Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Go back

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

France Assureurs agrees with EBA's observation (paragraph 17 of point 3.2.1 of part 3 “Background and rationale”) that the proposed approach should also ensure that the cost of compliance with the new requirements does not exceed what is strictly necessary to achieve the objective pursued, which is to guarantee consistent methods of assessing money-laundering-terrorism financing (ML/TF) risk in all member states.

France Assureurs points out that changes to the supervisory authorities' data collection questionnaires require insurers to make considerable efforts to be able to provide the data requested (even a minor change of indicator can entail significant costs and delays in upgrading internal tools).

France Assureurs stresses the need to make maximum use of data already available and to measure the impact of any new data requests, minimizing these new requests as far as possible.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

France Assureurs agrees with the principle that the residual risk score should not be greater than the inherent risk score.

The AML/CFT control framework put in place by an obliged entity may not have the effect of increasing the inherent risk to which the entity is exposed prior to any mitigating measures, even if the AML/CFT control framework put in place by that entity is deficient.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

France Assureurs notes that the volume of data listed is very large and points out that French insurers have already had to make a major effort in 2023 to adapt to the new ML/TF risk questionnaire (the number of questions on which has been significantly increased) issued by the French supervisory authority. For entities distributing insurance products with a low level of ML/TF risk, such as provident contracts with a temporary death coverage alone, contracts with a lifetime guarantee whose purpose is solely to finance the insured's funeral, pension operations with no surrender value, or insurance contracts against the risk of death of a borrower, the principle of the risk-based approach should lead to these entities being subject to a simplified questionnaire, proportionate to their level of risk. Thus, the companies subject to AML/CFT with a low level of risk should be exempt from certain questions.

The granularity of the questions is also very fine, and the provision of certain data (for example, data by country) could be difficult.

Regarding the relevance of the indicators to the insurance sector, France Assureurs notes that:

  • These indicators, which are common to the financial sector as a whole, are not always adapted to the insurance sector.
  • Given the diversity of life insurance products, indicators specific to life insurance products are not appropriate.

France Assureurs notes that certain data could be clarified or better defined:

Section A - Inherent risk:

- Number of legal entities with a complex structure

- Number of walk-in customers

- Number of occasional transactions carried out by walk-in customers

- Number of outgoing transactions during the previous year, by country

The notion of “transaction” should be clarified for insurance: payment of a claim? collection of premiums? modification of a beneficiary clause? etc.

In some cases, it may be difficult to provide data by country, for example:

- Number of investors per country (for Asset Management Companies - AMCs) 

- Total value of investments (EUR) by country (for AMCs)

Concerning distribution chains:

- There are many types of distributors in the insurance sector, and it can be difficult to identify them according to whether they are part of a third-party network (i.e. all networks that are not employee-based) or proprietary, once customers have been integrated into the tools.

- The categories of agents, distributors and brokers should be clarified with regard to EBA's expectations: what should be included in these categories?

Regarding section B - AML/CFT Controls:

Data points relating to outsourcing (1C) refer to suspicious transaction reports, but pursuant to article 18 of regulation 2024/1624 of May 31, 2024, suspicious transaction reports cannot be outsourced.

Indicators relating to the average number of hours or the maximum number of hours between publication of a list of sanctions and integration into filtering tools are too granular.

France Assureurs observes that some indicator categories are marked “N/A” (not applicable). What is the EBA's expectation for these indicators?

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

France Assureurs points out the problematic timetable for implementing the 1st risk assessment and classification of reporting institutions:

  • Drafting of the RTS pursuant to Article 40 (2) of the 6th Directive by July 10, 2026 at the latest.
    • Entry into force of the RTS on the 20th day following publication in the Official Journal of the European Union (OJEU).
    • Supervisors must carry out the first assessment and classification of inherent and residual risks no later than 9 months after the RTS come into force. 

Insurers will need to adapt their IT tools to enable them to collect the new data required for this assessment. However, work on upgrading these tools cannot begin until the list of data to be collected has been fixed, i.e. until the text has been published in the OJEU (i.e. by July 2026 at the latest). The supervisor will then have a maximum of 9 months to assess and classify risks. It is impossible for insurers to be able to upgrade their IT tools to meet the new RTS requirements in such a short timeframe. IT projects are costly and time-consuming for companies and need to be anticipated sufficiently in advance to allow for an estimation phase and a budget validation phase by management, followed by a technical implementation phase.

The timeframe stipulated in the RTS should therefore be adapted to take into account the budgetary and technical constraints of obliged entities. France Assureurs suggests providing for a transition period, for the first data collection exercise for example, during which companies would have the option of not answering certain questions relating to new data, if they are not in a position to do so. 

The questions should also be adapted in line with the risk-based approach: companies with a low level of risk should be exempted from certain questions.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

Concerning article 5, 3. b) iii, why does the draft RTS refer to article 2 paragraph 6 (a) when insurance is covered by paragraph 6 (b)?

Furthermore, the criteria set out in this article for the application of a reduced frequency of assessment and classification of the risk profile of obliged entities are unrealistic. The obliged entity must exclusively distribute the following contracts or products: non-redeemable contracts or products, contracts or products that insure a lender against the death of a borrower, and contracts or products whose annual premium does not exceed EUR 1,000 or whose single premium does not exceed EUR 2,500. In practice, the hypothesis of a player distributing only these products seems marginal, if not non-existent.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

France Assureurs observes that it is indeed logical for there to be a differentiated assessment, while stressing that a nuance should be made for certain countries within the EU or within the monetary zone which may be on the FATF list or which present specific risk criteria.

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

France Assureurs observes that, insofar as the proposed criteria are alternative, the threshold of 20,000 customers seems low in the case of retail customers.

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

The threshold of 20,000 customers already seems low. Too low a threshold would mean considering financial institutions that do not present a sufficiently high risk at EU level.

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

As mentioned above, the 20,000-customer threshold seems low for retail customers. However, for institutional customers, the threshold is much higher. A different threshold for retail and institutional customers could therefore be justified.

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

Yes, it's consistent. The choice of a different methodology for RTS based on article 40 (2) and RTS based on article 12 (7) would not be justified in terms of risk analysis and would make the system more complex to understand for all stakeholders (supervisory authorities and reporting entities).

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

Yes, with regard to the assessment methodology for direct supervision by the AMLA, it is preferable for the approach adopted to be fully harmonized by an assessment method based on objective criteria set at European Union level.

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

France Assureurs agrees with the proposed methodology.

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

Since the entities at the head of the group may be nothing more than holding companies with no activity, it is not consistent to give the same consideration to the parent company and the other entities in the group when determining the risk profile of the group as a whole.

The management of the group system does not justify the group head entity being assessed in the same way as the other entities within the group.

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Concerning the draft RTS issued in application of Article 28(1) of the AMLR, relating to Know Your Customer (KYC), a number of measures do not take sufficient account of the risk-based approach and appear to correspond to a high level of risk. This is particularly the case for section 1.

 

France Assureurs points out that on the ML/TF risk scale, life insurance products fall between moderate and low risk:

  • Moderate risk corresponds to savings-type life insurance contracts with surrender value, which in this sense meet the notion of insurance-based investment contracts;
  • Low risk corresponds to various types of insurance products:
    • life insurance contracts with a temporary death coverage alone, or combined with disability benefits with no surrender value;
    • contracts with a lifetime guarantee, the sole purpose of which is to finance the insured's funeral, although these contracts may include surrender values, their purpose is not to make the contributions paid grow, as in a savings contract, and they do not include any investment elements ;
    • pension operations with no surrender value;
    • insurance policies taken out by a lender against the risk of the borrower's death.

Many life insurance products do not include investment components or surrender values. The draft RTS should take better account of the risk-based approach for products classified as moderate to low risk, such as life insurance products, particularly for life insurance products with no investment component or surrender value.

 

Any measure disproportionate to the risk generates an impact in terms of cost and efficiency, consuming means and resources that could be better used.

 

Comments on article 4 of the draft RTS :

 

On article 22 (1) (a) point (iii) of regulation 2024/1624 of May 31, 2024, could EBA confirm that the information to be collected is nationalities or refugee status and not nationalities and refugee status: a stateless person will necessarily have a refugee status. So what situation is covered by this statelessness status?

            

The wording of article 4 of the draft RTS is very demanding: what means do reporting entities use to obtain the information they need to ensure that they know their customers' other nationalities, if any? What documentary evidence should be requested?

If the customer does not provide all the information or documents, how will reporting entities proceed in practice? Information on customer nationalities is necessarily declarative. France Assureurs suggests that the wording be clarified to explicitly state that this obligation can only be implemented in cases where reporting entities have the information.

Comments on article 5 of the draft RTS :

The draft RTS indicates that a document, in the case of natural persons, is considered equivalent to an identity document or passport when certain conditions are met. One of these conditions is that the document must mention nationality. France Assureurs notes that nationality is not mentioned on the driving license, even though this document is currently the most widely used for identity verification after the identity card and passport. The driving license is a document that should be accepted as it meets all the other conditions mentioned in article 5. France Assureurs therefore suggests amending the wording of article 5 paragraph 1 as follows:

“b. it contains at least all names and surnames, the holder’s date and place of birth 

and, where available, their nationality,”

Comments on article 10 of the draft RTS:

France Assureurs notes the systematic nature of the obligations set out in this article and suggests introducing greater proportionality through the application of the risk-based approach principle.

Comments on article 11 of the draft RTS:

France Assureurs notes the systematic nature of the obligations set out in this article and suggests introducing greater proportionality through the application of the risk-based approach principle.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

France Assureurs notes that solutions based on the eIDAS regulation are still not sufficiently available in France (in particular, electronic means of identification offering either a substantial or high level of guarantee). It is important that the identity verification measures authorized by the regulations in the context of entering into a remote relationship are:

  • widely available
    • reasonably priced
    • not too cumbersome or complex to implement.

In addition, it is important that the regulations provide for alternative identity verification methods to those provided for in the eIDAS regulation, so that obliged entities can always have remote access solutions at their disposal, even if solutions based on the eIDAS regulation are not sufficiently available or cease to be available for whatever reason.

The methods used to enter into a relationship with a customer are a crucial issue for an insurance company and should not be jeopardized for reasons relating to the availability or non-availability of remote identity verification tools.

France Assureurs notes that the alternative solution proposed in paragraphs 2 to 6 of article 6:

  • is based on conditions that are very onerous to implement, and would represent a major departure from the alternative solutions currently authorized in France;
    • would entail very high costs;
    • would be disproportionate for certain products, particularly low-risk products;
    • could make it difficult for certain categories of customers (e.g. vulnerable or elderly people) to access insurance services.

France Assureurs suggests maintaining the alternative solutions that exist in France today in the event of the unavailability of solutions based on the eIDAS regulation, and in particular the possibility of resorting to the following two alternative measures:

  • request a copy of the identity card
    • and require that the first payment for transactions be made from or to an account opened in the customer's name with a person subject to AML/CFT regulations established in a member state of the European Union or in a state party to the European Economic Area agreement, or in a third country imposing equivalent obligations in terms of combating money laundering and the financing of terrorism.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Comments on article 15:

how the customer plans to use the products or services provided, including the volume of funds flowing through the account and their source;” => this measure is not adapted to insurance, France Assureurs proposes to specify the redaction as follows: “how the customer plans to use the products or services provided, including where applicable the volume of funds flowing through the account and their source;”

where the ML/TF risk is higher, to determine the source of wealth.”=> This measure should take better account of the risk-based approach. It should not be applied systematically to all high-risk customers (this would be disproportionate).

Comments on article 16:

When obtaining information in accordance with Article 25 of Regulation (EU) 2024/1624, obliged entities shall take risk-sensitive measures to obtain the following information:” => This wording is problematic in that it is not sufficiently clear, nor does it make it easy to understand how to implement the risk-based approach when the verb “shall” is used and a very precise list of information to be collected is provided.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Concerning the draft RTS issued in application of Article 28(1) of the AMLR, relating to Know Your Customer (KYC), a number of measures do not take sufficient account of the risk-based approach and appear to correspond to a high level of risk. This is particularly the case for section 4.

France Assureurs points out that on the ML/TF risk scale, life insurance products fall between moderate and low risk:

  • Moderate risk corresponds to savings-type life insurance contracts with surrender value, which in this sense meet the notion of insurance-based investment contracts;
  • Low risk corresponds to various types of insurance products:
    • life insurance contracts with a temporary death coverage alone, or combined with disability benefits with no surrender value;
    • contracts with a lifetime guarantee, the sole purpose of which is to finance the insured's funeral, although these contracts may include surrender values, their purpose is not to make the contributions paid grow, as in a savings contract, and they do not include any investment elements;
    • pension operations with no surrender value;
    • insurance policies taken out by a lender against the risk of the borrower's death.

Many life insurance products do not include investment components or surrender values. The draft RTS should take better account of the risk-based approach for products classified as moderate to low risk, such as life insurance products, particularly for life insurance products with no investment component or surrender value.

Any measure disproportionate to the risk generates an impact in terms of cost and efficiency, consuming means and resources that could be better used.

Comments on article 18 :

Regarding Article 18 1. b.: “for a legal entity and other organisations that have legal capacity under national law, the legal form and registered name of the legal entity including its commercial name, in case it differs from its registered name; the address of the registered or official office and the registration number, the tax identification number or the legal entity identifier where applicable.”

What is the purpose of this request? This information is not currently collected. Is it easily retrievable via official documents? The commercial name can change, the only relevant name is the one mentioned in the registration register.

Collecting this information will require an upgrade of the tools and therefore generate a cost.

Comments on article 19 :

In situations of lower risk, the obliged entity may consult one of the following sources for the identification of, and use another sources from the same list under b. or c. for the purposes of verification of the beneficial owner or the senior managing officials :” => Why conduct a double check in low-risk situations? This seems disproportionate to the risk and will generate an impact in terms of cost and efficiency, consuming means and resources that could be better used. Article 19 should better take into account the risk-based approach. In France today, consulting the Beneficial Owners Register is sufficient in itself. This possibility should be maintained.

Comments on article 22 :

The measures relating to the regular updating of identification data for low-risk customers seem disproportionate, especially for natural persons (given the data concerned, which, except in exceptional cases, is not likely to change over time).

This seems disproportionate to the risk and will generate an impact in terms of cost and efficiency, consuming resources that could be better used.

The obligation for obligated entities to take the necessary measures to ensure that they hold up-to-date customer identification data at all times is impossible to implement in practice. What does "at all times" mean? Can the EBA clarify?

Comments on article 23 :

According to Article 23,  “obligated entities shall, at a minimum, take risk-sensitive measures to understand why the customer has chosen the obligated entities’ products and services, the source of the funds used in the business relationship or occasional transaction, and how the customer plans to use the products or services provided, including, where applicable, the estimated amounts flowing through the account”. In low-risk situations, these obligations are excessive and are not based on a risk-based approach. Furthermore, the disclosure of the source of funds is not appropriate for all products. France Assureurs points out that not all life insurance products have an investment objective and suggests amending the wording of Article 23 as follows: “obliged entities shall, at minimum, take risk-sensitive measures to understand why the customer has chosen the obliged entities’ products and services, where applicable the source of the funds used in the business relationship or occasional transaction, and how the customer plans to use the products or services provided, including where applicable the estimated amounts flowing through the account.”

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.

Annex II of Regulation 2024/1624 of May 31, 2024, relating to lower risk factors, explicitly mentions:

  • life insurance policies for which the premium is low;
  • insurance policies for pension schemes if there is no early surrender option and the policy cannot be used as collateral;

These products could benefit from specific simplified sector-specific due diligence measures.

Furthermore, France Assurers emphasizes that certain life insurance products not listed in Annex II of Regulation 2024/1624 of May 31, 2024, do not contain investment elements, are considered low risk in terms of AML/CFT, and should therefore benefit from simplified sector-specific due diligence measures. This is particularly the case for contracts without a surrender value that include a death coverage combined with disability/incapacity benefits, and life insurance contracts intended to finance funeral expenses. These two types of contracts do not contain investment elements. The insured chooses a capital amount to be insured. In the event of death, this capital will be paid out regardless of the amount of contributions paid, subject to exclusions. The contributions paid are not represented by the euro fund or units of life, as in a savings plan. France Assureurs proposes that this type of contracts benefit from sectoral simplified due diligence measures.

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Concerning the draft RTS issued in application of Article 28(1) of the AMLR, relating to Know Your Customer (KYC), a number of measures do not take sufficient account of the risk-based approach and appear to correspond to a high level of risk. This is particularly the case for section 4.

France Assureurs points out that on the ML/TF risk scale, life insurance products fall between moderate and low risk:

  • Moderate risk corresponds to savings-type life insurance contracts with surrender value, which in this sense meet the notion of insurance-based investment contracts;
  • Low risk corresponds to various types of insurance products:
    • life insurance contracts with a temporary death coverage alone, or combined with disability benefits with no surrender value;
    • contracts with a lifetime guarantee, the sole purpose of which is to finance the insured's funeral, although these contracts may include surrender values, their purpose is not to make the contributions paid grow, as in a savings contract, and they do not include any investment elements;
    • pension operations with no surrender value;
    • insurance policies taken out by a lender against the risk of the borrower's death.

Many life insurance products do not include investment components or surrender values. The draft RTS should take better account of the risk-based approach for products classified as moderate to low risk, such as life insurance products, particularly for life insurance products with no investment component or surrender value.

Any measure disproportionate to the risk generates an impact in terms of cost and efficiency, consuming means and resources that could be better used.

Comments on article 24 :

France Assureurs notes that Article 24 provides, in particular, in point a., an obligation to verify the authenticity and accuracy of information on the customer and the beneficial owner. However, this obligation raises questions of costs, the means available to implement it, and feasibility. Indeed, this verification obligation does not apply to a document but to information. By what means can obligated organizations verify the authenticity and accuracy of information, such as negative media reports? The resources currently made available by Member States appear insufficient. The obligation provided for in point a. of Article 24 raises numerous difficulties: what means do obligated organizations have to implement this obligation? What is its purpose? How does it relate to personal data protection obligations?

Point d. of Article 24 requires obtaining information on family members. How can information on family members be obtained? What resources are made available to entities subject to the provisions of the Member States?

Comments on article 26 :

The obligations set out in Article 26, insofar as they also cover the source of wealth, are excessive. It will be very difficult in practice to request the aforementioned supporting documents, and this will create difficulties in customer relations. The application of these measures to beneficial owners is also excessive. France Assureurs suggests amending the wording of this article to better reflect the principle of the risk-based approach, by removing the reference to the source of wealth and beneficial owners.

Regarding point d. of Article 26, the search for information on family members is excessive. How can information on family members be obtained? What resources are made available to obliged entities by the Member States? Regarding beneficial owners, France Assureurs emphasizes that ensuring the reliability of existing registers is a priority.

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

France Assureurs notes that solutions based on the eIDAS regulation are still not sufficiently available in France (in particular, electronic means of identification offering either a substantial or high level of guarantee). It is important that the identity verification measures authorized by the regulations in the context of entering into a remote relationship are:

  • widely available
    • reasonably priced
    • not too cumbersome or complex to implement.

In addition, it is important that the regulations provide for alternative identity verification methods to those provided for in the eIDAS regulation, so that obliged entities can always have remote access solutions at their disposal, even if solutions based on the eIDAS regulation are not sufficiently available, or cease to be available for whatever reason.

The methods used to enter into a relationship with a customer are a crucial issue for an insurance company and should not be jeopardized for reasons relating to the availability or non-availability of remote identity verification tools.

France Assureurs notes that the alternative solution proposed in paragraphs 2 to 6 of article 6:

  • is based on conditions that are very onerous to implement, and would represent a major departure from the alternative solutions currently authorized in France;
    • would entail very high costs;
    • would be disproportionate for certain products, particularly low-risk products;
    • could make it difficult for certain categories of customers (e.g. vulnerable or elderly people) to access insurance services.

France Assureurs suggests maintaining the alternative solutions that exist in France today in the event of the unavailability of solutions based on the eIDAS regulation, and in particular the possibility of resorting to the following two alternative measures:

  • request a copy of the identity card
    • and require that the first payment for transactions be made from or to an account opened in the customer's name with a person subject to AML/CFT regulations established in a member state of the European Union or in a state party to the European Economic Area agreement, or in a third country imposing equivalent obligations in terms of combating money laundering and the financing of terrorism.

Name of the organization

France Assureurs