Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
Assessing the approach is difficult without knowing the weights of each risk indicator. The methodology should be tailored to different types of entities, as a uniform method may not account for varying risk exposures and internal controls, leading to inconsistent classifications.
Additionally, the draft RTS on Risk Assessment must require supervisors to give each entity its risk classification rating individually and allow them to challenge or comment on it.
Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.
Agreed.
3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?
We are of the opinion that an annual review for the normal frequency is too high, and the rationale for it is not clear. With the further steps of the procedure to be conducted, it is possible that once one review is finalised, another will already have to be initiated. It will add to the costs borne by the industry, as well as the supervisors, which will ultimately be paid by the sector, and in the case of the asset management industry, ultimately by the investors.
3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?
While the asset management industry is prepared to provide data, there are concerns about the relevance and granularity of the proposed data points. These could necessitate major changes in processes and systems, leading to significant implementation costs without enhancing risk assessment. This contradicts the European Commission's focus on simplifying regulations.
For most investment funds, detailed data on missing or incomplete CDD is not readily available. While blocked account numbers can be provided, details on deficient CDD for customers or beneficial owners cannot.
Data related to non-EEA countries does not necessarily indicate higher ML/TF risks, as many non-EEA countries are low risk, and EEA countries do not guarantee low risk. The country's risk level does not always correlate with the customer's risk level.
Subjective data points that lack an automated score may lead to inconsistent evaluations across entities, affecting comparability.
It is crucial that all proposed data points undergo practical testing with a representative group from various sectors and Member States.
3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?
not applicable
Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
As the procedure progresses, it is likely that upon completion of one review, another will need to be initiated immediately. This will increase the expenses incurred by both the industry and the supervisors, which will eventually be passed on to the sector. In the asset management industry, these costs will ultimately be borne by the investors.
Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.
We would question the relevance of the criterion referring to the total number of full-time equivalent employees. We do not believe it to be a good indicator that would justify a reduced frequency for the review of the risk profile of the entity. The main impact it would have would be the narrower scope of entities that could be subject to the reduced frequency review.
Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.
As noted in our response to question 3, being a non-EEA country does not inherently mean higher risk, nor does being an EU/EEA country ensure low risk. The same rules apply to both, so we believe the proposed distinction adds little value.
Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
Asset management companies and AIFMs, along with the funds they manage, may be domiciled in one Member State while offering units/shares for subscription to clients across various Member States and third countries. Within the EU, this distribution is facilitated by the marketing passport as provided in Chapter XI of UCITSD and Article 32 of AIFMD. Although not mandated by these directives, managers frequently establish branches primarily or solely dedicated to marketing these products in specific jurisdictions. These branches typically lack legal personality and do not operate as distributors under a separate marketing license. Their activities are conducted on behalf of the funds and/or the management company domiciled in another EU jurisdiction, with customer-fund relationships governed by the law of the manager's primary office location where all AML obligations are also managed. This practice is well known to ESMA, as such activity requires notification to both national competent authorities and ESMA.
Consequently, we assert that these types of branches should not be classified as establishments under AMLAR provisions or under the freedom to provide services framework. As stated in recital 28 of AMLR: "It is important that AML/CFT requirements apply proportionately and that any requirement imposed is commensurate with the role that obliged entities can play in preventing money laundering and terrorist financing." Accordingly, given that the role of these branches does not encompass the execution of the AML/CFT control framework (e.g., client onboarding, transactions, or payments), they should not be considered when selecting entities for direct supervision by AMLA.
Additionally, we wish to underscore the potential magnitude of entities subject to direct supervision if materiality thresholds are set too low. Article 1(1) of the Draft RTS on Selection stipulates two materiality conditions, with meeting either condition sufficient for a financial institution's activities in a Member State to be considered for AMLA direct supervision. In asset management, intermediaries should be treated as customers (as detailed in our response to question no. 6 on the draft RTS on CDD), making it uncommon to reach 20,000 customers per Member State. However, achieving 50,000,000 EUR in incoming and outgoing transactions from customers in a single Member State is highly likely, particularly if subscriptions and redemptions into the fund are accumulated rather than netted. Open-ended funds, and potentially closed-ended funds reserved for professional/institutional clients, could see underlying clients numbering hundreds of thousands, with daily inflows and outflows due to their ability to subscribe and redeem units or shares regularly.
Therefore, we suggest adding an additional criterion to clarify that activities mentioned in Article 12(7) of AMLAR pertain solely to those related to the AML/CFT control framework. Furthermore, we advocate for reviewing thresholds to suit specific industry sectors and applying them cumulatively within a Member State to qualify it under Article 12(7) AMLAR.
We propose the following wording for Article 1(1) of the draft RTS on Selection:
"The activities of a credit institution or financial institution under the freedom to provide services in a Member State other than where it is established shall be considered material for the purposes of Article 12(1) of Regulation (EU) 2024/1620, where:
a) those activities are related to the execution of the AML/CFT control framework (for example customer onboarding); (...)
Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.
Please see our response to question no. 1 above.
Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.
We do not believe a distinction should be made. Please also see our response to question 1 above.
Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.
To prevent duplications, we propose that the risk rating already assigned by each competent authority per article 40(2) of AMLD should not be replicated by AMLA. The evaluation conducted by each competent authority should be duly considered for this purpose.
Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.
No comment.
Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
Please refer to our response to question 1. For both individual entities and groups, assessment should focus on entities obligated under the AML framework and involved in AML/CFT controls.
We propose defining “N” in Article 5(2) of the draft RTS on Selection as:
“_N: number of obliged entities in the group carrying out AML/CFT controls_”
Additionally, calculating the second threshold in Article 5(2) (i.e., “the total amount in Euro of incoming and outgoing transactions”) may be challenging or irrelevant for certain businesses, like those in the investment fund/asset management industry.
Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.
Please see our response to question no. 6 above.
Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?
Please see our response to questions no. 1 and 6 above.
Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
No comment
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 1:
We propose the following re-wording of article 1:
Art 1(1) - "In relation to the names and surnames of a natural person as referred to in Article 22(1)(a) point (i) of Regulation (EU) 2024/1624, obliged entities shall obtain all of the customer's full names and surnames. Obliged entities shall gather at least those names that feature on their identity document, passport or equivalent or that are available from independent reliable sources."
Art 1(2) - "For legal entities, firms must obtain both the registered name and the commercial name if it differs from the registered name and if available."
Article 2:
We propose the following re-wording of article 2:
Art.2: “The information on the address as referred to in Article 22(1) (a) point (iv) and 22(1) (b) point (ii) of Regulation (EU) 2024/1624 shall consist of the full country name, postal code, city, street name, and where available, building number and apartment number as appropriate.
In the case of any person purporting to act on behalf of a legal entity customer or a Senior Managing Official who is identified as the ultimate beneficial owner but who acts in their professional capacity, the address of the registered office of the legal entity will suffice.
The requirement for collecting full residential addresses appears to be drafted from a retail customer perspective. For related parties in a wholesale/institutional context, the personal address may not be adding value and we believe that the country of residence might suffice. The RTS should consider this distinction and provide flexibility, using risk-sensitive measures accordingly.
Persons purporting to act on behalf are by and large employees of a legal entity and we consider the collection of the business address sufficient, as they are acting in their capacity as an employee and not as an individual.
In addition, the article is too prescriptive. Indeed, not all countries have postal codes, and not all customers (especially outside of the EU) live on defined streets or cities. We therefore suggest adding “as appropriate” at the end of the article.
Article 4
We propose the following re-wording of article 4:
For the purposes of Article 22 (1) (a) point (iii) of Regulation (EU) 2024/1624 obliged entities shall take reasonable measures to know of any other nationalities their customer may hold.
Indeed, it is unclear how obliged entities would be able to satisfy themselves that they know of any other nationalities their customers may hold.
Article 5
We propose the following re-wording of article 5(5):
For the purposes of verifying the identity of the person referred to in Article 22(6) of Regulation (EU) 2024/1624, the obliged entity shall gather from the person or from other reliable sources, an identity document, passport or equivalent. For customers posing a higher risk of ML/TF the obliged entities shall adopt appropriate mitigation measures such as, for example, those referred under Article 6.
Below are the reasons supporting our proposal,
- especially taking into account the specificities of the collective investment/ Asset Management sector:
We would like to highlight that when investors invest in funds, they are already a client of a bank, and a first level of identification and verification has already been performed by the bank (i.e. at the placement stage), which is itself subject to AML/CFT due diligence obligations. Every investor, whether retail or institutional, will invest into an investment fund using their own bank account. Investing in investment funds is a single purpose business relationship, which is inherent in the business. Any payment to the investor or to the financial intermediary (a regulated financial institution) is made via a bank account that is recorded at the beginning of the relationship with the investor. The payment is always made to a bank account in the investor's name only, as third-party payments are not facilitated. No subscription is made through cash. The focus should be to mitigate the risk of money laundering and terrorist financing and the way the identity of a person could be verified should follow a risk-based approach.
- And more in general:
- The requirement of collecting the original/certified documents is not aligned to a risk-based approach and consequently creates unnecessary administrative burden and additional costs on the investors, which is contrary to the principle of investor protection and its best interest. In addition, this burden discourages investors from investing in funds. This goes against the Commission’s plan to increase financial inclusion and investors' participation in financing the economy. The current concern in Europe is to channel individuals’ savings towards the real economy, which has led the EU to engage in improving the CMU further. Moreover, this would in fact impact the cost of compliance and would, as a consequence, also have an impact on the EU markets' competitiveness compared to non-EU ones.
A risk-based approach needs to be applied when collecting IDs to avoid unnecessary costs and burden. The effort and focus of obtaining IDs in original and/or certified form should be required only in case of inconsistencies or doubts on the actual identity of the customer. In particular, document certification is solely one of the numerous measures (and certainly not the most effective) an obliged entity can take to verify the obtained information.
- Not all passports and identification documents contain the same elements, such as place of birth, facial image, machine-readable zone, which may not be present in documents like driver's licenses or certain national passports. The RTS should acknowledge these differences and provide flexibility.
- There is an inconsistency between the data points required for identification and verification. While identification requires names as they appear on the ID, verification demands all names and surnames, which may not be mandatory in some jurisdictions.
- The requirement for a "certified translation" may not add value, in particular where the relevant entity may avail of internal human resources having appropriate command of the language in which the ID document is drafted, and also the availability of AI or other translation tools.
Article 10
We propose the following re-wording of art. 10:
For the purposes of understanding the ownership and control structure of the customer in accordance with Article 20(1) (b) of Regulation (EU) 2024/1624, in situations where the customer’s ownership and control structure is complex and posing a higher risk of ML/TF, obliged entities shall obtain the following information:
a. a reference to the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their economical beneficial owners owning more than 25% within the customer structure, if any;
b. with respect to each legal entity or legal arrangement within the referred intermediary connections, the legal form of each legal entity or legal arrangement; the jurisdiction of incorporation or registration of the legal person or legal arrangement, or, in the case of a trust, the jurisdiction of its governing law; and
c. information on the regulated market on which the securities are listed, in case a legal entity in an intermediate level of the ownership and control structure has its securities listed on a regulated market, and the extent of the listing if not all the legal entity’s securities are listed on a regulated market.
Rationale: For consistency purposes, we suggest that the requirements reflected in this Article are triggered only in case a high-risk complex structure is identified (noting that a definition of “complex structure” is provided by Article 11 – please refer to our comments on this Article hereafter). Further, prescribing such requirements for any ownership or control structure involving more than one legal entity or legal arrangement denies the principle of risk-based approach, as this type of structure does not necessarily result in a higher risk (please refer to our comments under Article 11). Relatedly, this would imply gathering additional information and documentation for a number of customers/investors, thus representing additional costs for compliance, ultimately borne by investors and hindering the competitiveness of the EU financial center.
Article 11
We propose the following re-wording of art. 11:
"To understand the ownership and control structure of the customer in accordance with Article 20(1)(b) of Regulation (EU) 2024/1624, obliged entities shall treat an ownership and control structure as complex where there are multiple layers between the customer and the beneficial owner and in addition, one of the following conditions is met:
a. there is an anomalous legal arrangement within the structure;
b. the structure presents, at any of its layers, legal arrangements/legal entities which are incorporated or domiciled in a jurisdiction included in the EU list of non-cooperative jurisdictions for tax purposes;
c. there are nominee shareholders and/or directors involved in the structure; or
d. there are indications of non-transparent ownership with no legitimate economic rationale or justification."
Rationale:
Defining as complex two-layer structures having entities in different jurisdictions would result in considering the vast majority of the customers of investment funds and investment funds managers as complex. This is not reflective of the actual risk and would de facto encompass all international firms, in particular Financial Institutions that likely have multiple layers of legal entities between a local entity and the ultimate parent. For those firms, these structures are in place for business and organisational purposes and not to hide any (ultimate) ownership, as the ultimate ownership is always known. By maintaining the original wording of the article, significant administrative burdens and costs will be engendered without any mitigation effect on the money laundering and terrorist financing risks.
Flexibility is needed to focus on structures that are truly complex and high risk, no matter how many layers they have. The risk of considering too many entities as complex is that obliged entities will miss the actual money laundering and terrorist financing risks and focus on a tick box approach instead.
Article 12:
We propose the following re-wording of art. 12:
In relation to senior managing officials as referred to in Article 22(2) second paragraph of Regulation (EU) 2024/1624, obliged entities shall:
a. collect the information for identification purposes; and
b. verify the identity of senior managing officials using risk sensitive measures
Below are the reasons supporting our proposal:
A distinction should be made between a senior managing official identified in the absence of beneficial owners identified based on control or ownership, and stricto sensu beneficial owners. The money laundering and terrorist financing risk to a senior managing official is low as a senior managing official may be, and often is, simply an employee in an entity and does not normally have a personal financial interest in the investment being placed in the relevant investment fund and/or may not have control by other means in the entity. On the other hand, a beneficial owner who may have a personal financial interest and may control the entity by other means has a different risk. It is important to focus on the real risk and stick to the "follow the money" principle.
In practice, the vast majority of cases of SMO beneficial owners are for publicly listed entities and large firms with no significant single shareholders.
These entities pose a low money laundering risk regarding the beneficial owner side and obtaining an official ID document of e.g. the CEO of Apple and details of his personal address will not be feasible for security concerns. In addition, there is no doubt about this individual's role, nor that he exists. Collecting ID and address of a SMO does not impact the overall risk profile of the customer, therefore not adding any value or comfort to the obliged entity.
This point is likely to create significant damage to EU businesses: as a consequence, instead of asking an EU firm to manage a pension fund for Apple, they will likely ask a firm in the US or the UK to do so where the burden for them will be significantly lower for SMO (and authorised signatories).
Article 13
We suggest redrafting Article 13 (1):
“For the purposes of Article 22(4) of Regulation (EU) 2024/1624, the information obliged entities shall collect includes: a. a description of the class of beneficiaries and its characteristics, which shall contain sufficient information to allow the obliged entity to determine whether individual beneficiaries are ascertainable and shall be treated as beneficial owners at the point of payment request; and b. relevant documents to enable the obliged entity to establish that the description is correct and up-to-date on a risk-based approach."
Rationale:
Most trusts, such as UK trusts, will for example have beneficiaries designated whenever a new child/grandchild is born. That child will have no impact on the customer risk profile and is not to be considered a beneficial owner until a payment is made. We therefore recommend having this control whenever a payment is requested to a beneficiary.
We suggest redrafting Article 13 (2):
“Obliged entities shall take risk-sensitive measures to ensure that the trustee, the legal entity or the legal arrangement provide, at the point of payment request relevant information on beneficiaries previously identified by class or characteristics.”
Rationale: Regarding the requirement under Article 13(2) for obliged entities to “take risk-sensitive measures to ensure that the trustee, the legal entity or the legal arrangement provide timely updates, including on specific events that may lead to beneficiaries previously identified by class or characteristics becoming ascertainable and thus beneficial owners”, it is likely that trusts will refuse to take on such a commitment to proactively inform the fund or its manager. Hence, same as above, we suggest having this control at the time when a payment is requested to a beneficiary.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
No comment
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
Not applicable
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 15
Art 15(c) states that: “[…] obliged entities shall take risk-sensitive measures to determine […] whether the customer has additional business relationships with the obliged entity or its wider group where applicable, and the extent to which that influences the obliged entity’s understanding of the customer and the source of funds”.
In this article, the reference to the wider group appears unclear in the case of investment funds. The wording should be qualified with “where relevant”, and/or “on a risk-based approach”.
Article 16
Art.16 provides a list of information to be gathered in connection with the purpose and intended nature of the business relationship. The introductory sentence should expressly limit these data “where relevant”, and/or “on a risk-based approach”. In the asset management sector, the sole purpose of the relationship and intended nature is long term investment and investment growth. By default, an asset manager is a product manufacturer and offers investment solutions only. It does not provide any other products or services.
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 17
Art.17(1)(b) provides that it shall be reassessed whether existing customers/BOs have become PEPs under certain circumstances, including “at least if significant changes in the customer due diligence data occur, such as the nature of the customers’ business, employment or occupation”. The appreciation of the “significant changes” triggering a reassessment should be left to the obliged entities, applying a risk-based approach. In particular, a change in the customer’s business, employment or occupation does not necessarily expose to the risk of PEP (re)qualification: these items should be qualified with “where relevant”.
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
General comments and remarks on section 4 of the draft RTS
We welcome the inclusion of section 4 in the draft RTS. It provides valuable guidance and enables the application of the risk-based approach to money laundering and terrorism financing risks.
The EU collective investment sector, which represents net assets of investment funds domiciled in Europe, UCITS and AIFs, totalled EUR 21.9 trillion at the end of 2021. Luxembourg and Ireland are the two largest domiciles of UCITS and AIFs, with a market share of 26.8% and 18.6%, respectively (2021). Germany, France and the United Kingdom follow in this ranking. The sector includes a variety of distribution models and is often characterized by a high degree of intermediation and multiple obliged entities (e.g. platforms, banks, distributors …) between the investment fund and the private individual investing their assets into a product through and in the name of their bank. Business relationships have a global span and are by nature mostly remote, without necessarily representing a heightened ML/TF risk, as the investors always invest via a bank account; cash or occasional transactions are excluded.
Private individuals can access a UCITS product of multiple product manufacturers without needing a direct relationship with them, which makes the investment easier, cheaper and safer for the individual as the individual will solely face his/her bank, who can advise holistically on the best products for the individual's risk profile and financial situation. The individual also does not need to maintain different relationships with different providers and has an easy overview of their financial situation in its entirety.
In most cases, the intermediary is registered in the fund’s share/unitholder register and typically nets all of its customers’ orders and submits a single net order to the investment fund each day. In line with the FATF guidelines on the securities sector, the intermediary is therefore treated as customer/investor and is subject to AML/CFT due diligence as such (rather than the intermediaries’ customers who, as explained above, have for their benefit no direct relationship with the product manufacturer).
In consideration of the above, section 4 of the RTS could potentially have unforeseen adverse effects on the investment fund industry as a whole and risk counteracting the efforts made to increase the retail investments in the EU. There is a real risk that this additional burden will be to the detriment of the private individual (as explained above).
Please find below our comments on the articles of the RTS that we believe to be problematic.
Remarks on specific articles
Article 18
We propose the below re-wording of art. 18(2): “Paragraph 1 shall apply also to persons on whose behalf or for the benefit of whom a transaction or activity is being conducted, where appropriate based on the economic activity of the customer”
We note that this article is limited to the identification of the customer and not the verification.
Article 18 states that obliged entities shall also obtain the information listed in paragraph 1 for persons on whose behalf or for the benefit of whom a transaction or activity is being conducted.
While we understand the intent of the wording, it is important to highlight that this could be understood to include those entities that would fall under point 16.14 paragraph b) of guideline 16 of EBA's Guidelines (EBA/GL/2021/02), for example other investment funds (fund of fund type situation), pension providers, certain types of insurance products etc.
Identifying all individuals that ultimately benefit from such an investment is not in line with the ML and TF risk associated with the client type and is likely to cause material administrative and operational costs. Moreover, there are GDPR related concerns given that the entities are the legal owners of the shares/units. If there are investments made by a bank on behalf of 10000 of their customers, it is practical neither for the asset manager nor for any of the individuals to have to provide their ID documentation twice for the same transaction. However, the intermediaries’ customers are identified if they represent a significant investor in the fund (i.e. more than 25% of the shares/units) and thus could be considered as beneficial owners of the investment fund itself.
Moreover, art.18(1)(b) requires systematic collection (even in case of lower risk), for legal entities, of notably “the tax identification number or the legal entity identifier where applicable”. Systematic relevance of this information for AML/KYC due diligence purposes is questionable, noting that the same article requires in any case the collection of the “registration number” of the entity.
Article 21
We understand that the intention of article 21 is to clarify the simplified due diligence measures, as well as the extent of these measures, an investment fund shall perform with regards to intermediaries that invest in their own name on behalf of customers in the fund as described in paragraph c) of the point 16.14 of the guideline EBA/GL/2021/02.
In order to avoid any confusion and to align with the FATF securities sector guidelines, we suggest amending the text of the article as follows:
When an entity is acting as intermediary by subscribing for shares, units or other ownership interests of a collective investment undertaking in its own name, but on behalf of its customers, such collective investment undertaking may fulfil the requirement under Article 20(1)(h) of Regulation (EU) 2024/1624 by following up with the intermediary by making a request for information on any particular transaction(s), possibly leading to more information being requested on the underlying customers of the intermediary on a risk-sensitive basis, in case of any unusual activity or transaction on the part of the intermediary, or any potential deviations from the agreed terms of the arrangements governing the business relationship.
In addition, the collective investment undertaking shall be satisfied that:
- the intermediary is subject to AML/CFT obligations in an EU Member State or in a third country that has AML/CFT requirements that are comparable to those required by Regulation (EU) 2024/1624;
- the intermediary is effectively supervised for compliance with these requirements;
- the risk associated with the business relationship is not high;
- the fund or fund manager is satisfied that the intermediary applies robust and risk sensitive CDD measures to its own customers and its customers’ beneficial owners.
In practice, find below some typical examples of due diligence that we would apply in line with the 2018 FATF risk-based approach guidance for the securities sector. In particular, in cases of EDD, additional measures are taken in addition to those mentioned above.
SDD:
- Verifying regulatory status and the comparability of the AML/CFT framework
EDD:
- Obtaining additional customer information, such as the customer’s reputation and background from a wider variety of sources before the establishment of the business risk profile;
- Being satisfied that the intermediary applies robust and risk sensitive CDD measures to its own customers and its customers’ beneficial owners.
Rationale:
The requirement to ensure that the intermediary provides DD information and documents on their customers immediately upon their request is highly problematic. Such an approach is not in line with FATF securities sector guidelines and, as mentioned above, of limited value. Their customers are already subject to CDD measures performed by the intermediary, an obliged entity in its own right, and the robustness of the intermediary's AML process has already been scrutinized by the investment fund (in addition to their own internal processes, their auditors and their regulators).
In reference to paragraph 108 of the FATF securities sector Guidelines “The correspondent institution should monitor the respondent institution’s transactions with a view to detecting any changes in the respondent institution’s risk profile (i.e. compliance with AML/CFT measures and applicable targeted financial sanctions), any unusual activity or transaction on the part of the respondent, or any potential deviations from the agreed terms of the arrangements governing the correspondent relationship. Where such concerns are detected, the securities provider should follow-up with the intermediary by making a request for information on any particular transaction(s), possibly leading to more information being requested on the underlying customers of the intermediary on a risk-sensitive basis.”
This would, for example, include a loss of license or significant fine for shortcomings with AML/CTF legislation which is not adequately addressed and, in these situations, the asset manager should take, and is taking, action.
Below are the supporting reasons:
- We note that the current wording of the article implies that for intermediaries that are not low risk (e.g. medium-low risk or medium risk) a full look-through on their client base is required. In practice, this is very difficult to achieve and only yields limited insights given that the underlying customers can change on a daily basis as well as the complexities of the possible distribution set-ups. When banks invest on behalf of their customers, it is likely to be tens of thousands of customers with small value investments or regular savings plans/retirement plans. For their data to be provided, processed and screened (for a 2nd, 3rd, 5th or 10th time depending on how many products they invest in to diversify their investment) will significantly overflow current processes and systems and will create massive costs to Asset Managers. Costs that they would not need to incur if domiciled in other jurisdictions, such as the UK.
- We suggest, more generally and not limited to the application of simplified Due Diligence, to put the emphasis on the due diligence measures performed on the intermediary and the robustness of its AML processes, in line with FATF recommendations. This already very onerous process, which duplicates regulatory oversight and audit regimes, provides more assurance, is far less disruptive and generates lower costs. Under the current proposal, it would be virtually impossible to distribute EU investment funds in certain medium risk markets. It would significantly hurt the competitiveness of the UCITS brand, especially outside of the EU, and we would see significant downsides to all EU providers and what is a trillion EUR industry diminish.
- There are also practical hurdles requesting information on underlying customers, such as privacy and data protection laws in certain EU and non-EU countries. Regardless of the business impact for the European Investment Fund Industry, the costs associated with implementing such measures are significant (e.g. changing existing distribution agreements) and outweigh the fleeting gains that could be derived from it.
- Generally speaking, we consider that this measure could lead to duplication of efforts (if only one product manufacturer is chosen; if 10 are chosen, the efforts would be multiplied by 10) and introduce inefficiencies and unnecessary burden and cost for the private individual. In our view, the due diligence measures should focus on understanding and assessing the intermediaries' AML/CDD processes.
Article 22
We propose the following wording:
“Obliged entities shall take the necessary risk-based measures to ensure that they hold up-to-date customer identification documents and/or information data at all times”.
Below are the reasons supporting our proposal:
We have concerns that this could be interpreted as requiring obliged entities to check on a daily basis that the customer information is up to date, which would be very onerous and costly and not at all risk based.
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.
See responses to Q6 above
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Section 5 of the draft RTS on CDD establishes additional information that has to be obtained by obliged entities in instances where the use of enhanced CDD would be justified. We are of the opinion that these obligations are too prescriptive and do not leave sufficient room for the obliged entities to apply a risk-based approach. While we understand the need for broader harmonisation of AML/CFT rules, this should not take the place of a risk-based approach, which remains the pillar of a successful AML/CFT framework. Otherwise, these provisions risk creating a list of obligations that would become a tick-the-box exercise, rather than encouraging thorough assessment of a particular situation and the risks it represents. We also believe that this was not the approach intended by Art. 34(4) of AMLR and as such, solutions proposed in Section 5 might be going beyond the mandate under Art. 28(1)(a) of AMLR.
Therefore, we would propose the following changes in section 5 of the draft RTS on CDD:
- Words “shall, at least” to be replaced by “may include” in all four articles.
- Deletion of letter d in Art. 24 and in Art. 27, as it is not the responsibility of the obliged entities to investigate the criminal activity.
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
- Screening of customers (Art. 28)
EFAMA would like to highlight that Art. 28 of the draft RTS on CDD goes beyond what was prescribed by Art. 20(1)(d) of AMLR. It requires that scanning measures shall be applied by obliged entities not only to customers, but also to all entities and persons which own or control such customers. At the same time, in Art. 20(1)(d) of AMLR this scanning was limited in the case of legal entities to persons who control the legal entity or have more than 50% property rights or majority interest. This, to our understanding, clearly limits the scope of such scanning.
In order to keep the provisions of the draft RTS on CDD in line with rules established by Level 1 provisions, we propose the following change in the wording of Art. 28:
“To comply with Article 20(1)(d) of Regulation (EU) 2014/1624, obliged entities shall apply screening measures to their customers and to all the relevant entities or persons who own or control or meet the ownership conditions over such customers as provided by this Article.”
- Screening requirements (Art. 29)
Article 29 is too prescriptive and risks multiplying the possible “hits” the obliged entity would get when screening its database. As multiple “hits” reduce the effectiveness of the whole process they are not desirable.
Therefore, we propose the following wording for the introductory part in Art. 29(a) of the draft RTS on CDD:
“a. Screen through automated screening tools or solutions, or a combination of automated screening tools and manual checks, unless the size, business model, complexity or nature of the business of the obliged entity allows for manual checks only, the following information where appropriate:”
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Non-Applicable
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
No comment
Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.
The following further elements could be taken into account under the list of indicators:
- whether the breach was caused by the obliged entity itself or a third party;
- whether the breach related only to entity’s own AML/CFT procedures and policies or whether it also led to the breach of applicable regulatory obligations.
Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.
No comment
Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.
No comment
Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.
I would like to highlight the need for caution when it comes to holding natural persons personally responsible for the breaches of obliged entities. In particular, the implications of such an approach on the availability of professionals performing compliance functions have to be taken into account.
The role of compliance is critical for the proper execution of AML/CFT obligations by the entity. However, as such functions do not hold executive powers, the responsibility for any regulatory breaches does not rest solely with them. Rather, they provide continuous oversight and advice to the decision-making bodies.
We believe that it would be disproportionate to hold personally liable the compliance team for the failures caused by decisions made by senior management of the company. It would also be against the usual three lines of defence model, where compliance plays the role of the second line. It could also undermine the attractiveness of these positions and further increase the difficulties in finding experienced professionals ready to hold this position in the financial sector. Shortages of well-qualified staff will have a counterproductive effect on the resilience of the entire sector.
While Art. 4(4) of the draft RTS on Sanctions recognises the need to take into account “their role in the obliged entities and the scope of their functions”, we are of the opinion that their involvement in the decision making process should also play an important role.
5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?
For all these measures, given their impact, they should be reserved for the breaches with the highest level of gravity, i.e. breaches with gravity classified as category four (while current draft refers to category three or four). Alternatively, they could be extended to category three breaches e.g. in case of failure by relevant obliged entity to remedy within a predefined timeframe.
5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?
For all these measures, given their impact, they should be reserved for the breaches with the highest level of gravity, i.e. breaches with gravity classified as category four (while current draft refers to category three or four). Alternatively, they could be extended to category three breaches e.g. in case of failure by relevant obliged entity to remedy within a predefined timeframe.
5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?
For all these measures, given their impact, they should be reserved for the breaches with the highest level of gravity, i.e. breaches with gravity classified as category four (while current draft refers to category three or four). Alternatively, they could be extended to category three breaches e.g. in case of failure by relevant obliged entity to remedy within a predefined timeframe.
Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.
Not applicable
Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.
Please see my response to Q4
Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?
No comment
Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?
No comment