Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.
We agree that the principle that residual risk can be lower but never higher than the inherent risk generally should be upheld. The methodology for calculating residual risk is from our understanding not in line with common practice – where the residual risk score is its inherent risk score minus its AML control quality score. Using an average of the inherent risk score and the controls’ quality score to calculate residual risk, will result in more entities being regarded as higher risk, which may not be the best solution for a risk based approach to supervision.
3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?
The list in Annex I contains an extensive number of data points and it is not clear what would be the specific content of each data point. Not all data points are suitable for all obliged entities, and further clarification is needed. For many obliged entities gathering the required amount of data will require new systems or system adaptions.
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Art. 1: Finance Norway proposes removing the second sentence in paragraph 1 (1). This amendment retains the general purpose of the article and removes a requirement that is impractical and unnecessary.
Art. 3: The proposed specification in this draft article - based on the understanding that Article 22 (1) (a) point (ii) of AMLR requires obtaining the place of birth in addition to the country name - is in the view of Finance Norway incorrect. Norwegian passports or official identity documents do not contain information on the place of birth. This means that the obliged entity would have to contact all customers, representing an unnecessary burden for both the obliged entity and the customer. It is under any circumstance difficult to see the added value of this requirement, and it does in our view go beyond the requirement set out in AMLR Art. 22(1)(a) point (iii).
Art. 4: The requirement in Article 4 is in our view unreasonably strict. It necessitates personal contact with the customer. A general requirement to “obtain necessary information to satisfy themselves” that they have knowledge of a customer’s double nationality is not in line with a risk-based approach.
It should be sufficient – and in line with the risk-based approach – that the requirement to identify whether a customer or a beneficial owner has two or more nationalities applies if the bank has indications of multiple nationalities (to the best of their knowledge).
Additionally, due to possible differences in the concept of “nationality” and to achieve a harmonized understanding of the provision, there needs to be clarification of the definition of “nationality” as obliged entities and customers may otherwise have different interpretations. It would be less subjective if “nationality” was replaced with “citizenship”. Finally, there is a concern that future risk requirements will be based on this customer measure, potentially leading to unnecessary monitoring of customers and possible discrimination issues, as well as raising questions concerning GDPR.
Art. 5: For all practical purposes, Article 5 (1) will disqualify ID documents issued in Norway. In the view of Finance Norway, Article 5 (1) needs to be amended. The “place of birth” requirement should be deleted as it creates extra burdens on banks and difficulties for many customers. Consequently, Articles 5 (2) and (3) need to be amended accordingly.
As currently drafted, all requirements in Article 5 (1) are mandatory, which undermines the risk-based approach.
This very strict approach does not harmonize well with rules and expectations regarding financial inclusion. It seems obvious that this legal basis can create significant challenges for refugees, elderly people, and minors.
Art. 5 (2): The criterion “legitimate reasons” does not provide much guidance. It should be further clarified in what circumstances this paragraph could/should apply. Is this paragraph to be understood as the safeguard for financial inclusion? The description of alternative means of identification is of limited value. The challenge with alternative identification is linked to the verification of the document(s)/information. It would be highly beneficial if the space for exercising discretion could be more accurately identified. Given the limited ease in requirements for customers eligible for alternative verification, Finance Norway propose that that the content of Art. 5(2) should be reconsidered. A more flexible approach would be beneficial in the context of financial inclusion.Art. 5 (3): “Reasonable steps” to ensure that identity documents are authentic is rather vague. Examples to better facilitate a common EU practice would be helpful.
Art. 5 (4): The example of certified translation does not correspond well with the concept of “reasonable steps”. Automated/AI translations could be satisfactory in many situations, and certified translation may be overburdensome.
Art. 5 (5): This paragraph raises concern in a Norwegian context. The concept of a certified copy has very limited use in Norway. Norway does not have notaries.
The concept of a “certified copy” therefore needs to be clarified. In Norway, a confirmed copy by a notarius publicus (Court of first instance) is only obtainable in very limited circumstances. Confirmed copies (signed and stamped) can be issued by different public authorities, lawyers, etc., but such verification does not have any statutory legal status. From a risk-based point of view, it would be better to replace “certified copy” with “trustworthy” or something similar. This could also be an alternative solution to “certified copy”.
In Norway, a birth certificate is accepted for minors in connection with the verification of the customer. On the basis of a risk-based approach, this is a practice that is accepted and used frequently. For the obliged entity, the birth certificate is obtained electronically from the National Population Register.
Art. 7: This article is slightly unclear. It is not clear which article in the Regulation this article is related to. Under any circumstance, our understanding is that it concerns categories of documents, not the credibility of all individual documents.
Art. 9: The requirement “.., and where the identity of the named person is certified by an independent professional” appears to be very strict. It would be beneficial if this could be further clarified.
Art. 10 (1): Finance Norway finds this article to be introducing very strict requirements concerning documentation on all companies in a structure. It is not absolutely clear that this is intended. This would mean that the same information must be registered for many customers. The possibility to use organizational charts for the description of the companies included in the group would be very useful.
Art. 10 (2): The exact content of this part of the article is a bit difficult to determine. This does not seem to be in line with a risk-based approach and would lead to the collection of substantial volumes of information that is not useful in the context of AML/TF.
Art. 11: This definition will lead to many “complex structures”. Two layers do not as a rule qualify as complex. It is difficult to understand that this is intended. The article as it reads describes a “tick the box approach”. EDD will need to be applied in a vast number of customer relations and undermines the risk-based approach. The definition will most certainly lead to resources being allocated to cases not well calibrated at identifying customers for EDD.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
Art. 6 (3): It is difficult to understand the draft requirement to obtain the explicit consent of the customer before identifying the customer remotely. Is this an introduction of a new requirement concerning the use of online solutions?
A question arises as to how this requirement is to be understood in the context of EBA Guidelines on remote onboarding.
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Art. 15(a): The requirement to identify “why” the customer has chosen certain services indicates something different from “purpose and intended nature”. It is, however, unclear if this is the case. The issue needs to be clarified. Furthermore, the terminology “..value and benefits expected” leaves some uncertainty. Is this to be understood as something different from “purpose and intended nature”? This should be clarified.
Art. 15(c): The term “wider group” should be specified.
Generally, given AMLR art. 20(1), cf. AMLR art. 25 and the issue of “purpose and nature”, this draft article seems superfluous, providing more uncertainty than clarity.
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Art. 17: A question arises as to whether an additional criterion is introduced through “the person on whose behalf or for the benefit of whom a transaction or activity is carried out,…”. Or is this part of paragraph a already covered by the definition of ultimate beneficial owner? In our view, the latter understanding is correct. If this is not the case, the issue needs to be explained and clarified, also in relation to whether such an understanding is within the scope of article 20 of the regulation.
Art. 17(2): This article introduces automatic PEP-screening. The screening requirement lacks a description of what sort of lists/criteria the customers should be screened against. In today’s situation, screening of family members and close associates (RCA’s) is particularly demanding.
Finance Norway proposes that the individual member states be given the obligation to establish and maintain national lists of PEPs and RCA’s. Such lists should be exhaustive.
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Art. 18: Finance Norway is of the view that an obligation to obtain information on the place of birth is unnecessary. Concerning nationality, it would be helpful if it could be clarified if it is sufficient to ask the customer.
Art. 20: It should be clarified what types of accounts are to be identified as “pooled accounts”. Specific questions arise regarding lawyers and their client accounts. Lawyers are only covered by the AML framework for parts of their work. There might be a conflict between lawyer-client confidentiality and the obligation to give information to the bank on demand. Generally, there is limited room for categorizing such accounts as low-risk. In the view of Finance Norway, the possibility for simplified measures in this regard should not be limited to low-risk situations. It would be beneficial if the term “satisfied” in article 20(1) could be further clarified.
Art. 22: The article as it is currently drafted represents a substantive challenge for obliged entities. For obliged entities, the process of obtaining updated information from the customers can be time and resource-consuming, as the customers in many instances respond late or only after several reminders provide the necessary information. For high-risk customers in particular, the proposed text would mean that intervals for updating customer information would need to be very short.
Finance Norway suggests that the RTS should indicate the interval at which the request/procedure for obtaining updated information should be initiated, not the deadline for all information being updated. This would facilitate necessary flexibility in ODD and also be better designed to protect vulnerable customer groups and contribute to ensuring financial inclusion.
Art. 23: The article concerns low-risk situations. In the view of Finance Norway, the article does not well reflect a risk-based approach. There are still quite extensive measures that need to be taken in these situations. The scope for a risk-based approach is very narrow.
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Art. 24: The general observation is that this article goes unreasonably far in demanding information on the customer. A question arises as to whether this article in the RTS goes beyond the criteria in AMLR art. 34 itself, cf. the wording “shall, at least”.
The wording of the RTS art. 24 1(d) is difficult to comprehend. If reasonable grounds to suspect criminal activity are established, the next step would be to report the transaction/circumstances to the FIU. Obviously, the RTS is not meant to deviate from the AMLR itself. Based on the wording of the draft article, there may arise issues relating to the prohibition of tipping-off and GDPR. In the view of Finance Norway, it is absolutely necessary to clarify the content of this article and clearly align it with the AMLR.
Art. 25: The question arises as to whether the draft RTS goes beyond the AMLR Art. 34(4). The AMLR uses the term “may include”, while the RTS uses the terminology “shall”. In the view of Finance Norway, it is necessary to clarify the content of this article and align it with the AMLR.
Art. 26: This draft article also contains comprehensive obligations concerning documentation. A first question is how far back in time are obliged entities required to go? The source of wealth issue should also be clarified. Is this restricted to assets related to the customer relationship?
Finance Norway also questions whether this draft article goes further than what is required by article 34(4) of AMLR, cf. the terms “may” and “shall” used in the AMLR and the draft RTS, respectively. As currently drafted, this article further limits the possibilities of applying a risk-based approach.
The concept of “certified copy” is not applicable in a Norwegian context.
Art. 27: Finance Norway again points to the difference in wording between AMLR 34(4) and the draft RTS, cf. comments on draft articles 24 and 25. Again, the issue of “obtain a deeper understanding of the customer, etc.” in case there are reasonable grounds to suspect criminal activity is difficult to comprehend. In our understanding, such situations should lead to a report to the FIU. Under any circumstance, there are clear limits as to what information obliged entities can obtain on family members and close associates.
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Art. 28: It is unclear what the added value of this draft article is. The article concerns the screening of customers. Clarification would be beneficial regarding how the term “control” is to be understood in this context.
Art. 29: In relation to the draft article, paragraph b, it should be sufficient to check selected sources of information to clarify that a match is a false positive. In paragraph d, it is stated that screening should take place using updated targeted sanctions lists without undue delay. To secure a harmonized approach to this requirement, some additional clarification would be beneficial.
Question 1: Do you any have comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches sets out in Article 1 of the draft RTS? If so, please explain your reasoning.
The article is very detailed. It is the understanding of Finance Norway that the list of indicators are not exhaustive, cf. art. 1(1).
It would in our view be beneficial - and facilitate predictability and harmonization - that the concrete content of Article 1(1) be clarified.
Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches sets out in Article 2 of the draft RTS? If so, please explain your reasoning.
Applying administrative measures in a harmonized manner across the EU/EEA can be challenging.
It is fundamentally important that due process and the principle of contradiction are duly observed.
It is not clear how the proposed system of four categories facilitates for a "correct" and harmonized administrative sanctions regime. It could potetially lead to a leck of flexibility. It is however difficult to have very firm views as this system is not tested.