Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates


Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

Regarding Art. 2 (Assessment and classification of the inherent risk profile of obliged entities), the draft RTS under Art. 40 (2) AMLD does not include specific risk indicators or their respective weights. Art. 2 (1) sets out that “these inherent risk indicators shall be based on the data points mentioned in Annex I, section A”. However, Annex I, Section A does not draw a connection between the data points and the risk indicators (“The data points in this annex are not the same as the indicators supervisors will use to calculate the ML/TF risk of each financial institution.”). We ask for clarification of when and how these risk indicators will be defined.

As drafted, the approach leaves obliged entities without the necessary clarity on how to define and apply risk indicators, thresholds, and weights, or on how to calculate inherent and residual risk. These elements are critical to ensuring a consistent and harmonised risk assessment framework and could serve as a reference for obliged entities’ self-assessment methodologies.

The introduction of a longer, 3-year minimum frequency in Art. 5 (3) of the draft RTS under Art. 40 (2) AMLD for the risk assessment of obliged entities with a low-risk residual profile, or with activities that do not fall under the scope of Regulation (EU) 2024/1624, is appreciated. 

However, the proposed application of the longer minimum frequency to obliged entities with less than or equal to five FTE employees in Art. 5 (3a) of the Draft RTS risks falling short of having a meaningful impact due to the marginally low number of entities captured under that scope. Therefore, and in the case of credit institutions, we propose to replace the threshold of five FTE employees in Art. 5 (3a) of the Draft RTS under Art. 40 AMLD with the SNCI definition for small and non-complex institutions in Art. 4 (1), (145) of Regulation (EU) 2013/575 as a commonly recognized regulatory definition. This would avoid the introduction of an additional arbitrary threshold.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

Given that the final RTS will include an interpretive note specifying the single data points, we would like to take this opportunity to already point out the data points that particularly require further specification. This should not be understood as a conclusive assessment, but as a list of the data points that appear to need interpretation at the present time.

Generally speaking, clear information on group-level reporting is necessary. Whereas the information/numbers in Section A can be aggregated easily, the soft information in Section B is more critical, as aggregation is more difficult (e.g. the date of the approval of the AML Policy in different group entities). We understand that references to the previous year mean the previous calendar year.

We would also welcome general information on when the first reporting is planned to be requested.

 

Section A

Category “Customer”: 

“Number of customers”:

It is of particular importance for the quality of the evaluation to specify what is meant by "customer." Which relationships (account holder, co-account holder, authorized signatory, beneficial owner, power of attorney, applicant without account connection) fall under this term? Additionally, it should be clarified whether the number of customers for the entire group is needed or whether it has to be separated by subsidiaries / foreign branches and parent companies.

 

“Number of PEP’s related business relationships (including family members and close associates) by country”:

We assume that the country indication refers to the contracting party. It is unclear, however, which country is meant: it could be the country of residence, country of incorporation or country of birth. We furthermore suggest clarifying whether “number of new customers” includes the number for the entire group or whether it has to be separated by subsidiaries / foreign branches and parent companies.

 

“Number of customers with at least one transaction in the previous year”:

We request clarification on what type of transaction is meant here. Is it meant to include only customer-related/initiated transactions, or do other types, such as account fee settlements, also count? In this context, is a transaction synonymous with a booking on an account? We recommend considering a pragmatic definition of the term “transaction”, as otherwise determining this data point could be very time-consuming and complex, which results in significant effort.

 

“Number of NPOs with cross-border transactions to/from non-EEA countries” and “number of NPOs”:

The required data points involve considerable effort. The status of an NPO cannot be inferred from the legal form, and the current classification of economic sectors by the German Bundesbank does not contain such a feature. The data is currently not available in the institution's systems.

 

“Number of legal entities” and “number of natural persons”:

These data fields require clarification on which groups of persons are included. Is this limited to account holders/co-account holders? Are authorized signatories and beneficial owners included?

 

“Number of legal entities with complex structure”:

A complex structure is currently defined as customers with at least two levels of ownership to determine the beneficial owner. The current requirement for credit institutions is to determine the beneficial owner but not to map the full ownership structure of the customer. The necessary information is not available in the systems and would entail significant effort if determined.

 

“Number of customers with high-risk activities”:

It is currently unclear how high-risk activities are defined for this data point. We request clarification on which activities could be included and how these can be derived from existing data. The definition should align with existing classifications.

 

“Number of customers registered abroad by country (legal entities)”:

There is no information stored in the data model regarding the country of registration, as this is not currently collected. The collection and creation of new data fields would involve significant effort, as there is currently no obligation to record this data.

 

“Number of walk-in customers” and “number of occasional transactions carried out by walk-in customers”:

How is this data point defined? There is currently no structured collection of this information, and it would involve considerable additional effort. In addition "Number of occasional transactions carried out by walk-in customers" is also not recorded in the systems. How are these transactions defined? Do they include, for example, cash withdrawals by card-users at an institution’s ATMs?

 

“Number of customers with requests from FIU whose matter or nature of the request is linked with AML/CFT”:

This information is currently not stored in the system in a structured way. It is only known to the AML department and is not stored with the customers record to comply with the prohibition on information sharing and data minimization, as there is a risk that this information might be disclosed in a data protection inquiry.

 

 

Category “Products Services and Transactions” 

Sub-categories:

  • “Payment accounts”: Does “Number of Payment accounts” include main accounts only or all sub-accounts as well? To ensure precise selection, a definition of a payment account is necessary. Which accounts (e.g. loan accounts, securities accounts) are not to be selected?

               

  • “Prepaid Cards”:

    Clarification on the Prepaid Card itself and the determination of “total Value” is necessary.

 

  • “Lending”:

    “Total number and value (EUR) of outstanding asset-backed loans with cash collateral”

    How is "cash collateral" defined in this data point? Does it also include the use of a securities account as collateral? We kindly request clarification in this regard.

     

    “Total Number and Value (EUR) of loan repayments during the previous year”

    Does this also include partial repayments, where the loan still exists after a payment? How are several repayments on the same loan account to be counted?

     

    “Total number and value (EUR) of loan repayments from non-EEA countries during the previous year”

    Currently, there is no structured collection of foreign loan payments in the system. How is a foreign payment defined in this context? Does it depend on the residence or the location of the bank account of the payer? In any case, analyzing and collecting payment data would entail significant additional effort.

 

  • “Currency Exchange (involving cash)”:

    We understand this data to relate to sales and purchases linked to an account. Due to cooperation within the German banking sector and the recording of these transactions via regional banks, the collection of all these data points would involve considerable effort. No counters or data fields are available at the customer level to statistically capture and evaluate these transactions.

 

  • “Invest, Services and Activities – Portfolio management”:  

    In this regard we ask for more clarification on whether Assets under Management (AuM) or the Total Assets of the firm are referred to here, as the 5m threshold is only mentioned in relation with AuM in the regulation.

 

  • “Money remittance”: 

    A definition of “Money remittance” payments is required (does it include Transfer, Direct Debit, Check?).

 

  • “Correspondent Services”:

    All the listed data points would entail considerable additional effort due to the need for statistical collection and evaluation.

 

  • “E-Money”:

    A definition of e-money transactions would be helpful. In particular, do prepaid cards fall under this category?

 

Category “geographies”: 

Clarification is needed on what type of institution in a correspondent situation is meant (ordering/beneficiary or sending/receiving institution).

 

Category “Distribution channels”: 

“Number of new customers onboarded remotely in the previous year”

In this regard, specification of the type of remote onboarding as well as of the “agents” and “distributors” is needed. Does this include video identification or eID/other electronic identification methods? Is it about the special case of customer identification without physical presence, which comes with enhanced due diligence obligations? Or does this point refer to customers who have used digital processes to open an account at the institution for the first time? The type of third-party onboarding included should also be clarified.

 

“Number of new customers onboarded in the previous year by third parties” and “Number of new customers onboarded in the previous year by third parties not directly subject to AML/CFT supervision”

How is onboarding by third parties defined here? Does it also include the (partial) fulfillment of due diligence obligations by third parties? Does it only refer to cases where the institution itself does not perform any activities in the customer onboarding process? In our view, this data point requires a precise definition and cannot be represented without significant additional effort.

 

 

Section B

Category “AML/CFT governance structures”

Sub-categories:

  • “1B: Internal Controls and reporting systems”: 

    We understand that internal and external auditor reports are covered here and ask for specification on the type of report included. 

     

  • “1C: Outsourcing and reliance on third parties”:

    “% of outsourced AML/CFT tasks that are covered by a written agreement governing the outsourced relationship”: A definition of “AML/CFT tasks” is required. How is the share of outsourced activities calculated? It is generally assumed that all outsourced activities require a written agreement, as this is a service agreement in terms of civil law.

     

  • “1D AML/CFT Compliance function and resources” and “Internal audit function/external expert”:

    Clarification on how the group is included would be helpful. We kindly ask for specification: Does this involve only the domestic PLC without domestic subsidiaries, or the entire group? Additionally, does it pertain solely to compliance staff or also to 1LoD employees or those to whom activities have been outsourced? How are employees with AML specific tasks defined (e.g. a front office employee also performs core KYC tasks)?

     

  •  “1E. AML/CFT Training (employees, officers, agents, and distributors)”

    “% of staff who have received AML training during the last calendar year”

    Does this refer to the group or the parent company? Or does it also include (intra-group) outsourcing? We would also need clarification on what roles are considered AML and non-AML specialists under a) and b).

    “c) agents and distributors”

    Due to the collaboration within the German banking sector, reporting on training measures for agents and distributors would be associated with considerable effort. “Agents and distributors” also require further definition.

 

 

Category “Risk assessment”

Sub-category 2B ML/TF risk assessment and classification (CRA)

So far there is no requirement to have (at least) these four categories and/or a clear definition of what each category should include - as this is crucial to be able to compare different obliged entities. How should this be considered on group level, as there might be deviations in the risk evaluation between entities and jurisdictions?

 

 

Category “AML/CFT policies and procedures”

Sub-category “3A: Customer Due Diligence”

The conditions for the data points need to be more clearly defined. For example, it is technically possible to open an account for a customer before they are identified according to the regulations. In this case, the account would be fully restricted for transactions and only unlocked once all requirements are met. Do these accounts already fall within the scope of the evaluation? In particular, a definition of “identification details” is needed.

 

Sub-category “3C: Transaction Monitoring”

How is the data point requirement intended in the context of an automated system? Does the request refer to the general capability of the monitoring system to generate the listed alerts by having comparable objects available at the stated levels?

 

 

Category “Group Oversight”

Sub-category “4D: Group-wide AML/CFT function”

“% of group entities that provided reports to the group AML compliance on the following areas in the last calendar year”

We ask for further definition of the evaluation requirements of the basis of group entities (share, industry, obliged entities). Some banking groups might have hundreds of group entities - whereas only a few might be relevant from an AML perspective - the informative value of this data point can therefore be very limited.

 

 

Overall, for Section B, it should be noted that the desired scope of evaluations and data mostly comes from manual records within the institutions and is therefore not structured for querying. Due to the intensity, a generally high effort for data collection within the institutions is to be expected.

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

Please see our answer to question 3a.

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

I. General Remarks on RTS under Art. 28 (1) AMLR

1. Missing Risk-Based Approach 

We acknowledge that the implementation of a proportional and risk-based approach within the framework of technical standards is a major challenge. However, in the context of customer due diligence obligations, we are critical of the fact that the RTS allow a purely principles-based approach in certain situations. Although Recital No. 41 in chapter 3.2.3 of the draft RTS generally provides for a risk-based approach, it explicitly permits that “the draft RTS adopts a principles-based approach in relation to the type and source of information to be collected by obliged entities but does not list specific documents”. This independent principle-based approach is questionable and may fail to produce efficient outcomes.

The consequences of the lack of a risk-based approach are thoroughly reflected in the regulations of the RTS. For instance, Art. 10 sets up data collection requirements for intermediary companies in the context of the customer's ownership and control structure. The scope of the data and necessary information on the intermediary companies, however, is not reduced depending on the risk level through allowing simplified due diligence obligations. Art. 10 therefore applies comprehensively to every possible risk category of a business relationship.

In its five main principles in Recital 5 of chapter 3.2 (The EBA's approach), the EBA only states a “proportionate risk-based approach”. It remains unclear why this principle is deviated from in the context of customer due diligence obligations. Moreover, we have doubts whether this goes along with the explicit choice of a risk-based approach that the AMLR sets out in several places such as Art. 20 (2), Art. 25 AMLR (“if necessary”), Art. 34 (3) and (4) AMLR. 

It furthermore contradicts FATF’s general call for proportionality and support of risk-based measures as set out in its guidance on the Risk-Based Approach to Combating Money Laundering and Terrorist Financing – High Level Principles and Procedures. FATF aims to revise its standards to ensure countries apply a risk-based approach to their AML/CTF measures.

The principles-based approach pursued by the EBA eventually threatens to create further bureaucratic hurdles in the context of customer identification and the general fulfillment of customer due diligence obligations under the EU AML Regulation. This is expected to result in increased compliance costs for obliged entities and is not conducive to the goal of effective money laundering prevention. This contradicts the aim of reducing compliance costs and bureaucracy which is set out in the recital of the draft RTS.

 

2. Missing purpose of data collection 

In light of this approach, the objective and purpose of some data remain unclear. In the context of data collection, it is not apparent how the registration of the city and country of birth as laid out in Art. 3 adds value to the prevention of money laundering and terrorism financing. No evident purpose is apparent beyond the documentation of this specific data. This is highly critical not only regarding a risk-based approach but also from a data protection point of view. The same applies, for example, to the collection of comprehensive data from family members pursuant to Art. 24 (d) and Art. 27 (d).

 

3. Understanding of the term “satisfy themselves”

While we acknowledge that the requirement to “satisfy themselves” (e.g. in Art. 4, Art. 22 draft RTS) contains a subjective element, we interpret it in such a way that institutions must ask the customer to declare the requested information. We consider that this generally fulfills the requirement unless the institution has actual knowledge of contradictory information. Only in that case, further verification may be warranted.

To ensure clarity and consistency, it would be helpful if the RTS could explicitly state that institutions may rely on information provided by the customer unless there are risk factors or red flags that would warrant additional verification. In our view, this would support a proportionate, risk-based application.

 

II. Answer to Question 1: 

1. As a general comment on Section 1 of the RTS Draft, we would like to draw attention to ambiguities in the addressees of the identification measures.

The scope of persons to be identified is generally determined by Art. 22 (1) AMLR and includes “the customer, any person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted”. Although Art. 1 (1) refers to Art. 22 (1) AMLR, it only mentions the customer. It remains unclear whether the provisions of Art. 1 to 6 refer to the remaining persons named in the AMLR or whether the RTS reduce the scope of application. In this regard, we ask for clarification whether 

  • the reference in Art. 1 – Art. 6 draft RTS to a more limited group (of “customer[s]”) than that cited in Article 22 (1) AMLR is an oversight, or a deliberate choice,
  • the scope of the information to be obtained with regard to the identification of persons purporting to act on behalf of the customer, and of natural persons on whose behalf or to the benefit of whom a transaction or activity is being conducted and,
  • whether the requirements set out for ‘customers’ similarly apply to the identification of
    • Natural person trustees of an express trust or persons holding an equivalent position in a similar legal arrangement, pursuant to Art. 22 (1) (c) AMLR, and
    • Beneficial owners pursuant to Article 22 (2) AMLR, in combination with Article 62 (1) AMLR and/or also, where appropriate, to the identification of individuals as per Article 22 (1) (c) AMLR, in combination with Articles 57 - 60 AMLR. 

In this context we suggest further clarifying the term “person purporting to act on behalf of the customer”. In our understanding this role includes only the natural person being present on behalf of the customer when the business relationship is established, and not any other representative of the customer. For the detailed differences in the provisions of the AMLR and the draft RTS, please refer to the overview attached as Annex.

 

2. We would also like to highlight an ambiguity in the current draft RTS concerning the role of the EUDI Wallet in the collection of identification data for customer due diligence purposes under Article 26 AMLR.

The implementation of the European Digital Identity Wallet (EUDI Wallet) under the revised eIDAS Regulation (eIDAS-2) represents one of the most ambitious and strategically important digital transformation initiatives undertaken by the European Union. Its success will be measured not only by its technical robustness, but by the extent to which it is adopted and used across sectors, including in regulated financial services. For the EUDI Wallet to deliver on its promise of enabling secure, user-centric, and cross-border digital identity interactions, legal clarity and regulatory alignment are essential. This applies in particular to its use under the AML framework, which is one of the most relevant and high-impact application areas.

While it appears reasonable to assume that the use of the EUDI Wallet could extend to the collection of identification data, the text does not provide an explicit legal basis for this. A strictly systematic understanding of Art. 22 AMLR could lead to the interpretation that paragraphs 1 to 5 exclusively govern data collection, whereas paragraphs 6 and 7 relate solely to the verification of collected identification data.

This interpretative gap introduces significant legal uncertainty. If market participants were to conclude that the EUDI Wallet may only be used for verification, but not for the initial data collection, this would substantially undermine its practical utility. This would not constitute a regulatory novelty – under current national frameworks, existing eID schemes are already used both for the collection and verification of identification data in AML processes. To fully realise the EUDI Wallet’s potential in AML compliance, it is essential that its use for data collection is expressly permitted. Otherwise, key benefits would be lost, including:

  • Error-free data input through machine-readable attributes,
  • Input from a trusted source,
  • Faster digital onboarding and completion of customer journeys,
  • Improved user experience,
  • Reduced compliance costs and process redundancies across the financial sector.

We therefore strongly recommend that the Delegated Regulation includes an explicit clarification that the use of the EUDI Wallet is permissible for both the collection and verification of identification data pursuant to Art. 22 AMLR. A wording could be:

“Obliged entities may use the European Digital Identity Wallet (EUDI Wallet), as defined under Regulation (EU) 2024/1183 (eIDAS 2), not only for the verification but also for the collection of identification data.”

This clarification is critical to ensure legal certainty, enable harmonised implementation across Member States, and avoid unintended regulatory obstacles to secure and efficient digital identity usage in the financial sector.

 

Art. 1 – Names of natural persons and legal entities

In our view the collection of the name should be limited to the requirements in Art. 1 (2) sentence 2 (“obliged entities shall ask the customer to provide at least the names that appear on their identity card, passport or equivalent document”). Information provided by the customer on names that are not on the identity document in accordance with sentence 2 cannot be verified and does not represent any added value for customer identification. 

In the current wording, the exact obligation remains unclear since sentence 1 and sentence 2 of paragraph (1) are contradictory (“shall obtain all” and “shall ask the customer to provide at least”).

Regarding the required information on the legal entity name we propose to add that a commercial name should only be requested where available. Otherwise, there is a risk of legal uncertainty in the application of this regulation since “commercial names” of legal entities are not collected in a standardized way through public registers or similar databases. Additionally, we ask to clarify that an available commercial name should only be required in cases where it differs from the registered name. Otherwise, this information holds no evident added value. Besides, a commercial name may not be a clear and uniformly used name.

Moreover, we would like to point out that the AMLR makes no use of the terms “commercial name” and “trade name” that can be found in Art. 1 (2), Art. 18 (1) (b) and Art. 29 (a) (iii). We suggest that the RTS clarify the term “commercial name” and clarify whether “trade name” is intended to be synonymous with “commercial name”.

We also note that according to Art. 18, the requirement to collect the commercial name shall also apply to other organisations (“…for a legal entity and other organisations that have legal capacity under national law…”). In this context, however, the draft RTS does not clearly state whether the requirements of Art. 1 (2) also apply to these organizations. We therefore request clarification of this question.

 

Art. 2 – Information to be obtained in relation to addresses

We understand Art. 2 to apply specifically to natural and legal persons as referred to in Art. 22 (1) (a) and (b) AMLR. It is unclear whether the same requirements apply to persons and entities mentioned under Art. 22 (1) (c) and (d) AMLR such as trustees of an express trust or equivalent, other organisations that have legal capacity under national law, and beneficial owners. We recommend clarifying this in the RTS text.

We advocate a more adaptable approach in situations where no postal code or street name exists. In this case it should be sufficient for the obliged entity to document the address as provided by the customer. This should also enable obliged entities to accept PO box addresses of companies, which are particularly common outside the EU. Besides, it should not be necessary to collect documents for the proof of address if this information is not included in the identification documents (e.g. passport or ID) consistent with Article 22 (1) (a) (iv) AMLR.

The specific nature of the requirements does not appear suitable for wholesalers, representatives of the customer and Ultimate Beneficial Owners (UBO) or Senior Managing Officials (SMO). In a wholesale context, we do not see a necessity to obtain information going beyond the country of residence.

Regarding UBO and SMO the collection of such detailed and sensitive data points poses a high risk for corporate customers. In particular, disclosing the street name of natural persons in high-risk jurisdictions may lead to the danger of robbery, kidnapping and other serious crime. This could lead to these individuals not entering a business relationship. The personal risk of affected individuals and the economic consequences outweigh the benefits of this detailed data collection. 

For screening purposes, it should be sufficient to obtain the country of residence and – only to an extent where available when taking reasonable measures – the name of the city. Further investigations could be restricted to hits (i.e., the results of searches) where further data are required to assess the hit. 

We understand that the requirements regarding the collection of data are limited to collection from the customer. They do not, however, make any statement on the verification. It should be sufficient to ask the customer to submit these data.

 

Art. 3 – Specification on the provision of the place of birth

We propose removing the requirement to obtain the city and the country of birth. 

In practice, there are considerable differences in the recording of the place of birth in identity documents. While most documents only state the city of birth (e.g. Germany), it is rare that both the city and country of birth are stated in the document. There are even jurisdictions whose passports show neither the country nor the city of birth. Therefore, determining both parameters is associated with uncertainties. This particularly applies to countries that no longer exist in their previous forms. The risk of collecting incorrect data or collecting information differently due to a lack of clear standards is higher than the added value of such a regulation.

In the alternative, we advocate at least limiting this requirement to cases where, and to the extent that, this information is available in the referenced ID document.

We assume that the reference to ‘country name’ in Article 3 follows the same standard as outlined in Article 2 of the draft RTS, meaning either the full country name or the ISO 3166 alpha-2 or alpha-3 code.

 

Art. 4 – Specification on nationalities

As outlined in the general remarks, regarding the term “satisfy themselves” we suggest explicitly stating that institutions may rely on customer-provided information unless there are risk factors or red flags that would warrant additional verification. Current “identification documents” may not be available for all nationalities (e.g. Iranian refugees), which makes certain reliance on the customer necessary.

 

Art. 5 – Documents for the verification of the identity

In our understanding Art. 5 (1) only applies to documents that are not official passports or national identity documents. This Article consequently establishes an exhaustive list of features that a document must contain in order to be treated as equivalent to a passport or national identity document for the purpose of verifying a customer’s identity, in line with Art. 22 (1) (a) AMLR. Where the document presented is a valid passport or national identity document issued by a state or public authority, we understand that this can be accepted without further conditions, even if certain elements listed in Art. 5 (1) are missing. For example, a passport that does not contain an MRZ does not have to be excluded from use if it is a valid government-issued identity document. This should not only be applicable to low-risk situations as mentioned in recital 14.

We consider that these criteria can be interpreted with sufficient flexibility to include valid identity documents commonly accepted under domestic legislation. For instance, regarding Art. 5 (2) and Art. 3, we note that not all identification documents provide the country of birth or nationality. In other cases, the issuing authority may not be explicitly mentioned in the identity document. We therefore interpret Art. 5 (2) to allow for reasonable flexibility, whereby such identification documents are still acceptable, and any missing data can be supplemented by information from the customer. 

Finally, young minors are often identified by their birth certificate as they have no other identity document. In these cases, the absence of a facial image should be accepted. The “legitimate reason” in Art. 5 (2) should be understood in a wide sense and give the obliged entity the necessary room for discretion.

Other fields of application where more flexibility is needed are customers such as refugees or persons from jurisdictions where standardised identity documentation is not widely available. In such cases, we consider that institutions must retain the discretion to determine equivalence on a case-by-case basis, based on its source, reliability and the specific context. For example, related to refugees, travel documents issued to non-nationals or documents for stateless persons should suffice for identification. This would ultimately support financial inclusion. 

We understand that where the identity of a customer has already been verified under national legislation prior to the AMLR becoming applicable, this verification remains valid and there is no obligation to reverify a customer’s identity merely because the document no longer meets all the conditions of Art. 5 (1). Once the identity has been verified, it should remain valid, unless risk-based triggers indicate a need for renewed verification.

In connection with Art. 5 (1) (d) it is unclear how the signature requirement can serve the verification process. It is prone to changes and not a person-specific identification feature. 

Regarding paragraph (4), we propose clarification that the reference to “a foreign language” should be interpreted as “a language which the obliged entity does not understand”. Additionally, certified translations should not be mandatory where the institution can reasonably determine the content of the document through other means, such as (online) translation tools or internal expertise. 

Regarding paragraph (5), the terms “provide” and “certified” require further clarification, particularly in the context of remote or online onboarding. We interpret the term “provide” to mean that the customer must make the identification document available to the obliged entity, either in person or through secure digital means in line with Article 6, including digital uploads in secure portals. The term “certified” in our understanding is applicable to both physical and digital certification. This would support a risk-based approach and further reduce bureaucracy.

In this context we ask for clarification that electronic identification is applicable in face-to-face situations as well. Art. 5 (5) draft RTS allows verification through original documents, certified copies thereof and through means pursuant to Art. 6. Art. 6, however, is designed for non-face-to-face situations only but includes scenarios that are being used in a face-to-face context as well. Otherwise, it is questionable why electronic identification among physically present persons should not be possible, although additional digital risks are only to be expected in non-face-to-face scenarios. Furthermore, the stricter requirements regarding the scope of data in physical ID documents will lead to fewer customers carrying ID documents to banks. The widespread use of electronic identification means and the digital availability underscore the importance of universal acceptance of electronic identification for both efficiency and financial inclusion reasons. The current draft would then appear to be at odds not only with current trends, but also with the Union’s ambitions regarding electronic identification and trust services, as evidenced by the eIDAS Regulation.

 

Art. 7 – Reliable and independent sources of information

We consider that the reference in Art. 22 (6) (a) AMLR to the use of reliable and independent sources “where relevant” should be interpreted in a risk-based manner. Following this approach, it may not be necessary to acquire additional information beyond the identification document to verify a non-high-risk customer’s identity. In these cases, a customer declaration can fall within the scope of a reliable and independent information in lower-risk scenarios, unless the obliged entity has a valid reason to believe otherwise. For high-risk customers, however, the acquisition of additional information may be appropriate.

In this regard we advocate a clear definition of “risk-sensitive measures to assess the credibility of the source.” The current wording leaves room for different interpretations, particularly regarding the expected level of due diligence depending on the level of risk. 

We also advocate further clarification of the term “up-to-date”. There is no consistent practice across EU Member States regarding the acceptable age or ‘up-to-datedness’ of legal entity data and supporting documentation used for KYC reviews. This includes both the duration of the acceptable age and the starting point for determining ‘up-to-datedness’. We request that the RTS clarify the duration for which relevant documents are to be considered recent or ‘up-to-date’. This could be done by imposing the “up-to-date” requirement only for documents that originate from a public register and are therefore provided with an extract date and then set a deadline for these extracts. 

 

Art. 9 - Reasonable measures for the verification of the beneficial owner

In line with a risk-based approach, we suggest that it should not be necessary to verify the beneficial owner’s identity in low-risk situations such as inoperative entities, public entities, listed companies.

Alternatively, we ask to explicitly include credit reporting agencies as an example for reliable sources under Art. 9 (b), since they represent an important field of application in practice.  

Furthermore, we suggest that so-called AML letters signed by the compliance department or legal department, in which the beneficial owner of the entity is named, are understood as “documents from the legal entity (...) where the beneficial owner is named, and where the identity of the named person is certified by an independent professional”.

 

Art. 10 – Understanding the ownership and control structure of the customer

The extensive requirements in order to understand the ownership and control structure of the customer in case of complex structures go beyond the wording of the AMLR. They furthermore contradict the risk-based approach that the AMLR is promoting, by not leaving the option of a less strict information collection in a low-risk scenario.

Regarding Art. 10 (1) (c), the term “extent of the listing” is unclear. We suggest using “the number or proportion of outstanding shares listed” to reflect transparency obligations under market regulations. To ensure a harmonized approach across the EU, a list of regulated markets (or markets considered equivalent) should be made available at the European level.

In this context the term “economic rationale” in Art. 10 (2) remains vague. While a general requirement for economic plausibility is understandable, this assessment might not be feasible in practice, particularly for large international corporations. In many cases, foreign legal and/or tax considerations may underlie the chosen structures, which cannot be verified by obliged entities or might stem from legitimate interests regarding liability issues of the chosen structure. Therefore, we suggest focusing on identifiable aspects indicating that the chosen structures do not have economically plausible justification. The wording of Art. 10 should be modified accordingly.

Art. 10 also does not specify from whom and by what means this information is to be obtained. We understand that it is up to the obliged entities to obtain the information by themselves as well as through public sources if necessary.

 

Art. 11 – Understanding the ownership and control structure of the customer in case of complex structures

The definition of “complex structures” in Art. 11 is too extensive and will lead to additional administrative effort and compliance costs if applied without any risk-based differentiation. Many international clients naturally have multiple ownership layers across jurisdictions. We recommend allowing for proportionality by adding the requirement of “further risk indicators” to Art. 11 (1). 

We furthermore ask for clarification of the term “organigram”. We interpret it as the ownership/control path between the customer and its UBO, not however the entire related structure. Where reliable sources are available, entities should not be required to obtain organigrams from customers. 

 

Art. 12 – Information on senior managing officials

In our view, Art. 12 of the draft RTS exceeds the mandate given in Art. 22 (2) AMLR by equating the requirements regarding UBO and SMO. 

Since the draft RTS make a clear distinction between UBO and SMO we understand that they should not necessarily fall under the same scope of rules. Art. 22 (2) AMLR solely requires to “identify” the SMO. This distinction made from a legislative point of view cannot be exceeded by the RTS. 

We therefore ask for further guidance on which information should be collected for SMO in accordance with the AMLR. We consider that a business address should suffice for senior managing officials. Requiring a residential address is disproportionate and questionable since SMO do not act as and are explicitly not being considered UBO.

 

Art. 13 & 14 

We suggest clarifying what constitutes ‘sufficient information’ under both articles, e.g. by providing practical examples, especially for complex trust structures or where information is not publicly available.

In Article 14 (2) (b), we recommend adding the word ‘reasonable’ before ‘measures’ to reinforce that a risk-based approach is permitted, as this aligns with the principle of proportionality and existing AML/CFT practices.

 

 

 

III. Annex to our comments under A. II. Question 1 of the Consultation Paper 

 

The individual comments are listed in the following order:

  • Details on referred AMLR article: Following roles are covered
  • (but) RTS text uses or refers to
  • Which role is (completely) missing / Where is clarification needed / Comments 

 

 

Art. 22 (1)(a) AMLR: natural person - customer, person purporting to act, natural person on whose behalf

Art. 1 draft RTS (Customer): full name and surname; obliged entities shall ask customer to provide at least those names and surnames that feature on their ID/passport

RTS does not explicitly mention:  

  • person purporting to act on behalf of the customer
  • natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted; 

completely missing:

  • beneficial owner
  • natural person trustees etc. pursuant to Art. 22 (1) (c) AMLR


Art. 22 (1) (b) AMLR: legal entity - customer, person purporting to act, natural person on whose behalf

Art. 1 draft RTS (legal entities): registered name, and commercial name where it differs

missing role: 

  • non-natural Trustees etc. pursuant to Art. 22 (1) (c) AMLR
  • other organisation with legal capacity pursuant to Art. 22 (1) (d) AMLR

 

Art. 22 (1) AMLR: natural person and legal entity - customer, purporting to act, natural person on whose behalf

Art. 2 draft RTS: the full country name or the abbreviation in accordance with the International Standard for country codes (ISO 3166) (alpha-2 or alpha-3), postal code, city, street name, and where available, building number and the apartment number

missing role/need for clarification:

  • role pursuant to Art. 22 (1) (c) point (ii) AMLR (i.e., a trustee of an express trust or a person holding an equivalent position in a similar legal arrangement) (note: the registered address also belongs to the basic information to be collected in relation to the legal entity/legal arrangement (see Art. 2 (1) No. 33 AMLR))
  • other organizations pursuant to Art. 22 (1) (d) point (i) AMLR
  • beneficial owner

 

Art. 22 (1) (a) (ii) AMLR: natural person’s place of birth

Art. 3 draft RTS: city and country name

missing role/need for clarification: beneficial owner 

 


Art. 22(1)(a)(iii): natural person’s nationality/ies or statelessness, refugee or subsidiary protection status, identification number where applicable - of customer, person purporting to act, natural person on whose behalf

Art. 4 draft RTS: necessary info to satisfy themselves that they know of any other nationalities their customer may hold

RTS does not explicitly mention:  

  • person purporting to act on behalf of the customer
  • natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted

completely missing: 

  • beneficial owner

 

Art. 22 (6) (a) (customer and of any person purporting to act on their behalf) and Art. 22 (7) (a) (beneficial owner, and where relevant, natural persons on whose behalf)

Art. 5 draft RTS

  • para. (1) references to “natural person”
  • para. (2) references to “customer”
  • para. (3) references to “person pursuant to Art. 22(6)(a) and Art. 22 (7)(a) AMLR”
  • para. (5) reference to “person in Art. 22(6) AMLR”

missing role/need for clarification:

  • para. (2) - clarification required: All other natural person roles covered by Art. 22 (6) and (7) AMLR
  • para. (3) - confirmation required: We interpret the reference to "person" as follows (please confirm): It includes both, i.e., natural and legal persons, therefore also legal persons etc. pursuant to Art. 22 (1) (b, c, d) AMLR
  • para. (5) - clarification required: includes all different roles a natural person may have (including BO and natural persons on whose behalf due to reference in Art. 22 (7) AMLR to Art. 22 (6) AMLR) 

     

Art. 22 (6) AMLR customer and of any person purporting to act on their behalf

Art. 6 (1) draft RTS: reference to “Art. 22 (6) AMLR”

Proposal: Also include Art. 22 (7) AMLR to make it clear that all roles a natural person may have are covered. 

 

Art. 22 (6) AMLR: customer and of any person purporting to act on their behalf

Art. 6 (2) draft RTS: reference to “customer’s identity document”

Comment: 

  • The wording with the reference to “customer” narrows the scope of application of Art. 6 RTS.
  • We need flexibility also for the verification of KYC data of the person purporting to act, the natural person on whose behalf and the beneficial owner.
  • The reference in Art. 6 (1) draft RTS indicates that your intention actually is to cover all scenarios for the verification of data under the AMLR. If our assumption is correct, please adjust the wording in the header and in Art. 6 (2) draft RTS.

 

Art. 22 (6) AMLR customer and of any person purporting to act on their behalf

Art. 6 (3) draft RTS: reference to “before identifying a customer remotely…obliged entity must obtain from the person…”

Comment:

  • The wording with the reference to “customer” narrows the scope of application of Art. 6 RTS. We need flexibility also for the verification of KYC data of the person purporting to act, the natural person on whose behalf and the beneficial owner.
  • The reference in Art. 6 (1) draft RTS indicates that your intention actually is to cover all scenarios for the verification of data under the AMLR. If our understanding is correct, please adjust the wording in the header and in Art. 6 (2) draft RTS.

 

Art. 22 (6) AMLR: customer and of any person purporting to act on their behalf

Art. 6 (4) draft RTS: “a. person presenting the customer’s identity doc…”; b. “communication with the person…”

Comment: 

  • The wording with the reference to “customer” narrows the scope of application of Art. 6 RTS. We need flexibility also for the verification of KYC data of the person purporting to act, the natural person on whose behalf and the beneficial owner.
  • The reference in Art. 6 (1) draft RTS indicates that all scenarios for verification of data under the AMLR are intended to be covered. If this assumption is correct, please adjust the wording in the header and in Art. 6 (2) draft RTS.

 

Art. 22 (6) AMLR customer and of any person purporting to act on their behalf

Art. 6 (5) draft RTS: reference to “customer that are not natural persons”

Comment:

  • The wording with the reference to “customer” narrows the scope of application of Art. 6 RTS. We need flexibility also for the verification of KYC data of the person purporting to act, the natural person on whose behalf and the beneficial owner. 
  • The reference in Art. 6 (1) draft RTS indicates that all scenarios for verification of data under the AMLR are intended to be covered. If this assumption is correct, please adjust the wording in the header and in Art. 6 (2) draft RTS.

     

 

 

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

While we recognize the potential of eIDAS-certified remote tools, we advocate an equal treatment of currently used remote tools. In this context, we ask for more guidance on the circumstances under which currently used tools can be classified as relevant qualified trust services in the future.

Further, there should be no time limit on recognition, as this would force obliged entities to end the use of solutions that have been established for years and have proven to be reliable. This could lead to additional costs on the part of the obliged entities, especially if new interfaces to new solutions would have to be established. A “same level of protection” can be assumed in particular when fulfilling the requirements of the EBA Guidelines on Remote Onboarding (EBA/GL/2022/15 of 22/11/2022). Customers should be allowed to decide for themselves which remote procedure offered by the obliged entity they want to use, as they are not obliged to obtain an eIDAS-compliant electronic identity.

In this context we also ask to clarify the circumstances of the requirement “not available” in Art. 6 (2). Additionally, specification of the requirement “this consent must be recorded” pursuant to Art. 6 (3) is needed regarding the form.

 

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Articles 15 and 16 contain a large number of requirements that are too extensive in the context of standard risk scenarios. This contradicts the risk-based approach, as the wording of the provisions already sets out quite detailed requirements and leaves no room for flexibility. In cases where no higher risk is apparent, it will tie up unnecessary capacity and impair the customer relationship. In line with rationale 2 and the principle of proportionality, we advocate that the obliged entities be given more flexibility in obtaining the relevant information, as these scenarios do not fall under enhanced due diligence (EDD) measures.

 

Art. 15 - Identification of the purpose and intended nature of the business relationship or the occasional transaction

The provisions in Art. 15 partly go beyond the legal basis in Art. 20 (1) (c) AMLR regarding the terminology “wider group” in point (b) and “source of wealth” in point (c):

The requirement to determine the “source of wealth” should be deleted, as it is not part of the general due diligence measures under the AMLR. Art. 15 of the draft RTS only specifies the general due diligence obligations pursuant to Art. 20 (1) (c) AMLR. Even within the context of EDD, determining the source of wealth should not be a standard requirement due to its intrusive character (see our comments to Article 27). Introducing it as a standard obligation in any high risk context is counterproductive and does not support effective risk prioritisation. Due to the drafted in-depth requirements, it ties up enormous resources and increases compliance costs. 

We also request to delete the term “wider group” in lit. b as it extends the AMLR as well. 

Regarding the determination of the customer’s motivation pursuant to Art. 15 (a), implementation hurdles arise, particularly in mass customer business, which is frequently conducted online. The inner motivation of a customer can hardly be ascertained and verified. We therefore ask to delete this requirement.

When the draft RTS uses the term “higher risk” we assume it is synonymous with “high risk”.

 

Art. 16 - Understanding the purpose and intended nature of the business relationship or the occasional transaction

We are critical of the requirement under Art. 16 (b) to forecast expected future transactions and activities. An average private customer is regularly unable to provide any information on this himself. 

The requirement set out in Art. 16 (c) to obtain detailed information on a customer’s employment income (including salary, wages, bonuses, pension or retirement funds, government benefits, business revenue, savings, loans, investment income, inheritance, gifts, and other asset disposals) is too extensive in the absence of any risk indicators. While we understand that such information can be useful for clarification in cases of doubt or suspicion, it seems disproportionate in standard CDD scenarios such as a natural person opening a payment account or engaging in routine transactions.

Our statements above equally apply to the requirement to determine the “jurisdiction where the transactions are to be received” pursuant to Art. 16 (d) and the collection of details on the customer's business activity or occupation pursuant to Art. 16 (e).

 

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Art. 17 – Identification of Politically Exposed Persons

We suggest that Art. 17 introduces a more risk-based approach regarding relatives and close associates (RCAs) of PEPs based on the individual scenario and the nature of the relationship. A clarification opening the possibility to rely on information available in different vendor lists (e.g. Factiva, Dow Jones) would be helpful.

 

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Art. 18 / 19

Insofar as the draft RTS refers to “lower risk” in Art. 18 and 19, we assume that this is to be understood as the term “low risk” within the meaning of Art. 33 AMLR. Consequently, all customers who do not fall under high-risk are to be regarded as low-risk customers, to whom the application of simplified due diligence obligations is generally possible on a risk basis. We ask for clarification of this interpretation. 

In this sense we would find a definition of “senior managing officials” helpful as the AMLR does not define it as a whole. In our understanding it should only include members of the managing body in its management function and not further management. 

In practice, the requirement pursuant to Art. 18 subpara. (2) to also gather information on a refugee status of persons other than the customer is likely ineffective as the customer of an obliged entity regularly does not have this information either. For example, a landlord, who falls under low risk and opens a rental deposit account (trust account), might have basic customer data but no knowledge of a possible refugee status. We would appreciate an adjustment or removal of this requirement, particularly a clarification for cases with normal risk.

Regarding Art. 19 (a) we understand that a public register can serve as a means for both identification and verification.

 

Art. 20 – Sectoral Simplified Measures: Pooled Accounts

In practice, there are various forms of pooled accounts in low-risk situations in which, however, the customer is not an obliged entity within the meaning of the regulation. This includes collective rent deposit accounts, escrow accounts of bailiffs, debt collection agencies. Assuming that the conditions set out in Art. 20 must be met cumulatively, these accounts will no longer be subject to simplified due diligence (SDD) measures. These accounts are generally of low risk and often subject to public service and/or (national) regulation and should therefore fall under SDD as well.

With regard to Art. 20 (b) we understand that there is no further verification obligation if it is known, for example, that professional chambers oversee this group of obligated legal entities.

 

Art. 22 – Customer Identification data updates in low-risk situations

In our understanding, in cases of low risk (which we understand as all cases that are not high risk and not only those that fall under SDD; see comments on Art. 18/19), the obliged entities may rely on their automated prevention for trigger events under Art. 22 (1). Otherwise, it would be unclear how an obliged entity - outside of the regular process - is supposed to determine a relevant change with regard to customer data.

With respect to customer identification data, clarification is requested as to whether such data is to be distinguished from verification of customer identity. If so, Art. 22 (2) should consequently be understood as not demanding “re-identification,” i.e. repeated verification of the customer’s identity.

Regarding Art. 22 (2) the maximum period of 5 years should be extended with regards to Art. 33 (1) (b) AMLR. Otherwise, there is no valid scope of application for this rule.

We understand that Art. 32 refers to Art 22 (1) of this RTS and suggest adding a “risk-based” as laid out in our comments on Art. 32.

 

Art. 23 - Minimum information to identify the purpose and intended nature of the business relationship or occasional transaction in low-risk situations 

The wording of Art. 23 indicates that the obliged entity must actively make minimum findings on the purpose and intended nature of the business relationship. We advocate a clarification that, according to Art. 33 (1) (c) AMLR, inferring it from the type of transactions or business relationship established is sufficient.

 

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.

Other forms of pooled accounts such as collective rent deposit accounts and escrow accounts of bailiffs, debt collection agencies and landlords who manage rent deposit accounts (see comments on Art. 20 under Question 6). The same statements apply to pooled accounts for lawyers, notaries and similar professionals in case they do not fall under the provisions of Art. 20. So far, this has been market practice, allowed by the German Federal Financial Supervisory Authority BaFin.

In addition, we would welcome details on whether simplified measures can be applied in the KYC update. In some cases, where the client has barely any operations with the entity and presents no risk factors, the update may be based on certain triggers, such as restarting activity or exceeding certain thresholds, rather than every five years. We advocate for more details on when simplified due diligence measures can be applied. 

 

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Art. 24 – Additional information on the customer and the beneficial owners

Since the AMLR introduces a new definition of the politically exposed person, the number of persons falling under EDD will increase. At the same time, the requirements for additional information on the customer and UBO are being considerably extended, which will lead to significant additional effort.

Due to the current wording of Art. 24, “shall, at least” on one hand and “and/or” on the other hand, it remains unclear which specific obligations are to be fulfilled. We therefore ask for amending the wording accordingly. 

With regard to Point (b) we understand “reputation” to be necessarily AML/CFT-related. Reputation risk management in Financial Institutions addresses multiple risk factors (e.g. ESG) that are not AML/CFT related. We suggest clarifying the wording. 

Point (c) raises questions regarding the methods for collecting and documenting the beneficial owner’s previous business activities and whether any changes should be tracked. Additionally, it is unclear how far back the documentation should cover. Since the AMLR establishes a maximum retention period of 5 years we recommend that the RTS follow this in the context of Art. 24 (d).

Point (d) of the regulation raises concerns regarding the data protection of family members, persons known to be close associates, or any other close business partners. In order to conduct a risk assessment lots of personal data would have to be obtained with the involvement of the internal data protection board. In our view, there is no legal basis for such a wide collection of personal information in the AMLR. 

Besides, collecting the information in question might be practically impossible as the targeted persons are not the customers of the obliged entity. Consequently, there is no direct contact and only little of the required information might be publicly available.

At the same time, it is unclear how the collection of the required parameters will go along with the ban on tipping-off according to Art. 73 AMLR. If the obliged entity has “reasonable grounds to suspect criminal activity” it is likely to submit a suspicious activity report and shall not disclose this to the customer. However, a disclosure can hardly be avoided regarding the extensive investigation obligations. The RTS should acknowledge that customer outreach in cases of suspicion is critical and therefore limit the wording of Art. 24 (d).

We also ask for clarification of the term “any other close business partners or associates”. Art. 17 uses a similar definition but limits it to “person known to be a close associate”. We ask for a definition of the term used in Art. 24 and, if necessary, adaptation of the wording to Art. 17.

 

Art. 25 – Additional information on the intended nature of the business relationship

Due to an open and extensive wording in this Article, several requirements cannot be defined clearly. 

Our comments on the use of the terms “shall at least” and “and/or” in Art. 24 apply equally in this section. We suggest clarifying that Art. 25 (a) is only applicable to outgoing transactions. 

We understand that “information of authorities” does not pose an obligation on the obliged entities to proactively investigate and obtain information from authorities. In most cases, the request for information from authorities would not be successful for data protection reasons. Therefore, we see this requirement as a need to obtain publicly available information from authorities only. We advocate that this be clarified in the RTS.

Verification of the “legitimacy of the expected number, size, volume and frequency of transactions that are likely to pass through the account” pursuant to Art. 25 (b) is understood to be fulfilled through transaction monitoring with a focus on unusual deviations. Further substantiation through additional gathering of information is not required in our understanding.

We would appreciate further specification on what the obligation to collect information on the customer's key customers entails, as mentioned in Art. 25 (c). The AMLR does not include these groups of persons in the scope of due diligence obligations. In our opinion, the RTS cannot extend the scope of due diligence measures regarding this group of persons.

In this context, we particularly request clarification on how the key customer is to be identified, considering that there is no relationship between the obliged entity and the customer’s key customers. 

 

Art. 26 – Additional information on the source of funds, and source of wealth of the customer and of the beneficial owners

The wording of Art. 26 does not, unlike Art. 24 and 25, allow evidence according to the assessment of the obliged entity. There is no apparent reason for this distinction, and in the light of the risk-based approach obliged entities should be able to use documents other than those mentioned in order to verify the source of funds and source of wealth.

Regarding point (a), the expectation that pay slips or employment documentation must be signed by the employer is antiquated and no longer standard in view of digital payroll systems. In this regard we also understand that “certified” as mentioned in Art. 26 (a), (b), (e), (f) is to be defined in a way that reflects practices in both physical and digital certification. This would support a risk-based approach and further reduce bureaucracy. We suggest clarifying this in the RTS text.

Generally, if an obliged entity has seen the original document before in a different setting, it should be allowed to retain a copy and certify that it has reviewed the original. External certification should not be warranted in this case since the act of verification has already been carried out.

With reference to point (d), assets stemming from inheritance are not generally officially documented in all jurisdictions. In these cases, other types of evidence should be permitted.

 

Art. 27 – Additional information on the reasons for the intended or performed transactions and their consistency with the business relationship

We also request clarification of the unclear obligation in view of the wording “shall at least” and “and/or”, as set out in our comments on Art. 24 and 25.

With regard to point (c), the obligation to assess the “legitimacy of the parties involved” in a transaction uses highly vague wording that might lead to legal uncertainty. It implies a duty to perform due diligence on third parties. This is not practicable and regularly impossible for obliged entities. It should not be part of the EDD requirements as it goes beyond the mandate that the AMLR provides for the content of the RTS. We advocate for less strict requirements at least where a third party is a customer of another obliged entity. In this scenario, no further determination of the legitimacy of the party involved should be required.

Our comments on Art. 24 (d) apply equally to Art. 27 (d).

 

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Regarding Art. 29 (a) (iv), we understand that "beneficial ownership information" only includes information relating to the person who ultimately owns or controls the customer, not, however, any intermediary. This view is supported by the clear statement in Recital 19.

In the context of Art. 29 (a), a deviation can be found. In the case of the screening of a natural person, it requires “the original and/or transliteration of such data”, whilst Recital 3 states that obliged entities ‘should collect data and information, for the purpose of identification and verification of the customer, of a natural person or a legal person, in the same way in relation to the transcription of …’. We advocate explaining the term or consistently using one term. Further clarification is also needed on the term “significant changes” in Art. 29 (c) (iii).

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We understand that Art. 32 generally provides for a five-year grace period for risk-based updating of all customers that are not high risk, in line with Art. 22 of this RTS. High-risk customers are to be prioritised and consequently updated within a year. In view of Recital 16 of the draft RTS and comment 43 in chapter 3.2.3 of the consultation document, we understand this to include the application of all customer due diligence obligations. However, Art. 32 contains a deviation from Recital 16 regarding the start date of the five-year period. We understand the regulation to mean that the 5-year period begins with the applicability of the RTS. This date begins at the earliest when the AMLR is applicable on 10/07/2027. Furthermore, clarification is needed that a grace period, as seems to be intended in Art. 32 and Art. 22, also applies to beneficial owner information.

To clarify this understanding, we propose to:

  • replace the term “entry into force” with “applicability” in Art. 32;
  • introduce a clear grandfathering clause into Art. 32 that includes a 5-year grace period for all customers (prioritised by their risk status) and a 1-year grace period for high-risk customers after the application date of this regulation, and clarify that the relevant grace period also applies to the beneficial owner information;
  • include, for the purpose of clarification, a provision that the 5-year period applies on a risk basis to all customers who are not considered high-risk customers. Consequently, the wording “risk-based” should be added to Art. 22 (2).

 

With regard to Annex I, we comment as follows:

Remarks on the minimum corresponding attributes to Article 22 (1) (a) (iii):

The refugee or subsidiary protection status of a customer is currently not collected due to existing regulations and would, in addition to the primary identification, require an additional document. From an AML prevention perspective, the additional value of this information is not apparent, as it is already derived from the identity document used or the person's nationality/residence. Expanding both the data model and the customer onboarding process would result in a significant increase in effort. The "personal administrative number" requires further clarification as well.

 

Remarks on the minimum corresponding attributes to Article 22 (1) (b) (i):

How is the unique identifier defined that should be used for the customer? What is the difference between this identifier and the LEI requested under (b) (iii)?

 

Remarks on the minimum corresponding attributes to Article 22 (1) (b) (ii):

The "country of creation" is currently not an available data point. The relevant identifier under the current regulations is the legal form. Collecting this data and adjusting the customer onboarding process would incur additional effort.

Name of the organization

German Banking Industry Committee (Deutsche Kreditwirtschaft)