Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
The approach proposed by the EBA concerning the assessment and classification of the inherent risk profile of obliged entities does not specify particular risk indicators or assign corresponding weights. The responsibility for developing related guidance is delegated to AMLA “in cooperation with the national competent authorities”.
To ensure that compliance costs remain proportionate and to avoid duplicate work and undue administrative burdens, it is imperative that the data points requested by the AMLA are the same as those requested by the national supervisor.
Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.
Yes. We agree with the proposed relationship between inherent and residual risk.
3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?
After an initial analysis, the data appears to be broadly consistent with the information collected through the Belgian “AML Questionnaire” (and other internal questionnaires).
However, it should be noted that not all data-related information is currently stored in separate data fields. For example, although the complexity of a structure is considered in the risk assessment of the client during onboarding or re-identification, it is not recorded separately in the systems. Implementing this will therefore require a significant IT investment and lookback, which will entail a considerable cost of compliance.
Finally, to promote a harmonised implementation across Member States, we recommend that key concepts—such as the definition of a 'professional client'—be clearly defined within the framework of the "interpretative note" announced in Annex I which will be included in the final version of the RTS. It would be desirable for stakeholders to also be consulted before the publication of this interpretative note to ensure clarity, consistency, and operational feasibility.
Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
OK. A yearly frequency is already applied by many banks to their Enterprise-Wide Risk Assessment, and the reduced frequency is suited to entities less exposed to ML/TF risk (e.g. with a limited number of products/services/activities).
Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.
Yes, we agree.
Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.
Yes, the rationale being that they would apply equivalent AML standards, especially in the context of the new AML Package which pushes toward a more uniform interpretation and application of EU regulation across jurisdictions.
Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
- Concerning the number of customers that are resident in each Member State where the obliged entity is operating under the freedom to provide services, which has to be above 20.000: What is the appropriate course of action for customers who were onboarded in Belgium as Belgian residents but are currently residing abroad? Are these to be considered as clients obtained under the freedom to provide services? In Belgium, a substantial number of individuals retire abroad while maintaining their bank accounts. Notably, these individuals present a very low Anti-Money Laundering (AML) risk, with their primary account credits being pension payments.
- Concerning the total value in euro of incoming and outgoing transactions generated by these customers, which has to be above 50,000,000 euros: Does this threshold concern an aggregate total of 50 million euros for all customers (natural persons and entities) residing outside the financial institution's home Member State? If so, this threshold appears to be exceedingly low, especially if corporate clients have to be accounted for.
Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.
For the reasons outlined above, we do not consider lowering the thresholds to be appropriate. It would unnecessarily expand the pool of obliged entities subject to potential selection without a proportionate benefit.
Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.
A differentiation must be made between natural persons and legal entities, given that natural persons generally present a significantly lower ML/TF risk.
Retail customers' behaviour is more homogeneous than that of institutional/corporate clients. The materiality of a single institutional client is usually much greater than that of a single retail client.
Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.
Article 40 focuses on the money laundering and terrorist financing risk present in the Member State. However, page 70 of the draft RTS extends it to include proliferation financing. The reference text is quoted below. Please confirm whether this is intentional.
The assessment of the risks of money laundering and terrorist financing and of non-implementation and evasion of targeted financial sanctions affecting the internal market and relating to cross-border activities conducted by the Commission pursuant to Article 7 of Directive (EU) 2024/1640 should be used as a source of information to determine the extent to which adjustments are needed for the different sectors
Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.
We consider it inconsistent that when a financial institution is not under direct supervision, the national supervisor can adjust the inherent risk score based on ML/TF "specific characteristics or other circumstances" and increase or decrease it by one risk class, while the Anti-Money Laundering Authority (AMLA) cannot do so.
When AMLA identifies ML/TF-specific characteristics or other circumstances at the national level that warrant greater or lesser consideration, AMLA should also adjust the risk score of the financial institution by one risk class at its level. This adjustment could be carried out in consultation with national supervisors and with full transparency towards financial institutions.
The entire framework of the AML package is designed as a single rulebook. It is possible that two similar financial institutions, situated within the same jurisdiction, could end up with different risk scores, which does not appear logical to us.
Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
We agree with the general methodology but wish to emphasize that the data should preferably be delivered outside the general vacation periods (July, August, September). This is because, during these periods, the occupancy rate at financial institutions is lower, which could impede the operational functioning of the institution during these periods.
Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.
In our understanding, a shared client (for example, a client with both a banking relationship and an insurance relationship, where the bank is the holding and the insurance company the subsidiary of the holding) will be considered twice when calculating the risk score of the entity. For instance, a PEP client with a mortgage loan and credit balance insurance will, in this case, weigh twice as heavily. Logically, the criteria for shared clients within the same group should be taken into account.
Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?
Yes, we agree with the weighting method in art. 5 (i.e. same consideration ≠ same weight).
Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
No comment.
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
- Article 1 - Information to be obtained in relation to names
We agree with the provision of collecting ‘those names that feature on their identity document, passport or equivalent’, which is already market practice. However, it would be preferable to remove the mention of ‘all of the customer’s full names and surnames’, which is confusing and can contradict the minimal requirement provided by the RTS (i.e. the name in the identity document).
We hence recommend revising Article 1(1) to state that ‘In relation to the names and surnames of a natural person as referred to in Article 22(1)(a) point (i) of Regulation (EU) 2024/1624, obliged entities shall obtain the customer’s full names and surnames as featured on their identity document, passport or equivalent’.
- Article 2 – Information to be obtained in relation to addresses
Article 2 requires obtaining ‘full country name’, ‘postal code’, ‘city’, ‘street name’ and ‘where available, building number and the apartment number’. Although the apartment number may be useful in certain circumstances, we believe street name and building number should be considered sufficient to fulfil the address requirement, as a mandatory requirement.
We suggest the following amendment:
The information on the address as referred to in Article 22(1)(a) point (iv) and 22(1)(b) point (ii) of Regulation (EU) 2024/1624 shall consist of the following information: the full country name or the abbreviation in accordance with the International Standard for country codes (ISO 3166) (alpha-2 or alpha-3), city, and where available other aspects of the address in accordance with the resident country conventions such as postal code, street name, and building number, building name and the apartment number.
- Article 3 – Specification on the provision of the place of birth
The requirement to obtain the city of birth (in addition to the country) to fulfil the ‘place of birth’ requirement could lead to unnecessary additional costs of compliance vs low added value for the identification of the individual.
How shall the obliged entity verify the country of birth on the eID or ID card in cases where it only contains a city of birth, given that no birth certificate or other document is requested? (e.g. the city Hasselt exists both in Belgium and the Netherlands)
Not all passports and identification documents contain the same data points, which can vary based on the customer's location and whether they are within the EU or not. The RTS should acknowledge this variability and provide flexibility in the data points required when certain information is not present in government-issued IDs.
We recommend limiting the requirement under Section 1 Article 3 RTS to obtaining the country of birth, leaving the option for obliged entities to obtain further information such as city of birth when deemed necessary.
- Article 4 – Specification on nationalities
Since in Belgium, nationality is one of the so-called "protected criteria" on the basis of which discrimination is prohibited, this data can only be used for the purpose of verifying the identity of the person. We do not see how customer identification would be improved by asking for all the customer's nationalities. On the contrary.
The requirement to ‘obtain necessary information to satisfy themselves that they know of any other nationalities their customers may hold’ could represent an important cost for initial implementation, as it requires asking the customer specific questions to ensure all nationalities have been identified, without relying only on the identification documentation provided, which generally indicates only one nationality.
Furthermore, there is no central record to verify nationalities held by an individual. As such, obliged entities must rely on declarations made by the individual.
This raises a number of practical questions, such as:
- How will all nationalities be checked?
- How far should the investigation go? Should this information only be requested from the customer?
- If the client denies holding other nationalities, is no further action necessary?
- What if the client indicates possessing dual nationality, should the passport of the second nationality be requested? Can the onboarding/re-identification process not proceed until this passport is provided? What if this second passport is no longer valid?
- What happens if the customer obtains a new nationality subsequently? Financial institutions will not be notified.
We therefore believe that the wording of Article 4 requiring that obliged entities ‘shall obtain necessary information’ is too far-reaching. We propose that the text of the provision is changed to ‘obliged entities shall ask customers to disclose any other nationalities they may hold’. The RTS should also clarify that “obliged entities will not be held to account for not discovering additional nationalities, where such are not disclosed by the individual, and in the absence of any other source to verify their existence”.
- Article 5 – Documents for the verification of the identity
Article 5 (1) provides a list of cumulative conditions a document must meet to be considered equivalent to an identity document for the verification of identity of natural persons. This paragraph raises many questions and observations:
- “it is issued by a state or public authority / if it contains at least all the customer’s names and surnames, place and date of birth, nationality / a facial image of the document holder”: This hypothesis mainly targets persons with precarious residence rights (asylum seekers, ...). Currently, in Belgium, there is a list of documents that can be validly used to verify the identity of asylum seekers who are not always in possession of official identity documents. Several of these documents do not meet the conditions set out in the RTS, so their application will certainly be disadvantageous for people with a precarious right of residence.
- “it contains a machine-readable zone”:
  - How are obliged entities expected to verify the presence of a machine-readable zone in case of verification of paper documents (e.g. passports)?
  - Which standards apply here to define the presence of a machine-readable zone, and are obliged entities expected to verify the authenticity of the machine-readable zone?
- “it contains, where available, biometric data”:
  - The mention “where available” indicates that identification documents without biometric data are acceptable if such data does not exist.
  - Are obliged entities expected to maintain a reference of every existing identification means per country of issuance and verify whether the country of issuance stores biometric data on the identification document or not?
We believe the criteria included under paragraphs (e), (f) and (g) to be unclear and excessive (i.e. document containing a ‘machine-readable zone’, ‘security features’ and ‘biometric data’), consequently voiding the possibility for any equivalent document for the verification of identity.
In addition, imposing cumulative criteria (‘where all of the following conditions are met’) with a condition that appears to be non-mandatory in paragraph (g) (‘it contains, where available, biometric data’) creates confusion.
We recommend removing the conditions listed in paragraphs (e), (f) and (g), or removing the cumulative condition i.e. not requiring that ‘all’ the listed requirements are met.
For the purposes of verifying the identity of the person in accordance with Article 22(6) (a) and Article 22(7)(a) of Regulation (EU) 2024/1624 a document, in the case of natural persons, shall be considered to be equivalent to an identity document or passport where all of the following conditions are met:
- it is issued by a state or public authority,
- it contains the legal name (first name and surname), date of birth,
- it contains information on the period of validity and a document number,
- it contains a facial image and the signature of the document holder.
Article 5 (2) refers to the case where a customer cannot provide a document that meets the requirements in paragraph (1) “for legitimate reason”. A clarification of this notion would be appreciated. What is considered “legitimate”?
Article 5 (3) requires obliged entities to ‘take reasonable steps’ to ensure the documentation obtained for purposes of verification of identity is authentic and has not been forged / tampered with. We recommend providing examples to illustrate the minimum verifications expected from obliged entities to fulfil this requirement.
Article 5 (4) provides that a ‘certified translation’ of the content of documents in a foreign language should be obtained ‘when deemed necessary’. It is not clear in which cases such a certified translation would be considered necessary; hence we recommend providing guidance or examples further illustrating this requirement. How will the regulator qualify a translation as “certified”? Can you confirm that a certified translation would not be necessary if the entity is able to translate the document by itself (e.g. staff member fluent in said foreign language)?
Article 5 (5) indicates, referring to article 22(6), “these persons shall provide the obliged entity with original identity document, passport or equivalent, or a certified copy thereof”. One wonders to what standards obliged entities should refer to qualify a copy as ‘certified’?
If entities are expected to resort to electronic identities / eIDAS-compliant solutions only to the extent that such solutions would be available and can be reasonably expected:
- Which authority will regulate and define the presence of eIDAS-compliant solutions available per country of issuance of identification means?
- Or will this assessment be left to the discretion of each obliged entity?
- Article 9 – Reasonable measures for the verification of the beneficial owner
We believe the requirements under Article 9 are not clear and create an unnecessarily complex framework for the verification of identity of the beneficial owner.
We believe that obliged entities should be able to rely on central registers that verify the identity of beneficial owners themselves. This principle of single data collection (“only once” principle) would simplify the various procedures and forms that companies must complete. The objective is to avoid companies being obliged to communicate the same identification data multiple times in cases where this data has already been transmitted to an administration. This would avoid administrative burdens for companies and would resolve the frequent difficulties that banks currently have in obtaining data from customers who do not understand why they must complete forms when they have correctly registered with the Central Register of Beneficial Owners.
Alternatively, if this "only once" principle is not retained, we recommend requiring an identification document as the principle (as for the customer and the person purporting to act on behalf of the customer), with identification through public registers as an alternative, as provided for in current Article 9(a).
However, we recommend removing Article 9(b), which creates confusion: under what circumstances or conditions can another credit/financial institution be contacted to obtain information to verify the identity of the Ultimate Beneficial Owner (UBO)? This is, to our knowledge, not stipulated in the law and could, unless mistaken, constitute a breach of GDPR legislation.
- Article 10 – Understanding the ownership and control structure of the customer
In addition to the data required under Article 62(1)(d) AMLR, Article 10 RTS requires information such as legal form, reference to the existence of any nominee shareholders, jurisdiction of incorporation or registration and the sub-division by class or type of shares and/or voting rights for each legal entity part of the structure.
Overall, the proposed requirements do not seem to be sufficiently risk-based and would impose a significant burden on obliged entities, particularly those dealing primarily with other financial institutions or similar intermediaries where the customers would in almost all cases have a control structure containing more than one legal entity or legal arrangement. Consequently, this would have a large impact in terms of related costs and would render the establishment of business relationships and the ongoing due diligence more complex.
We suggest a risk-based approach whereby the information listed in Article 10(1)(b) and (c), that is not mentioned in Article 62(1)(d) AMLR, is required only for enhanced due diligence. The requirements for low- and medium-risk cases should be limited to the information laid down in let. (a) and the data points of (b) that are explicitly mentioned by Article 62(1)(d) AMLR.
Article 10(2) additionally requires obliged entities to assess whether the information obtained on the ownership structure is ‘plausible’ and whether there is ‘economic rationale behind the structure’. We consider it unclear by what means an obliged entity is able to assess the ‘plausibility’ of the information on the ownership structure as provided by the customer and how to demonstrate compliance with this requirement. We recommend clarifying and providing concrete examples on how to meet such a requirement.
- Article 11 – Understanding the ownership and control structure of the customer in case of complex structures
The criterion under Article 11(1)(b), ‘the customer and any legal entities present at any of these layers are registered in different jurisdictions’, will cause most international groups to be classified as having ‘complex’ ownership structures.
Such a strict interpretation would be detrimental to smaller jurisdictions, where it is common for an entity from one of the neighbouring countries to be above the entity-customer. This would entail an increased cost of compliance, especially for smaller-sized institutions located in smaller jurisdictions, since more Enhanced Due Diligence will have to be applied.
A more appropriate criterion would be: “Two or more shareholder structures between the entity customer and the ultimate shareholders-natural persons are located in a different jurisdiction than the company-customer.”
The practical impact is limited since the additional measure required, i.e. obtaining an organigram, is standard market practice to understand ownership structure of legal entities.
However, it would be preferable to reserve the term ‘complex’ for structures that are unusual or unnecessarily complex and consequently are usually treated as a higher risk factor.
We suggest the following text:
To understand the complexity level of the ownership and control structure of the customer in accordance with Article 20(1)(b) of Regulation (EU) 2024/1624, obliged entities shall establish adequate policies and procedures specifying the criteria that make ownership and control structures complex for the business relationships for which the obliged entity provides products and services.
These criteria should include considerations for risk factors such as:
- the number of layers between the customer and the beneficial owner that may be an indicator of complex ownership structure
- the high-risk third countries in which these entities are incorporated or domiciled, if any
- indications of non-transparent ownership with no legitimate economic rationale or justification and
- the presence of known nominee shareholders and / or directors that are involved in the structure.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
FACE TO FACE CONTEXT: We consider that the requirements under Section 1 Article 6 RTS are not adapted to the identification of the ‘person purporting to act on behalf of the customer’ for relationships with customers that are not natural persons:
- Article 6(3) requires obliged entities to ‘obtain from the person to be identified their explicit consent’, which may be difficult to implement when identifying representatives / agents of a customer that is not a natural person. Indeed, in a non-face-to-face context, the obliged entity is often not in direct contact with the representative/agent of the customer. We recommend clarifying that regarding the ‘person purporting to act on behalf of the customer’, the consent to identification may be provided by the customer and not by the identified individual.
Furthermore, the article specifies that this consent must be recorded. Is a digital consent through a non face-to-face channel sufficient?
- For the same reasons, the requirements of Article 6(4) are overall too restrictive in the context of non-face-to-face business with legal persons, where all natural persons identified are the representatives of the legal person.
- Difficult articulation with Article 6(5) which seems to provide for a different treatment for ‘customers that are not natural persons’, without clearly excluding the provisions of Article 6(3) and 6(4) for such customers.
We recommend implementing a clear differentiation of requirements between the identification of a natural customer vs the identification of the ‘person purporting to act on behalf of the customer’ when dealing with customers that are not natural persons.
e-IDAS: No. Imposing strictly e-IDAS-compliant solutions only is not feasible when considering financial inclusion. This is particularly relevant to non-EU citizens who do not necessarily have access to an e-ID solution such as the national schemes notified pursuant to the e-IDAS.
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
The article places the burden on the client who uses the virtual IBANs to notify the issuer (the Bank) if they in turn make the VIBAN available to a third party, and then to share the identification of said third party. However, does it absolve the issuer if their client does not fulfil this obligation, or does the issuer remain responsible for detecting such situations? Additionally, obliged entities cannot identify VIBANs used by counterparties (no way to tell whether an incoming transfer is from an IBAN or a VIBAN).
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Generally speaking, the proposed questions seem excessively detailed and the standard client will not be able to answer them. It is suggested that the assessments can be made in a risk-sensitive manner; however, this leaves considerable room for interpretation. It would greatly assist us if a list could be provided detailing the minimum information required for a low-risk client, a standard-risk client, a substantial-risk client, and a high-risk client.
Additionally, it is unclear what falls under the category of 'lower' risk and what falls under the category of 'higher' risk. We request clarification on this in the RTS. Specifically, whether low and standard clients constitute a 'lower' risk (and thus require an SDD to be performed), substantial-risk clients constitute a 'normal' risk (and thus require a CDD to be performed), and high-risk clients constitute an elevated risk (and thus require an EDD to be performed).
Furthermore, we consider that Article 15 (c) (specifically “additional relationships with [the entity’s] wider group”) can be extremely challenging, particularly in the retail sector, and not necessarily relevant for common, low risk relationships (e.g. “typical” retail account for a private individual with regular income and everyday outgoing payments).
We also consider the requirements included under Article 16(d) and 16(e) to be excessive for standard due diligence; they should be limited to higher-risk relationships or, for example, to cases where they are required for the investigation of unusual activity.
- Article 16(d) requires, to understand the destination of the funds, to obtain information on ‘the expected types of recipient(s)’, the ‘jurisdiction where the transactions are to be received’ and the ‘intermediaries used’. This data may vary greatly for each transaction performed by a single customer, and the customer itself may not have visibility on for example the intermediaries used. Requiring obliged entities to gather this information as a minimal requirement would have a very high impact in terms of cost. We recommend removing these requirements, or limiting them to enhanced due diligence.
- Article 16(e) requires, to understand the business activity of the customer, to obtain information on the ‘key stakeholders’ and ‘revenue streams’. We do not believe this data to be critical, for standard due diligence, to understand the business activity of the customer and apply appropriate monitoring of the relationship and transactions, where sufficient information on the industry and products/services has been obtained. Consequently, this creates unnecessary additional costs and complexity of due diligence process. We recommend limiting such requirements to enhanced due diligence.
Generally, we would like to highlight that the detailed provisions of Article 16 are not coherent with a risk-based approach and create unnecessary burden and costs for the obliged entities, as well as lengthening delays of processing of financial transactions.
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
The RTS states that PEP screenings should be conducted on a risk-based basis and at least when there are relevant changes in the customer due diligence data. Preliminary considerations include the nature of the customer's business, employment, or occupation, among others. We infer from this that if there is a change in the KYC data, rescreening must be performed.
Currently, PEP screening primarily occurs through the comparison of a PEP database with customer data (first name, last name, date of birth, and place of birth). We therefore propose that rescreening should be required only if the data to be collected under Article 22(1) of the AMLR changes, and that this should not be extended to other KYC data.
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
- Article 18 RTS – Minimum requirements for the customer identification in situations of lower risk
Article 18(1)(a) repeats the requirements listed under Article 22(1)(a) AMLR, with the exception of ‘national identification number’ (Article 22(1)(a)(iii)) and ‘usual place of residence’ (Article 22(1)(a)(iii)). We believe this paragraph requires the following clarifications:
- Clear indication that national identification number and place of residence are not required to be obtained when applying simplified due diligence, if this is the case. We further question why ‘usual place of residence’ is not required in case of simplified due diligence, as this information is usually a critical factor in the customer risk assessment. Excluding this as mandatory requirement in simplified due diligence situations may create difficulties for obliged entities to obtain such information from well-informed customers.
- Do the provisions that specify the requirements of Article 22(1)(a) AMLR, i.e. Section 1 Articles 1, 2 and 4 of the RTS, apply in case of simplified due diligence? For example, when obtaining ‘place and full date of birth’ in the case of simplified due diligence, is all the information required under Section 1 Article 3 RTS required? The articulation between Section 4 and Section 1 should be better clarified.
Article 18(1)(b) repeats the requirements listed under Article 22(1)(b) AMLR, with the exception of ‘principal place of business’ and ‘country of creation’ (Article 22(1)(b)(ii)), ‘names of the legal representatives’ (Article 22(1)(b)(iii)) and ‘names of persons holding shares or a directorship position in nominee form’ (Article 22(1)(b)(iv)). We believe this paragraph requires, if this is the case, the clear indication that principal place of business, country of creation, names of legal representatives and names of nominee shareholders/directors are not required to be obtained when applying simplified due diligence. We further question why ‘principal place of business’, ‘names of legal representatives’ and ‘names of persons holding shares or a directorship in nominee form’ are not required in case of simplified due diligence, as this information is usually a critical factor in the customer risk assessment to determine country risk exposure and understand ownership and control of the customer. Excluding this as mandatory requirement in simplified due diligence situations may create difficulties for obliged entities to obtain such information from well-informed customers.
- Article 19 RTS – Minimum requirements for the identification and verification of the beneficial owner or senior managing officials in low-risk situations
We consider the requirements set out in Article 19 draft RTS to be excessively prescriptive.
As drafted, obliged entities would be required to use a central register or company register to identify the beneficial owner or SMOs (a), and then a confirmatory statement from the customer (b) or publicly available reliable sources of information (c) to verify that information.
We do not consider that such a tiered process is appropriate. We consider instead that an obliged entity should have the choice of taking ‘appropriate measures’ to identify and verify the beneficial owner and SMOs in situations of lower risk, without a limitation to any of the methods mentioned under lit (a) to (c).
- Article 20 RTS - Sectoral simplified measures: Pooled accounts
We disagree with the proposals set out in Section 4 Article 20 RTS.
Article 20(1)(h) AMLR requires obliged entities to identify and verify the identity of the natural persons on behalf of which or for the benefit of which a transaction or activity is being conducted. Section 4 article 20 dRTS implies that ‘pooled account’ situations fall under the scope of Article 20(1)(h) AMLR by implementing simplified measures in such cases to fulfil the requirements provided by said Article. We disagree with the proposal based on the following rationale:
- The classification of pooled accounts as ‘low risk’ does not reflect international market practice
We emphasise that the classification of pooled accounts as 'low risk' is at odds with international standards and best practices. In its guidance for the securities sector, FATF has explicitly singled out pooled/omnibus accounts as running a high inherent risk for money laundering/terrorist financing[1].
This is also aligned with the approach towards correspondent banking relationships described in more detail below.
- Absence of clear definition of 'pooled account' and difficult articulation with correspondent banking framework
The preamble for the proposals of the RTS under Article 28(1) AMLR provides that identified sectors may benefit from simplified due diligence measures ‘when associated with a low risk of money laundering or terrorism financing’ which includes ‘situations where a credit institution opens a pooled account for its customer’. Section 4 Article 20 RTS gives some context by providing that the simplified measures may be applied ‘where a credit institution's customer opens a 'pooled account' in order for that customer to hold or administer funds that belong to the customer's own clients’. There are no further elements of definition of the term 'pooled account' in the RTS.
Based on the above, it is unclear if there is an overlap between a 'pooled account' situation and a 'correspondent relationship', which often involve pooled accounts where the correspondent institution allows the respondent institution to open pooled/omnibus accounts for the assets of the respondent's underlying customers. The correspondent institution is not in principle required to perform CDD on the underlying customers of the respondent, whereas Section 4 Article 20 RTS implies that 'pooled accounts' may be considered as low-risk, however the principle is that CDD on the underlying customers that are natural persons is required except where simplified measures may be applied.
Consequently, credit institutions that engage in correspondent relationships will not be able to determine which framework applies and/or if Section 4 Article 20 RTS prevails on correspondent relationship framework where 'pooled accounts' are involved. If such is the case, this will create the absurd situation where a correspondent relationship is assessed as high-risk except in cases where 'pooled accounts' are involved, despite the presence of pooled accounts generally being considered a risk increasing factor.
- Restrictive conditions for the application of the simplified measures (i.e. exemption to identify and verify the identity of the underlying customers of the customer of the obliged entity that are natural persons)
In consideration of the arguments presented in the previous paragraph, we consider that the conditions required to allow the application of simplified CDD measures on 'pooled accounts' (i.e. exemption to identify and verify the identity of the underlying customers of the obliged entity's customer that are natural persons) are too restrictive and will lead to both a very high cost of compliance and loss of business, especially in respect to relationships with non-EU counterparties. More specifically:
Point a) requires the customer to be an obliged entity that is subject to AML/CFT obligations in an EU Member State or a third country with AML/CFT requirements not less robust than those required by AMLR. In the absence of any ‘EU equivalent country list’ issued by an EU authority, this requires each obliged entity to make their own in-depth assessment of third country's AML/CFT framework (with probable misalignment between obliged entities). In addition, very few countries will be able to be considered as having ‘not less robust’ requirements than AMLR. Consequently, it is unlikely that simplified measures will be applied with non-EU counterparties, which may cause significant loss of business. Indeed, requiring an obliged entity to provide the CDD documentation/information on all its underlying customers that are natural persons for each pooled account it opens with another entity is very costly, creates delays in onboarding and execution of transactions, and will deter such customers from engaging with EU entities.
Point b) requires that the customer is ‘effectively’ supervised for compliance with AML/CFT requirements. Although it is a simple verification to ensure that a counterparty is supervised for compliance with AML/CFT requirements, the requirement that the supervision is ‘effective’ seems to require the obliged entity to make an assessment of the quality of supervision in the country where its customer is supervised. In the absence of ‘EU equivalent country list’, this creates a high cost of compliance, and it is difficult to foresee by which means an obliged entity will be able to make such assessment.
- Limitation of Article 20 RTS to credit institutions
Article 20 RTS limits the sectoral simplified measures only to credit institutions. Consequently, we understand that other financial institutions that open 'pooled accounts' (e.g. securities firms etc) will systematically be required to identify and verify the identity of all the underlying customers of their own customers that are natural persons. We believe this will lead to a very high cost of compliance as well as loss of business, as detailed in the previous arguments.
- Recommendation
Based on the considerations above, we stress that the provision of Article 20 poses two separate sets of challenges. First, it runs against international standards of risk classification and creates a potential clash with the correspondent banking framework. Second, it states that, in case the listed conditions are not met, credit institutions need to perform CDD on the customers of their customer that are natural persons which would entail an extreme increase in compliance burden and related costs.
To avoid the aforementioned challenges, we recommend the following:
- Pooled accounts are not considered as inherently low risk to align with market practice and the correspondent banking framework;
- Moreover, we recommend that the requirement under Article 20(1)(h) of the AMLR is considered fulfilled where the institution providing the pooled/omnibus account (not restricted to credit institutions only) has assessed the customer’s AML/CFT compliance framework (as laid down in let. ‘d’) also taking into account the factors listed in let. ‘a’-‘b’; and
- The institution is satisfied that the customer will provide CDD information and documents on its own clients for whom it maintains the pooled account immediately upon their request.
This approach would also be aligned with Guideline 9.16 of the EBA ML/TF Risk Factors Guidelines (i.e. sectoral guideline for retail banks) whereby full CDD measures need to be applied in cases of pooled/omnibus accounts, including treating the customer’s clients as the beneficial owners of the funds in the pooled accounts (i.e. identifying and taking reasonable measures to verify the identity of those underlying clients that meet the UBO threshold under the AMLR).
- Section 4 Article 21 RTS - Sectoral simplified measures: Collective investment undertakings
We disagree with the proposals set out in Section 4 Article 21 RTS, which provides for the same simplified measures permitted by Section 4 Article 20 RTS and under the same restrictive conditions, but here for collective investment undertakings. For the same reasons as set out for Article 20, we consider that the conditions required to allow the application of simplified CDD measures (i.e. exemption to identify and verify the identity of the investors of the collective investment undertaking) are too restrictive and will lead to a very high cost of compliance and loss of business for collective investment undertakings as well as all intermediaries involved in the chain of transactions and custody for the investment in collective investment undertakings.
- Section 4 Article 23 RTS - Minimum information to identify the purpose and intended nature of the business relationship or occasional transaction in low-risk situations
We question whether the data points required under this article (‘why the customer has chosen the obliged entities’ products and services’, ‘source of funds’ and ‘how the customer plans to use the products or services provided’) are to be read together with the requirements under Section 2 Article 16 RTS, which requires very specific data points to be obtained to comply with each general requirement.
[1] FATF – ‘Risk Based Approach Guidance for the Securities Sector’, October 2018, para. 82.
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.
Is the intent to provide a blanket assessment of a whole sector of activity and classify all of its members as LR? Any LR sector will have specific clients with risk factors that require standard or enhanced DD. Sectors and products ML/TF sensitivity are assessed as part of the KYC process and risk scoring, but cannot be the sole drivers of the decision to apply simplified DD.
Article 20: we need a common list of “third countries with AML/CFT requirements that are not less robust than those required by Regulation (EU) 2024/1624;”, otherwise separate assessment by various obliged entities and groups will inevitably vary, leading to discrepancies in application.
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We partially disagree with the proposals set out in Section 5 RTS - Enhanced Due Diligence measures.
When applying enhanced due diligence measures, Section 5 RTS requires obliged entities to verify the « authenticity », « accuracy », « legitimacy » or « consistency » of the information obtained for the purposes of the CDD:
- Article 24 a. RTS: ‘enable the obliged entity to verify the authenticity and accuracy of the information on the customer and the beneficial owner or the ownership and control structure of the customer’
- Article 25 a. RTS: ‘enable the obliged entity to verify the legitimacy of the destination of funds’
- Article 25 b. RTS: ‘enable the obliged entity to verify the legitimacy of the expected number, size, volume and frequency of transactions that are likely to pass through the account, as well as their recipient(s)’
- Article 27 a. RTS: ‘verify the accuracy of the information for why the transaction was intended or conducted including the legitimacy of its intended outcome’
- Article 27 b. RTS: ‘assess the consistency of the overall transactions made during the business relationship with the activities carried out and the customer's turnover’
- Article 27 c. RTS: ‘assess the legitimacy of the parties involved in the transaction, including any intermediaries, and their relationship with the customer’
We consider it unclear by what means an obliged entity is able to assess the ‘legitimacy’ of this type of information and/or what type of documentation is expected to be obtained to demonstrate the accuracy of, for example, the ownership structure of the customer or the purpose of a transaction, as such information is usually obtained solely from customer declarations.
In general, such verifications of ‘legitimacy’, ‘accuracy’ or ‘consistency’ are performed when conducting investigations on potentially suspicious transactions, where in-depth verifications are performed and extensive documentation is obtained from the customer. However, Section 5 appears to impose such verifications as a baseline in presence of high-risk relationships, by employing ‘shall at least enable the obliged entity to’ in the beginning of each Article of Section 5. If this is the case, the cost of compliance is expected to be very high while also having a negative impact on the customer resulting in a lengthy and complex onboarding/recertification process and possible exclusion. If this is not the case, we recommend clarifying and providing concrete examples on how to meet such requirements.
For example, concerning Article 25: for verification of the source of funds of UBOs of legal entities, it should be made clear that this applies to those funds that are involved in the relationship with the legal entity. If the sole relationship with an individual is as UBO of a legal entity, it would not be proportionate to verify the full extent of their wealth, when unrelated to the relationship with the legal entity.
Concerning Article 27: Guidance should be provided on the extent to which due diligence obligations would apply to family members and close associates. If these individuals have no relationship with the bank and we request information about them, this could, unless mistaken, constitute a GDPR violation. Could this not also have the adverse consequence that family members of suspected clients are wrongfully penalized?
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We have questions about Article 29 on several aspects:
- The requirement to consider all other names, aliases and wallet names may be challenging in practice. Further clarification on possible ways to delineate the scope of this requirement and access alternative names would be appreciated.
- For natural persons, to which extent are obliged entities expected to collect and make a correspondence between the official names shared during the identification process and other type of names [aliases, other type of names, wallet addresses]?
- How are obliged entities expected to assess /verify the availability of aliases/other names (see previous comment on the topic) or wallet addresses?
However, we note that the screening requirements under Section 6 pertain to customer and beneficial ownership information only (including entities or persons which own or control such customers). The section does not mention that screening should be performed vis-à-vis persons on whose behalf or for the benefit of whom a transaction or activity is being carried out. Sanctions regulations tend to be stricter in that regard. For example, Article 2(2) of Regulation 269/2014 provides that ‘no funds or economic resources shall be made available, directly or indirectly, to or for the benefit of natural or legal persons, entities or bodies, or natural or legal persons, entities or bodies associated with them’. We caution that the aforementioned cases would not necessarily be covered by the ownership and control element[1].
In line with the argument above we further recommend including the names of agents (authorised signatories/beneficiaries of a power of attorney) in the screening process. For example, if a sanctioned individual holds a power of attorney for a non-sanctioned entity, this could be an indicator that the latter is associated with the sanctioned person and consequently falling in scope of Article 2 of Regulation 269/2014.
- The requirement resulting from a screening match concerns a determination if the person is the intended target. 'Intended' leaves room for a verification of other data, such as transactional information, to make such determination, which is otherwise not specified. We would agree that, in order to not unjustifiably submit freeze measures on innocent individuals/entities, FIs are permitted to make a sound judgement regarding their customers' potential sanctioned status, however this does not appear consistent with the absolute prohibition to allow any assets to be released in favour of designated targets.
- The article holds a requirement to screen dates of birth. Whilst indeed they can be used to screen in combination with full names or as an additional criterion to use to discard a potential match, we believe it should be clarified that a date of birth as such should not be screened, and whether the matching methodology should take into account the date of birth directly in the screening process (to avoid irrelevant alert generation and processing).
- We deem that the screening requirements should be accompanied with a deadline for generation and processing of alerts in case of new designations. We believe that if such deadline would be set in accordance with the Instant Payment Regulation (immediately; yet to be further defined to avoid confusion and high operational impact by designing 24/7/365 permanency systems) it could be accompanied with a restriction to filter intra-EU payment messages on EU Sanctions lists, in order to reduce the costs of compliance on assessing payments between two parties which have already been timely pre-screened by EU FIs.
[1] Para. 70 of the EU Best Practices for the effective implementation of restrictive measures explicitly provides that ‘the indirect making available of funds or economic resources to listed persons or entities may also include the making available of these items to persons or entities which are not owned or controlled by listed entities’.
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
It is not clear whether each criterion must be taken on its own, if some are cumulative (e.g. instrument must not be reloadable and not store more than EUR 150), otherwise this severely limits the instruments eligible to this exemption. Are further details/rules expected to come from supervisors (“Supervisors shall consider the following risk reducing factors when determining the extent of the exemption”) or the EBA/AMLA?
Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.
No particular comment, the proposed criteria to be used by supervisors are coherent with those used internally to assess historical incidents.
Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.
Will supervisors be required to design and share a detailed methodology (based on quantitative & qualitative data) to determine the category, to ensure consistency in their assessment of obliged entities?
Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.
Similar to mitigants taken into account by OFAC (voluntary disclosure, proactivity, remediation measures, structural changes in processes/policies…)
Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.
Will the supervisors define tiers of administrative fines based on the level of gravity, similarly for example to those levied for GDPR violations (x EUR or x% of turnover)?
5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?
/
5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?
Given the seriousness of such a sanction:
- “conduct of the natural or legal person held responsible” should make explicit reference to uncooperative or deceitful behaviour
- “whether there is a structural failure…”: would additionally qualify the failure as one that the obliged entity failed or proved unable to remediate readily. If remedied decisively as soon as identified, a structural failure would not warrant withdrawal of the entity’s license.
5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?
/
Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.
/
Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.
The personal liability of obliged entities’ staff (the natural persons vs. the legal entity itself) should be made clear.
Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?
Yes, see previous comments on questions 2 and 4.
Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?
/