Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

For guarantee banks as cooperation partners of the lending house banks and savings banks, the customer acceptance process and customer support are usually handled by the financing institution, whereby these are almost exclusively corporate customers, and the development loan business involves little risk of money laundering. The guarantee is also linked to the underlying transaction “loan”, so that a failure of this customer’s contractual relationship with the principal bank also prevents or terminates the customer relationship with the guarantee bank. An independent business relationship of the guarantor alone is not possible with guarantees, which is why a separate individual fulfilment of the due diligence obligations does not appear to be expedient – the KYC measures only fulfil their purpose together with the lender. As such, the KYC, updating and reporting obligations should only exist jointly with the “principal obligated party”/house bank for development institutions, at least in the case of pure collateralisation, and adequate regulations should be created, as already laid down in Germany by the FIU and BaFin in their key points paper to avoid double reporting.

We generally agree with the proposals in Section 1 of the draft RTS but have concerns about the potential increase in compliance costs and operational challenges for guarantee banks and guarantee institutions. In our view, several RTS provisions lack proportionality and risk-based nuance. Requirements such as the collection of detailed data on intermediary companies in a structure for parties with whom no business relationship exists, extensive documentation requirements for non-face-to-face onboarding or exact information on addresses and countries of birth, without consideration of the risks, impose a significant burden on costs and operators. As currently drafted, the lack of flexibility will lead to disproportionately high compliance costs, unnecessary customer contact and delays in implementation, without limiting the corresponding risk-mitigating effects. We therefore propose the following amendments.

Article 1 - Names of natural persons and legal entities

• With regard to the required information on the name of the legal entity, we suggest adding that a trade name should only be requested if it is available.

Article 2 – Information to be obtained in relation to addresses

• We propose flexibility in situations where no zip code or street name exists. In such cases, institutions should be allowed to record the address provided by the customer, in accordance with Article 22 (1) (a) (iv) of the AMLR.
• We assume that the requirements for data collection are limited to collection from the customer, but not to further verification. It should be sufficient to ask the customer to provide this data.

Article 3 – Specification of the place of birth

• We propose deleting the requirement to state the country of birth. In practice, there are considerable differences in the indication of the place of birth in identity documents. While most documents only state the place of birth (e.g. in Germany), it is rare for both the place and country of birth to be stated in the document. Determining the country of birth is therefore associated with uncertainties. This applies in particular to countries that no longer exist in their former form. The risk of collecting incorrect data or recording information differently due to a lack of clear standards is higher than the added value of such a provision.

Article 4 – Specification of nationalities

• As set out in the general comments, in relation to the term “satisfy themselves,” we suggest explicitly stating that institutions may rely on the information provided by the client unless there are risk factors or warning signals that would warrant additional verification.

Article 5 – Documents for the verification of identity

• Our understanding is that Art. 5 (1) only applies to documents that are not official passports or national identity documents and that this article contains an exhaustive list of characteristics that a document must contain in order to be treated as equivalent to a passport or national identity document for the purposes of verifying a customer’s identity under Article 22 (1)(a) of the AMLR. If the document presented is a valid passport or national identity document issued by a state or public authority (e.g. in the Netherlands identity card, driving license), we consider that this can be accepted without further conditions, even if certain elements listed in Article 5(1) are missing. For example, a passport that does not contain an MRZ does not have to be excluded from use if it is a valid national identity document. This should not only apply to low-risk situations, as mentioned in recital 14.
• We consider that these criteria can be interpreted with sufficient flexibility to take into account valid identity documents that are generally accepted in national legislation. For example, in relation to Article 5 (2) and Article 3 of the RTS, we note that not all identity documents include country of birth or nationality. We interpret Art. 5 (2) as allowing for reasonable flexibility, whereby such identity documents are still accepted, and any missing data can be supplemented by information provided by the customer. This also applies to information such as habitual residence, which is not included in most identity documents but is required under Article 22 (1) (a) of the AMLR. Such information is obtained directly from the customer.
• We assume that in cases where a customer’s identity has already been verified under national law prior to the entry into force of the AMLR, this verification remains valid and there is no obligation to re-verify a customer’s identity simply because the document no longer meets all the conditions of Art. 5 (1). Once the identity has been verified, it should remain valid unless risk-based triggers indicate the need for re-verification.

Article 7 – Reliable and independent sources of information

• We believe that the reference in Art. 22 (6) (a) of the AMLR to the use of reliable and independent sources “where relevant” should be interpreted on a risk basis. This means that for customers classified as low or medium risk, it may not be necessary to obtain additional information beyond the identification document to verify the customer’s identity. In these cases, a customer declaration may fall within the scope of reliable and independent information in lower risk scenarios, unless the obliged entity has a valid reason to believe otherwise. For high-risk customers, however, obtaining additional information may be appropriate.
• Further clarification is needed on what is meant by “risk-sensitive measures to assess the credibility of the source.” The current wording leaves room for different interpretations, particularly with regard to the level of due diligence expected for different risk categories.
• We also advocate further clarification of the term “current.” There is no consistent practice across EU Member States regarding the acceptable age or “currency” of data on legal persons and supporting documentation used for KYC checks. This applies both to the duration of the acceptable age and the starting point for determining “currency”. We request that the RTS clarifies the duration for which relevant documents are considered new or “current”. This could be done by making the requirement of “current” only for documents that originate from a public register and therefore have an extract date, and then setting a time limit for these extracts.

Article 10 – Understanding the client’s ownership and control structure

• The extensive requirements to understand the customer’s ownership and control structure in the case of complex structures go beyond the wording of the AMLR. Furthermore, it contradicts the risk-based approach that the AMLR explicitly promotes by not allowing the option of less stringent information collection in a low-risk scenario.
• Furthermore, the draft does not specify from whom and how this information is to be obtained. We conclude from this that it is up to the obligated parties to obtain the information themselves, if necessary also via public sources.

Article 11 – Understanding the client’s ownership and control structure in the case of complex structures

• Art. 11 contains a very broad definition of “complex structures.” Many clients naturally have several layers of ownership, sometimes in different jurisdictions. Applying this definition without a risk-based differentiation could lead to unnecessary bureaucracy. We recommend allowing for proportionality and a risk-based assessment.
• We also ask for clarification of the term “organisation chart.” We interpret it as the ownership/control path between the customer and its UBO, but not the entire structure. Where reliable sources are available, companies should not be required to obtain organisational charts from customers.

Article 12 – Information on senior executives

• In our view, Art. 12 of the RTS goes beyond the mandate of Art. 22 (2) of the AMLR by equating the requirements for UBOs and SMOs. As the RTS makes a clear distinction between UBO and SMO, we believe that they should not fall under the same requirements. We believe that a business address should be sufficient for senior executives. Requiring a residential address is disproportionate and questionable as SMOs do not act as UBOs and are explicitly not considered as such.

Articles 13-14

• We suggest clarifying what is meant by “sufficient information” in the context of both articles, e.g. by providing practical examples, in particular for complex trust structures or for cases where information is not publicly available.
• We recommend inserting the word “proportionate” before “measures” in Article 14 (2) (b) to clarify that a risk-based approach is permissible, as this is in line with the principle of proportionality and existing anti-money laundering practices.

In general, recourse to third parties is very important for guarantee institutions in the case of individual guarantees, where the guarantee institution guarantees a credit transaction between the financing bank and the beneficiary company. This avoids the same information being requested twice for the same transaction.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

We support the use of remote solutions for customer verification in a non face-to-face context, as described in Article 6 paragraphs 2-6, as these solutions would provide a sufficient level of protection against identity fraud. Remote solutions can be more accessible for customers who may not have e-IDAS-compliant electronic identities, such as those belonging to vulnerable groups, which is particularly important for guarantee institutions whose mission is notably to ensure financial inclusion. In that sense, we advocate for remote solutions to be a permanent alternative where e-IDAS-compliant solutions are not feasible/accessible. Moreover, we warmly welcome the possibility for obliged entities to accept reproductions of an original document, often the easiest and most straightforward way to verify the identity of a customer in a non face-to-face context.

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

We generally support the proposals in Article 8 regarding virtual IBANs, since for SME customers, the nature of a guarantee transaction inherently involves a relationship with the credit or financial institution that offers the loan. As such, this approach not only streamlines the verification process but also reduces unnecessary bureaucratic burden, as the guarantee institution’s customers are effectively managed and monitored by the banks themselves.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Articles 15 and 16 contain a large number of requirements that are too extensive in terms of content in the context of general due diligence obligations for normal risk scenarios. This contradicts the risk-based approach, as the wording of the provisions already sets out very detailed requirements and leaves no room for choice. In cases where no higher risk is apparent, this unnecessarily ties up capacity and impairs the customer relationship. In line with the reasoning (2) and the principle of proportionality, we call for obliged entities to be given greater leeway in obtaining the relevant information, as these scenarios are explicitly not covered by the EDD. In terms of content, we simply see no need to collect the documents mentioned in order to identify and understand the purpose and nature of the business relationship or occasional transaction.

Article 15 – Indication of the purpose and intended nature of the business relationship or occasional transaction

• The provisions in Art. 15 partially go beyond the legal basis in Art. 20 (1) (c) of the AMLR. Even under the EDD, asset tracing should not be a standard requirement (see our comments on Article 27). It is an intrusive measure that should be applied selectively and only in clear high-risk situations. Treating it as a default requirement in any higher risk context is counterproductive and inconsistent with effective risk prioritization.

Article 16 – Understanding the purpose and intended nature of the business relationship or occasional transaction

• The requirement under Art. 16 (c) to obtain detailed information about a customer’s employment income (including salary, wages, bonuses, pension or retirement funds, government benefits, business income, savings, loans, capital gains, inheritances, gifts and other asset disposals) is excessive as there are no risk indicators. While we understand that such information may be useful for clarification in cases of doubt or suspicion, it seems disproportionate in standard CDD scenarios such as the opening of a payment account by an individual or the execution of routine transactions.

Moreover, for institutions who have no direct contact with the SMEs but have the banks/lenders as partners, these obligations can mean administrative burden while providing no relevant information regarding the SMEs’ financial needs. For such entities, these exercises could be voluntary.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We appreciate the possibility for less complex obliged entities like guarantee institutions to rely on manual checks for the identification and verification of politically exposed persons (PEPs). This provision is particularly beneficial as it aligns with the operational realities and capabilities of guarantee institutions. In the case of individual guarantees, guarantee institutions often have a direct and well-established relationship with their SME customers, so manual checks are particularly effective to verify the necessary information. By permitting manual checks, the draft RTS acknowledges the unique operational framework of guarantee institutions, ensuring that they can comply with CDD obligations in a manner that is both practical and efficient, without imposing unnecessary technological or administrative burdens.

Article 17 – Identification of politically exposed persons

• However, as an improvement, we suggest that Art. 17 introduces a more risk-based approach in relation to relatives and related parties (RCAs) of PEPs, based on the individual scenario and the nature of the relationship. A clarification that opens the possibility to rely on information available in various provider lists (e.g. Factiva, Dow Jones, Info4c ...) could be helpful in this sense.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We welcome the simplified due diligence measures proposed in Section 4 of the draft RTS, as they would be particularly well-suited for lower-risk transactions such as promotional guarantee transactions to SMEs. As outlined in Article 18, collecting only the most fundamental details, like the legal form, registered name, and address is appropriate and minimises unnecessary administrative burden for both the low risk obliged entity and their SME clients. The provisions in Article 19 for the identification and verification of beneficial owners or senior managing officials in low-risk situations are also well-balanced, allowing for the use of reliable sources such as central registers or customer statements, which is already widely practiced by guarantee institutions.

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.

We strongly support the identification of promotional SME guarantees as financial products that should benefit from specific sectoral simplified due diligence measures. Guarantee institutions play an important role in overcoming the market failure of access to finance for SMEs, as they provide guarantees to SMEs that have an economically sound project but do not dispose of sufficient bankable collateral. In that sense, and to our understanding, point 2.d of the AMLR Annex II precisely covers promotional guarantees to SMEs as “financial products or services that provide appropriately defined and limited services to certain types of customers, so as to increase access for financial inclusion purposes.” Indeed, promotional SME guarantees are by nature particularly low-risk in terms of money laundering and terrorist financing for several key reasons. Firstly, these guarantees do not involve cash payment services, which inherently reduces the risk of money laundering activities. Secondly, the nature of promotional guarantee business is long-lasting, making it unattractive for money laundering schemes that typically seek quick and anonymous transactions. Additionally, promotional guarantees granted by our members are typically small in size, which further diminishes their appeal for illicit financial activities. Moreover, either the guarantee institution, in the case of individual guarantees, or the financing bank, in the case of portfolio guarantees, or both, closely follow the financed projects. This close monitoring ensures that any irregularities can be quickly identified and addressed. Finally, to be eligible for guarantee support, beneficiary companies are required to submit a viable business plan, which adds an additional layer of scrutiny and legitimacy to the process. 

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 24 – Additional information about the customer and the beneficial owners

• As the AMLR introduces a new definition for a politically exposed person, the number of persons covered by the EDD will increase. At the same time, the requirements for additional information about the customer and the UBO will be significantly expanded.
• Point (c) raises questions about the methods for recording and documenting the beneficial owner’s previous business activities and whether any changes should be tracked. It is also unclear how far back the documentation should go. In our view, a maximum of five years should not be exceeded as this is the maximum retention period prescribed by the AMLR. A shorter period (e.g. 3 years) should also be sufficient.
• Point (d) raises concerns regarding the data protection of family members, persons known to be close associates or other close business partners. In order to conduct a risk assessment, much personal data must be obtained with the involvement of the internal data protection committee. Little of the required information is generally publicly available.
• At the same time, it is unclear how the collection of the required parameters relates to the ban on tipping under Art. 73 of the AMLR. If the obliged entity has a “reasonable suspicion of a criminal offense,” it must submit a suspicious activity report and may not disclose this to the customer. However, in view of the extensive investigation obligations, disclosure can hardly be avoided. The RTS should clarify that informing customers in cases of suspicion is crucial in Art. 24 (d). 

Article 25 – Additional information on the intended nature of the business relationship

• Due to the open and extensive wording in this article, several requirements cannot be clearly defined. We assume that the “information from authorities” does not oblige the obligated parties to proactively investigate and obtain information from authorities. In most cases, the request for information would not be successful for data protection reasons. We therefore only see this requirement as a necessity to obtain publicly accessible information from authorities. We advocate clarifying this in the RTS.
• In our opinion, it is also necessary to clarify what the obligation to collect information about the client’s most important customers entails. The AMLR does not include these groups of persons in the scope of the due diligence obligations. The RTS can therefore not easily extend the due diligence obligations. 

Article 26 – Additional information on the origin of the client’s funds and assets and the beneficial owners

• Art. 26 – in contrast to Art. 24 and 25 – does not allow for evidence based on the assessment of the obliged entity. There is no obvious reason for this distinction, and in light of the risk-based approach, obliged entities should be able to use documents other than those mentioned to verify the origin of the funds and assets.
• Regarding point (a), the expectation that payslips or employment documents must be signed by the employer is outdated and incompatible with modern digital payroll systems where physical signatures are not the norm.
• In this context, we also assume that the term “certified” as mentioned in Article 26 (a), (b), (e), (f) will be defined to reflect the practices of both physical and digital certification. This would support a risk-based approach and further reduce the bureaucratic burden. We ask for further clarification.
• If an obliged entity has seen the original document, they should generally be allowed to keep a copy and certify that they have examined the original without requiring external certification. Especially if the documentation can be retrieved from public sources
• With regard to point (d), it cannot be assumed that official public documents are available for assets arising from an inheritance. In many jurisdictions, an inheritance may be settled informally within the family if the legal heir is obvious and no will exists. In such cases, alternative evidence or declarations should be used.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Articles 28-29

• We understand Art. 29 (a) (iv) to mean that “beneficial ownership information” only includes information about the UBO itself and not about the intermediary companies. This is also the only way to understand recital 19 of the RTS.
• The term “material changes” in Article 29 (c) (iii) requires further clarification.

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Non-Applicable.

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We understand that Article 32 generally provides for a five-year period for updating all customers who are not high risk. In combination with Recital 16 of the RTS and Guideline 43 in Chapter 3.2.3 of the consultation document, we understand this to include the application of all customer due diligence requirements. Although Art. 32 refers to the entry into force of this Regulation (i.e. this RTS on the CDD), we consider that the five-year period should start from the date of application of the AMLR, as confirmed in Art. 90, which sets this date as July 10, 2027. Recital 16 of the RTS supports this interpretation by explicitly referring to the “date of application” as the date from which the update obligation is to be calculated. Accordingly, we interpret Art. 32 to mean that all existing customer information must be updated on a risk-based basis by July 10, 2032. With regard to low-risk customers, we ask for explicit confirmation that the general period of 5 years for updating can be extended on a risk-based basis; see also our comments on question 7.

Name of the organization