Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?
ΑΝΝΕΧ Ι section B (1B) – Internal Findings (High Criticality): Guidance or the establishment of common principles is requested regarding the designation of 'high criticality' for compliance/internal audit findings, in order to ensure the comparability of related reports across obliged institutions.
Otherwise, differing frameworks may lead to significant discrepancies in the volume or severity of reported findings, without objectively reflecting performance or risk.
Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.
Although the proposed risk assessment methodology (Section 4.2, Annex I)[1] is based on a combination of quantitative indicators (such as number of clients, geographical coverage, types of products) and qualitative elements derived from the entity’s own risk assessment—as reflected and evaluated by the competent supervisory authorities—it is recommended to incorporate an additional parameter related to the nature and operational intensity of the activity in each country of presence.
The classification of presence, whether through a branch or under the freedom to provide services (FOS), does not distinguish between: – a presence with limited operational involvement, where the service is provided remotely or supported by minimal local infrastructure, and
– an operationally intensive presence, where the entity uses commercial intermediaries, maintains support systems (e.g. onboarding support, complaint handling), or offers more complex products (e.g. merchant acquiring, reloadable instruments), which entail a higher supervisory burden and increased AML/CFT risk.
This distinction could be integrated as a qualitative differentiation factor in the calculation of residual risk and/or in the final selection of entities subject to direct supervision.
Furthermore, it is proposed that the same distinction be taken into account in the context of the RTS on pecuniary sanctions (Article 53(10) of AMLD6), to ensure that proportionality in the imposition of sanctions reflects the actual operational involvement and exposure of the entity in the relevant market—not merely its legal form of presence.
[1] Data Points to be collected for the purpose of the RTS under Article 40(2) of the AMLD and Article 12(7) of the AMLA Regulation.
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Articles 1 - 5: The RTS introduce technical criteria for identification documents—which may require adjustments to their onboarding processes. The requirement to document “a legitimate reason” for accepting non-PRADO documents introduces operational complexity and should be applied with flexibly, taking into account national practices and the document’s overall reliability.
Additionally, many EU legal identification documents do not include the place of birth. Therefore, it is considered necessary to clarify whether, in such cases, the place of birth may be recorded based on the customer’s declaration in order to comply with Article 1(2)(a) in cases where this element is not included in the official document. In this context, it is also proposed to allow the recording of the country of birth only, where more detailed information is not available.
Article 10 (b): We suggest that the EBA provide illustrative, non-binding examples to support the understanding of what is expected under Article 10(b), particularly with regard to how control is “expressed and exercised” in intermediary ownership structures.
Article 12: It is proposed that the final text of the RTS explicitly clarify that, in cases where:
– no beneficial ownership register is available or accessible, and
– ownership information cannot be directly derived from public corporate registries,
a documented declaration by the legal representative or the submission of a structured ownership chart—provided there are no inconsistencies with other available sources—may be considered a sufficient basis for the identification and verification of the Ultimate Beneficial Owner (UBO).
Such clarification is essential to avoid interpretations that could inadvertently lead to the premature or unjustified application of the provision regarding the use of senior managing officials (SMOs). As set out in Article 28(4) of the AMLR and reiterated in Recital 10 of the draft RTS, recourse to SMOs is permitted only where:
• all reasonable means of identifying the UBO have been exhausted, or
• there are specific doubts as to the accuracy of the information obtained.
Furthermore, it is noted that Article 12 of the draft RTS does not explicitly restate the obligation to document the steps taken before designating an SMO, as required under the AMLR. It is therefore recommended to include a relevant reference or cross-citation to enhance legal certainty and regulatory consistency.
Finally, it is proposed to clarify that, in legal entities without an ownership structure (such as associations, non-profit organizations, etc.), the designation of an SMO may be based on the legal nature of the entity and does not require further investigation of an ownership chain.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
It is requested that technological neutrality be preserved (in line with Regulation 910/2014), that provisions be made for equivalent technical solutions, that non-digital customers are not excluded, and that a risk-based assessment approach be applied—without imposing technical requirements that do not actually enhance compliance.
It is noted that the technical requirements introduced in the RTS for identity verification in environments without physical presence may lead to broader customer exclusion—not only affecting vulnerable social groups (such as asylum seekers), but also individuals holding identification documents that, while legally valid, do not meet interoperability technical standards (e.g., older-style ID cards in Greece or Italy that are not PRADO-compatible).
The transition toward EU-wide adoption of “new” identity cards under Regulation (EU) 2019/1157 is ongoing and has not yet been fully implemented across all Member States. As a result, by the time the AMLR and the present RTS enter into force, a significant number of customers may still hold documents that are not technically supported.
It is therefore proposed to explicitly maintain flexibility for the application of risk-based controls, with proper documentation, so as not to exclude individuals from digital onboarding simply because their identification documents are legally acceptable but not technically “advanced,” provided that no other high-risk indicators are present.
The principles of technological neutrality and proportionality must be upheld.
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 16 (a): It is considered appropriate to establish a specific threshold for occasional transactions (or cumulatively linked transactions), above which the profile of the occasional customer will be formed.
Furthermore, we suggest clarifying that occasional transactions refer to transactions carried out by individuals who do not have an established business relationship with the obliged entity.
Article 16 (d): We would welcome clarification regarding the requirement related to the term "type of recipients" by providing examples or at least indicative categories.
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 17: Specifically for the category of Mayors, what is the official source of population data (e.g., the Hellenic Statistical Authority - ELSTAT)? Which point in time should be considered (e.g., the most recent population census by ELSTAT)?
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 18: It is considered appropriate to supplement this section with the provision of Article 33(1)(a) of the Regulation, concerning the possibility of submitting supporting documents within a 60-day period and the actions required in case of non-submission.
Article 22 (2): Can a validated customer declaration (QES) confirming that no changes have occurred be deemed sufficient to meet customer data renewal requirements, without triggering a full re-collection of information, provided there are no material changes?