Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

We do not have any specific comments in relation to the approach defined by the EBA to assess and classify the residual risk of obliged entities by considering the inherent risks and the control framework due to the limited information available as to which items of the data collection will trigger an increase in risk rating and to what extent. However, we have some remarks in relation to some data points which have been defined (please refer to question 3). 

The Draft RTS does not set forth how the “predetermined weights” to be applied to each risk indicator (see e.g. art. 2(2)) are to be computed. On the contrary, according to paragraph 20 of Section 3 (Background and rationale) of the Consultation Paper (emphasis added): “[b]ecause risks vary and evolve, risk indicators and weights would not be included in the draft RTS. Instead, it would be the role of AMLA, in cooperation with national supervisors, to define the risk indicators and weights for each review cycle and to monitor the effective application of these indicators by supervisors in all Member States.” This approach leaves huge flexibility (and thus political power) to AMLA.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

We agree

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

The industry is currently very concerned that the type of data points requested and their granularity are not aligned with the actual business activities. This creates unnecessary administrative burden and significant additional costs. The concern is that these requirements do not focus on the real AML risks of our operations and are not necessarily consistent with the “follow the money” principle. To be clear, the concern is not about the number of data points; most asset managers are used to providing significant data sets in multiple EU countries already. If the data is available, the industry is of course ready to provide them. A portion of the points require significant changes in policy, process and systems at a significant cost, without any benefit to allow an effective assessment of the inherent and residual risk profile of obliged entities. Such additional cost for compliance will be ultimately borne by the investors, thus hindering competitiveness of the EU financial center.

We have listed below our comments for data points under both sections, in cases where (i) we have identified challenges in providing the requested information within the Investment Fund/Asset Management Industry; (ii) we seek some clarifications; and/or (iii) the data points are not applicable.

Our comments pertain to the availability, cost and value add of the data points, not to the number of data points to be provided. As highlighted above, most firms already provide substantial sets of data to the regulator and this is not an issue at all if they are available, even if we note that the amount of data requested may not be consistent with the data minimization principle that has been part of the EU regulatory framework since GDPR and impacting the 5th AML Directive.

In relation to the last point, we note that all data points associated with the following sub-categories are not applicable to the Investment Fund/Asset Management Industry: 

Payment accounts, Virtual IBANs, Prepaid cards, Lending, Factoring, Life Insurance contracts, Currency Exchange (involving cash), Custody of crypto assets, Money remittance, Wealth management, Trade finance, E-Money, TCSP services, Exchange crypto-fiat, Exchange fiat-crypto, Exchange crypto-crypto, Transfer crypto-assets, Safe Custody services, Crowdfunding, Cash transactions.

As a general comment, it appears that certain data points relate to the nexus of the relevant item with non-EEA countries (e.g. customers / Number of legal entities with at least 1 UBOs located in non-EEA countries (residence)). Instead, we recommend limiting these data points to high-risk countries, as the fact that a country is non-EU/EEA does not necessarily entail a higher risk. This approach would align with the principle of data minimization and make it possible to focus on the most relevant data. We would also like to add that there are quite common scenarios of very low risk customer types in higher risk countries, for example public pension schemes in South America, which by their nature are very low risk (as they are funded by deduction of a % of employees’ salaries). And on the other hand, there might be customer types in lower risk countries with a high risk of money laundering, which would warrant a high-risk client rating, such as significant PEP exposure or very high-risk activities. Therefore, we believe that data points should focus on indicators which would be helpful to identify high-risk situations, instead of countries, to offer a better detailed picture of where the risk of the obliged entity actually resides.

As you may appreciate, each firm has its own methodology for assessing customer and country risk rating, leading to different conclusions. 

Further, certain items are not linked to quantitative data (“No automated score”), and thus rather entail a qualitative assessment (e.g. 1F: AML/CFT risk culture; 3G: Record keeping; 4A: AML/CFT governance structures e.g. oversight by the parent of group activities, reporting by the group to the parent entity, group’s internal AML/CFT control system; 4B: Group-wide ML/TF risk assessment; 4C: Group policies and procedures, including sharing of information within the group (Art 73(3) AMLR)). To the extent these data points are based on subjective assessments, there is a risk that all entities may not be evaluated using the same methodology or objective criteria.

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

Section A – Inherent risk 

Customers

  • Number of legal entities with complex structure

If the definition of complex structure is confirmed, the number of legal entities reported could be very high. This may artificially elevate the perceived risk level of an entity, even though such structures do not necessarily present a heightened money laundering risk. (Please also refer to our answer to question 1 on RTS on art. 28(1) AMLR).

As a reminder, a complex structure is defined as the situation where there are 2 or more layers between the customer and the BO, and in addition, one of the following conditions is met:

a. there is a legal arrangement in any of the layers;

b. the customer and any legal entities present at any of these layers are registered in different jurisdictions;

c. there are nominee shareholders and/or directors involved in the structure; or

d. there are indications of non-transparent ownership with no legitimate economic rationale or justification. 

It is common for any international firm to have multiple layers of legal entities between a local entity and the ultimate parent company. This is the case for most banks and asset managers, primarily due to their size and cross border activities. In particular, point b will apply to any firm with international business, which not only applies across financial services but also for most listed entities.

In practice, condition b. in itself does not represent a heightened risk of money laundering at all.

Moreover, whilst the industry already assesses whether a complex structure is present as a component of their customer risk assessment, this information is not necessarily recorded as such in any system, at the level of the obliged entity (but rather is documented in the KYC file of each relevant customer).

Collecting this data point would therefore require significant system upgrades and process changes and a full re-review of all customer data and documentation. The cost of that would be significant and it would not significantly contribute to assessing and classifying the inherent and residual risk profile of obliged entities.

Please note that as a significant portion of customers for asset management are financial institutions and listed entities (and for example employer pension schemes), we roughly estimate that around 80% of legal entity customers could fall under this definition and would therefore be reported in this data point, even if the vast majority of them would not represent a high risk, but a low one.

  • Number of customers with high-risk activities

Please note that in the collective investment sector, it could be difficult to obtain such a data point, since a classification of customers according to their activities is not necessarily market practice. This is primarily because customer types are significantly more restricted than they would be for banks, as most investments are conducted through banking institutions that advise customers on suitable investment options. Additionally, large corporations or pension schemes constitute a considerable portion of the customer base. It is uncommon for numerous small firms to invest directly, as these entities generally require professional advice, which a product manufacturer, unlike a bank, is unable to provide. Finally, please kindly consider there is no harmonised or standardised manner within the market to classify sectors of activity and doing so would go against the risk-based approach and play against the financial inclusion principle.

  • Number of legal entities with at least 1 UBOs located in non-EEA countries (residence) 

Please note that this data point is not captured as such in systems/tools currently in place and would require further significant IT developments and enhancements. Firms would have country of UBO registered and the country risk of that residence factored into risk assessment, but likely will look for equivalence of regulatory standard or other money laundering risks. 

In addition, the information may not be relevant in case of a Senior Manager Official registered as UBO at least for a legal entity subject to AML/CFT obligations in an EU Member State or in a third country that has AML/CFT requirements that are not less robust than those required by Regulation (EU) 2024/1624.

  • Number of customers with foreign residency by country (natural persons)
  • Number of customers registered abroad by country (legal entities)
  • Number of customers with cross border transactions involving non-EEA countries 

Please note that in the Investment Fund/Asset Management Industry (especially in Luxembourg and Ireland), most of the customers are typically registered abroad. This is not a representation of AML risk, but a representation of the excellent reputation of the UCITS regime and in particular to the level of investor protection offered by the EU regime which makes those funds attractive on a global level. Therefore, the number reported would be very significant, with a potential impact on the level of risk of the firm without representing an indication of the actual money laundering risk.

The firm will be a product manufacturer. These products by their design (e.g. UCITS) are meant for cross border usage (in the sense of having investors that are not based in the country; without this transpiring and cross border risks that other activities might have) and provide investors across the EU and beyond a safe vehicle for investment.

  • Number of walk-in customers
  • Number of occasional transactions carried by walk in customers

These data points are not applicable for the Investment Fund/Asset Management Industry.

Product Services and Transactions

  1. Correspondent services

  • Total Value (EUR) of transactions executed on behalf of the respondent client in the previous year (incoming)
  • Total Value (EUR) of transactions executed on behalf of the respondent client in the previous year (outgoing)
  • Total Value (EUR) of transactions going through nested accounts in the previous year (incoming)
  • Total Value (EUR) of transactions going through nested accounts in the previous year (outgoing)

All those data points are not applicable for the Investment Fund/Asset Management Industry as it does not provide any correspondent services.

  1. Management of UCITS

  • Number of retail investor customers
  • Number of professional investor customers

We understand that customers are herein referred to in line with the definition provided in par. 16.14 of EBA Guidelines (EBA/GL/2021/02).

The investors are the customers of the UCITS only (and not of the UCITS management company – the customers of the management company being the UCITS). Worded as such, this data point is therefore relevant only at UCITS level (and not at the level of the UCITS management company). We would expect the wording to be adjusted.

  • Total assets under management in unlisted financial instruments

Please note that securities which are eligible under the UCITS regime are generally exposed to a lower risk of ML/TF, due in particular to the applicable strict liquidity and disclosure requirements. 

Those assets largely consist of securities admitted to trading on regulated markets and money market instruments or instruments traded via regulated entities. These assets inherently have high levels of transparency, significantly reducing their exposure to financial crime risks, including ML. We would therefore suggest removing this datapoint, as this request requires a breakdown of all investments per country in the country table, which is an entirely manual exercise and will give an indication of what the potential risk profile of the fund is from an investment perspective (to a limited extent, as there is no data on issuers) but not at all from a money laundering perspective.

  1. Management of AIF
  • Total assets under management in unlisted financial instruments
  • Assets other than financial instruments as defined in section C of annex 1 of MIFID

We propose to combine the two data points and include a clear definition of what should be considered as “listed financial instruments” versus “unlisted financial instrument”, otherwise the data point will not be consistent from one entity to the other.

In such context, we propose to define “Listed financial instrument” as a “financial instrument which is or would be eligible under the UCITS regime (Directive 2009/65/EC)”. Alternatively, we propose to use the following definition: a “financial instrument:

(i) admitted to trading on a regulated market,

(ii) issued by a company whose securities are admitted to trading on a regulated market, and/or

(iii) issued, guaranteed, or managed by a company which is subject to ML/TF supervision.”

Geographies

  • Number of incoming transactions in the previous year by country
  • Total value (EUR) of incoming transactions in the previous year by country
  • Number of outgoing transactions in the previous year by country
  • Total value (EUR) of outgoing transactions in the previous year by country 

For the Investment Fund/Asset Management Industry Sector, such information by country will be extremely challenging to obtain. Asset Management is not banking; there is not a flurry of payments incoming from any non-customers.

Data would capture subscriptions and redemptions, but they do not necessarily indicate new funds but switches from existing holdings (due to investment performance or similar). This data point therefore does not contribute to the assessment of the inherent and residual risk profile of obliged entities. We propose to delete it for the Asset Management industry.

We propose therefore to capture the total of investor AUM per country only. Given the size of the industry and market volatility, this number would otherwise be very high and would not necessarily represent new money coming in but rather switches from one product to another.

  • Total value of investments (EUR) by country (for AMCs)
  • Total value (EUR) of all assets by country (for IFs and AMCs)

Please kindly clarify the term “investments”.

  • Number of institutions established in foreign countries to whom you provide correspondent services (by country)
  • Total value of incoming funds moved on behalf of the respondent's clients by country of respondent's establishment
  • Total value of outgoing funds moved on behalf of the respondent's clients by country of respondent's establishment

These data points are not applicable for the Investment Fund/Asset Management Industry as this activity/service is not provided.

  • Country where the entities owner is located (parent company)

In relation to “parent company”, we propose to refer here to the ultimate parent undertaking as defined by art. 2.1.(42) of AML Regulation (2024/1624).

Distribution channels

  • Number of new customers onboarded remotely in the previous year 

Please kindly note that for the Investment Fund/Asset Management Industry most if not all of the customers are onboarded remotely due to the nature of the specific activity of providing products as a product manufacturer in contrast to banks or other financial institutions which maintain a broader relationship and provide a range of services to their customers.

  • Number of new customers onboarded in the previous year by third parties

Please kindly define the term “third parties”, as, especially for the Investment Fund/Asset Management Industry, it is not clear. In case this includes outsourcing arrangements such as Transfer Agents, this would include all customers.

  • Number of agents by country 

This data point is not applicable for the Investment Fund/Asset Management Industry.

  • Total value of gross written premiums through insurance contracts issued through brokers, broken down by country the brokers are established

This data point is not applicable for the Investment Fund/Asset Management Industry as this activity/service is not provided.

  • Number of new customers onboarded in the previous year by third parties not directly subject to AML/CFT supervision.

Please kindly clarify the data point, as in the Investment Fund/Asset Management Industry it is not possible to onboard new customers through third parties that are not directly subject to AML/CFT supervision.

Section B – AML/CFT Controls

AML/CFT governance structures

  1C. Outsourcing and reliance on third parties

  • Existence of AML/CFT tasks outsourced to an external service provider located in high risk third country (excluding outsourcing to other entities of the group located in high risk third countries)

Relevance of this data point should be reconsidered, since, in principle, outsourcing to high risk third countries (outside group entities) is no longer possible under AML 6 (EU Regulation 2024/1624, art.18, 4.).

  1E. AML/CFT training (employees, officers, agents and distributors)

  • % of staff who have received AML training during the last calendar year: 

    a) AML Specialist

    b)  non-AML/CFT specialist staff (customer facing staff, executive directors)

    c) agents and distributors

The asset manager provides training to its employees. Please kindly note that distributors are external firms such as banks who are themselves subject to AML/CTF laws and regulations and therefore have obligations to train their staff. The point is covered in relevant distribution contracts and as part of the overall oversight measures. However, collecting such level of information would be onerous and not proportionate and generate a significant cost.

As mentioned, these distributors are all regulated Financial Institutions and are under AML supervision by their local (often EU based) regulators.

Whilst firms will collect some level of information on training of staff, they will not collect this level of detail as there is no added value. There is already significant time and effort spent on due diligence of regulated Financial Institutions which comes at great cost and very little added value; to even further increase these efforts is not proportionate.

Distributor means in most cases a bank making a product available to their customers, under their own processes and regulatory requirements. In order to provide the best advice and service to their clients, they will likely offer a wide range of products from different manufacturers and have to then in turn provide a great level of detail of information to all manufacturers, which is not proportionate, nor relevant to assess the inherent and residual risk profile of obliged entities.

Risk Assessment

  2A. Business Wide Risk Assessment

  • Date when the obliged entity assessed the need to update the BWRA for the last time
  • Senior management approved the last version of the BWRA (Y/N)

We propose combining the two data points to reflect the date on which the risk assessment was last reviewed and approved by senior management, as both actions are expected to occur within the same timeframe.

  2B. Customer ML/TF risk assessment and classification

  • Date when the obliged entity assessed the need to update the CRA for the last time
  • Number of customers per ML/TF risk category (low risk, medium-low risk, medium-high risk, high-risk)

We propose to request the date when the CRA has been last reviewed and updated, as such documents should be subject to annual reviews.

Please kindly note that several risk categorization bucket methodologies exist across obliged entities and Member States. This data point (and suggested risk categorization bucket methodology) would therefore engender significant work (from a policy, process and documentation and IT systems points of view) for each obliged entity, without bringing any significant value in terms of the fight against ML/TF. We propose to only request the number of high-risk customers as per the obliged entity’s risk methodology. The challenge is in particular the two medium risk categories.

AML/CFT Policies and Procedures

  3A Customer Due Diligence

  • Number of customers that are legal entities /trusts whose beneficial owners have not been identified
  • Number of high-risk customers that are legal entities /trusts whose beneficial ownership has been identified, but the identity of whom has not been verified
  • Number of customers without identification and verification documentation/ information
  • Number of customers with incomplete identification and verification documentation/ information
  • Number of high-risk customers with missing or incomplete CDD data or information
  • Number of customers without ML/TF risk profile (excluding customers with whom the obliged entity does not have a business relationship)
  • Number of customers for whom no information on the purpose and intended nature of the business relationship has been obtained (excluding customers with whom the obliged entity does not have a business relationship)
  • Number of customers for whom no information has been obtained on the nature of the customers’ business, or of their employment or occupation (excluding customers with whom the obliged entity does not have a business relationship)
  • Number of customers (excluding natural persons) for whom beneficial ownership identification details are entered in the institution's database
  • Number of customers, who are natural persons, for whom all identification details (name/ dob, nationality, tax number) are entered in the institution's database

From a general point of view, all questions under section 3A CDD relate to deficiencies and risks, they do not cover measures implemented in the control framework to mitigate them. 

These questions should therefore have been covered under the inherent risk section. In relation to those data points, it is however also worth highlighting that the same customers may fall under different buckets and will therefore be counted multiple times. The granularity of detail will not currently be captured in systems and would therefore require changes in policy, procedures, technology infrastructure and would require a fully manual review of all customer files and documentation – thus entailing additional costs for compliance, ultimately borne by the customers/investors. And/or some of these points cover the same thing, e.g. missing CDD would include customers with incomplete verification.

As pointed out, the level of detail of these data points would not be routinely captured and would require policy, process and significant system changes. For example, if significant information or documentation is missing, accounts would need to be blocked, regardless of whether one of the data points or three. As such, the recording would capture the blocking and the rationale but not this level of detail. This level of detail is covered and addressed through periodic reviews and captured in customer files only. We would therefore recommend obtaining the number of blocked accounts due to missing (not expired) KYC only.

Finally, reporting those data points in terms of absolute number of customers may not provide a fair idea of the effective ML/TF risk which an obliged entity is exposed to.

  3C Transaction monitoring
  • If automated system: Average time to analyse an alert in the last calendar year (number of days between issuance of the alert and closing of the alert)

Please kindly note that such data point is challenging to obtain and would likely result in IT development and time resource costs to gather it.

  • If automated system: Ratio between number of alerts and number of STRs

Please kindly note that the ratio between number of transaction monitoring alerts and number of STRs does not per se provide conclusive information on the established mitigation measures, as it may be largely influenced by the business model (i.e. in Asset Management, 3rd party payments are not permissible and due to the low risk nature of the business in general, any transaction monitoring is likely to produce a high number of false positives), effectiveness of the transaction monitoring tool (including the risk appetite of the entity) or other specific circumstances (e.g. several alerts can lead to a single ML/TF doubt / suspicion). 

Any automated systems could capture time between alert generation and closure of alert which would not directly correspond to time spent investigating the alert. Therefore, we propose not to take this into account for obliged entities that are not providing payment or banking services.

  3D: Suspicious Activity Reporting

  • Average number of days between the date of identification of potential suspicious transactions (prior to the analysis of the transaction) and the date when the transaction is reported to the FIU (after the analysis of the transaction) during the last calendar year
  • Number of STRs submitted to the FIU before the completion of the transaction during the last calendar year
  • Total number of STRs submitted to the FIU during the last calendar year

As a general comment, we understand that these questions are part of/linked to section 3C on transaction monitoring.

  3E: Targeted Financial Sanctions

  • Average number of hours between the publication of the TFS by the authorities and the implementation of these changes in the institution's screening tools.
  • Maximum number of hours between the publication of the TFS by the authorities and the implementation of these changes in the institution's screening tools

Please kindly note that both data points are not available to obliged entities for technical reasons, nor would such a level of detail (hours) be relevant in many cases (for example in cases where the screening on the already existing customer base is carried out on a daily basis, during the “night run”).

For Asset Managers which do not make instant payments and where there is always a delay between a redemption request and any actual payment via a bank account (from a bank that also has screening obligations), this risk is not based on a number of hours but more likely business days. 

It would be more useful to confirm within ranges rather than absolute number of hours on average.

  3F: Compliance with Fund Transfers Regulation

  • Number of outbound transfers for which requests were received from a counterparty in the transfer chain for information that is missing, incomplete or provided using inadmissible characters in the last calendar year
  • Total number of outbound transfers in the last calendar year
  • % of outbound transfers rejected or returned by the counterparty in the transfer chain due to information that is missing, incomplete or provided using inadmissible characters in the last calendar year
  • Number of repeatedly failing counterparties flagged to the supervisor in the last calendar year
  • Total number of counterparties of outbound and inbound transfers in the last calendar year

These data points are not applicable for the Investment Fund/Asset Management industry.

Group oversight

  4D: Group-wide AML/CFT function

  • % of group entities that provided reports to the Group AML compliance on the following areas in the last calendar year:

    a) CDD

    b) ongoing monitoring

    c) STRs

    d) identity and transaction level information on high risk customers

    e) deficiencies

  • % of jurisdictions in which the group is established covered by reviews (including access to customer and transaction level data) performed by the group AML/CFT compliance function in the last three calendar years. (applies only to groups that have been existing for more than 3 years)

  • Number of group entities for which deficiencies were identified by competent AML/CFT supervisors in the last calendar year

    - EU/EEA entities

    - Non-EU/EEA

We understand that such data points should only be answered if the obliged entity is acting as parent company and the other entities of the Group provide AML/CTF related tasks.

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

In the short to medium term, several data points are not available as not recorded in the IT system at onboarding stage, not relevant for the specific industry sector or not relevant to assess the inherent and residual risk profile of obliged entities. 

In the longer term, the request related to some data points will have an impact on the obliged entity in terms of costs as:

  1. Obliged entity will have to conduct a gap analysis between current available data and target data points.
  2. Obliged entity will have to (i) consider the feasibility of existing systems to incorporate the new data points/criteria in the existing operating system; (ii) design and implement the process to capture the new data points for existing and new clients; (iii) perform a manual review of all existing relationships and all data and documentation in order to upload/input the data.
  3. The process described under point 2) could have a significant impact in terms of costs related to IT development, time spent for the review of database to retrieve and update the data for existing relationships (that could be captured on paper but not on system), as well as project management and potentially having to implement entirely new IT systems and tools. Such costs will be ultimately borne by the customers/investors, thus impacting EU competitiveness as a financial center.

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

We agree

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

We agree; however, it is our understanding that the reduced frequency would likely apply to a very limited extent (if at all), given the scope is so narrow.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

EEA countries are in principle subject to the AML 6 rules and thus should be presumed to present lower risk, as opposed to third countries, for which the quality of the AML framework requires a more detailed assessment. As a result, transactions linked with EEA jurisdictions should indeed be assessed differently than transactions linked with third countries.

More fundamentally, as obliged entities already take into account the geographical risk for the overall assessment of the customer risk, we recommend not to focus on high risk countries, but on high risk customers. 

Indeed, the fact that a country is non-EU/EEA does not necessarily entail a higher risk. Nor does the fact that a country is in the EEA necessarily equate to a low-risk scenario.

In the investment fund sector, firms typically register the country of the customer and Ultimate Beneficial Owner (UBO) and incorporate the associated country risk into their risk assessments. Country exposure for the investment fund sector is in principle global, especially for markets that are specialised in this sector, like Luxembourg and Ireland. Firms are likely to consider the equivalence of regulatory standards in general by assessing this equivalency specifically in their country risk assessment. It is unlikely that a firm would automatically assign a low-risk rating to every country within the EEA or, conversely, a high-risk rating to every country outside of it.

Therefore, we consider that an automatic distinction would not add specific value.   

We would also like to add that there are quite common scenarios of very low risk customer types in higher risk countries, for example public pension schemes in South America, which by their nature are very low risk (funded by deduction of % of employees’ salaries). And on the other hand, there might be customer types in lower risk countries with a high risk of money laundering, which would warrant a high-risk client rating, such as significant PEP exposure or very high-risk activities. Therefore, focusing on high-risk customers instead of only the country might ultimately be the better option and gives a more detailed picture of where the risk actually sits.

As you will be aware, for both customer risk rating and country risk rating, firms will have developed their own methodologies and will come to different conclusions.

Question 1: Do you agree with the thresholds provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

We are of the opinion that the thresholds provided in Article 1 should only be taken into account in case the activities provided under freedom to provide services are related to the execution of the AML/CFT control framework (e.g. client take-on, transactions or payments) put in place by the credit institution or financial institution.

The relevance of such preliminary condition appears clear, for example in the case where a management company or investment firm only carries out marketing services in one or several different countries through the freedom to provide services. Marketing services are provided on the parent’s behalf to the parent’s customers and the parent will complete all relevant AML/CTF controls as well as contracting with the customer. Most firms currently have to provide such reporting to regulators in the EU, which is filled with nil reports given these branches have no customers. This is a significant administrative burden at present and we hope that within the principle of simplification, this will not be the case in future.

Additionally, in relation to the second threshold - Article 1(1)(b) – we note that using the total value in Euro of “incoming and outgoing transactions by the customers” is extremely difficult to calculate or not relevant for certain types of relationships, as customers will switch from one investment product to another due to market volatility and performance return. It must be underlined that an asset manager captures and assesses all transactions and not just incoming ones. We suggest using the value of managed assets of customers referred to under letter (a) at the end of the period instead.

Furthermore, in order to limit the number of entities that will have to be assessed by AMLA in order to determine if they shall be selected for direct supervision, we would suggest making the two thresholds (i.e. number of customers and value of managed assets) cumulative rather than alternative. This would enable AMLA to focus its assessment efforts only on the entities carrying out, from a quantitative perspective, material activities, thus reducing the operational costs of AMLA.

Additionally, we suggest using the term “domiciled” in conjunction with “resident”, to encompass legal entities.

With respect to investment funds managers, we finally note that the term “customer” should be understood as referring to the investment fund itself: in light of the definition provided in the Sectoral guideline for providers of investment funds (par. 16.14) of EBA/GL/2021/02, investors are the customers of the investment fund (and not of the investment funds manager). If that is not the intention, this will need to be clarified.

Based on the above, we suggest rephrasing Article 1(1) as follows:

The activities of a credit institution or a financial institution under the freedom to provide services in a Member State other than where it is established shall be considered material for the purposes of meeting the conditions of Article 12(1) of Regulation (EU) 2024/1620, where:

a) those activities are related to the execution of the AML/CFT control framework (for example AML/CFT customer due diligence in the context of customer onboarding); and

b) the number of its customers that are resident/domiciled in that Member State is above 20,000; and

c) the total value in Euro generated by the customers referred to under letter (a) is above 50,000,000.

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

We agree. 

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

We agree. 

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

We agree. 

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

We are of the opinion that, similarly to Article 1, only those entities that are obliged entities and carry out activities related to the execution of the AML/CFT control framework should be taken into account to calculate the group-wide risk profile of a group.

Based on the above, we suggest redefining “N” in the formula of Article 5(2) as:

N: number of obliged entities in the group carrying out AML/CFT controls

In addition, we are of the opinion that the second threshold referred to in Article 5.3 (i.e. “the total amount in Euro of incoming and outgoing transactions”) may be difficult to calculate or not relevant for certain types of businesses, such as the Investment Fund Industry. We suggest therefore deleting it.

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

We understand that the group-wide perimeter is defined through the definition of “selected obliged entity” provided by Article 2(1)(1) of Regulation (EU) 2024/1620, i.e. “a group of credit institutions or financial institutions at the highest level of consolidation in the Union in accordance with applicable accounting standards”. This means that entities part of a credit or financial group which is solely consolidating outside of the Union shall not be treated as part of the same group-wide perimeter for the application of Article 5.

In addition, as mentioned under Answer 7, we are of the opinion that only those obliged entities that are carrying out activities which are related to the execution of the AML/CFT control framework established by a credit institution or financial institution should be taken into account to define the group-wide perimeter.

Such clarification is needed to allow AMLA to determine the risk profile of a group based on the ML/FT risk exposure given by the (weighted adjusted) number of entities in the group carrying out AML/CFT controls (e.g. client take-on, transactions or payments).

The reason appears clear, for example in the case where a management company or investment firm only carries out marketing services in one or several different countries, whilst all AML/CFT controls are carried out by the mother company.

 

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

We agree. 

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

We agree. 

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 1:

We propose the following re-wording of article 1: 

Art 1(1) - "In relation to the names and surnames of a natural person as referred to in Article 22(1)(a) point (i) of Regulation (EU) 2024/1624, obliged entities shall obtain all of the customer's full names and surnames. Obliged entities shall gather at least those names that feature on their identity document, passport or equivalent or that are available from independent reliable sources."

Art 1(2) - "For legal entities, firms must obtain both the registered name and the commercial name if it differs from the registered name and if available."

Article 2: 

We propose the following re-wording of article 2: 

Art.2: “The information on the address as referred to in Article 22(1) (a) point (iv) and 22(1) (b) point (ii) of Regulation (EU) 2024/1624 shall consist of the full country name, postal code, city, street name, and where available, building number and apartment number as appropriate.

In the case of any person purporting to act on behalf of a legal entity customer or a Senior Managing Official who is identified as the ultimate beneficial owner but who acts in their professional capacity, the address of the registered office of the legal entity will suffice.

The requirement for collecting full residential addresses appears to be drafted from a retail customer perspective. For related parties in a wholesale/institutional context, the personal address may not add value and we believe that the country of residence might suffice. The RTS should consider this distinction and provide for flexibility and the use of risk-sensitive measures accordingly.

Persons purporting to act on behalf are by and large employees of a legal entity and we consider the collection of the business address sufficient, as they are acting in their capacity as an employee and not as an individual.

In addition, the article is too prescriptive. Indeed, not all countries have postal codes, and not all customers (especially outside of the EU) live on defined streets or in defined cities. We therefore suggest adding “as appropriate” at the end of the article.

Article 4

We propose the following re-wording of article 4:

For the purposes of Article 22 (1) (a) point (iii) of Regulation (EU) 2024/1624 obliged entities shall take reasonable measures to know of any other nationalities their customer may hold.

Indeed, it is unclear how obliged entities would be able to satisfy themselves that they know of any other nationalities their customers may hold.

Article 5

We propose the following re-wording of article 5(5): 

For the purposes of verifying the identity of the person referred to in Article 22(6) of Regulation (EU) 2024/1624, the obliged entity shall gather from the person or from other reliable sources, an identity document, passport or equivalent. For customers posing a higher risk of ML/TF the obliged entities shall adopt appropriate mitigation measures such as, for example, those referred under Article 6.

Below are the reasons supporting our proposal:

  • Especially taking into account the specificities of the collective investment/Asset Management sector:

We would like to highlight that when investors invest in funds, they are already a client of a bank, and a first level of identification and verification has already been performed by the bank (i.e. at the placement stage), which is itself subject to AML/CFT due diligence obligations. Every investor, whether retail or institutional, will invest into an investment fund using their own bank account. Investing in investment funds is a single purpose business relationship, which is inherent in the business. Any payment to the investor or to the financial intermediary (a regulated financial institution) is made via a bank account that is recorded at the beginning of the relationship with the investor. The payment is always made to a bank account in the investor's name only, as third-party payments are not facilitated. No subscription is made through cash. The focus should be to mitigate the risk of money laundering and terrorist financing, and the way the identity of a person could be verified should follow a risk-based approach.

  • And more in general:

  1. The requirement of collecting the original/certified documents is not aligned to a risk-based approach and consequently creates unnecessary administrative burden and additional costs on the investors, which is contrary to the principle of investor protection and its best interest. In addition, this burden discourages investors from investing in funds. This goes against the Commission’s plan to increase financial inclusion and investors' participation in financing the economy. The current concern in Europe is to channel individuals’ savings towards the real economy, which has led the EU to engage in improving the CMU further. Moreover, this would in fact impact the cost of compliance and would, as a consequence, also have an impact on the EU markets' competitiveness compared to non-EU ones.

  2. A risk-based approach needs to be applied when collecting IDs to avoid unnecessary costs and burden. The effort and focus of obtaining IDs in original and/or certified form should be required only in case of inconsistencies or doubts on the actual identity of the customer. In particular, document certification is solely one of the numerous measures (and certainly not the most effective) an obliged entity can take to verify the obtained information.

  3. Not all passports and identification documents contain the same elements, such as place of birth, facial image, machine-readable zone, which may not be present in documents like driver's licenses or certain national passports. The RTS should acknowledge these differences and provide flexibility.

  4. There is an inconsistency between the data points required for identification and verification. While identification requires names as they appear on the ID, verification demands all names and surnames, which may not be mandatory in some jurisdictions.

  5. The requirement for a "certified translation" may not add value, in particular where the relevant entity may avail of internal human resources having appropriate command of the language in which the ID document is drafted, and also the availability of AI or other translation tools.

Article 10 

We propose the following re-wording of art. 10:

For the purposes of understanding the ownership and control structure of the customer in accordance with Article 20(1) (b) of Regulation (EU) 2024/1624, in situations where the customer’s ownership and control structure is complex and posing a higher risk of ML/TF, obliged entities shall obtain the following information:

a. a reference to the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their economical beneficial owners owning more than 25% within the customer structure, if any;

b. with respect to each legal entity or legal arrangement within the referred intermediary connections, the legal form of each legal entity or legal arrangement, the jurisdiction of incorporation or registration of the legal person or legal arrangement, or, in the case of a trust, the jurisdiction of its governing law and; 

c. information on the regulated market on which the securities are listed, in case a legal entity in an intermediate level of the ownership and control structure has its securities listed on a regulated market, and the extent of the listing if not all the legal entity’s securities are listed on a regulated market.

Rationale: For consistency purposes, we suggest that the requirements reflected in this Article are triggered only in case a high-risk complex structure is identified (noting that a definition of “complex structure” is provided by Article 11 – please refer to our comments on this Article hereafter). Further, prescribing such requirements for any ownership or control structure involving more than one legal entity or legal arrangement denies the principle of risk-based approach, as this type of structure does not necessarily result in a higher risk (please refer to our comments under Article 11). Relatedly, this would imply gathering additional information and documentation for a number of customers/investors, thus representing additional costs for compliance, ultimately borne by investors and hindering the competitiveness of the EU financial center.   

Article 11 

We propose the following re-wording of art. 11:

"To understand the ownership and control structure of the customer in accordance with Article 20(1)(b) of Regulation (EU) 2024/1624, obliged entities shall treat an ownership and control structure as complex where there are multiple layers between the customer and the beneficial owner and, in addition, one of the following conditions is met:

a. there is an anomalous legal arrangement within the structure;

b. the structure presents at any of its layers legal arrangements/legal entities which are incorporated or domiciled in a jurisdiction included in the EU list of non-cooperative jurisdictions for tax purposes;

c. there are nominee shareholders and/or directors involved in the structure;  or

d. there are indications of non-transparent ownership with no legitimate economic rationale or justification."

Rationale

Defining as complex two-layer structures having entities in different jurisdictions would result in considering the vast majority of the customers of investment funds and investment funds managers as complex. This is not reflective of the actual risk and would de facto encompass all international firms, in particular Financial Institutions that likely have multiple layers of legal entities between a local entity and the ultimate parent. For those firms, these structures are in place for business and organisational purposes and not to hide any (ultimate) ownership, as the ultimate ownership is always known. By maintaining the original wording of the article, significant administrative burdens and costs will be engendered without any mitigation effect on the money laundering and terrorist financing risks.

Flexibility is needed to focus on structures that are truly complex and high risk, no matter how many layers they have. The risk of considering too many entities as complex is that obliged entities will miss the actual money laundering and terrorist financing risks and focus on a tick box approach instead.

Article 12: 

We propose the following re-wording of art. 12:

In relation to senior managing officials as referred to in Article 22(2) second paragraph of Regulation (EU) 2024/1624, obliged entities shall:

a. collect the information for identification purposes; and

b. verify the identity of senior managing officials using risk sensitive measures

Below are the reasons supporting our proposal:

A distinction should be made between a senior managing official identified in the absence of beneficial owners identified based on control or ownership, and stricto sensu beneficial owners. The money laundering and terrorist financing risk to a senior managing official is low, as a senior managing official may be, and often is, simply an employee in an entity and does not normally have a personal financial interest in the investment being placed in the relevant investment fund and/or may not have control by other means in the entity. On the other hand, a beneficial owner who may have a personal financial interest and may control the entity by other means has a different risk. It is important to focus on the real risk and stick to the “follow the money” principle.

In practice, the vast majority of cases of SMO beneficial owners are for publicly listed entities and large firms with no significant single shareholders.

These entities pose a low money laundering risk on the beneficial owner side, and obtaining an official ID document of, e.g., the CEO of Apple and details of his personal address will not be feasible due to security concerns. In addition, there is no doubt about this individual's role, nor that he exists. Collecting the ID and address of an SMO does not impact the overall risk profile of the customer, and therefore does not add any value or comfort to the obliged entity.

This point is likely to create significant damage to EU businesses: as a consequence, instead of asking an EU firm to manage a pension fund for Apple, they will likely ask a firm in the US or the UK to do so where the burden for them will be significantly lower for SMO (and authorised signatories).

Article 13

We suggest redrafting Article 13(1):

“For the purposes of Article 22(4) of Regulation (EU) 2024/1624, the information obliged entities shall collect includes: a. a description of the class of beneficiaries and its characteristics, which shall contain sufficient information to allow the obliged entity to determine whether individual beneficiaries are ascertainable and shall be treated as beneficial owners at the point of payment request; and b. relevant documents to enable the obliged entity to establish that the description is correct and up-to-date on a risk-based approach.”

Rationale: 

Most trusts, such as UK trusts, will for example have beneficiaries designated whenever a new child/grandchild is born. That child will have no impact on the customer risk profile and is not to be considered a beneficial owner until a payment is made. We therefore recommend having this control whenever a payment is requested to a beneficiary.

We suggest redrafting Article 13(2):

Obliged entities shall take risk-sensitive measures to ensure that the trustee, the legal entity or the legal arrangement provide, at the point of payment request, relevant information on beneficiaries previously identified by class or characteristics.

Rationale: Regarding the requirement under Article 13(2) for obliged entities to “take risk-sensitive measures to ensure that the trustee, the legal entity or the legal arrangement provide timely updates, including on specific events that may lead to beneficiaries previously identified by class or characteristics becoming ascertainable and thus beneficial owners”, it is likely that trusts will refuse to make such a commitment to proactively inform the fund or its manager. Hence, same as above, we suggest having this control at the time when a payment is requested to a beneficiary.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

We propose the following re-wording of art. 6:

 “1. To comply with the requirements of Article 22(6) of Regulation (EU) 2024/1624 in a non face to face context, obliged entities a) shall apply additional and appropriate measures, on a risk-based approach, to mitigate the inherent higher risk that this type of customer relationship may present or b) may use electronic identification means, which meet the requirements of Regulation (EU) No 910/2014 with regard to the assurance levels ‘substantial’ or ‘high’, or relevant qualified trust services as set out in that Regulation. 

2. Alternatively to the electronic solution described in paragraph 1, obliged entities may acquire the customer’s identity information (or document) using remote solutions that meet the conditions set out in paragraphs 3-6 of this Article. Such solutions shall be commensurate to the size, nature and complexity of the obliged entity’s business and its exposure to ML/TF risks. 

3. Obliged entities shall ensure that the solution described in paragraph 2 uses reliable and independent information sources and includes the following safeguards regarding the quality and accuracy of the data and documents to be collected: 

a. controls ensuring that the person presenting the customer’s identity document (or equivalent) is the same person as the person on the picture of the document; 

b. the integrity and confidentiality of the communication with the person should be adequately ensured;

c. any images, video, sound and/or data are captured in a readable format and with sufficient quality so that the customer is unambiguously recognisable; 

d. where applicable, the identification process does not continue if technical shortcomings or unexpected connection interruptions are detected;   

e. the information obtained through the remote solution is up-to-date;

f. the documents and information collected during the remote identification process, which are required to be retained, are time-stamped and stored securely by the obliged entity. The content of stored records, including images, videos, sound and data shall be available in a readable format and allow for ex-post verifications. 

 4. Where obliged entities accept reproductions of an original document, for customers that are not natural persons, and do not examine the original document, obliged entities shall take steps to ascertain that the reproduction is reliable. Where available, during the verification process, obliged entities shall verify the security features embedded in the official document, if any, such as holograms, as a proof of their authenticity. Such steps shall be undertaken on a risk-based approach, and, in particular, limited to cases where the obliged entity has grounds to question the reliability of the reproduction so obtained. 

5. Obliged entities using remote solutions shall be able to demonstrate to their competent authority that the remote verification solutions they use comply with this article.”

 

In the context of the asset management industry certain overarching elements and specificities should be taken into account:

  • Most client relationships exist between the asset manager and regulated financial institutions who might act as intermediaries on their clients' behalf, who – in accordance with par. 100 of FATF Guidance for a Risk-Based Approach for the Securities Sector (October 2018) - are considered the customer and acting on behalf of their own clients (who are not considered clients of the fund but merely beneficial owners in some circumstances such as holding or controlling 25% of the intermediaries’ investment).

  • It is unlikely to see face-to-face meetings between the regulated FI and the Asset Manager at the point of investment. That is the nature of the relationship and this business model does not increase the ML risk.

  • Article 6 of the Draft RTS seems to consider that all customers are met, either face-to-face or on a remote basis (in the latter case, through video conference or equivalent). This approach may be relevant for certain obliged entities, such as private banks, which traditionally maintain close relationships with their customers. On the contrary, investment funds, in particular open-ended investment funds, as per their business model, can onboard a large number of investors over limited periods of time (even on a daily basis), resident in a wide range of jurisdictions, being either private individuals or institutional/corporate investors (including regulated and/or listed entities, or subsidiaries thereof). Asset Managers are product manufacturers and are not providing a range of services to investors other than investment products with different investment objectives.

Taking these considerations into account, we are of the opinion that imposing similar requirements in terms of face-to-face or remote identification of customers on the asset management sector and other financial sector obliged entities would result in ignoring the specificities of the asset management sector, imposing on it requirements that are not, in practice, achievable, and, in any case, not commensurate to any risk-based approach. Imposing such requirements would fundamentally jeopardize the current business model of investment funds, and, at least, impose disproportionate costs for compliance.

Bearing in mind the overarching principles, we would like to make the following comments:

  1. article 6(1) should allow obliged entities to apply specific and additional measures to compensate the potentially higher risk that this type of customer relationship presents as an alternative to the use of electronic identification means.

     

  2. It should remain up to the obliged entities to determine the (higher risk) cases in which they deem it necessary to obtain ID documents, passports or equivalent and/or to resort to additional verification means (e.g. video conference, e-IDAS verification means). This may for example be the case for relationships involving high risk countries, and/or where actual concerns are identified as to the reliability of the information/documents provided. The fact that a relevant individual is seen by the obliged entity (either on a face-to-face basis or through video chat) does not necessarily bring additional comfort if in practice, on a risk-based approach, the obliged entity has gained comfort that the source/channel used to provide relevant identification information/documentation is reliable.

 

  1. In the same vein, it does not appear in line with the risk-based approach principle to impose the same requirements in respect of customers and proxyholders, as their respective involvement in the business relationship and, accordingly, the risk presented by them, is fundamentally not the same. For example, it is typically an employee of the legal entity customer (in most cases, regulated financial institutions themselves) who acts on the entity’s behalf. Persons acting in their professional capacity as employees should not need to provide their ID cards to potentially hundreds of different asset managers just because their employers want to offer a wide range of products to their customers. Article 6 should allow a risk-based approach for the verification of such employees.

 

  1. Article 22(6) of Regulation (EU) 2024/1624 does not expressly require systematic collection of an ID document, passport or equivalent, but rather provides that the collection of such documents is an alternative to get relevant information / data to corroborate the identity information otherwise gathered, along with the use of “electronic identification means” (art.22(6), (b)). In other words, the use of electronic identification means should not necessarily entail providing, through such means, an ID document, passport or equivalent. Rather, it should be admissible that these means are used to ensure that the person providing information is actually who he/she claims to be, thus providing comfort as to the reliability of the corroborating information provided through this channel.

 

  1. The use of e-IDAS compliant solutions should not be imposed, as this would go against the risk-based approach and technological neutrality principles. On the contrary, obliged entities should remain in a position to assess the reliability of identification supporting documents presented to them, be they provided through e-IDAS solutions or, for example, simple emails. Moreover, not all natural persons have access to such solutions, either because they are resident in a non-EU/EEA country, or, even in the latter case, because they are not familiar with, or do not have easy access to, such type of technology. Imposing such technology would result in such categories of persons being excluded from financial services, including asset management services.

 

 

  1. The RTS should remain neutral as to the means to be used by the obliged entities for verification of identity purposes, even where non-e-IDAS solutions are used.

 

  1. Art.6 should make a distinction between investors who are private individuals, on the one hand, and institutional/corporate investors, on the other hand, since, in the latter case, video identification is not relevant.

 

Accordingly:

  • Art.6(2), as currently drafted, provides that non-e-IDAS solutions shall be considered only where e-IDAS solutions are “not available, or cannot reasonably be expected to be provided”. It should be made clearer in the draft RTS that the possibility to resort to non-e-IDAS compliant solutions is always available to the obliged entities, i.e. is not an alternative available only in case e-IDAS compliant solutions are not available;

 

  • the extensive conditions provided by art.6(4), notably in terms of technological features (e.g. only end-to-end encrypted video chats are permitted; images, video, sound and data are captured in a readable format and with sufficient quality; documents and information collected are time-stamped and stored securely), impair the possibility for the obliged entities to define and implement their own risk-based approach. Art.6 should merely stick to the risk-based approach principle, as currently provided under art.6(2) (i.e. “[…] Such solutions shall be commensurate to the size, nature and complexity of the obliged entity’s business and its exposure to ML/TF risks.”). At least, art.6(4) should merely provide the principle that the obliged entity shall ensure that the solution used includes appropriate safeguards as to the quality and accuracy of the data and documents collected, without entering into further details (i.e. removing the items / conditions currently listed under a. to f. of art.6(4));

 

  • as noted hereabove, it should remain up to the obliged entity to decide, on a risk-based approach, whether video identification is required. Indeed, as noted hereabove, the fact that a relevant individual is seen by the obliged entity (either on a face-to-face basis or through video chat) does not necessarily bring additional comfort if in practice, on a risk-based approach, the obliged entity has gained comfort that the source/channel used to provide relevant identification information/documentation is reliable.

 

In light of the above, art.6(4) shall be updated as follows:

 

  • sub b.: references to “audiovisual communication” and “video chats” shall be removed;
  • sub c.: wording “any images, video, sound and data” shall be clarified as “any images, video, sound and/or data”;
  • sub d.: this item, providing that “the identification process does not continue if technical shortcomings or unexpected connection interruptions are detected”, presupposes that verification of identity necessarily entails a live stream of data. This item shall thus be removed, or, at least, clarified as follows: “where applicable, the identification process does not continue if technical shortcomings or unexpected connection interruptions are detected”.

 

  1. Consent for personal data processing under remote onboarding is not a matter of AML/CFT legislation, but rather of data protection legislation (i.e. GDPR). As such, this provision is not relevant for these RTS and should thus be removed.

 

  1. According to art.6(5) (the only paragraph applicable to legal persons), where obliged entities take reproductions of an original document without examining the relevant original document, “obliged entities shall take steps to ascertain that the reproduction is reliable”. This wording shall be clarified to state that such steps shall be undertaken on a risk-based approach, and, in particular, limited to cases where the obliged entity has grounds to question the reliability of the reproduction so obtained.

     

  2. The article should recognize and allow other forms of acceptable verification, in particular open sources such as the website of the legal entity, the regulator and a recognised stock exchange, to provide independent confirmation of a legal entity’s licence and particulars.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 15

Art 15(c) states that: “[…] obliged entities shall take risk-sensitive measures to determine […] whether the customer has additional business relationships with the obliged entity or its wider group where applicable, and the extent to which that influences the obliged entity’s understanding of the customer and the source of funds”.

In this article, the reference to the wider group appears unclear in the case of investment funds. The wording should be qualified with “where relevant”, and/or “on a risk-based approach”.

Article 16

Art.16 provides a list of information to be gathered in connection with the purpose and intended nature of the business relationship. The introductory sentence should expressly limit these data “where relevant”, and/or “on a risk-based approach”. In the asset management sector, the sole purpose of the relationship and intended nature is long term investment and investment growth. By default, an asset manager is a product manufacturer and offers investment solutions only. It does not provide any other products or services.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 17

Art.17(1)(b) provides that it shall be reassessed whether existing customers/BOs have become PEPs under certain circumstances, including “at least if significant changes in the customer due diligence data occur, such as the nature of the customers’ business, employment or occupation”. The assessment of the “significant changes” triggering a reassessment should be left to the obliged entities, applying a risk-based approach. In particular, a change in the customer’s business, employment or occupation does not necessarily entail a risk of PEP (re)qualification: these items should be qualified with “where relevant”.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

General comments and remarks on section 4 of the draft RTS 

We welcome the inclusion of section 4 in the draft RTS. It provides valuable guidance and enables the application of the risk-based approach to money laundering and terrorism financing risks. 

The EU collective investment sector, which represents net assets of investment funds domiciled in Europe, UCITS and AIFs, totalled EUR 22.7 trillion at the end of Q3 2024. Luxembourg and Ireland are the two largest domiciles of UCITS and AIFs, with a market share of 25% and 21%, respectively (end Q3 2024). Germany, France and the United Kingdom follow in this ranking. The sector includes a variety of distribution models and is often characterized by a high degree of intermediation and multiple obliged entities (e.g. platforms, banks, distributors …) between the investment fund and the private individual investing their assets into a product through and in the name of their bank. Business relationships have a global span and are by nature mostly remote, without necessarily representing a heightened ML/TF risk, as the investors always invest via a bank account; cash or occasional transactions are excluded.

Private individuals can access a UCITS product of multiple product manufacturers without needing a direct relationship with them, which makes the investment easier, cheaper and safer for the individual, as the individual will solely face his/her bank, who can advise holistically on the best products for the individual's risk profile and financial situation. The individual also does not need to maintain different relationships with different providers and has an easy overview of their financial situation in its entirety.

In most cases, the intermediary is registered in the fund’s share/unitholder register and typically nets all of its customers’ orders and submits a single net order to the investment fund each day. In line with the FATF guidelines on the securities sector, the intermediary is therefore treated as customer/investor and is subject to AML/CFT due diligence as such (rather than the intermediaries’ customers who, as explained above, have, for their benefit, no direct relationship with the product manufacturer).

In consideration of the above, section 4 of the RTS could potentially have unforeseen adverse effects on the investment fund industry as a whole and risks counteracting the efforts made to increase retail investments in the EU. There is a real risk that this additional burden will be to the detriment of the private individual (as explained above).

Please find below our comments on the articles of the RTS that we believe to be problematic.

Remarks on specific articles

Article 18

We propose the below re-wording of art. 18(2): “Paragraph 1 shall apply also to persons on whose behalf or for the benefit of whom a transaction or activity is being conducted, where appropriate based on the economic activity of the customer”

We note that this article is limited to the identification of the customer and not the verification. 

Article 18 states that obliged entities shall also obtain the information listed in paragraph 1 for persons on whose behalf or for the benefit of whom a transaction or activity is being conducted. 

While we understand the intent of the wording, it is important to highlight that this could be understood to include those entities that would fall under point 16.14 paragraph b) of guideline 16 of EBA's Guidelines (EBA/GL/2021/02), for example other investment funds (fund of fund type situation), pension providers, certain types of insurance products etc. 

Identifying all individuals that ultimately benefit from such an investment is not in line with the ML and TF risk associated with the client type and is likely to cause material administrative and operational costs. Moreover, there are GDPR related concerns given that the entities are the legal owners of the shares/units. If there are investments made by a bank on behalf of 10000 of their customers, it is neither practical for the asset manager nor for any of the individuals having to provide their ID documentation twice for the same transaction. However, the intermediaries’ customers are identified if they represent a significant investor in the fund (i.e. more than 25% of the shares/units) and thus could be considered as beneficial owners of the investment fund itself.

Moreover, art.18(1)(b) requires systematic collection (even in case of lower risk), for legal entities, of notably “the tax identification number or the legal entity identifier where applicable”. The systematic relevance of this information for AML/KYC due diligence purposes is questionable, noting that the same article requires in any case the collection of the “registration number” of the entity.

 

Article 21

We understand that the intention of article 21 is to clarify the simplified due diligence measures, as well as the extent of these measures, an investment fund shall perform with regards to intermediaries that invest in their own name on behalf of customers in the fund as described in paragraph c) of the point 16.14 of the guideline EBA/GL/2021/02.

In order to avoid any confusion and to align with the FATF securities sector guidelines, we suggest amending the text of the article as follows:

When an entity is acting as intermediary by subscribing for shares, units or other ownership interests of a collective investment undertaking in its own name, but on behalf of its customers, such collective investment undertaking may fulfil the requirement under Article 20(1)(h) of Regulation (EU) 2024/1624 by following up with the intermediary by making a request for information on any particular transaction(s), possibly leading to more information being requested on the underlying customers of the intermediary on a risk-sensitive basis, in case of any unusual activity or transaction on the part of the intermediary, or any potential deviations from the agreed terms of the arrangements governing the business relationship.

In addition, the collective investment undertaking shall be satisfied that: 

a. the intermediary is subject to AML/CFT obligations in an EU Member State or in a third country that has AML/CFT requirements that are comparable to those required by Regulation (EU) 2024/1624; 

b. the intermediary is effectively supervised for compliance with these requirements; 

c. the risk associated with the business relationship is not high;

d. the fund or fund manager is satisfied that the intermediary applies robust and risk sensitive CDD measures to its own customers and its customers’ beneficial owners.

Please find below some typical examples of due diligence that we would apply in line with the FATF risk-based approach guidance for the securities sector from 2018. In particular, in cases of EDD, additional measures are taken in addition to those mentioned above:

SDD:    

  • Verifying regulatory status and the comparability of the AML/CFT framework

EDD:

  • Obtaining additional customer information, such as the customer’s reputation and background from a wider variety of sources before the establishment of the business risk profile;
  • Being satisfied that the intermediary applies robust and risk sensitive CDD measures to its own customers and its customers’ beneficial owners.

Rationale:

The requirement to ensure that the intermediary provides DD information and documents on their customers immediately upon their request is highly problematic. Such an approach is not in line with FATF securities sector guidelines and, as mentioned above, is of limited value. Their customers are already subject to CDD measures performed by the intermediary, an obliged entity in its own right, and the robustness of the intermediary's AML process has already been scrutinized by the investment fund (in addition to their own internal processes, their auditors and their regulators).

In this context, we refer to paragraph 108 of the FATF securities sector Guidelines “The correspondent institution should monitor the respondent institution’s transactions with a view to detecting any changes in the respondent institution’s risk profile (i.e. compliance with AML/CFT measures and applicable targeted financial sanctions), any unusual activity or transaction on the part of the respondent, or any potential deviations from the agreed terms of the arrangements governing the correspondent relationship. Where such concerns are detected, the securities provider should follow-up with the intermediary by making a request for information on any particular transaction(s), possibly leading to more information being requested on the underlying customers of the intermediary on a risk-sensitive basis.” 

This would for example include a loss of license or a significant fine for shortcomings with AML/CTF legislation which is not adequately addressed; in these situations, the Asset Manager should take, and is taking, action.

Below are the supporting reasons:

  1. We note that the current wording of the article implies that for intermediaries that are not low risk (e.g. medium-low risk or medium risk) a full look-through on their client base is required. In practice, this is very difficult to achieve and only yields limited insights, given that the underlying customers can change on a daily basis, as well as the complexities of the possible distribution set-ups. When banks invest on behalf of their customers, it is likely to be tens of thousands of customers with small value investments or regular savings plans/retirement plans. Providing, processing and screening their data (for a 2nd, 3rd, 5th or 10th time depending on how many products they invest in to diversify their investment) will significantly overwhelm current processes and systems and will create massive costs for Asset Managers. These are costs that they would not need to incur if domiciled in other jurisdictions, such as the UK.
  2. We suggest, more generally and not limited to the application of simplified due diligence, putting the emphasis on the due diligence measures performed on the intermediary and the robustness of its AML processes, in line with FATF recommendations. This already very onerous process, which duplicates regulatory oversight and audit regimes, provides more assurance, is far less disruptive and generates lower costs. Under the current proposal, it would be virtually impossible to distribute EU investment funds in certain medium risk markets. It would significantly hurt the competitiveness of the UCITS brand, especially outside of the EU, and we would see significant downsides for all EU providers and a diminishing of what is a trillion EUR industry.
  3. There are also practical hurdles to requesting information on underlying customers, such as privacy and data protection laws in certain EU and non-EU countries. Regardless of the business impact for the European Investment Fund Industry, the costs associated with implementing such measures are significant (e.g. changing existing distribution agreements) and outweigh the fleeting gains that could be derived from it.
  4. Generally speaking, we consider that this measure could lead to duplication of efforts (if 10 product manufacturers are chosen rather than only one, the efforts would be multiplied by 10) and introduce inefficiencies and unnecessary burden and cost for the private individual. In our view, the due diligence measures should focus on understanding and assessing the intermediaries' AML/CDD processes.

 

Article 22 

We propose the following wording:

“Obliged entities shall take the necessary risk-based measures to ensure that they hold up-to-date customer identification documents and/or information.”

Below are the reasons supporting our proposal:

We have concerns that this could be interpreted as requiring obliged entities to check on a daily basis that the customer information is up to date, which would be very onerous and costly and not at all risk based. 

 

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.

In general, we believe that the obliged entities should apply a risk-based approach to determine which specific situations are to be considered as lower risk situations, allowing the application of simplified due diligence. 

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 26 defines some additional information on the source of funds, and source of wealth of the customer and of the beneficial owners to be collected in cases of enhanced due diligence. We propose to replace the terms “This information shall consist of one or more of the following evidence” with “the information to be collected may include the following evidence”.

Articles 24, 25 and 27 define minimum obligations to be complied with by obliged entities with regard to additional information on the customer and the beneficial owners, on the intended nature of the business relationship and on the reasons for the intended or performed transactions and their consistency with the business relationship. These obligations should only be illustrative and not prescriptive. It should be left to the responsible entities’ risk-based approach, commensurate to their risk appetite, to define the precise and tailored measures to apply to each case. Potentially, such measures may be based on factors such as the size of investment and the profile / regulatory status of the investor concerned. It must be underlined that many of the mentioned measures are not currently applied in practice. For example, entities obtain confirmation of source of wealth but not necessarily proof (only in specific higher risk or red flag cases). Finally, the mandatory application of all of the EDD measures considered might shift the focus from the real risk to a “tick the box” exercise and lead to a de facto financial exclusion of certain customers. We therefore propose to replace the terms “shall, at least” with “should, for instance”.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Art. 28 

Art.28 of the Draft RTS provides that, based on art.20(1)(d) of the AML Regulation, obliged entities shall apply screening measures to customers and to “all the entities or persons which own or control such customers”.

However, aforementioned art.20(1)(d) of the AML Regulation only sets forth the obligation, notably, to verify (emphasis added) “[…] whether natural or legal persons subject to targeted financial sanctions control the legal entity or have more than 50 % of the proprietary rights of that legal entity or majority interest in it, whether individually or collectively”. 

Art. 28 of the Draft RTS, to the extent that it requires the screening of “all” entities owning the customer, thus goes beyond the requirements of the AML Regulation, which limits the requirement to a majority interest or a 50%-ownership threshold. Art. 28 of the Draft RTS shall therefore be amended to comply with art. 20(1)(d) of the AML Regulation, as follows:

To comply with Article 20(1)(d) of Regulation (EU) 2024/1624, obliged entities shall apply screening measures to their customers and to the relevant entities or persons which control or meet the ownership conditions over such customers as provided by this Article.

Article 29

Art. 29(a) notably requires systematic screening of:

  • date of birth of natural person customers (i): while information such as e.g. date of birth may indeed be used, in case of positive hit, to further analyse the hit and determine whether the screened person actually corresponds to the sanctioned person identified, there should be no obligation to take this type of information into account for the screening in itself;
  • where available, wallet address in the case of a natural person, legal person, body or entity (iii): the obligation to screen this information shall be strictly limited to cases where this information is otherwise held in the KYC file, to the extent relevant to the activities / services provided under the business relationship with the customer;
  • in the case of a legal person, “beneficial ownership information” (iv): “beneficial ownership information”, as defined under art.62 of the AML Regulation, includes a number of information on the beneficial owners, such as, without limitation:
    • all names and surnames, place and full date of birth, residential address, country of residence and nationality(ies), number of identity document, and, where it exists, unique personal identification number assigned to the person by his or her country of usual residence;
    • the nature and extent of the beneficial interest held, as well as the date as of which the beneficial interest is held;
    • where the ownership and control structure contains more than one legal entity or legal arrangement, a description of such structure, including names and, where it exists, identification numbers of the individual legal entities or legal arrangements that are part of that structure, and a description of the relationships between them, including the share of the interest held.

 

While this type of information may indeed be used, in case of positive hit, to further analyse the hit and determine whether the screened person actually corresponds to the sanctioned person identified, there should be no obligation to take this type of information into account for the screening in itself, which should be limited to the identity of the identified beneficial owner(s), together with additional information that the obliged entity may consider relevant.

Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.

Other indicators could be taken into account, e.g.:

  • is the breach due to a failure by the obliged entity itself, or a third party / delegate of the obliged entity?;
  • whether the obliged entity took appropriate / reasonable steps to define mitigation measures / controls;
  • making a distinction between a breach of applicable AML/CFT laws/regulations, as opposed to a breach of the obliged entity’s own AML/CFT policies/procedures (which did not result in a breach of applicable laws/regulations).

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.

The criteria to be taken into account for certain notions used in this article should be defined/harmonized, such as:

  • qualification of the impact (minor / moderate / significant / very significant);
  • duration of the breach (short vs. significant period of time)

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

With respect to Article 4(2), the level of pecuniary sanctions should decrease in equivalent amount to take into account the amounts already invested by the obliged entity to remedy the identified / sanctioned breach.

With respect to Article 4(4), pecuniary sanctions on natural persons which are not themselves obliged entities (e.g. board members, conducting officers… of an obliged entity) should be limited to cases where it may be demonstrated that the individual conduct of such natural persons had a direct impact on the identified / sanctioned breach. Please further refer to the developments under question 4 below with respect to the compliance staff.

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

We are concerned about the implication that compliance professionals could be held personally responsible for breaches occurring in the organisation. While the role of compliance functions is undeniably critical, it is important to recognize that responsibility for regulatory breaches does not rest solely with compliance officers.

Compliance staff often serve in advisory roles without final decision-making power. Holding second-line functions personally liable - without executive powers – might be disproportionate. Staff in the second line of defense provide oversight and advice. They do not have executive power over business lines, nor are they the final decision-makers. Holding them personally liable for breaches caused by failures in the first line or senior management is disproportionate. Moreover, there is a risk that institutions could shift blame onto individual compliance officers as a defensive tactic, especially in high-profile cases.

Hence the proposed regime might undermine the internationally and EBA (paragraph 31 EBA GL/2022/05) recognized “three lines of defense” model. The second line (compliance, risk) is designed to monitor and advise. Assigning liability to these functions distorts governance principles and weakens accountability in the first line and senior management.

In line with the principles of company law, particularly the principle of collegial responsibility of the management body, accountability for decisions and oversight should be shared among the members of the management body collectively. Under the principles of civil law, and in line with the concept of collegial responsibility of the management body, liability for institutional failings must rest with the collective governing body, not with individual staff members acting within their defined responsibilities and without decision-making authority. It follows that the liability should not rest with individual staff members. 

Furthermore, compliance professionals, particularly MLROs, already operate under significant pressure and face substantial personal liability under existing AML frameworks. In several EU jurisdictions, MLROs are subject to administrative, civil, and even criminal sanctions in the event of serious failings—despite often lacking the authority to enforce decisions or allocate resources. The threat of further personal penalties risks undermining the attractiveness of these critical roles and may deter experienced professionals from taking them on.

The attribution of individual liability to compliance professionals for failures that may originate from broader organizational or strategic decisions risks misrepresenting the nature of their role. Furthermore, assigning personal liability to individuals who lack control over final decisions is inappropriate and potentially harmful. The threat of individual sanctions, in a context where decision-making is collective, could undermine the attractiveness of these positions and weaken the overall effectiveness of the compliance function. The increased personal risk associated with compliance roles could lead to talent drain, as experienced professionals either leave the sector or avoid such roles altogether. This can lead to a shortage of qualified staff across the EU financial system. As a consequence, this will most likely weaken the compliance function and increase systemic risk rather than reduce it.

Imposing personal liability on compliance staff risks blurring the lines between supervisory oversight and operational management. It would represent a shift from regulating institutions to regulating individuals within specific functions, which might exceed the intended scope of the regulatory framework. A strong compliance culture is better supported by clear institutional accountability, adequate resourcing, and effective governance structures - not by imposing personal penalties on individual staff.

In any case, should the EBA still decide to introduce individual sanctions, we are of the view that the financial strength of the natural person, including where applicable the annual income (fixed and variable remuneration), should not be taken into account to set the level of pecuniary sanctions. The EBA or AML/CFT supervisors do not in fact have the authority to request and obtain such type of personal information.

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

Given their impact, all these measures should be reserved for breaches with the highest level of gravity, i.e. breaches with gravity classified as category four (whereas the current draft refers to category three or four). Alternatively, they could be extended to category three breaches, e.g. in case of failure by the relevant obliged entity to remedy within a predefined timeframe.

Name of the organization

ALFI - Association of the Luxembourg Fund Industry