would propose the following change in Art. 17(1)(b) of the draft RTS on CDD:
“b. determine whether existing customers, the beneficial owner of the customer and where relevant, the person on whose behalf or for the benefit of whom a transaction or activity is being carried out have become politically exposed persons, with a frequency determined on a risk-based approach and at least if significant changes in the customer due diligence data occur, such as the nature of the customer’s business, employment or occupation where relevant; (…)”
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
- Sectoral simplified measures: Collective investment undertakings (Art. 21)
EFAMA appreciates the recognition given to the lower ML/TF risk posed by the asset management industry, which was expressed in Art. 21 of the draft RTS on CDD, which applies simplified measures to Collective Investment Undertakings (CIUs). At the same time, further considerations are required for the framework to reach its purpose. Therefore, below we explain in more detail the specificities of the fund industry and how they minimise the ML/TF risk and affect the ability of obliged entities such as CIUs to fulfil the AML obligations on CDD.
Investment funds (UCITS and AIFs) are mainly subscribed by end clients with the help of intermediaries, e.g., banks or brokers. In such cases, units/shares in the fund are usually registered and held in the name of the financial intermediary on behalf of the underlying clients (I Scenario). These clients can be retail or professional, such as other financial institutions, which can also pool proceeds from their underlying investors.
As a result, in such a scenario, only the intermediaries are recognised as the fund’s customers and not the underlying clients of the intermediaries. As the intermediaries’ clients are not customers of the fund, intermediaries are most often prevented from disclosing data gathered during the client onboarding, by data protection and professional secrecy obligations. As a result, these circumstances prevent investment funds and their managers from identifying end investors and verifying their identity based on KYC documents. In such a case, the fund performs CDD obligations on the intermediary and would be unable to systematically identify and verify natural persons on whose behalf the transaction is being conducted. As intermediaries are most often AML obliged entities, they are already subject to AML/CFT supervision by competent authorities and conduct full CDD measures on their underlying clients. They also provide competent authorities and relevant BO registers with accurate and up-to-date information. Due to these arrangements, ML/TF risk in the fund sector is properly mitigated.
These specificities of the funds’ industry have long been recognised by the FATF, particularly that the fund’s units/shares are typically sold through another financial institution, which is itself an obliged entity under AML provisions and conducts the necessary due diligence. In the Guidance for a Risk-Based Approach for the Securities Sector, para. 48 and 100, the FATF specifically recognises the distribution of investment funds: “the CDD measures an investment fund should take will depend on how the ultimate customer invests in the fund. Depending on how the investment fund is sold, with whom the business relationship is established or who is registered in the fund’s share/units register, the investment fund may be required to treat an underlying investor as its customer or the intermediary as its customer. Where an intermediary is treated as the investment fund’s customer, the investment fund may not have visibility on the intermediary’s underlying customers. This includes not having comprehensive identification nor transaction related information on the customers of the intermediary in cases such as, for example, where the intermediary nets all of its customers’ orders and submits a single net order to the investment fund each day.”. This is also why it is important to incorporate in the recitals of the draft RTS on CDD section 16.14. b) of the EBA ML/TF Risk Factors Guidelines and clarify that, in the circumstances explained above, the intermediary would be the customer of the CIU.
Moreover, as investment funds treat intermediaries as their customers, they apply AML measures towards them. This is done in compliance with the risk-based approach explained in the EBA ML/TF Risk Factors Guidelines and includes: (a) gathering of sufficient information about the institution to understand fully the nature of the financial intermediary’s business and to determine from publicly available information the reputation of the institution and the quality of supervision, including whether it has been subject to a money laundering or terrorist financing investigation or regulatory action; (b) assessing the financial intermediary’s anti-money laundering and anti-terrorist financing controls; (c) obtaining approval from senior management before establishing new relationships; (d) clearly understanding and documenting the respective responsibilities as regards the fight against money laundering and terrorist financing of each institution; (e) being satisfied that the financial intermediary has verified the identity of and performed ongoing due diligence on the customers having direct access to accounts of the credit institutions, financial institutions and other institutions concerned by such relationships. This ongoing AML risk assessment and an in-depth knowledge of their distribution channels ensure that AML risks are adequately addressed in the asset management industry. As such, intermediary arrangements must also be clearly distinguished from nominees (recital 131 AMLR), as they are not used to deliberately evade transparency on BOs and misuse legal entities for ML/TF reasons.
Similar to the one described above is the case when the intermediary acts as a distributor of the fund and the units/shares in the fund are registered in the name of the end client, rather than the own name of the bank or broker platform (II Scenario). In these cases, the primary distinction from the scenario described above would be that the end clients would also become clients of the fund. However, while the name of the end investor may appear in the fund share register, there are many aspects that this model shares with the one previously described: (i) the end investors are also clients of intermediaries, (ii) intermediaries are obliged entities subject to AML/CFT obligations, (iii) they are required to perform all elements of the risk-based CDD on end investors, and (iv) the CIU will undertake the due diligence on the intermediary as described above to thoroughly understand the distribution channels and evaluate AML/CFT risks. Also in this case, the exposure to ML/TF risk is substantially reduced by the involvement of an intermediary who is an obliged entity and is directly responsible for conducting CDD on end investors. Therefore, also under these circumstances, the lower ML/TF risk will justify the application of simplified CDD measures by asset managers, as proposed under Art. 21 of the draft RTS on CDD. As was mentioned under recital 23 of the AMLR “AML/CFT requirements should apply regardless of the form in which units or shares in a fund are made available for purchase in the Union, including where units or shares are directly or indirectly offered to investors established in the Union or placed with such investors at the initiative of the manager or on behalf of the manager”. This suggests that the method of subscription or distribution of CIU units or shares should not, by itself, be considered a factor that determines a different intensity or nature of AML/CFT obligations.
The fact that investment funds will fulfil CDD obligations by leveraging the intermediary’s efforts is also important from the end investors’ perspective. Further exercise of CDD obligations by investment funds directly on end investors would be duplicative, prolonging their onboarding process. This could counterproductively affect current efforts to incentivise retail investors to participate in financial products. At the same time, it would not benefit AML/CFT purposes as it will simply duplicate the work done already by intermediaries. The use of intermediaries has a lot of benefits for private individuals, providing them with easy, cost-effective access to a wide range of products and product manufacturers to diversify their investments and benefit from lower fees.
To address specificities of the CIUs sector, as described above, the following changes need to be made in Art. 21 of the draft RTS on CDD:
The description of the relationship between the CIU, the intermediary and the client of the intermediary has to be amended to correctly reflect the current market practice.
The introductory part of Art. 21 of the draft RTS on CDD refers to circumstances “when a collective investment undertaking is acting in his own name, but for the benefit of its underlying investors through another intermediary credit or financial institution (…)”. This is not in line with what happens in reality. As already explained, in most cases it would be the intermediary acting on behalf of their clients and the shares/units in the fund would be subscribed either (i) in the intermediary’s own name, or (ii) in the name of the end client (in which case they are also a client of the fund).
The Article has to fully reflect the fund industry's mitigated ML/TF risk.
As explained above, the ML/TF risks in the case of the entire CIUs’ industry are mitigated by the existence of intermediaries, who are obliged entities themselves and, as such, have to perform CDD measures on end clients. The European Commission already recognised this in its analysis of the ML/TF risks associated with the sector of financial institutions including asset managers (Commission Staff Working Document, COM(2022)554 final, p. 45), where it said that: “The main factor that mitigates the inherent risk of money laundering is the low level of cash-based transactions, despite the fact that the sector is exposed to high-risk customers, including politically exposed persons, while the volume and level of cross-border transactions are high. To have access to the investment sector, perpetrators need to introduce money through the banking system, and hiding illegal money through opaque structures requires a high degree of expertise and/or high cost. Therefore, banks are often a first barrier that mitigates the inherent money laundering risk.” This clearly shows a lower level of ML/TF risk, not only in the case of a particular business relationship, but also in the industry in general. Therefore, we believe that the simplified approach to CDD proposed in Art. 21 of the draft RTS on CDD should be treated as the typical way in which CDD should be performed in the entire CIUs sector, including the cases where units are subscribed in the name of the investor (as described under II Scenario).
Therefore, we also believe that it should be possible to apply these simplified measures to all business relationships that are not considered high-risk. Only in cases where high risk is observed should this be additionally mitigated by CIUs.
We believe that such an approach would be in line with the mandate established under Art. 28(1)(b) AMLR as it requires the regulatory technical standards to specify “the type of simplified due diligence measures which obliged entities may apply in situations of lower risk pursuant to Article 33(1) of this Regulation, including measures applicable to specific categories of obliged entities and products or services, having regard to the results of the risk assessment conducted by the Commission pursuant to Article 7 of Directive (EU) 2024/1640.” This, together with Art. 33(1)(e) of AMLR which specifically mentions “other relevant simplified due diligence measure identified by AMLA pursuant to Article 28”, clearly allows for this draft RTS on CDD to establish “distinct” CDD measures for specific categories of obliged entities, such as asset managers.
The Article should require intermediaries to provide CIUs with information on beneficial owners rather than all underlying investors.
In funds, and in particular in the open-ended ones, the number of an intermediary’s clients subscribing into a fund can run into the hundreds of thousands. Moreover, these intermediaries’ clients are free to subscribe and redeem units or shares on a daily basis, which makes the fund’s end investor base highly variable. Funds are also pooled investment vehicles where the investment decisions rest with the fund’s manager and are typically not determined or controlled by the end investors. These specificities limit the attractiveness of funds for the purposes of money laundering and financing of terrorism.
Moreover, the intermediary might not be able to provide information on all of its clients; doing so would be highly problematic in practice and not in line with the FATF guidelines mentioned above. It would also not be necessary from the AML/CFT perspective, as these investors would already be subject to CDD measures performed by the intermediary.
Therefore, for the purposes of the AML/CFT it would only make sense for the CIU to be provided with information on those individuals that would be considered as beneficial owners, as defined under the provisions of the AMLR.
The Article should recognise also the robustness of AML/CFT rules applied by international capital groups.
While we agree with the need for the intermediary to be subject to AML/CFT obligations which are comparable to those applied in the EU, we would argue that Art. 21 of the draft RTS on CDD should also recognise the influence of the group structure on those requirements. A particular intermediary might be established in a third country, with AML/CFT rules less robust than those required by AMLR. At the same time, it could be subject to higher standards through group policies that would adhere to the EU rules or the rules of another country that would be as robust.
We also believe that the use of the word “comparable” will be much clearer.
The Article should also recognise in a separate paragraph the specificities of the II Scenario.
While most of the above would also apply to the II Scenario, to properly address its specificities, we believe it would be appropriate to include a dedicated paragraph which would help clarify the difference between the two models. When a CIU is distributed through an intermediary and the subscription is made in the investor’s name, the investor may be considered a client of the CIU. In this scenario, the simplified measures should be considered sufficient to fulfil the obligations under the entire Article 20(1) of the AMLR and not merely those under Article 20(1)(h). In this case, contrary to Scenario I, it would make sense for the CIU to be satisfied that the intermediary will also provide information on the underlying investors, and not only the beneficial owners.
Taking all that into account, we would suggest the following changes in the wording of the Art. 21 of the draft RTS on CDD:
“1. In the case where shares/units/other ownership interests in a collective investment undertaking are subscribed by an intermediary or chain of intermediaries (credit or financial institutions) in its own name and on behalf of underlying investors, the collective investment undertaking may fulfil the requirement under Article 20(1)(h) of Regulation (EU) 2024/1624 by being satisfied that the intermediary will provide CDD information on the underlying beneficial owners upon their request, and provided that:
a. the intermediary is subject directly or through group policies to AML/CFT obligations in an EU Member State or in a third country that has AML/CFT requirements that are comparable to those required by Regulation (EU) 2024/1624;
b. the intermediary is effectively supervised for compliance with these requirements;
c. the risk associated with the business relationship between the collective investment undertaking and the intermediary is not high; and
d. the fund or fund manager is satisfied that the intermediary applies robust and risk-sensitive CDD measures to its own customers and its customers’ beneficial owners.”
To address also the specificities of the second scenario that exists in the asset management industry and which we described above, we would also propose to add a second paragraph to Art. 21 of the draft RTS on CDD, with the following wording:
“2. In the case where the collective investment undertaking uses an intermediary to distribute its shares or units, and where the units or shares are subscribed in the name of the investor, the collective investment undertaking may fulfil the requirement under Article 20(1) of Regulation (EU) 2024/1624 by being satisfied that the intermediary will provide CDD information on the investors and their beneficial owners upon request, and provided that:
a. the intermediary is subject directly or through group policies to AML/CFT obligations in an EU Member State or in a third country that has AML/CFT requirements that are comparable to those required by Regulation (EU) 2024/1624;
b. the intermediary is effectively supervised for compliance with these requirements;
c. the risk associated with the business relationship between the collective investment undertaking and the intermediary is not high;
d. the fund or fund manager is satisfied that the intermediary applies robust and risk-sensitive CDD measures to its own customers and its customers’ beneficial owners.”
- Customer information data updates in low-risk situations (Art. 22)
EFAMA is of the opinion that the requirement that up-to-date customer identification data is held “at all times” is excessive, in particular in the case of simplified CDD. It could be understood as requiring this data to be checked on a daily basis, which would be excessive, in particular in low-risk situations. Even in the case of the banking industry, it would be impossible to apply, and even more so for obliged entities such as investment funds.
Therefore, we would propose the following wording for Art. 22(2) of the draft RTS on CDD:
“2. Obliged entities shall take the risk-sensitive measures necessary to ensure that they hold up-to-date customer identification data and that they update the information they hold on customers onboarded before this Regulation applied within 5 years after the application date of this Regulation.”
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.
Please see our response to question no. 6 above.
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Section 5 of the draft RTS on CDD establishes additional information that has to be obtained by obliged entities in instances where the use of enhanced CDD would be justified. We are of the opinion that these obligations are too prescriptive and do not leave sufficient room for the obliged entities to apply a risk-based approach. While we understand the need for broader harmonisation of AML/CFT rules, this should not replace a risk-based approach, which remains the pillar of a successful AML/CFT framework. Otherwise, these provisions risk creating a list of obligations that would become a tick-the-box exercise, rather than encouraging thorough assessment of a particular situation and the risks it represents. We also believe that this was not the approach intended by Art. 34(4) of AMLR and as such, solutions proposed in Section 5 might be going beyond the mandate under Art. 28(1)(a) of AMLR.
Therefore, we would propose the following changes in section 5 of the draft RTS on CDD:
- Words “shall, at least” to be replaced by “may include” in all four articles.
- Deletion of letter d in Art. 24 and in Art. 27, as it is not the responsibility of the obliged entities to investigate the criminal activity.
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
- Screening of customers (Art. 28)
EFAMA would like to highlight that Art. 28 of the draft RTS on CDD goes beyond what was prescribed by Art. 20(1)(d) of AMLR. It requires that scanning measures shall be applied by obliged entities not only to customers, but also to all entities and persons which own or control such customers. At the same time, in Art. 20(1)(d) of AMLR this scanning was limited in the case of legal entities to persons who control the legal entity or have more than 50% property rights or majority interest. This, to our understanding, clearly limits the scope of such scanning.
In order to keep the provisions of the draft RTS on CDD in line with rules established by Level 1 provisions, we propose the following change in the wording of Art. 28:
“To comply with Article 20(1)(d) of Regulation (EU) 2024/1624, obliged entities shall apply screening measures to their customers and to the relevant entities or persons which control or meet the ownership conditions over such customers as provided by this Article.”
- Screening requirements (Art. 29)
Article 29 is too prescriptive and risks multiplying the possible “hits” the obliged entity would get when screening its database. As multiple “hits” reduce the effectiveness of the whole process, they are not desirable.
Therefore, we propose the following wording for the introductory part in Art. 29(a) of the draft RTS on CDD:
“a. Screen, through automated screening tools or solutions, or a combination of automated screening tools and manual checks, unless the size, business model, complexity or nature of the business of the obliged entity allows for manual checks only, the following customer information where appropriate:”
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Non-applicable.
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
No comments.
Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.
The following further elements could be taken into account under the list of indicators:
- whether the breach was caused by the obliged entity itself or a third party;
- whether the breach related only to the entity’s own AML/CFT procedures and policies or whether it also led to the breach of applicable regulatory obligations.
Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.
No comment.
Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.
No comment.
Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.
EFAMA would like to highlight the need for caution when it comes to holding natural persons personally responsible for the breaches of obliged entities. In particular, the implications of such an approach on the availability of professionals performing compliance functions must be considered.
The role of compliance is critical for the proper execution of AML/CFT obligations by the entity. However, as such functions do not hold executive powers, the responsibility for any regulatory breaches does not rest solely with them. Rather, they provide continuous oversight and advice to the decision-making bodies.
We believe that it would be disproportionate to hold the compliance team personally liable for the failures caused by decisions made by senior management of the company. It would also be against the usual three lines of defence model, where compliance plays the role of the second line. It could also undermine the attractiveness of these positions and further increase the difficulties in finding experienced professionals ready to hold this position in the financial sector. Shortages of well-qualified staff will have a counterproductive effect on the resilience of the entire sector.
While Art. 4(4) of the draft RTS on Sanctions recognises the need to take into account “their role in the obliged entities and the scope of their functions”, we are of the opinion that their involvement in the decision-making process should also play an important role.
5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?
The proposed administrative measures will significantly impact an obliged entity's operations. In particular, the withdrawal or suspension of an authorisation and restriction or limitation of business operations or network will have significant implications for the obliged entity, which might not be possible to reverse once full compliance with AML/CFT obligations is restored.
Therefore, we believe that these measures should be reserved for the most significant breaches, i.e. those classified under category four.
5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?
Please see our response to question 5a above.
5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?
No comment.
Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.
Non-applicable.
Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.
Please see our response to question 4.
Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?
No comment.
Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?
No comment.