Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
The mandate for advice given to EBA sets out, among other things, the principles that the EBA must take into account when preparing the drafts. The principle of proportionality is a key element to fulfil the objectives of the AML package. Under no circumstances should the drafts create unnecessary administrative and procedural burdens for supervisory authorities and obliged entities. At the same time, it must be noted that the mandate is based on the fact that the requirements in relation to due diligence obligations follow a horizontal approach in order to allow all categories of obliged entities to comply with the input.
The current draft of RTS 1 is significantly influenced by the supervision of (large and predominantly systemically important) credit institutions. Experience from this area is postulated as the central benchmark for the draft's requirements without adequately recognising the heterogeneous business models of the financial sector's obliged entities (such as payment and e-money institutions) as a whole. Furthermore, the requirement for a numerical score ranging from 1 to 4 can only be operationally implemented at the level of the supervisory authorities if the obliged entities introduce and apply corresponding models to the same extent. Otherwise, comparability will already fail due to the inconsistent provision of data by the obliged entities.
With regard to obligated parties in the financial sector that are not credit institutions, it can be said that a three-tier model - low, medium and high - has been established practice in Germany for two decades. Switching to a more differentiated model is neither proportional nor does it fulfil the requirements of the AML package. In the area of the non-financial market the three-tier model was implemented since 2017.
The one-sided focus on credit institutions also ignores the fact that a significant number of obligated parties in the financial sector have only a few employees. The personnel resources are adapted to the size of the company. The requirements set out in the draft contradict the basic principle of proportionality. If these ideas are applied to the non-financial sector, the requirements of the draft are neither tenable nor transferable. This assessment is reinforced in particular by the fact that the EBA refers to "supervisors" across the board in the drafts presented, without taking into account the differentiation between "financial supervisors" and "non-financial sector supervisors" set out in Article 2 No. 1 and 2 of the AMLD.
The RTS should provide more guidance on minimum data standards for all categories of obliged entities and, besides this, address potential gaps, perhaps by allowing for supervisory judgment or the use of proxies where data is not available.
Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.
Non-Applicable
3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?
The data points in Section B of Annex 1 are characterised by experience with credit institutions and are largely based on the structures, activities and processes established there. However, if these standards are declared to be a matter of principle, this will inevitably result in a significant and additional administrative and procedural burden for both the supervisory authorities and the obliged entities. Apart from the category of credit institutions that are obliged to maintain transaction monitoring systems due to special legal requirements, comparable legal requirements are not prescribed by law for the majority of other obliged entities. This alone results in a divergence that must have a lasting effect on the definition of data points. A “one-size-fits-all” data set risks imposing excessive costs and operational burdens, particularly where data is not already collected for other regulatory purposes or is even not available based on the particular business model of the obliged entity. The benchmark should be the general risk based approach rather than a standardised model.
3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?
Apart from those data points to the identity of the relevant person it should be considered that the other data points are not or only partially available.
3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?
The transferability of the data points presented in the draft for the financial sector to the non-financial sector will already fail due to the fact that there are currently no standardised legal requirements for the operation of data processing systems in which the respective data points can be recorded, processed and analysed. The introduction of such data processing systems is associated with an enormous expenditure of financial and human resources for all obligated parties.
Additionally, the number of data points is quite extensive and a large number are not (easily) available at this point in time. There is a significant impact in respect of the time and costs involved to collect those data points and it would also take a substantial amount of time to implement those reporting capabilities. In order to collect and report the new data points regularly, there will have to be substantial IT development in all obliged entities. The preventative effect of some of the details data points should be re-considered i.e. “Number of customers with at least one transaction in the previous year” or “Number of occasional transactions carried by walk in customers”. This information is not available in the non-financial sector.
Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
The annual update of the risk analysis at the level of the obliged entities is already a task that requires a particularly high level of human resources. Any additional requirement to provide risk profiles to the supervisory authorities, with the respective expected data points, will place unreasonable demands on the available resources.
It seems incomprehensible why Member States should only be required to produce a national risk analysis at least every 4 years, but all obliged entities should be required to provide data points more frequently in a relatively shorter cycle.
Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.
Non-Applicable
Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.
Non-Applicable
Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
The proposed thresholds (e.g., 20,000 resident customers or 50 million EUR in transaction volume per host state) may not sufficiently account for the diversity of business models and risk profiles across the EU financial sector. The thresholds in Article 1 are meaningful in the retail context but not when it comes to wholesale banking or payment services. The data points itself allow no interpretation for the risk for being misused for money laundering or terrorist financing. Furthermore, there is a risk that the thresholds could create an unlevel playing field, disproportionately impacting larger, more diversified credit institutes and other financial institutions that naturally exceed these thresholds due to their scale, rather than their inherent ML/TF risk.
Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.
In general, please refer to our answer to question 1. In addition to this it remains unclear why the ML/TF risks of the obliged entities are being assessed on basis of a complex set of data points in accordance with Article 40 (2) without making use of this level of information for determining the thresholds based on the residual risks.
Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.
Non-Applicable
Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.
Non-Applicable
Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.
Non-Applicable
Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
Non-Applicable
Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.
Non-Applicable
Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?
Non-Applicable
Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
Non-Applicable
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
The intention is well understood and recognized, but the wording of the statutory provisions is the benchmark for the drafting of Articles 1 to 13 of the RTS.
Preceding our individual remarks to the Articles of Section 1, Article 1 – 6 mainly reference “The customer” even though the introduction mentions other roles like the person purporting to act on behalf of the customer. There is currently different interpretation in the EU Member States whether a “person purporting to act on behalf of a customer” can only by a “natural person” or also a “legal entity”. Under civil law, it is of course possible to grant a power of attorney to a legal entity which is then authorized to act on behalf of the customer. If the identification is limited to natural persons the “real” proxy holder will never be subject to identification measures. Instead of this an employee of the proxy holder (the legal entity) will be identified. It would be beneficial to clarify whether the requirements are supposed to be limited to the customer or are applicable to all roles listed in Article 1, first sentence of the Draft RTS.
Article 1(2) of RTS 3 goes beyond the requirements of Article 22(1)(b)(i) of Regulation (EU) No 2024/1624. It refers to the "legal form and name of the legal entity". It is known that it is common practice in some member states to use one or more "trade names" in addition to the "name of the legal entity". This judgement is irrelevant because the "name of the legal entity" is the only important factor for the legally defined identification. A trade name cannot be used as an alternative data point for identification purposes.
Article 2 of RTS 3 represents an administrative and procedural burden. The requirement for the country is not provided for in Article 22(1)(a)(iv) of Regulation (EU) No 2024/1624. It is also incomprehensible why obliged entities whose business model is limited to servicing contractual partners in the obliged entity's country of domicile should also be required to record the country of the contractual partner as a data point for the address. The requirement also contradicts the principle of data minimisation.
Article 3 of the RTS represents an administrative and procedural burden. The regulation is based solely on the place of birth and not additionally on the country of birth. The fact that this is a different data point that is not required by the Regulation is already clear from the fact that the Regulation does refer to the "country" as a separate data point, as Article 22(1)(b)(ii) of Regulation (EU) No 2024/1624 makes clear.
Article 4 of the RTS represents an administrative and procedural burden. This requirement cannot be met by the obliged entities using appropriate means. In principle, there are no publicly accessible registers in the Member States from which the nationality of a natural person can be derived. Even if there were such registers for the member states, there are no such registers in third countries. The obliged entities can only ask the persons to be identified about their nationality, but cannot "make sure" that the information is complete. Even in the context of identity verification, only one identity document needs to be checked and not all identity documents for which nationalities exist.
Article 5 (1) and (2) of the RTS represent an administrative and procedural burden. The regulation also means that it would no longer be possible to identify children for whom no identity documents have yet to be issued on the basis of the birth certificate that is normally used. A birth certificate contains neither a facial image nor a machine-readable line. Nevertheless, this document is the most commonly used proof for verifying the identity of minors.
Article 5(3) of the RTS represents an administrative and procedural burden. Regulation (EU) No 2024/1624 does not specify any further requirements for the verification of the evidence used to verify identity. It is not easy even for experienced law enforcement experts to determine that, for example, identity documents are genuine and not forged or falsified.
Article 5 para. 4 of the RTS represents an administrative and procedural burden. It is not clear what other benefits a certified translation of an identity document into the official language applicable to the obligated party should have.
Article 5 para. 5 of the RTS constitutes an administrative and procedural burden. It is not clear what additional security should be provided by a certified copy submitted by the person to be identified. The issuing of a "notarisation" is not a legally protected sovereign act. Therefore, notarisations can in principle be issued by any person in public life. The value of such a notarisation is not clear.
Article 7 of the RTS leaves it unclear how the reliability and independence of the information source can be assessed. Ultimately, another administrative and procedural burden is created whose added value in terms of content appears questionable in relation to the resulting effort.
Article 8 of the RTS represents an administrative and procedural burden. No obliged entity has access to a reliable register from which it could be determined whether an IBAN is a real or a virtual one. The national bank account registers are only available for inspection by public authorities. Irrespective of this, there is no reliable source of information from which a differentiation of the type of IBAN can be derived, at least for the foreseeable future. This regulation must therefore be rejected due to the contradiction in judgement.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
Non-Applicable
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
Article 8 of the RTS represents an administrative and procedural burden. No obliged entity has access to a reliable register that would show whether an IBAN is a real or a virtual one. The national bank account registers are only available for inspection by public authorities. Irrespective of this, there is no reliable source of information from which a differentiation of the type of IBAN can be derived, at least for the foreseeable future. This regulation must therefore be rejected due to the contradiction in judgement.
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
The Draft make it clear that the business models of credit institutions were taken into account here, but not the business models of other obligated parties. If the questions are transferred to the non-financial sector and goods traders, the question as to why a customer absolutely wants to have a "Birkin" bag is certainly not a criterion from which a conclusive statement for a suspicion under money laundering law can be derived.
Similarly, the questioning of singular events, as listed in Article 16 letter c. of the RTS, is one-sidedly focussed on credit institutions, but not on the heterogeneous business models of obliged entities. In addition, this approach discriminates against every innocent citizen in a legally unjustifiable manner and is assessed negatively if no justification for a fairer origin is provided.
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Non-Applicable
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Non-Applicable
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.
Non-Applicable
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Non-Applicable
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 28 draft RTS requires screening of customers and ‘all the entities or persons which own or control such customers’. This could suggest screening all intermediary layers between the UBO and the customer. This would not lead to effective use of scarce resource. We request that screening be limited to relevant layers, such as the direct shareholder and the ultimate parent entity, or based on a percentage of ownership. This approach would focus efforts on meaningful control and ownership and would be in keeping with the risk-based approach evident in the Level 1 text.
Article 29 (a) draft RTS requires screening of first names, surnames, and date of birth for natural persons. Noting that date of birth is not always included in listings of sanctioned persons, we request that the RTS clarify whether the date of birth should be used in the screening match process, or only in alert management to confirm true hits. We suggest that it may be preferable to remove date of birth from initial screening requirements.
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Non-Applicable
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Non-Applicable
Question 1: Do you any have comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches sets out in Article 1 of the draft RTS? If so, please explain your reasoning.
Non-Applicable
Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches sets out in Article 2 of the draft RTS? If so, please explain your reasoning.
Non-Applicable
Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.
Non-Applicable
Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.
Non-Applicable
5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?
Non-Applicable
5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?
Non-Applicable
5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?
Non-Applicable
Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.
Non-Applicable
Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the naturals persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.
Non-Applicable
Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?
Non-Applicable
Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?
Non-Applicable