Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates


Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

Transparency of Assigned Risk Ratings: There is concern that obliged entities may not be informed of the risk rating assigned by their supervisors. Without visibility or the right to respond, discrepancies between internal and supervisory ratings could lead to misalignment in risk management. MIA recommends that supervisors be required to communicate the assigned risk ratings to obliged entities and allow entities to challenge or provide context, especially in cases of upward classification.

Sector-Specific Flexibility: Different financial and non-financial sectors (e.g. banks, corporate service providers) face inherently different risk profiles. A one-size-fits-all model risks failing to accommodate these differences. The RTS should allow supervisors to apply sector-sensitive criteria and scoring adjustments, with clear documentation to ensure harmonisation.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

Residual Risk Calculation Method: The current model proposes an automated scoring mechanism where residual risk is derived through weighted averages. This deviates from the more common methodology of determining residual risk as inherent risk minus the effectiveness of controls. The approach risks oversimplifying complex risk control relationships and may understate actual risk in entities with deteriorating controls. MIA encourages the EBA to consider adopting or permitting a deductive model where residual risk can, in exceptional cases, exceed inherent risk (e.g., when control failures are significant).

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

While many institutions already collect a significant subset of these data points, others (particularly smaller institutions) may lack the infrastructure to gather and report all required information.

• Short- and Medium-Term Costs: Updating internal systems to accommodate new fields, modifying reporting templates, and training personnel to compile and interpret the data will entail both one-time investments and ongoing costs. MIA estimates this would disproportionately affect small firms and sole practitioners.

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

Certain data points may not be relevant for some sectors (e.g., fields about real-time transaction processing may not apply to manual accountants or advisory firms). The RTS should include "where applicable" qualifiers for such data categories.

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

N/A

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

• The proposed dual-frequency model (annual vs. triennial) is not well aligned with the four-category risk classification system (low, medium, substantial, high). MIA suggests matching review frequency more closely with risk category, e.g.:
  o High risk: Annual or more frequent reviews.
  o Medium risk: Every 1-2 years.
  o Low risk: Every three years.

• Further, triggers should be included to allow ad hoc reviews when risk indicators change significantly. 

• Cost Considerations: Due to lack of quantitative data across sectors, MIA cannot provide a cost estimate. However, manual reviews, data extractions, and updating profiles require significant resources and vary with entity complexity.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

• MIA agrees with the criteria proposed but urges the EBA to also consider the following as factors supporting reduced review frequency:
  o An entity’s compliance history,
  o Staff competence and AML training frameworks, and
  o Robust internal controls.

• A rigid application of criteria may penalise low-risk but structurally complex firms. Risk-based judgment should remain a core supervisory principle. 

• MIA seeks clarification on how these criteria will be applied consistently across different sectors.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

• MIA does not support a blanket low-risk designation for EEA transactions. Instead, we advocate a risk-based approach where risk is attributed based on jurisdictional assessments (including enforcement effectiveness and FATF standings), not simply location. 

• The EBA should consider issuing harmonised jurisdictional risk ratings to prevent inconsistencies between national supervisors.

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

N/A

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

N/A

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

N/A

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

N/A

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

N/A

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

N/A

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

N/A

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

N/A

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

N/A

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

• Electronic Identification: The RTS appears to favour eIDAS-compliant solutions. However, many member states do not yet widely support these. MIA recommends permitting equivalent alternatives (e.g. certified video verification or biometric checks), especially for non-EU clients. 

• Document Verification: The reliance on machine-readable zone (MRZ) documents is limiting. Many legitimate identification documents (e.g. local ID cards, driver’s licenses) lack MRZ. Non-MRZ alternatives should be explicitly allowed. 

• Ownership Complexity: The RTS defines structures with two layers of ownership as complex. MIA proposes raising this to three layers, to avoid overburdening standard international group structures. 

• Economic Rationale: Requiring entities to assess or document the economic rationale of a corporate structure is vague and potentially unfeasible. Obliged entities are often not in a position to judge legal or tax motivations. MIA recommends this requirement be clarified or removed.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

• Remote verification methods described in paragraphs 2-6 should be accepted as long-term alternatives, not temporary until eIDAS is available.

• Consent Challenges: Explicit consent as the legal basis for verification can create issues due to GDPR reversibility. Further clarification is needed on whether consent from each director/beneficial owner is required.

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

N/A

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

• Terms such as “value and benefits expected” and “expected types of recipients” are ambiguous. MIA requests clearer definitions and applicability guidance.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

If automated screening is to be required for Politically Exposed Persons, the MIA requests feedback on whether there are benchmark criteria regarding “size, business model, complexity or nature of the business of the obliged entity allows for manual checks only.”

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

• The MIA has concerns with the assumption in the RTS that, in the context of pooled accounts, customers will share their due diligence. This may not always reflect actual practice. 

• Regarding Article 23, the RTS should clarify what the proposed risk-sensitive measures are. Greater specificity is needed to guide uniform application.

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.

• Beyond pooled accounts and CIVs, we believe the RTS should provide sector-specific simplified due diligence measures for: 

• Companies owned by a listed entity.
• Regulated entities in a reputable jurisdiction.
• Government-owned entities.

• The MIA requires clarity as regards those partially owned by a listed entity. The RTS should also clarify whether partially listed entities or subsidiaries qualify and how transparency and control thresholds are to be applied.

• The MIA requires more clarity as regards identifying the SMOs. Clarification will aid harmonisation and consistency.

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Paragraph (d) of Section 5 raises concern, as it proposes collecting data on family members and associates where criminal activity is suspected. At that stage, an STR would typically be filed. The rationale behind this paragraph needs clarification.

• The document mentions the requirement to enable the obliged entity to verify ownership/control structure. The RTS should clarify whether further guidance will be issued, e.g. from the FIAU. 

• Articles 25 a, b, and c are too burdensome. These should remain discretionary and not become de facto requirements. 

• The same applies to original or certified copies of probate or sales contracts. These should be discretionary.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

• There is concern around the feasibility of implementing Article 29(a) from a systems perspective. Including aliases, trade names, and wallet addresses where available in lists may not be consistently supported by IT systems.

• The term "where available" should be clarified: does this mean available in the list, or accessible to the obliged entity?

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

N/A

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

N/A

Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.

N/A

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.

N/A

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

N/A

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

N/A

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

N/A

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

N/A

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

N/A

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

N/A

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

N/A

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

N/A

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

N/A

Name of the organization

Malta Institute of Accountants