Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
In view of EBA’s approach as set out in the draft RTS, a key challenge will be the availability and reliability of data, especially for smaller credit institutions and other smaller financial institutions. The RTS should therefore provide more guidance on minimum data standards and, besides this, address potential gaps, perhaps by allowing for supervisory judgment or the use of proxies where data is incomplete.
Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.
EBA’s proposed approach follows a logical structure: controls are intended to mitigate risk, not exacerbate it. This assumption provides clarity for both supervisors and institutions, supporting objective, consistent, and comparable risk assessments across EU Member States. For credit institutions and financial institutions that are active in several Member States (with branches or cross-border services), this harmonisation could reduce the compliance burden and regulatory fragmentation that today still arise from divergent national interpretations. Furthermore, a uniform and predictable approach reduces the risk of regulatory arbitrage and ensures that cross-border banks and other financial institutions are assessed on a level playing field, regardless of where they operate within the EU.
Despite these strengths, the EBA’s model may not capture the full complexity of risk management in large, international banking groups or groups that also contain other financial institutions. For example, technological changes or system migrations can temporarily degrade control effectiveness, sometimes resulting in a risk environment that is worse than the underlying business model would suggest. In these scenarios, it is conceivable that the residual risk (i.e., the risk remaining after controls) could be higher than the inherent risk, contrary to the EBA’s model. In general, if controls are ineffective, or worse, if they introduce new vulnerabilities, residual risk can logically exceed the inherent risk. This is recognised in other risk management domains (e.g., operational risk, cyber risk), where control failures can amplify rather than mitigate risk.
Therefore, EBA should consider refining its methodology to allow, in exceptional and well-justified cases, for residual risk to exceed inherent risk. This would enhance the sensitivity of supervision to control failures. To prevent misuse or inconsistency, such an approach should include clear criteria for AMLA and all NCAs for when and how residual risk can exceed inherent risk.
3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?
The EBA’s commitment to proportionality and a risk-based approach is essential for smaller credit and financial institutions. A “one-size-fits-all” data set risks imposing excessive costs and operational burdens, particularly where data is not already collected for other regulatory purposes.
3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?
The data points listed in Annex I are not clearly defined and could lead to misunderstandings and differences in reporting. The definitions should be clear in terms of using “value” for Euro denominated amounts and “volume” for the number of transactions. There also needs to be consistency in respect of other terms that are used.
Additionally, the number of data points is quite extensive and a large number are not easily available at this point in time. There is a significant impact in respect of the time and costs involved to collect those data points and it would also take a substantial amount of time to implement those reporting capabilities. In order to collect and report the new data points regularly, there will have to be substantial IT development in most banks.
Some of the data points, like the number of legal entities with at least one UBO located outside of non-EEA countries (residence), will require a substantial effort and would then include situations where the UBO is based in the US, UK or Japan, which would not indicate any higher risk. While basic data concerning beneficial owners is already collected and processed, more complex or multi-layered structures may not be fully available for processing and reporting, especially if they have to be mapped in different existing systems.
The number of customers registered abroad seems to include situations where the customer is based in another EU country and, in wholesale banking, might include a large portion of the client population without this indicating any higher risk.
Number of customers with cross-border transactions involving non-EEA countries is going to be very challenging to provide as this involves a manual combination of customer data and transactional data. Not all transactional systems capture this information in a reliable manner as this is not a key risk factor in financial markets transactions.
Number of customers with requests from FIU would require manual tracking. It is also not clear if that includes customers where a request is sent after a SAR was filed.
Number of payment accounts: it is not clear if that is within the meaning of PSD2 or if that references bank accounts in general and would include correspondent banking accounts.
Total Value (EUR) of incoming transactions in the previous year: It is not clear if that includes other transactions than payments. Would a financial markets transaction in case of a SWAP be an incoming or outgoing transaction?
Nearly all data points require further clarification of what is meant by them; the above are just some examples.
Data on the use and effectiveness of eIDAS-compliant identification, for example, may not be systematically captured, especially if obliged entities rely on legacy onboarding processes.
3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?
No remarks. Not applicable.
Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
In general, this frequency is also consistent with other regulatory frameworks (e.g., annual ICAAP/ILAAP reviews under CRD/CRR).
Allowing a reduced frequency (once every three years) for entities classified as lower risk is a proportionate and resource-efficient approach. It recognizes that some business models, customer bases, or geographies present consistently low risk and do not warrant the same level of supervisory intensity. This is especially relevant for subsidiaries or branches of international banks with limited or highly standardized activities.
Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.
The proposed frequencies strike an appropriate balance between risk sensitivity and operational efficiency. However, the RTS should clearly define eligibility criteria for reduced frequency, including objective risk indicators and governance standards.
Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.
When assessing geographical risks in AML/CFT frameworks, the distinction between transactions involving EEA jurisdictions and those involving third countries is both justified and necessary. The rationale is rooted in the harmonised, partially uniform regulatory environment, alongside longstanding supervisory cooperation and the generally higher standards of AML/CFT controls in the EEA, compared to the heterogeneous landscape of third countries. This differentiation is recognized in EU law, international standards, and practical AML risk management, and is essential for effective, risk-based allocation of compliance resources.
It can be observed that AML/CFT functions must allocate more resources to due diligence, monitoring, and reporting for transactions that relate to third countries. Nevertheless, this does not mean EEA transactions are risk-free; typologies such as intra-EU VAT fraud, golden visas, or the use of shell companies still exist. However, the risk is generally lower and more manageable within the harmonised framework.
The EBA and the European Commission should give more guidance on this topic, ideally in the form of guidelines for EDD and other countermeasures regarding certain high-risk third countries.
Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
Clear criteria and a risk-based selection process for direct AMLA supervision should provide credit and financial institutions and corresponding groups with better predictability and transparency regarding their supervisory status.
From our perspective, the thresholds set out in Article 1 of the draft RTS for determining the materiality of activities exercised under the freedom to provide services are a critical aspect of the new supervisory framework. These thresholds — such as the minimum number of resident customers or transaction volume per host state — are intended to objectively identify institutions with significant cross-border activity and potential systemic risk, thereby subjecting them to direct AMLA supervision.
The proposed thresholds (e.g., 20,000 resident customers or 50 million EUR in transaction volume per host state) may not sufficiently account for the diversity of business models and risk profiles across the EU financial sector. The thresholds in Article 1 are meaningful in the retail context but not when it comes to wholesale banking. For example, institutions with a high volume of low-risk retail payments could be captured alongside those with fewer but higher-risk transactions, potentially diluting supervisory focus. Furthermore, there is a risk that the thresholds could create an unlevel playing field, disproportionately impacting larger, more diversified banks and other financial institutions that naturally exceed these thresholds due to their scale, rather than their inherent ML/TF risk.
More precisely, when assessing and weighting certain numbers of customers, it should be taken into account that there are, of course, different categories of customers (e.g. in banking, there can be payment customers (both as payers or as payees), loan customers, deposit customers, customers demanding trade or structured finance (mostly corporate or institutional customers), etc.). Each category, of course, comes with its own AML/CFT risk profile. In addition, it can be observed that credit institutions and other financial institutions which are active in wholesale banking have much lower customer numbers, but the value of one transaction can already exceed EUR 50 million. Typical customer numbers could be as low as 1,000 – 2,000 customers.
If the aim is to ensure a more risk-sensitive and proportionate regime, the EBA could consider an alternative approach that uses relative thresholds. This means that, instead of absolute numbers, thresholds could be set as a percentage of the institution’s total EU business, balance sheet, or transaction volume. This approach would better account for the relative materiality of activities and the institution’s systemic importance. It would also be advisable to have separate thresholds for retail and wholesale banking to ensure the thresholds are meaningful to the business activities of the respective financial institutions (see also our answer to question 3).
Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.
In general, please refer to our answer to question 1. If the proposed approach of thresholds based on absolute numbers were followed, decreasing the threshold would lead to even more potential objects of supervision, and as a result the distinguishing criterion itself would become more or less obsolete.
Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.
A single threshold for the number of customers, irrespective of whether they are retail or institutional, is a blunt instrument for assessing the materiality of cross-border activities under the draft RTS. While the rationale for such a unified approach is administrative simplicity and comparability, there are substantive concerns about its effectiveness and proportionality in capturing true money laundering and terrorist financing (ML/TF) risk.
Retail and institutional customers present fundamentally different risk profiles. Retail customers typically engage in lower-value, higher-volume transactions, often with more predictable patterns and lower inherent ML/TF risk. Institutional customers, by contrast, may be fewer in number but can generate significantly higher transaction values, more complex structures, and greater exposure to cross-border or higher-risk jurisdictions. Treating these categories identically ignores this risk heterogeneity and may distort supervisory focus.
In addition, a single threshold based on customer numbers could result in the selection of institutions with large retail client bases but relatively modest ML/TF risk, while institutions with a small number of high-risk institutional clients might escape direct AMLA supervision. This misalignment could dilute the effectiveness of AMLA’s oversight, as resources may be diverted from genuinely higher-risk entities to those that simply have scale in retail operations.
Banking groups (and groups comprising other financial institutions) vary widely in their business models. Universal banks, private banks, and wholesale institutions serve markedly different clienteles. For example, a private bank with a few hundred ultra-high-net-worth clients may pose greater ML/TF risk than a retail bank with tens of thousands of local customers. A single threshold fails to account for these distinctions, potentially leading to regulatory arbitrage or unintended market distortions.
As an alternative approach, a dual threshold, with a higher one for retail and a lower one for institutional clients, would better align with risk-based principles. For instance, a threshold of 50,000 for retail and 1,000 for institutional clients could ensure that both mass-market and high-impact, low-volume institutions are appropriately captured.
Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.
There is a linkage between the methodology for AMLA selection provided in this RTS and the methodology for risk-based supervision laid down in the RTS under article 40(2) AMLD6.
Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of the draft RTS under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.
No remarks.
Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
The methodology for calculating the group-wide score in Article 5 of the draft RTS is a significant advancement, but it also raises practical and conceptual concerns.
The proposed methodology aggregates entity-level residual risk scores using a weighted average that reflects each entity’s importance within the group. This approach is designed to ensure that high-risk entities with significant operations are given due consideration, preventing lower-risk entities from unduly lowering the group’s overall ML/TF risk score. The intended rationale is to capture the true risk profile of large, complex groups and avoid risk dilution.
On the other hand, it may be of concern that large international groups of credit or financial entities may face significant challenges in harmonizing risk data across diverse jurisdictions and business lines. Differences in data quality, local risk assessments, and regulatory interpretations could also affect the reliability of group-wide scores.
Also, the methodology could disproportionately penalize groups with a single high-risk entity, even if the rest of the group is low-risk, leading to an overstatement of the group’s overall risk and potentially excessive supervisory measures.
Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.
Without clear, harmonized definitions and guidance, there is a risk that different institutions or national supervisors may interpret the group-wide perimeter differently, undermining comparability and the level playing field the RTS seeks to establish. The EBA’s intent to issue interpretive notes is a positive step, but ongoing dialogue and refinement will be necessary to ensure consistent application across the EU.
Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?
Giving the same consideration to the parent company and all other group entities for determining the group-wide risk profile may not always yield an accurate or risk-sensitive assessment. The draft RTS methodology aggregates entity-level residual risk scores using a weighted average that reflects each entity’s operational significance within the group. This approach is intended to ensure that high-risk, material entities are appropriately weighted, preventing lower-risk entities from unduly reducing the group’s overall risk score.
However, treating the parent company identically to other entities, regardless of its actual business activity or risk exposure, can distort the group-wide assessment. In many international banking groups, the parent company may function primarily as a holding or coordinating entity with limited direct customer-facing or transactional activities. Assigning it equal weight could overstate or misrepresent its contribution to group-wide ML/TF risk, especially if its inherent risk is low relative to large, active subsidiaries.
This concern is recognized in the EBA’s consultation, which emphasizes that the group-wide methodology should reflect the relative importance of each entity. If the parent’s risk profile is low and its operational activity limited, giving it the same consideration as major subsidiaries could dilute the assessment of group-wide controls effectiveness and ML/TF risk. This may result in supervisory attention being misallocated, with less focus on genuinely high-risk parts of the group.
It might be possible to think about a more nuanced approach where the weighting of each entity, including the parent, is proportionate to its actual operational and risk significance. This could provide a more reliable and risk-sensitive group-wide assessment and would enhance the effectiveness of AMLA’s direct supervision.
Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
The transitional rules in Article 6 of the draft RTS are welcomed and provide for a pragmatic approach to implementing the new risk assessment and selection methodologies.
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
The proposals in Section 1 are broadly aligned with international best practices and FATF recommendations. They do not introduce fundamentally new information requirements but rather harmonise and clarify existing obligations, ensuring consistency across the EU.
Despite certain deficiencies in the new rules, the main cost drivers in their implementation can be identified: for example, obliged entities’ system enhancements to capture and store the additional data fields in a harmonised format, and training for staff to ensure correct data collection and verification, especially for new digital onboarding methods and non-standard documents.
Before turning to our individual remarks on the Articles of Section 1, we note that Articles 1 – 6 mainly reference “the customer”, even though the introduction mentions other roles such as the person purporting to act on behalf of the customer. It would be beneficial to clarify whether the requirements are supposed to be limited to the customer or are applicable to all roles listed in Article 1, first sentence of the Draft RTS.
In this context, we also propose that the RTS should define the “person purporting to act on behalf of the customer”. The term is already used in the current AML Directive and has resulted in a number of interpretations that vary widely between Member States. The term should be limited to external third parties acting through e.g. a power of attorney. In the institutional space in particular, identifying and verifying employees of the customer who support the onboarding process or sign contractual documents on behalf of the customer (which, as a legal entity, would always require a natural person to act on its behalf) would not address any AML/CTF risk but only create an unnecessary burden for the customers as well as the financial institutions. The identification and verification of an external third party, e.g. an external law firm or other proxy that would act on behalf of the customer and represent the customer vis-à-vis the financial institution, would be a meaningful risk mitigant and be in line with a risk-based approach.
Article 1: Names
It is stated that for legal entities, both registered and trade or commercial names must be recorded. It is often the case that there are several trade names (variations) for a legal entity; see the discussion on the SEPA ‘name check’ in the context of verification of payee. Since commercial names are not always included in official commercial registries, the mandatory scope of identification should stay limited to data points available in official registers.
Also, Art. 1 paragraph 3 should be paragraph 2.
Article 2: Address
According to the proposed RTS, it shall be required to collect detailed address components (country, postal code, city, street, building/apartment number). For customers in jurisdictions with less formal address systems, this may pose practical challenges and could increase onboarding times. It does not sufficiently account for jurisdictions where formal address systems are lacking or inconsistent, such as rural areas in developing countries, potentially resulting in incomplete or unverifiable data and inadvertently excluding legitimate customers from financial services.
When it comes to the collection of a full residential address, it must be stated that this is focused on retail customers but does not take into account the role of other natural persons who might have a role within the customer due diligence process, acting in their professional but not their personal capacity. The person purporting to act for the customer, as well as individuals from the senior management of institutional clients, would have to provide personal data to the financial institution solely because of their employment or professional capacity, and in some countries this could subject them to a heightened risk, e.g. kidnapping in certain countries outside of the Union. In particular, when the UBO is a deemed beneficial owner and as such the senior management has to be identified and verified, this does not address an increased ML/TF risk and results in a form-over-function approach instead of a risk-based approach. In such situations, the city and country of residence should be sufficient, as this information is also sufficient for screening purposes. It can be noted that the respective official lists of restrictive measures rarely include a full residential address for listed individuals.
Article 3: Place of Birth
The requirement encompasses both city and country of birth for natural persons, which may enhance the ability to screen against sanctions and PEP lists.
Whilst the intention of requesting the city and country in respect of the place of birth is understandable, this poses substantial practical challenges. In some countries, official records may not consistently capture or verify place of birth, leading to potential gaps or inaccuracies in the data provided by customers. Most official documents only include the city or, in some countries like the USA, the state of birth. And for individuals born in regions with changing geopolitical boundaries or in rural areas without formal city designations, the requirement may cause confusion or result in inconsistent data entries, complicating automated screening and customer matching processes.
Obtaining additional information that cannot be verified by an official document would result in either non-verified information or financial institutions having to obtain birth certificates and other documentation to verify the data points. Particularly in the non-retail banking segment with large international corporates, there would be very little benefit and mitigation of money laundering risk resulting from the additional documentation. It will also be challenging in situations where the country of birth might no longer exist due to political changes over the years. Such rigid enforcement of this CDD requirement could also delay onboardings. We therefore suggest that the information as presented in the official government-issued identification documents should be sufficient.
Article 4: Nationality
It is our understanding that it shall be possible to record all citizenships in the course of the general CDD measures to the extent needed to satisfy the obliged entity’s individual information needs. This would also mean that it is not mandatory to record all nationalities. The RTS should clarify this first.
The requirement would also benefit from clearer guidance on acceptable evidence for multiple nationalities and risk-based flexibility for cases where full verification is impractical. In doing so, it should be sufficient that obliged entities may rely on the statement of the natural person as there is no central register or any other means to obtain and verify all nationalities of an individual.
Article 5: Documents for the verification of the identity
There is an inconsistent use of the terms “persons” and “customer”. The RTS should clarify whether Article 5 applies to all natural persons mentioned in Art 22 or whether there was any intention to distinguish between different roles.
Additionally, the permissible documents described under Art. 5 (1) would exclude a number of documents that are acceptable means of identification in their respective country. The driver’s license in the USA does not have all the required features and would therefore not be a valid means of identification, resulting in the potential requirement for persons acting on behalf of an institutional client to obtain a passport or not be able to represent the customer.
A company’s constitutional documents (articles of incorporation, company constitution etc.), when drawn up in accordance with relevant law, should also be considered an adequate source to identify and verify a legal entity.
It should be noted in the context of Art. 5 (1) lit. d that not all identity documents necessarily have a signature of the document holder.
The requirement in Art. 5 (1) lit. g for a document to contain ‘biometric data’ is problematic. It is unclear whether all identity documents from jurisdictions outside of the EU would or should contain this data – and in the absence of a central registry, it is equally unclear how obliged entities would be expected to verify this. Obliged entities do not have the computer hardware to read biometric data stored in microchips embedded within identification documents – and if such were available, the legal basis which would permit such reading is unclear. We recognise the qualification provided by the EBA via the inclusion of ‘where available’, but suggest nevertheless that lit. (g) be deleted.
The RTS refers in Art. 5 (2) to situations where the customer cannot provide a document for “legitimate reasons”. It is not clear what this entails. Does this mean situations where the passport is not available as it is currently being extended and had to be submitted to the authorities as is required in certain countries, where the person acting for the institutional customer has forgotten to bring the passport to the office, where a person does not have a passport as it is not required to have such an identification document in their country of residence, or any of the other possible situations where a passport is not available? The RTS should clarify the meaning of this wording.
Furthermore, we also request clarification of the scope of the provision in Art. 5 (2) which states that ‘a state or public authority’ may provide a document that is equivalent to an identity document or passport. Is this intended to refer only to national level entities, or are sub-national authorities also in scope?
Article 5 (3) draft RTS requires obliged entities to take ‘reasonable steps’ to ensure that documents are authentic and have not been forged or tampered with. This will constitute a substantial administrative and procedural burden for obliged entities. There is no known source of expertise or central register to verify every possible document issued by every possible global public authority. Even experienced law enforcement experts are not in a position to determine with certainty whether identity documents are genuine and have not been forged or falsified. In the absence of such, we request that the EBA clarify what would constitute obliged entities taking ‘reasonable steps’, as used in this context.
Also, Art. 5 para. 5 RTS expressly mentions the possibility of accepting a certified copy. This is fundamentally sound, but there is a question regarding how to obtain it: can it come from the client, or can it be retrieved by another obliged entity that carried out its own CDD measure?
Article 6: Non-face-to-face context
With regards to verification of the customer in a non-face-to-face context in the light of Article 6, please see our answer to question 2.
Article 7: sources of information
We note that Article 7 draft RTS requires obliged entities to assess ‘the reputation, official status and independence of the information source’. It is not clear how an obliged entity is to assess reputation, official status or independence, or how an entity could document this to provide evidence of appropriate completion to a supervisory authority. We consider that obliged entities should decide for themselves what measures they take, in line with the risk-based approach. We therefore request that it be deleted from the Article, and greater emphasis placed on simply ‘risk-sensitive measures’ to make clear that obliged entities are expected to use their judgment, in accordance with the risk-based approach.
Art. 7 also states that the obliged entity should assess the extent to which the information is up-to-date. There is no general definition of what constitutes up-to-date, and the approach in the Member States varies significantly. In order to harmonise the approach, it should be clarified what is considered “up-to-date” and when documentation is still current.
Furthermore, the obliged entities will in practice usually not have sufficient information from KYC data providers or adverse media providers to assess ‘the ease with which the identity information or data provided can be forged’. In the absence of such information, it is unclear how obliged entities could perform such assessments. We therefore request that the RTS set out how obliged entities should perform such an assessment – or simply, that the requirement be removed.
Article 8: virtual IBAN
Concerning the identification and verification of the identity of the natural or legal persons using a virtual IBAN, please see our answer to question 3.
Article 9: Verification of the beneficial owner
The reference to ‘utility bills’ as an example of ‘third-party sources’ in the context of identifying the beneficial owner in Article 9 draft RTS is unhelpful in the context of wholesale business. Given the nature of wholesale business and of the customers of wholesale banks, it is not credible to expect wholesale banks to obtain utility bills (or similar items) from UBOs (or SMOs). We recognise the challenges the EBA faces in seeking to draft regulation applicable to all sectors. Regulation must nevertheless be realistic, fit for purpose, and appropriate for the sectors regulated. To require the collection of sources of such intimacy or detail goes beyond the requirements set by the co-legislators. As such, we request that the RTS require simply ‘reasonable measures’, in line with Article 9 draft RTS.
It also appears that the obliged entity is not limited to the BO register of the Member State in which it is established. It should be clarified whether obliged entities must access BO registers in other Member States.
Article 10: Ownership and Control Structure
The requirement to obtain a number of data points for each legal entity is overly burdensome, in particular for institutional customers, which quite often have a number of holding companies within their corporate structure. Obtaining the information on each holding entity when it is clear that the customer is a majority-owned subsidiary of a listed entity, e.g. one listed on the regulated market of the Frankfurt Stock Exchange, would contradict the risk-based approach. The entity might for other reasons not be classified as low risk but as a general/medium risk customer, and might not qualify for simplified due diligence due to the products it uses. However, that does not mean there are any concerns around the ownership structure, and there is no benefit in obtaining the data points for 5 or more holding entities in the ownership structure. This will create a cottage industry and result in material system changes without mitigating any additional ML/TF risk.
Article 20 (1) (b) AMLR sets the taking of ‘reasonable measures’ as the starting point for the obliged entity to satisfy itself that it understands the ownership and control structure of the customer. The approach set out in the RTS goes however significantly beyond the AMLR text and introduces the requirement to obtain specific information, which may not in all cases be required or appropriate for understanding the customer’s ownership structure.
We request that the RTS consider the wholesale customer base and provide flexibility regarding the situations when assessment of all ownership layers is to be required. The level of such assessment should vary according to the customer type, sector, and potential status as a regulated or listed entity.
Article 10 (1) (a) draft RTS requires obliged entities to reference all the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their beneficial owners, if any. We consider this to be excessive and not in line with the risk-based approach. We suggest instead that the focus should be on intermediary layers owning or controlling more than 25%, and that the identification of intermediaries should apply to higher risk customers, thus reducing the administrative burden for lower risk scenarios.
Article 10 (2) draft RTS requires obliged entities to assess the economic rationale behind the structure presented by a customer. We do not consider it appropriate – or feasible – to require obliged entities to perform such an assessment. We also note the wording in Article 20 (1) (b) AMLR which requires simply ‘understanding’ the ownership and control structure. Assessing the economic rationale and performing a plausibility check (see above) go significantly beyond having an understanding of the control structure. There are many reasons a customer (or other legal entity) may choose to structure itself as it does. The choice of structure will often arise from internal information known only to the customer (or other legal entity) itself. It should not be expected for obliged entities to understand – or even to infer – the economic rationale behind the structure, as such an understanding (or inference) would require knowledge of internal information of the customer (such as tax implications or political and market considerations relevant to particular jurisdictions) which the customer is not obliged and would not expect to disclose. We recommend that the obligation should be changed to require obliged entities to assess whether a structure might have been set up only in order to avoid or reduce the transparency of beneficial ownership with no other likely or possible legitimate justification. As with the plausibility assessment, this would be triggered by the facts of the situation and in accordance with the risk-based approach.
Besides this, it might be helpful if EBA guidance could also give hints to regulated markets in third countries in this regard.
Article 11: complex structures
Treating any ownership structure with two or more layers and a cross-border element as complex will result in nearly 90% of clients in wholesale banking being deemed complex. There are a number of reasons why most of the larger international companies, which are also listed on regulated exchanges and should still be considered at the lower end of ML/TF risk, usually have at least one holding company in a different jurisdiction between themselves and any of the subsidiaries. There are treasury centres concentrated in certain countries, which are the intermediary layer for certain regions, and there are a large number of subsidiaries in different countries and across different business lines, but that does not make the ownership structure complex, and it is still very clear who the ultimate parent entity is. Complex structures should be limited to situations where there are trusts, funds or other more opaque intermediary shareholders that make it difficult to assess the final ownership. It is proposed to delete Art 11 (11) b.
Article 12: senior managing officials
As a rule, it is mandatory to identify and verify beneficial owners, or, if not possible, senior managing officials (SMOs). The fallback to SMOs is pragmatic and prevents unnecessary de-risking, especially for complex structures. However, verification of SMOs at the same level as beneficial owners could increase onboarding complexity and cost. For example, this could be the case because the definition of “senior managing officials” itself is not clear. In the institutional client segment in particular, there are various levels of management, and as a result this could lead to a very large number of individuals being considered SMOs and thereby falling under the deemed beneficial owner requirements. This could even include the AML Officer of regulated financial institutions, which does not seem a risk-based and sensible approach. It would require a lot of capacity within the obliged entities to obtain and verify all this information, with very little benefit in terms of risk mitigation, and those resources would be better deployed to manage the real risk. The definition should be limited to the highest management level within the customer.
Article 13: trusts and similar legal entities or arrangements
Article 13 (1) (b) draft RTS cites ‘…relevant documents to enable the obliged entity to establish that the description is correct and up-to-date’. It is unclear what documents would satisfy Article 13 (1) (b). While an updated trust deed may contain beneficiary information, it may not always be available. In most instances, obliged entities would rely on trustees to attest that the documentation is correct and up-to-date. We request therefore that the RTS allow obliged entities to complete verification using reasonable measures. This would permit obliged entities to tailor their verification processes to the facts of the situation at hand, the better to ensure appropriate verification is undertaken without pre-judging how best any particular description received may be verified.
Article 14: discretionary trusts
Please see our remark to Art. 13 above.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
There is a need for clarity on what constitutes a non-face-to-face interaction. Historically, interpretations have varied – particularly in the wholesale context. For example, meeting a customer representative at a site visit may be considered ‘face-to-face’, even if the ultimate beneficial owner is not met. Clear definitions are crucial, especially if some competent authorities may consider wholesale interactions non-face-to-face. We therefore request that the RTS clarify what constitutes ‘face-to-face’ – with a particular focus on the wholesale context. Furthermore, the future of the EBA Remote Onboarding Guidelines should be clarified soon.
The draft RTS sensibly prioritizes eIDAS-compliant solutions, which provide a harmonized, high-assurance standard across the EU. However, it recognizes that not all customers can access such solutions, especially non-EU residents, expatriates, or vulnerable groups. Therefore, the RTS allows for alternative remote verification methods under strict conditions. With this, the approach is inclusive, preventing the exclusion of legitimate customers who cannot obtain eIDAS credentials. It may also align with the EBA’s commitment to financial inclusion and cross-border service provision.
In this respect, it must be stated that the provisions appear to be very retail-driven and seem to assume that the customer is a natural person. In wholesale banking in particular, there is generally a relationship manager who has an ongoing relationship with individuals who work for the legal entity customer, who visits the customer on a regular basis and is very familiar with the legal entity and the key persons responsible for the relationship with the financial institution. Limiting the options for the identification of natural persons in connection with the legal entity customer does not mitigate an identity fraud risk but creates an administrative burden, in particular when the beneficial owners or other individuals that require identification and verification are not based in the Union and where e-IDAS is not an option. In particular, where identification processes exist in Member States that have been used for more than a decade without material concerns, like video identification processes in Germany, the RTS should allow those processes to continue.
On the other side, the reliance on alternative methods may introduce variability in the level of assurance, depending on the technology, process, and jurisdiction. There may also be a risk of inconsistent application across Member States, potentially undermining the harmonization goal of the AMLR.
Alternative remote solutions should not be strictly temporary but must be subject to ongoing risk assessment, quality control, and regulatory scrutiny.
The regulatory framework should remain technologically neutral, allowing for the evolution of secure, innovative solutions, while maintaining high standards for fraud prevention and customer protection.
Article 22 (6) AMLR refers to ‘the customer and of any person purporting to act on their behalf’. Article 6 (3) draft RTS refers only to ‘the customer’. If the scope of Article 6 (3) draft RTS is intended to match that of Article 22 (6) AMLR, or indeed is intended to cover additional roles that a natural person may have (including, notably, that of beneficial owner), we request that the text be amended to make this clear.
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
Art. 22 (3) and Art. 8 reference different roles, but it is not fully clear what each role entails. It is not clear what the role of the issuer of the virtual IBAN is as opposed to the role of the credit institution holding the payment account. Typically, the credit institution that issues the virtual IBAN is also the credit institution that holds the payment account to which those virtual IBANs are linked. The virtual IBANs might then be provided to customers of the credit institution or to other financial institutions, which would then provide them to their customers.
The RTS should clarify the roles and who should provide information to whom. Otherwise, it appears as if the requirement addresses only (regulated) credit and financial institutions that pass on virtual IBANs after receiving them from another credit or financial institution (and should therefore not apply to passing on to unregulated companies).
Besides this, no obliged entities have access to a reliable register that would indicate whether an IBAN is genuine or virtual. The nationally maintained bank account registers are only available for inspection by public authorities. Irrespective of this, there is no reliable source of information from which the type of IBAN can be determined for the foreseeable future. This provision must therefore be rejected on the grounds of inconsistency, or at least amended with clarification.
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Art. 15 and 16 use the word “risk-sensitive”, but that does not make it fully clear that there can be situations where none of this is required even if SDD does not apply. The respective Articles in the AMLR make it clear that this is only required “where necessary” and not in all cases. It should be made clearer that this is what is meant by “risk-sensitive”.
Article 15: Customer’s Business Activity
This is crucial for risk assessment and transaction monitoring. The requirement seems to be proportionate, but there might be a deficiency as there is a potential for ambiguity or inconsistency in how business activities are described, especially for customers with diverse or evolving operations. Overly generic or vague descriptions can undermine effective risk assessment and monitoring. For customers in emerging industries (e.g., digital assets, gig economy), standard business activity categories may not apply, complicating risk profiling.
The RTS should therefore provide for standardised business activity classifications and risk-based guidance on the level of detail required, as well as practical allowances for customers with legitimate difficulties in providing granular information.
Article 16: Purpose and Intended Nature of Business Relationship
This item can support effective monitoring and risk assessment. The level of detail required is appropriate, but may require additional training for frontline staff.
Article 16 would benefit from clearer guidance on acceptable responses, risk-based flexibility for low-risk relationships, and practical examples to assist staff in eliciting and recording relevant information without creating unnecessary barriers for customers.
A concern is that the questioning of singular events, as listed in Article 16(c) of the RTS, is focused solely on credit institutions and not on the heterogeneous business models of the other obliged entities.
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Art 17 (1) a) seems to indicate that the requirement to identify whether there is a PEP would also apply to SMOs who are deemed beneficial owners of the customer, even though their role is very different to that of a beneficial owner. SMOs do not own assets related to the customer or inject their own funds, and do not expose the customer to the same risk as the beneficial owner. Applying the same measures would result in substantial use of resources within the obliged entities that should be used to mitigate ML/TF risk, when this is not increasing the risk of the customer. The RTS should clarify that those measures do not apply to SMOs.
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We note that according to Article 18 draft RTS, the requirement to collect the commercial name shall also apply to other organisations (“…for a legal entity and other organisations that have legal capacity under national law…”). We assume that the requirements of Article 1 (2) draft RTS apply to these organisations by analogy. We would welcome confirmation of this assumption in the text of the final RTS.
Article 23 governs the minimum information to establish the purpose and intended nature of the business relationship or occasional transaction in low-risk situations, i.e. within SDD measures. Article 32 of the draft RTS, whose sentence 1 deals with the entry into force of the whole RTS, states in sentence 2 that Art. 23 paragraph 1 shall apply to already existing customers and to new customers to be onboarded after the entry into force of this Regulation, and that for already existing customers the information referred to in Article 23(1) shall be updated in a risk-based manner but no later than 5 years after entry into force of this Regulation.
Article 23 does not consist of more than one paragraph, so it should be checked if the reference (only) to Art. 23 draft RTS is right.
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.
No remarks.
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
No remarks.
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 28: Screening of customers
Article 28 draft RTS requires screening of customers and ‘all the entities or persons which own or control such customers’. This could suggest screening all intermediary layers between the UBO and the customer. This would not lead to effective use of scarce resources. We request that screening be limited to relevant layers, such as the direct shareholder and the ultimate parent entity, or based on a percentage of ownership. This approach would focus efforts on meaningful control and ownership and would be in keeping with the risk-based approach evident in the Level 1 text.
Article 29: Screening requirements
Article 29 (a) draft RTS requires screening of first names, surnames, and date of birth for natural persons. Noting that date of birth is not always included in listings of sanctioned persons, we request that the RTS clarify whether the date of birth should be used in the screening match process, or only in alert management to confirm true hits. We suggest that it may be preferable to remove date of birth from initial screening requirements.
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
No remarks.
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
As Section 8 also contains Article 32 regarding the entry into force, for the meaning of Art. 32 sentence 2 please refer to our comment on question 6.
Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.
No remarks.
Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.
No remarks.
Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.
No remarks.
Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.
No remarks.
5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?
No remarks.
5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?
No remarks.
5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?
No remarks.
Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.
No remarks.
Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.
No remarks.
Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?
No remarks.
Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?
No remarks.