Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
In our view, several RTS provisions lack proportionality and risk-based nuance. Requirements such as the collection of detailed data on intermediary companies in a structure for parties with whom no business relationship exists, extensive documentation requirements for non-face-to-face onboarding or exact information on addresses and countries of birth, without consideration of the risks, mean a considerable cost burden for all parties involved without any corresponding added value in the fight against money laundering.
In our view, several RTS provisions lack proportionality and risk-based nuance.
As currently drafted, the lack of flexibility will lead to disproportionately high compliance costs, unnecessary customer contact and delays in implementation, without limiting the corresponding risk-mitigating effects. We therefore propose the following amendments:
Art. 1 - Names of natural persons and legal entities
With regard to the requested information on the name of the legal entity, please add that a trade name should only be requested if it is available.
Art. 2 - Information to be obtained in relation to addresses
We propose flexibility in situations where no postcode or street name exists. In such cases, institutions should be allowed to record the address provided by the customer, in accordance with Article 22 (1) (a) (iv) AMLR.
We assume that the requirements for data collection are limited to collection from the customer, but not to further verification. It should be sufficient to ask the customer to provide this data.
Art. 3 - Clarification of the indication of the place of birth
We propose deleting the requirement to state the country of birth.
In practice, there are considerable differences in the indication of the place of birth in identity documents. While most documents only state the place of birth (e.g. in Germany), it is rare for both the place and country of birth to be stated in the document. Determining the country of birth is therefore associated with uncertainties. This applies in particular to countries that no longer exist in their former form. The risk of collecting incorrect data or recording information differently due to a lack of clear standards is higher than the added value of such a regulation.
Art. 4 - Specification of nationalities
As set out in the general comments, in relation to the term "satisfy themselves", we suggest explicitly stating that institutions may rely on the information provided by the client unless there are risk factors or warning signals that would justify additional verification
Art. 5 - Documents to verify identity
In our understanding, Art. 5 (1) only applies to documents that are not official passports or national identity documents and we assume that this article contains an exhaustive list of characteristics that a document must contain in order to be treated as equivalent to a passport or national identity document for the purposes of verifying a customer's identity under Article 22 (1)(a) of the AMLR. If the document presented is a valid passport or national identity document issued by a state or public authority (e.g. in the Netherlands identity card, driving licence), we consider that this can be accepted without further conditions, even if certain elements listed in Article 5(1) are missing. For example, a passport that does not contain an MRZ does not have to be excluded from use if it is a valid national identity document. This should not only apply to low-risk situations, as mentioned in recital 14.
We consider that these criteria can be interpreted with sufficient flexibility to take into account valid identity documents that are generally accepted in national legislation. For example, in relation to Article 5 (2) and Article 3 of the RTS, we note that not all identity documents include country of birth or nationality. We interpret Art. 5 (2) to allow for reasonable flexibility, whereby such identity documents are still accepted and any missing data can be supplemented by information provided by the customer. This also applies to information such as habitual residence, which is not included in most identity documents but is required under Article 22 (1) (a) AMLR. Such information is obtained directly from the customer.
We assume that in cases where the identity of a customer has already been verified under national law prior to the entry into force of the AMLR, this verification remains valid and there is no obligation to re-verify the identity of a customer simply because the document no longer fulfils all the conditions of Art. 5 (1). Once the identity has been verified, it should remain valid unless risk-based triggers indicate the need for re-verification.
Art. 7 - Reliable and independent sources of information
We are of the opinion that the reference in Art. 22 (6) (a) AMLR to the use of reliable and independent sources "where relevant" should be interpreted on a risk basis. This means that for customers categorised as low or medium risk, it may not be necessary to obtain additional information beyond the identification document to verify the customer's identity. In these cases, a customer declaration in lower risk scenarios may fall within the scope of reliable and independent information, unless the obliged entity has a valid reason to believe otherwise. For high-risk customers, however, obtaining additional information may be appropriate.
Further clarification is needed on what is meant by "risk-sensitive measures to assess the credibility of the source". The current wording leaves room for different interpretations, particularly with regard to the level of due diligence expected for different risk categories.
We are also in favour of further clarification of the term "current". There is no harmonised practice across EU Member States regarding the acceptable age or "currency" of data on legal persons and supporting documentation used for KYC checks. This applies both to the duration of the acceptable age and to the starting point for determining "currency". We request that the RTS clarify the duration for which relevant documents are considered new or "current". This could be done by making the requirement of "current" only for documents that originate from a public register and therefore have an extract date, and then setting a time limit for these extracts.
Art. 10 - Understanding the client's ownership and control structure
The extensive requirements to understand the customer's ownership and control structure in the case of complex structures go beyond the wording of the AMLR. Furthermore, it contradicts the risk-based approach that the AMLR explicitly promotes by not allowing the option of less stringent information collection in a low-risk scenario.
Furthermore, the draft does not specify from whom and how this information is to be obtained. We conclude from this that it is up to the obligated parties to obtain the information themselves, if necessary also via public sources.
Art. 11 - Understanding the client's ownership and control structure in the case of complex structures
Article 11 contains a very broad definition of "complex structures". Many customers naturally have several layers of ownership, sometimes in different jurisdictions. Applying this definition without a risk-based differentiation could lead to unnecessary bureaucracy. We recommend allowing proportionality and a risk-based assessment.
We also ask for clarification of the term "organisation chart". We interpret it as the ownership/control path between the customer and its UBO, but not the entire structure. Where reliable sources are available, companies should not be obliged to obtain organisational charts from customers.
Art. 12 - Information on senior executives
In our view, Art. 12 of the RTS goes beyond the mandate of Art. 22 (2) AMLR by equating the requirements for UBOs and SMOs.
As the RTS makes a clear distinction between UBO and SMO, we believe that they should not fall under the same requirements.
We believe that a business address should be sufficient for senior executives. Requiring a residential address is disproportionate and questionable as SMOs do not act as UBOs and are explicitly not considered as such.
Art. 13 & 14
We suggest clarifying what is meant by "sufficient information" in the context of both articles, e.g. by providing practical examples, in particular for complex trust structures or for cases where information is not publicly available.
We recommend inserting the word "proportionate" before "measures" in Article 14(2)(b) to clarify that a risk-based approach is allowed, as this is in line with the principle of proportionality and existing anti-money laundering practices.
In general, recourse to third parties is very important for guarantee institutions in the case of individual guarantees, where the guarantee institution guarantees a credit transaction between the financing bank and the beneficiary company. This avoids the same information being requested twice for the same transaction.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
We support the use of remote solutions for customer verification without an in-person visit, as described in Article 6(2)-(6), as these solutions provide sufficient protection against identity fraud. Remote solutions may be more accessible for customers who may not have e-IDAS-compliant electronic identities, such as members of vulnerable groups, which is particularly important for guarantee institutions whose role is specifically to ensure financial inclusion. In this sense, we are in favour of remote solutions being a permanent alternative when e-IDAS compliant solutions are not feasible/accessible. Furthermore, we welcome the possibility for obliged entities to accept reproductions of an original document, as this is often the easiest and most straightforward way to verify a customer's identity when they are not present in person.
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
We generally support the proposals in Article 8 in relation to virtual IBANs, as for SME customers the nature of a guarantee transaction inherently involves a relationship with the credit or financial institution offering the credit. This approach not only streamlines the verification process but also reduces unnecessary bureaucracy as the guarantee scheme customers are managed and monitored by the banks themselves.
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Articles 15 and 16 contain a large number of requirements that are too extensive in terms of content as part of the general due diligence obligations in normal risk scenarios.
This contradicts the risk-based approach, as the wording of the provisions already sets out very detailed requirements and leaves no room for choice. In cases where no higher risk is apparent, this unnecessarily ties up capacity and impairs the customer relationship. In line with the reasoning (2) and the principle of proportionality, we call for obliged entities to be given greater leeway in obtaining the relevant information, as these scenarios are explicitly not covered by the EDD. In terms of content, we simply do not see any need to collect the aforementioned documents in order to recognise and understand the purpose and nature of the business relationship or occasional transaction.
Art. 15 - Indication of the purpose and intended nature of the business relationship or occasional transaction
The provisions in Art. 15 partially go beyond the legal basis in Art. 20 (1) (c) AMLR.
Even under the EDD, tracing the source of wealth should not be a standard requirement (see our comments on Article 27). It is an intrusive measure that should be applied selectively and only in clear high-risk situations. Treating it as a default requirement in any higher risk context is counterproductive and inconsistent with effective risk prioritisation.
Art. 16 - Understanding the purpose and intended nature of the business relationship or occasional transaction
The requirement under Art. 16 (c) to obtain detailed information about a customer's employment income (including salary, wages, bonuses, pension or retirement funds, government benefits, business income, savings, loans, capital gains, inheritances, gifts and other asset disposals) is excessive as there are no risk indicators. While we understand that such information may be useful for clarification in cases of doubt or suspicion, it seems disproportionate in standard CDD scenarios such as the opening of a payment account by an individual or the execution of routine transactions.
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We welcome the possibility for less complex obliged entities such as guarantee schemes to rely on manual checks for the identification and verification of politically exposed persons (PEPs). This provision is particularly beneficial as it reflects the operational realities and capabilities of guarantee schemes. In the case of individual guarantees, guarantee schemes often have a direct and well-established relationship with their SME clients, making manual checks particularly useful and effective in verifying the necessary information. By allowing manual verifications, the draft RTS recognises the unique operational framework of guarantee schemes and ensures that they can comply with CDD obligations in a way that is both practical and efficient without creating unnecessary technical or administrative burdens.
Art. 17 - Identification of politically exposed persons
However, as an improvement, we suggest that Art. 17 introduces a more risk-based approach in relation to relatives and related parties (RCAs) of PEPs, based on the individual scenario and the nature of the relationship. A clarification that opens up the possibility to rely on information available in various provider lists (e.g. Factiva, Dow Jones, Info4c ...) could be helpful in this sense.
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We generally welcome the simplified due diligence requirements proposed in Section 4 of the draft RTS, as they are particularly suitable for low-risk transactions, such as SME support guarantees. As set out in Article 18, it is appropriate to collect only the most basic information such as legal form, registered name and address and to minimise the unnecessary administrative burden for both low-risk obliged entities and their SME clients. The provisions in Article 19 on the identification and verification of beneficial owners or officers in low-risk situations are also balanced and allow the use of reliable sources such as central registers or customer declarations, which is already widely practised by guarantee schemes.
However, we suggest the following improvements.
Art. 18 / 19
Insofar as the RTS refer to Art. 18 and 19, we assume that the term "low risk" within the meaning of Art. 33 AMLR IS TO BE UNDERSTOOD. Consequently, all customers who do not fall under high risk are to be regarded as low-risk customers for whom the application of simplified due diligence obligations is generally possible on a risk basis. We suggest that this interpretation be clarified.
With regard to Art. 19 (a), we understand that a public register can serve as a means of identification and verification.
In this sense, we would find a definition of the term "executive employee" helpful, as it is not defined in concrete terms in the AMLR.
Art. 22 - Updating customer identification data in low-risk situations
As we understand it, obliged entities can opt out in low-risk cases (by this we mean all cases that do not pose a high risk and not just those that fall under the SDD, see comments on Art. 18/19).
With regard to Art. 22 (2), the maximum period of 5 years should be extended with regard to Art. 33 (1) (b) AMLR. Otherwise, there is no valid scope of application for this provision.
Art. 23 -Minimum information to identify the purpose and intended nature of the business relationship or occasional transaction in low-risk situations
It is clear from the wording of Art. 23 that the obliged entity must actively make minimum determinations about the purpose and intended nature of the business relationship. We are in favour of clarifying that, according to Art. 33 para. 1 lit. c ARBO, it is sufficient to draw conclusions from the nature of the transactions or the business relationship entered into.
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.
We strongly welcome the categorisation of SME promotional guarantees as financial products that should benefit from specific sectoral simplified due diligence measures. Guarantee institutions play an important role in overcoming the market failure in access to finance for SMEs as they provide guarantees to SMEs that have a commercially sound project but lack sufficient bankable collateral. In this sense, and according to our understanding, point 2.d of Annex II of the AMLR precisely covers promotional guarantees for SMEs as "financial products or services that provide appropriately defined and limited services to specific types of clients to improve access for the purpose of financial inclusion". Indeed, SME support guarantees are inherently particularly low-risk in terms of money laundering and terrorist financing for several important reasons. Firstly, these guarantees do not involve cash payment services, which inherently reduces the risk of money laundering activities.
Secondly, the funding guarantee business is inherently long-term in nature and subject to extensive state aid requirements and scrutiny, making it unattractive to money laundering schemes that typically target quick and anonymous transactions. In addition, the funding guarantees granted by guarantee banks and other guarantee institutions are usually small in scale, which further reduces their attractiveness for illegal financial activities. In addition, the projects financed are closely monitored either by the guarantee institution in the case of individual guarantees or by the financing bank in the case of portfolio guarantees, or both. This close monitoring ensures that any irregularities can be quickly recognised and rectified. Finally, beneficiary companies must present a viable business plan in order to be eligible for guarantee support, which adds an extra layer of control and legitimacy to the process.
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Art. 24 - Additional information about the customer and the beneficial owners
As the AMLR introduces a new definition of a politically exposed person, the number of persons covered by the EDD will increase. At the same time, the requirements for additional information about the customer and the UBO will be significantly expanded.
Letter c) raises questions about the methods for recording and documenting the beneficial owner's previous business activities and whether any changes should be tracked. It is also unclear how far back the documentation should go. In our view, a maximum of five years should not be exceeded as this is the maximum retention period prescribed by the AMLR. A shorter period (e.g. 3 years) should also be sufficient.
Letter d of the Regulation raises concerns about the data protection of family members, persons known to be close associates or other close business partners. In order to carry out a risk assessment, a lot of personal data must be obtained with the involvement of the internal data protection committee. Little of the information required is generally publicly available.
At the same time, it is unclear how the collection of the required parameters relates to the ban on tipping under Art. 73 AMLR? If the obliged entity has a "reasonable suspicion of a criminal offence", it must submit a suspicious activity report and may not disclose this to the customer. In view of the extensive investigation obligations, however, disclosure can hardly be avoided. The RTS should clarify that informing customers in cases of suspicion is crucial and therefore Art. 24 (d).
Art. 25 - Additional information on the intended nature of the business relationship
Due to the open and extensive formulation in this article, several requirements cannot be clearly defined.
We assume that the "information from authorities" does not oblige the obligated parties to proactively investigate and obtain information from authorities. In most cases, the request for information would not be successful for data protection reasons. We therefore only see this requirement as a necessity to obtain publicly accessible information from authorities. We are in favour of clarifying this in the RTS.
In our opinion, it is also necessary to clarify what the obligation to collect information about the customer's most important clients entails. The AMLR does not include these groups of persons in the scope of the due diligence obligations. The RTS can therefore not easily extend the due diligence obligations.
Art. 26 - Additional information on the origin of the client's funds and assets and the beneficial owners
Art. 26 - in contrast to Art. 24 and 25 - does not allow for evidence based on the assessment of the obliged entity. There is no obvious reason for this distinction and, in light of the risk-based approach, obliged entities should be able to use documents other than those mentioned to verify the origin of the funds and assets.
Re (a): The expectation that payslips or employment documents must be signed by the employer is outdated and incompatible with modern digital payroll systems where physical signatures are not the norm.
In this context, we also assume that the term "certified" as mentioned in Article 26 (a), (b), (e), (f) will be defined to reflect the practices of both physical and digital certification. This would support a risk-based approach and further reduce the bureaucratic burden. We request further clarification.
If an obliged entity has seen the original document, it should generally be allowed to keep a copy and certify that it has examined the original without requiring external certification. Especially if the documentation can be retrieved from public sources
With regard to letter d), it cannot be assumed that official public documents are available for assets arising from an inheritance. In many jurisdictions, an inheritance may be settled informally within the family if the legal heir is obvious and no will exists. In such cases, alternative evidence or declarations should be used.
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Art. 28/29
We understand Art. 29 (a) (iv) to mean that "beneficial ownership information" only includes information about the UBO itself and not about the intermediary companies. This is also the only way to understand recital 19 of the RTS.
The term "substantial changes" in Article 29 (c) (iii) requires further clarification. 29 (c) (iii).
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
N/A
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We understand that Article 32 generally provides for a five-year period for updating all customers who do not pose a high risk. In combination with Recital 16 of the RTS and Guideline 43 in Chapter 3.2.3 of the consultation document, we understand this to include the application of all customer due diligence requirements.
Although Art. 32 refers to the entry into force of this Regulation (i.e. this RTS on the CDD), we consider that the five-year period should start from the date of application of Regulation (EU) 2024/1624 (the AMLR), as confirmed in Art. 90 AMLR, which sets this date as 10 July 2027. Recital 16 of the RTS supports this interpretation by explicitly referring to the "date of application" as the date from which the update obligation is to be calculated. Accordingly, we interpret Art. 32 to mean that all existing customer information must be updated on a risk-based basis by 10 July 2032.
With regard to low-risk customers, we ask for explicit confirmation that the general period of 5 years for updating can be extended on a risk-based basis; see also our comments on question 7.
We kindly ask you to consider the topics presented in the further development of the RTS and will be happy to answer any questions you may have.