Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
We do not have any specific comments in relation to the approach defined by the EBA to assess and classify the residual risk of obliged entities by considering the inherent risks and the control framework due to the limited information available as to which items of the data collection will trigger an increase in risk rating and to what extent. However, we have some remarks in relation to some data points which have been defined (please refer to question 3).
The Draft RTS does not set forth how the “predetermined weights” to be applied to each risk indicator (see e.g. Art. 2(2)) are to be computed. On the contrary, according to paragraph 20 of Section 3 (Background and rationale) of the Consultation Paper (emphasis added): “[b]ecause risks vary and evolve, risk indicators and weights would not be included in the draft RTS. Instead, it would be the role of AMLA, in cooperation with national supervisors, to define the risk indicators and weights for each review cycle and to monitor the effective application of these indicators by supervisors in all Member States.” This approach leaves huge flexibility (and thus political power) to AMLA.
Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.
We agree.
3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?
Q3 answer:
We are concerned that the type of data points requested, and their granularity, are not aligned with the actual business activities. This creates an unnecessary administrative burden and significant additional costs. Now that simplification and burden reduction constitute a significant focus of the European Commission's Savings & Investments Union strategy, it is not consistent to introduce provisions that will likely lead to an additional reporting obligation. In addition, we note that the amount of data requested may not be consistent with the data minimization principle that has been part of the EU regulatory framework since GDPR and impacting the 5th AML Directive.
The concern is also that these requirements do not focus on identifying the real AML risks of our operations and are not necessarily consistent with the “follow the money” principle. To be clear, the issue is not really the number of requested data points, as most asset managers are used to providing significant data sets in multiple EU countries already. If the data is available, we are of course ready to provide it. A portion of the data points require, however, significant changes in policy, process and systems engendering significant costs, without any benefit to allow an effective assessment of the inherent and residual risk profile of obliged entities. Such additional costs for compliance will be ultimately borne by investors, thus hindering the competitiveness of the EU financial center.
To make a specific example, in the case of the asset management industry and for the vast majority of investment funds, the data point “Number of retail investor customers/Number of professional investor customers” wouldn’t be possible to provide if the data point refers to the underlying investors. This is due to the specificities of the industry, which highly depends on the use of intermediaries, as we explain in our response to question no. 6 under the draft RTS on CDD. As illustrated also by section 16.14. b) of the EBA ML/TF Risk Factors Guidelines, the intermediary would often be the fund's customer. As a result, and in particular in the case of UCITS funds, the management company won’t be able to provide data on the number of retail end-investor customers as it won’t be in its possession.
Moreover, data points that relate to non-EEA countries would not necessarily be an indication of a higher ML/TF risk, as many of the non-EEA countries would not be associated with such risk. Likewise, EEA countries do not guarantee a low ML/TF risk. Also, the risk level of the country is not necessarily a precondition to the level of risk that should be associated with the customer, as there can be low-risk customers from high-risk countries (e.g. pension schemes) and vice versa. Therefore, these data points do not serve well the objective of identifying the level of inherent and residual risk of the obliged entity. In addition, each firm has its own methodology for assessing customer and country risk rating, leading to different conclusions.
Furthermore, data points that do allow for subjective assessment, i.e. those that are not linked to an automated score, would not serve the purpose of uniform evaluation of the obliged entities and their risks. It is quite probable that they will not be assessed using the same methodology and would not provide comparable results.
To summarize, we believe that data points should focus on indicators which would be helpful to identify high-risk situations, instead of, for example, countries, to offer a better detailed picture of where the risk of the obliged entity actually resides.
Finally, it is of utmost importance that all of the proposed data points are tested and checked under a practical exercise that will involve a representative group of entities from all sectors and a sufficient number of Member States.
Q3a answer:
In the short to medium term, several data points are not available as not recorded in the IT system at onboarding stage, not relevant for the specific industry sector or not relevant to assess the inherent and residual risk profile of obliged entities.
In the longer term, the request related to some data points will have an impact on the obliged entity in terms of costs as:
1) The obliged entity will have to conduct a gap analysis between current available data and target data points.
2) The obliged entity will have to (i) consider the feasibility of existing systems to incorporate the new data points/criteria in the existing operating system; (ii) design and implement the process to capture the new data points for existing and new clients; (iii) perform a manual review of all existing relationships and all data and documentation in order to upload/input the data.
The process described under point 2) could have a significant impact in terms of costs related to IT development, time spent for the review of database to retrieve and update the data for existing relationships (that could be captured on paper but not on system), as well as project management and potentially having to implement entirely new IT systems and tools. Such costs will be ultimately borne by the customers/investors, thus impacting EU competitiveness as a financial center.
3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?
As mentioned in our response to question 3, the best way to get clarity in this regard would be to conduct a practical exercise with a sufficiently wide group of entities. Not only do particular industries differ in the data that would usually be available, but significant differences can also be seen between particular Member States.
3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?
No comment.
Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
We are of the opinion that an annual review for the normal frequency is too high, and the rationale for it is not clear. With the further steps of the procedure to be conducted, it is possible that once one review is finalised, another will already have to be initiated. It will add to the costs borne by the industry, as well as the supervisors, which will ultimately be paid by the sector, and in the case of the asset management industry, ultimately by the investors.
Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.
We generally agree. However, it is our understanding that the reduced frequency would likely apply to a very limited extent (if at all), given the scope is so narrow.
In addition, we question the relevance of the criterion referring to the total number of full-time equivalent employees. We do not believe it to be a good indicator that would justify a reduced frequency for the review of the risk profile of the entity. The main impact it would have would be the narrower scope of entities that could be subject to the reduced frequency review.
Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.
EEA countries are in principle subject to the AML 6 rules and thus should be presumed to present lower risk, as opposed to third countries, for which the quality of the AML framework requires a more detailed assessment. As a result, transactions linked with EEA jurisdictions should indeed be assessed differently than transactions linked with third countries.
More fundamentally, as obliged entities already take into account the geographical risk for the overall assessment of the customer’s risk, we recommend not to focus on high risk countries, but on high risk customers.
Indeed, the fact that a country is non-EU/EEA does not necessarily entail a higher risk. Nor does the fact that a country is in the EEA necessarily always equate to a low-risk scenario.
In the investment fund sector, firms typically register the country of the customer and Ultimate Beneficial Owner (UBO) and incorporate the associated country risk into their risk assessments. Country exposure for the investment fund sector is in principle global, especially for markets that are specialized in this sector, like Luxembourg and Ireland. Firms are likely to consider the equivalence of regulatory standards in general by assessing this equivalency specifically in their country’s risk assessment. It is unlikely that a firm would automatically assign a low-risk rating to every country within the EEA or, conversely, a high-risk rating to every country outside of it.
Therefore, we consider that an automatic distinction would not add specific value.
We would also like to add that there are quite common scenarios of very low risk customer types in higher risk countries, for example public pension schemes in South America, which by their nature are very low risk (funded by deduction of % of employees’ salaries). And on the other hand, there might be customer types in lower risk countries with a high risk of money laundering, which would warrant a high-risk client rating, such as significant PEP exposure or very high-risk activities. Therefore, focusing on high-risk customers instead of only the country might ultimately be the better option and gives a more detailed picture of where the risk actually sits.
As you will be aware, for both customer risk rating and country risk rating, firms will have developed their own methodologies and will come to different conclusions.
Therefore, we do not believe that the proposed distinction will bring much added value.
Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
As in the case of the draft RTS on CDD, we believe it is crucial to take into account the specificities of the asset management industry and the significant implications this draft RTS on Selection might have on it.
Management companies and AIFMs, as well as the funds that they manage, can be domiciled in one Member State; however, units/shares of the funds are made available for subscription to customers across various Member States and third countries. In the EU this is possible through the marketing passport established both in Chapter XI of UCITSD and Art. 32 of AIFMD. While not required by the provisions of these directives[1], managers often establish branches whose main or only purpose is to market these products in particular jurisdictions. These branches usually do not have a legal personality and do not act as distributors based on a separate marketing licence. All their activities are being done on behalf of the funds and/or the management company domiciled in another EU jurisdiction, with the business relationship between the customer and the fund also being governed by the law of the jurisdiction where the main office of the manager is located and where all AML obligations are also being conducted. The extent to which this is a common practice is well known to ESMA, as such activity must be notified not only to national competent authorities but also to ESMA.
Therefore, we are of the opinion that these types of branches cannot be treated as an establishment under the provisions of AMLAR or be classified under the freedom to provide services. As was explained in the recital 28 of AMLR “It is important that AML/CFT requirements apply in a proportionate manner and that the imposition of any requirement is proportionate to the role that obliged entities are able to play in the prevention of money laundering and terrorist financing”. Accordingly, as long as the role of those branches is not related to the execution of the AML/CFT control framework (e.g. client take-on, transactions or payments), we consider they should not be taken into account when selecting entities for the direct supervision by AMLA.
We would also like to highlight the magnitude of entities that could fall under the direct supervision should the materiality thresholds be too low. Article 1(1) of the Draft RTS on Selection provides two materiality conditions, with the fulfilment of just one of them being sufficient for the activities of the financial institution carried out in a Member State to be considered for the purposes of the selection of the entity for the direct supervision by AMLA. In the case of the asset management industry, where intermediaries should be treated as customers (according to the more detailed explanation provided in our response to question no. 6 on the draft RTS on CDD), the possibility of reaching a number of 20,000 customers per Member State is not very common. On the other hand, reaching a value of 50,000,000 EUR of incoming and outgoing transactions generated by customers in one Member State would be very probable, in particular if subscriptions and redemptions coming into the fund are not netted but accumulated. This is due to the fact that in funds, in particular in the open-ended ones, but this may also apply to closed-ended funds (generally reserved to professional/institutional clients), the number of underlying clients subscribing to a fund through an intermediary can go into hundreds of thousands. Moreover, these clients are free to subscribe and redeem units or shares on a daily basis, which creates daily outflows and inflows to the fund.
Therefore, we are of the opinion that one additional criterion should be added to clarify that the activities mentioned in Art. 12(7) of AMLAR refer only to those activities that are related to the AML/CFT control framework. Further to that, we also believe that the thresholds should be reviewed to adapt to specific industry sectors, as well as met cumulatively in a particular Member State, in order for it to be considered as one of the Member States mentioned under Art. 12(7) AMLAR.
We would propose the following wording for Art. 1(1) of the draft RTS on Selection:
“The activities of a credit institution or a financial institution under the freedom to provide services in a Member State other than where it is established shall be considered material for the purposes of meeting the conditions of Article 12(1) of Regulation (EU) 2024/1620, where:
a) those activities are related to the execution of the AML/CFT control framework (for example customer onboarding);
b) the number of its customers that are resident/domiciled in that Member State is above […]; and
c) the total value in Euro generated by the customers referred to under letter (a) is above […]”.
--- Footnote ---
[1] Article 92(2) of UCITSD provides that “Member States shall not require UCITS to have a physical presence in the host Member State or to appoint a third party for the purposes of paragraph 1.”
Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.
Please see our response to question no. 1 above.
Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.
We do not believe a distinction should be made. Please also see our response to question 1 above.
Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.
We agree.
Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.
No comment.
Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
Please see our response to question no. 1. As in the case of individual entities, also in the case of groups, the assessment should be limited to the entities that are obliged entities under the AML framework and carry out activities related to the execution of the AML/CFT controls.
Therefore, we propose for “N” in the formula provided under Art. 5(2) of the draft RTS on the Selection to be given the following wording:
“N: number of obliged entities in the group carrying out AML/CFT controls”
Moreover, the second threshold proposed under Article 5(2) of the draft RTS on Selection (i.e. “the total amount in Euro of incoming and outgoing transactions”) may be difficult to calculate or not relevant for certain types of businesses, such as the investment fund industry.
Therefore, we suggest deleting it.
Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.
We understand that the group-wide perimeter is defined through the definition of “selected obliged entity” provided by Article 2(1)(1) of Regulation (EU) 2024/1620, i.e. “a group of credit institutions or financial institutions at the highest level of consolidation in the Union in accordance with applicable accounting standards”. This means that entities part of a credit or financial group which is solely consolidating outside of the Union shall not be treated as part of the same group-wide perimeter for the application of Article 5.
In addition, as mentioned under Answer 6, we are of the opinion that only those obliged entities that are carrying out activities which are related to the execution of the AML/CFT control framework established by a credit institution or financial institution should be taken into account to define the group-wide perimeter.
Such clarification is needed to allow AMLA to determine the risk profile of a group based on the ML/TF risk exposure given by the (weighted adjusted) number of entities in the group carrying out AML/CFT controls (e.g. client take-on, transactions or payments).
The reason appears clear, for example in the case where a management company or investment firm only carries out marketing services in one or several different countries, whilst all AML/CFT controls are carried out by the mother company.
Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?
Please see our response to questions no. 1 and 6 above.
Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
No comment.
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
- General remarks
As a general remark on the draft RTS on CDD we would like to raise that it highly limits the possibility to apply a risk-based approach to customer due diligence (CDD). While we understand and support the need for more harmonised efforts in the area of AML/CFT measures across the EU, the risk-based approach remains the core principle of the framework, as also highlighted in the recitals of AMLR[1]. Moreover, we believe that Art. 28(1)(b) and 33(1)(e) of the AMLR have been subject to overly restrictive interpretation, which has significantly limited the possibility to identify and define simplified measures for specific sectors. Particularly, we believe that some of the proposed rules are not possible to apply to the asset management sector, due to its specificities described in more detail under our response to question no. 6.
- Referring now specifically to Section 1 of the Draft RTS on CDD, we would like to raise the need for more clarity regarding to whom these provisions will apply. Articles 1-5 indicate when they refer to “natural persons” and when to “legal entities”, directly or by mentioning relevant points of Art. 22(1) of AMLR. This is not the case for the following articles, which apply to “customers” or “persons purporting to act on behalf of customers”. These terms were not defined under the draft RTS on CDD, nor was a definition established under the AMLR. These circumstances do not bring clarity, particularly in the case of Art. 6 of the Draft RTS on CDD, where only paragraph 5 specifically stipulates that it applies to non-natural persons. While it could be interpreted a contrario that all the other paragraphs refer only to natural persons, more clarity would be beneficial to the appropriate application of these rules.
Moreover, in the case of different sectors of the financial industry and even in the case of different products offered by the same financial entities, different persons would be understood as their customers. This would particularly be the case in situations when multiple parties are involved. As explained in more detail under our response to question no. 6 below, in the case of the investment funds industry, the intermediaries would often be the customers of the fund. In such context, the FATF clarifies in its Guidance for a Risk-Based Approach for the Securities Sector[2] that: “Depending on how the investment fund is sold, with whom the business relationship is established or who is registered in the fund’s share/units register, the investment fund may be required to treat an underlying investor as its customer or the intermediary as its customer”. The EBA has acknowledged this particular case in its ML/TF Risk Factors Guidelines[3], where it provides that risk can be reduced in cases where “the customer is a firm subject to AML/CFT requirements that are not less robust than those required by Directive (EU) 2015/849”.
We are of the opinion that this recognition was an important achievement in understanding the complexities of different segments of the financial industry and how they impact the ML/TF risks caused by these business relationships. We believe that this additional clarity will be beneficial to a harmonised implementation of the new AML Package and, therefore, we urge EBA to include it in the recitals of the draft RTS on CDD.
It would be beneficial to provide obliged entities with more clarity, also by defining the term “persons purporting to act on behalf of the customer”. It would help ensure harmonisation and avoid divergent interpretations among Member States. Particularly in the case of legal entities, the group of individuals participating in the entity's operations can be very broad (directors, other employees etc.). In the case of bigger legal entities, such as financial institutions: (i) the lists of authorised signatories are long and subject to frequent changes, (ii) out of those individuals included on those lists, many may never have any interaction with the obliged entity, and (iii) requesting information such as nationality or place of residence may not be possible and could go against their right to privacy, given that these persons will be merely representing the legal entity and not acting in their own interest. Applying a full identification and verification process on all of them would be excessive and ineffective in battling financial crimes. Therefore, we believe that the definition should include those persons who are external to the customer (are not employed) and act based on a proxy or power of attorney.
Therefore, we would propose the following definition to be included in the draft RTS on CDD:
‘person purporting to act on behalf of the customer’ means (i) legal representative(s) of a customer who is an unfit natural person, or (ii) any legal or natural person, other than an employee or senior managing official of a legal person, authorised to act on behalf of the customer pursuant to a mandate, or proxy agreement
- Information to be obtained in relation to the addresses (Art. 2)
We would like to highlight that the data points specified under Art. 2 of the draft RTS on CDD are too prescriptive and would not be possible to apply in the context of different jurisdictions where address conventions differ. As such, it is not always possible to provide postal codes, city names or street names, especially in a non-EU context.
Moreover, such an approach does not seem entirely appropriate from the perspective of legal entities and other institutions. Also, in the case of persons purporting to act on behalf of a customer that is a legal entity or for senior managing officials being identified as the ultimate beneficial owners and acting solely in their professional capacity, not all of the proposed details are necessary.
Therefore, we would propose the following wording for Art. 2 of the draft RTS on CDD:
“1. The information on the addresses as referred to in Article 22(1)(a) point (iv) and 22(1)(b) point (ii) of the Regulation (EU) 2024/1624 shall consist of: the full country name, and where appropriate postal code, city, street name, building number and the apartment number.
2. In the case of persons purporting to act on behalf of a customer that is a legal entity or a Senior Managing Official who is identified as the ultimate beneficial owner and acts in its professional capacity, the address of the registered office of the legal entity will be sufficient.”
- Specification on the provision of the place of birth (Art. 3)
The currently proposed provision of Art. 3 requires information on the place of birth to consist of both the city and the country name. We are of the opinion that this is too prescriptive, as not all data is always available in documents such as IDs or passports. We are also not aware of any added value that having both the city and the country name in all cases will bring for the AML/CFT purposes.
This will also create an issue in terms of Art. 5(1) and the set of information that is required on a document for identity verification purposes. Information on the full place of birth (i.e. both the city and the country) would not be included in national IDs or driving licences. It is not possible to expect that countries will change the documents that they issue because of the AML/CFT requirements. This is true for the EU Member States and even more so for third countries.
Therefore, we would propose the following wording for Art. 3 of the draft RTS on CDD:
“The information on the place of birth as referred to in Article 22(1)(a) point (ii) of Regulation (EU) 2024/1624 shall consist of the city or the country name.”
- Specification of nationalities (Art. 4)
Article 4 of the draft RTS on CDD requires that obliged entities shall obtain necessary information to “satisfy themselves that they know of any other nationalities their customer may hold.” This obligation is very impractical given that obliged entities do not have access to any database that will give them such satisfaction and identification documents, such as passports or IDs, for obvious reasons inform only about the nationality of one country.
Therefore, we would propose the following wording for Art. 4 of the draft RTS on CDD:
"For the purposes of Article 22(1)(a) point (iii) of Regulation (EU) 2024/1624 obliged entities shall take reasonable measures to obtain necessary information about any other nationalities their customer may hold."
- Identity verification (Art. 5)
We believe that paragraph 5 of Art. 5, which requires that the obliged entity is provided with “original identity document, passport or equivalent, or a certified copy thereof (…)” is excessive and does not leave room for the obliged entities to apply a risk-based approach.
It is also not in line with provisions of the AMLR, which in Art. 22(6)(a) do not include the requirement of only originals or certified copies to be provided. Instead, it refers to “the submission of an identity document, passport or equivalent and, where relevant, the acquisition of information from reliable and independent sources, whether accessed directly or provided by the customer”, which we believe gives much more room for the obliged entities to decide on the means by which this submission and acquisition will take place, in accordance with the identified level of ML/TF risk.
From a retail customer perspective, the obligation to provide an original document or certified copy will highly increase the costs borne by the customers, as they will be the ones who would have to acquire and provide such a copy for themselves, their beneficial owners or persons purporting to act on their behalf. This will be even more challenging for customers from third countries. Our understanding is that the aim of the AML Package was to enhance the security of the system, and not to disincentivise customers from using services provided by the EU financial sector.
Such an approach would contradict not only the EU efforts to encourage retail investors to use financial products in the EU, but also the recent work of the FATF that underscores the importance of financial inclusion. According to the FATF, it is an essential element of the AML/CFT system as it “enhances financial sector transparency and integrity by increasing the reach and effectiveness of AML/CFT measures that help keep criminals out of the financial system and facilitate law enforcement investigations”[4]. The FATF also highlights the importance of a risk-based approach, as “applying overly cautious, non-proportionate AML/CFT safeguards when providing financial services and products can exclude legitimate consumers and entities from the regulated financial system (…)”.
Moreover, a risk-based approach needs to be applied when collecting IDs to avoid unnecessary costs and burden. Obtaining IDs in original and/or certified form should be required only in case of inconsistencies or doubts about the actual identity of the customer. In particular, document certification is solely one of the numerous measures (and certainly not the most effective) an obliged entity can take to verify the obtained information.
The approach proposed in Art. 5(5) of the draft RTS on CDD will simply not be possible to achieve in the case of some sectors of the financial industry, which operate in a significantly different manner than the banking industry. A good example here is the asset management industry, which we describe in more detail under the response to question no. 6 below. Due to the specificities mentioned there, the verification of the customer’s identity rarely happens in person, and most of the customers are institutional investors. As such, the asset management industry won’t be able to apply the rules of Art. 5(5) to its customers. Also, in the case of retail investors who would be customers of the fund directly (which is not typical for most of the asset management industry), the identity verification would always happen first at the level of a bank. This is because subscriptions through cash do not exist in the fund reality and any payments to the fund and then to the investor always take place through a bank account.
Therefore, we would propose the following changes in Art. 5(5) of the draft RTS:
“5. For the purpose of verifying the identity of the person referred to in Article 22(6) of Regulation 2024/1624, the obliged entity shall gather, from these persons or from other reliable sources, an identity document, passport or equivalent. In case of customers posing a higher risk of ML/TF obliged entities shall adopt appropriate mitigation measures, such as, for example, those referred under Article 6.”.
- Understanding the ownership and control structure of the customer (Art. 10)
We are also of the opinion that the approach taken in Art. 10 of the Draft RTS on CDD is excessive and does not allow for the application of a risk-based approach, as it requires specified information to be obtained concerning all legal entities and/or legal arrangements between the customer and his beneficial owners. Many multilevel structures are created for business and operational reasons, and gathering all of the listed information will be unnecessary for the purpose of understanding the ownership and control structure of the customer. The approach here should depend on the complexity of the structure and the ML/TF risk it poses.
In the asset management industry, which we describe in more detail under our response to question no. 6 below, it is common to find layers of intermediaries between the fund and investors (who are customers of the intermediary). These intermediaries are mainly banks or other financial entities that help investors invest in the funds and optimise costs and charges to provide them with lower fees. Given the characteristics of entities existing in the chain and the low level of ML/TF risk they could create, we do not believe that acquiring all of the information mentioned in Art. 10 regarding intermediaries at each level would be justified.
Moreover, collecting additional information would create operational and technological burdens. Additional names would need to be recorded, kept updated and screened, requiring time, economic resources and often technological developments, without mitigating any actual ML/TF risk.
In such circumstances, we believe that to fulfil the requirements of Art. 62 of AMLR, it is sufficient for the obliged entity to understand the structure existing between the customer and the beneficial owner by collecting the names of entities in between and the percentage of their ownership. Any more detailed information on those entities could be required in cases where a higher level of ML/TF risk would be identified or they would exceed the threshold for beneficial ownership under Art. 52(1) of AMLR.
Therefore, we would propose the following wording for Art. 10 of the draft RTS on CDD:
“1. For the purposes of understanding the ownership and control structure of the customer in accordance with Art. 20(1)(b) of Regulation (EU) 2024/1624, where the customer’s ownership and control structure is complex and posing a higher risk of ML/TF, obliged entities shall obtain the following information:
a. a reference of the legal entities and/or legal arrangements functioning as intermediary connections between the consumer and their beneficial owners owning more than 25% within the customer structure, if any
b. with respect to each legal entity or legal arrangement within the referred intermediary connections, the legal form of each legal entity or legal arrangement; the jurisdiction of incorporation or registration of the legal person or legal arrangement, or, in the case of a trust, the jurisdiction of its governing law; and
c. information on the regulated market on which the securities are listed, in case a legal entity in an intermediate level of the ownership and control structure has its securities listed on a regulated market, and the extent of the listing if not all the legal entity’s securities are listed on a regulated market.
2. Obliged entities shall assess whether the information included in the description, as referred to in Article 62(1) of Regulation (EU) 2024/1624, is plausible, there is economic rationale behind the structure, and it explains how the overall structure affects the ML/TF risk associated with the customer.”
- Complex structures (Art. 11)
Similarly, the proposed provisions of Art. 11 of the Draft RTS on CDD would result in the vast majority of ownership structures being treated as complex, as multinational companies and medium/large financial entities typically have multiple layers of ownership, and in the majority of cases, in different jurisdictions. We do not believe this was intended by the AML Package, and again would not be in line with the level of ML/TF risk posed by those structures. In fact, due to the vast majority of structures being recognised as complex, it could make it easier for those truly complex to be less visible. Therefore, we do not believe that Art. 11 is in line with the principle of a risk-based approach. It also doesn’t leave any room for a different approach to entities which have a clearly lower ML/TF risk, due to the highly regulated industry in which they operate (e.g., financial institutions) or the fact that they are publicly listed companies.
Firstly, the proposed number of “two or more layers between the customer and the beneficial owner” is disproportionately low. In the case of the asset management industry, there can be multiple layers of entities in the intermediary chain; however, as they would all generally be regulated financial entities, the ML/TF risk posed would remain low. Therefore, not only the number of layers that would be considered as indicating a complex structure should be left for the decision of the obliged entity, according to its risk-based analysis, but also the fact that those are regulated financial entities should exempt the structure from being treated as complex.
Furthermore, the proposed conditions, if applied separately, also don’t justify treating such structures as complex. In particular, the mere fact of registration in different jurisdictions doesn’t justify such classification in today's world where markets and businesses are very interconnected. These jurisdictions could include different Member States of the EU or other countries that uphold the same AML/CFT standards. Immediate classification of such structures as complex could disincentivise further integration and international collaboration.
Therefore, we would propose the following wording for Art. 11(1) of the Draft RTS on CDD:
“1. To understand the ownership and control structure of the customer in accordance with Article 20(1)(b) of Regulation (EU) 2024/1624, obliged entities shall treat an ownership and control structure as complex where there are multiple layers between the customer and the beneficial owner and in addition, two of the following conditions are met;
- there is a legal arrangement in any of the layers having no rationale in the structure;
- the legal arrangements/ legal entities present at any of those layers are incorporated or domiciled in a jurisdiction included in the EU list of non-cooperative jurisdictions for tax purposes;
- there are nominee shareholders and/or directors involved in the structure;
- there are indications of non-transparent ownership with no legitimate economic rationale or justification”.
- Information on Senior Managing Officials (SMOs) (Art. 12)
We would also like to highlight that the level of ML/TF risk that can be associated with SMOs is not the same as the potential risk that could be associated with beneficial owners (BOs). Firstly, the SMOs, unlike the BOs, do not hold ownership interest over the company and do not control it through that ownership or via other means. If they did, they would have to be identified as BOs. Instead, and according to Art. 63(4) of AMLR, their details are being provided in cases where it was not possible to identify BOs or their identification is uncertain. Secondly, as these are persons who exercise executive functions within the legal entity, their identity has already been verified multiple times, as they would usually have to perform actions vis-à-vis multiple national authorities, such as tax or national registers. Due to the same reasons, their important details are usually available through reliable and independent sources of information, mentioned under Art. 22(6)(a) of AMLR.
Therefore, it does not seem justified to require the same set of information and verification rules for SMOs as for BOs. According to Art. 63(4)(b) of AMLR the details that are to be collected on SMOs are to be equivalent to those required under Art. 62(1), second subparagraph, point (a). It does not refer to all the information listed for the purpose of BOs identification under Art. 62, and moreover, the article clearly refers to “equivalent” information, which does not mean “the same”.
In particular, we are of the opinion that requiring a CEO of a big company to provide his ID would be disproportionate, as his data and identity can be easily retrieved through the relevant company’s registers. Moreover, acquiring information about his residential address will meet a strong and justified objection due to privacy and security reasons. This data is neither necessary nor commensurate with the limited ML/TF risk that he would pose. As a result, this overburdening obligation can have far-reaching implications, discouraging international companies from using the services of EU financial entities.
Therefore, we would propose the following changes in Art. 12 of the Draft RTS on CDD:
“In relation to senior managing officials as referred to in Article 22(2) second paragraph of Regulation (EU) 2024/1624, obliged entities shall:
- collect the information for identification purposes; and
- verify their identity on a risk-based approach”.
- Identification and verification of beneficiaries of trusts (Art. 13 and 14)
We would like to highlight that unlike Art. 13, where at least paragraph 2 provides for risk-sensitive measures to be taken while ensuring that timely updates are provided, Art. 14 of the draft RTS on CDD does not include elements introducing necessary proportionality.
Therefore, we would propose the following wording for Art. 14(2) of the draft RTS on CDD:
“2. To comply with paragraph 1, obliged entities shall take risk-sensitive measures to:
- obtain sufficient information about how and in which ways the power of discretion can be exercised by the trustee(s);
- establish whether trustees have exercised their power of discretion and appointed one or more beneficiaries from amongst the objects of power or whether the default takers have become the beneficiaries due to the trustees’ failure to exercise their power of discretion.”
We also note that Art. 13 may not foresee certain situations, for example, in a case where a trust will designate the beneficiary only when a new child/grandchild is born.
Therefore, we would propose the following wording for Art. 13(1) of the draft RTS on CDD:
“1. For the purposes of Article 22(4) of Regulation (EU) 2024/1624, the information obliged entities shall collect includes:
- a description of the class of beneficiaries and its characteristics, which shall contain sufficient information to allow the obliged entity to determine whether individual beneficiaries are ascertainable and shall be treated as beneficial owners at the point of payment request; and
- relevant documents to enable the obliged entity to establish that the description is correct and up-to-date on a risk-based approach.”
--- Footnotes: ---
[1] According to the recital 29 of AMLR: “In line with the risk-based approach of this Regulation, those policies, procedures and controls should be proportionate to the nature of the business, including its risks and complexity, and the size of the obliged entity and respond to the risks of money laundering and terrorist financing that the entity faces, including, for crypto-asset service providers, transactions with self-hosted wallets.”
[2] FATF, Risk-based Approach Guidance for the Securities Sector, para. 48 and 100.
[3] EBA, Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions (“The ML/TF Risk Factors Guidelines”), repealing and replacing Guidelines JC/2017/37, 1 March 2021, section 16.9. b).
[4] FATF, Public consultation on AML/CFT and Financial Inclusion – Updated FATF Guidance on AML/CFT measures and financial inclusion, Paris, 25 February 2025, (FATF guidance on financial inclusion), para. 26.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
With the increased use of online services in the financial industry, non-face-to-face interactions have become a standard business practice in many countries. Such circumstances can potentially be an example of a higher risk scenario; however, not in cases where other mitigating factors or measures apply. In the asset management industry, for example, the majority of interactions happen in a non-face-to-face context. Nevertheless, the ML/TF risk is considered to be low in most cases, given that most fund customers will be institutional/regulated entities. Therefore, as already highlighted in our general remarks, it is essential that obliged entities are allowed to apply a risk-based approach, also in the context of non-face-to-face interactions. We do not believe this is possible under the proposed provisions of Art. 6 of the Draft RTS on CDD.
Article 22(6) of AMLR provides two means for the verification of customers’ (and other persons') identity: submission of a document or acquisition of information from reliable and independent sources under letter (a) or the use of electronic means under letter (b). AMLR doesn’t favour one solution over the other, irrespective of whether the verification takes place in person or not, leaving the obliged entity the possibility to choose the best approach. On the contrary, Art. 6(1-2) of the draft RTS on CDD creates a clear preference for the use of electronic identification means, allowing obliged entities to acquire documents only if the “solution described in paragraph 1 is not available, or cannot reasonably be expected to be provided”. We believe that this approach goes against the logic of Art. 22(6) of AMLR and against the principle of a risk-based approach. While in some cases of high risk it might be justified to verify the identity of a natural person by the use of e-IDAS, in low risk circumstances it would be highly excessive. In instances where customers are mainly institutional/regulated entities, verification through documents or information coming from other reliable and independent sources would be sufficient. This is also because legal entities are usually registered in national registers and there are other, publicly available sources of information on their affairs (particularly if these are public companies listed on stock exchanges).
Also, in a broader context, such a strong preference for solutions such as e-IDAS is not sustainable. It is unrealistic to expect that all natural persons will have access to e-IDAS, as the uptake of those solutions in Member States is not sufficient. It also discriminates against customers from third countries, where the e-IDAS Regulation does not apply. Therefore, we do not think that the use of other solutions can be considered only as temporary, and there should always be other permissible ways to verify customer’s identity in a non-face-to-face context.
We would also like to highlight issues with the conditions proposed for remote solutions under paragraphs 3-6 of Art. 6 of the Draft RTS on CDD.
First of all, the rationale for obtaining the customer’s explicit consent to verify his identity in line with paragraph 2 is not clear. It has not been required under the EBA Guidelines on Customer Remote Onboarding[1]. It is also not an obligation under the provisions of AMLR, and the Consultation paper falls short of providing any arguments behind it. Given that the purpose of the identity verification is for the verified person to get access to a financial product, and as such cannot be made without their active participation, an obligation to obtain explicit consent seems highly excessive. It will become an additional element in the already complicated onboarding process, which doesn’t add value to the AML/CFT purposes.
Secondly, the safeguards included in paragraph 4 seem too far-reaching and do not consider the specificities of different sectors, particularly those that operate in a different manner from the banking industry. The reference to audiovisual communication in letter b, or connection interruptions in letter c, seem to favour live data streams. As such, they highly limit the choice of technological solutions that could be used. This is unjustified and also goes beyond the approach that was previously established by the EBA Guidelines on Customer Remote Onboarding, which allowed for much more flexibility, leaving the choice of technological solutions to the industry.
In particular, these requirements will not be suitable for the identification of legal entities and natural persons acting on behalf of them. In the case of the asset management industry, for example, where in many cases other financial institutions acting as intermediaries will be considered as customers (more on that under our response to question no. 6), it is common to acquire a list of authorised signatories with reproductions of their IDs or signature. Those lists can include multiple individuals (in some cases, running into the tens or hundreds). A verification of each one of them via the remote solutions would not be in line with the risk-based approach and would significantly delay the onboarding process. It would have negative implications for the current business model of the majority of investment funds, which could further stifle the development of the EU capital market. Therefore, in those cases, only paragraph 5 should apply.
Therefore, we are of the opinion that the following changes to the wording of Art. 6 are necessary:
“1. To comply with the requirements of Article 22(6) of Regulation (EU) 2024/1624 in a non-face-to-face context, obliged entities shall:
(a) apply additional and appropriate measures, on a risk-based approach, to mitigate the inherent higher risk that this type of customer relationship may present; or
(b) use electronic identification means, which meet the requirements of Regulation (EU) 910/2014 with regard to the assurance levels ‘substantial’ or ‘high’, or relevant qualified trust services as set out in that Regulation.
2. Alternatively to the solutions described in paragraph 1, obliged entities may acquire the customer’s identity document (or equivalent) using remote solutions that meet the conditions set out in paragraphs 3-5 of this Article. Such solutions shall be commensurate to the size, nature and complexity of the obliged entity’s business and exposure to ML/TF risks.
3. Obliged entities shall ensure that the remote solutions described in paragraph 2 use reliable and independent information sources and include where suitable the following safeguards regarding the quality and accuracy of the data and documents to be collected:
a. controls ensuring that the person presenting the customer’s identity document (or equivalent) is the same person as the person on the picture of the document;
b. the integrity and confidentiality of the communication with the person should be adequately ensured;
c. any images, video, sound and/or data are captured in a readable format and with sufficient quality so that the customer is unambiguously recognizable;
d. where applicable, the identification process does not continue if technical shortcomings or unexpected connection interruptions are detected;
e. the information obtained through the remote solution is up-to-date;
f. the documents and information collected during the remote identification process, which are required to be retained, are time-stamped and stored securely by the obliged entity. The content of stored records, including images, videos, sound and data shall be available in a readable format and allow for ex-post verifications.
4. Where obliged entities accept reproductions of an original document, for customers that are not natural persons, and do not examine the original document, obliged entities shall take steps to ascertain that the reproduction is reliable. Where available, during the verification process, obliged entities shall verify the security features embedded in the official document, if any, such as holograms, as a proof of their authenticity. Such steps shall be undertaken on a risk-based approach, and, in particular, limited to cases where the obliged entity has grounds to question the reliability of the reproduction so obtained.
5. Obliged entities using remote solutions shall be able to demonstrate to their competent authority that the remote verification solutions they use comply with this article”.
--- Footnote: ---
[1] EBA, Final Report. Guidelines on the use of Remote Customer Onboarding Solutions under Article 13(1) of Directive (EU) 2015/849, 22.11.2022, EBA/GL/2022/15, (Guidelines on Customer Remote Onboarding).
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
No comment.
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
- Identification of the purpose and intended nature of the business relationship or the occasional transaction (Art. 15)
The reference to the wider group under Art. 15(c) of the draft RTS on CDD is unclear in the case of the investment fund industry.
Therefore, we would propose the following changes in Art. 15(c) of the Draft RTS on CDD:
“c. whether the customer has additional business relationships with the obliged entity or its wider group, where applicable, and the extent to which that influences the obliged entity’s understanding of the customer and the source of funds; and”.
- Understanding the purpose and intended nature of the business relationship or occasional transaction (Art. 16)
While the proposed Art. 16 of the draft RTS on CDD allows for risk-sensitive measures to be taken by obliged entities, the list of information to be obtained is excessive, especially if it is expected to be collected in all circumstances. In particular, in the case of the asset management industry, the purpose of the relationship and the nature of the transaction are limited to long-term investment.
Therefore, we believe that the introductory part of Art. 16 of the draft RTS on CDD should have the following wording:
“When obtaining information in accordance with Article 25 of Regulation (EU) 2024/1624 obliged entities shall take risk-sensitive measures to obtain the following information where relevant:”
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 17(1)(b) of the draft RTS on CDD requires that, for existing customers (and other persons), a determination be made whether they have become a PEP at least if significant changes in the customer due diligence data occur. As examples of those significant changes, “nature of the customer’s business, employment or occupation” are listed. This approach does not allow for the application of a risk-based approach. Moreover, we believe that such changes do not necessarily expose the customer to reclassification as a PEP.
Therefore, we would propose the following change in Art. 17(1)(b) of the draft RTS on CDD:
“b. determine whether existing customers, the beneficial owner of the customer and where relevant, the person on whose behalf or for the benefit of whom a transaction or activity is being carried out have become politically exposed persons, with a frequency determined on a risk-based approach and at least if significant changes in the customer due diligence data occur, such as the nature of the customer’s business, employment or occupation where relevant; (…)”
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
General comments and remarks on section 4 of the draft RTS
We welcome the inclusion of section 4 in the draft RTS. It provides valuable guidance and enables the application of the risk-based approach to money laundering and terrorism financing risks.
Luxembourg and Ireland are the two largest domiciles of UCITS and AIFs. Germany, France and the United Kingdom follow in this ranking. The sector includes a variety of distribution models and is often characterized by a high degree of intermediation and multiple obliged entities (e.g. platforms, banks, distributors …) between the investment fund and the private individual investing their assets into a product through and in the name of their bank. Business relationships have a global span and are by nature mostly remote, without necessarily representing a heightened ML/TF risk, as investors always invest via a bank account and cash or occasional transactions are excluded.
Private individuals can access a UCITS product of multiple product manufacturers without needing a direct relationship with them, which makes the investment easier, cheaper and safer for the individual, as the individual will solely face his/her bank, which can advise holistically on the best products for the individual’s risk profile and financial situation. The individual also does not need to maintain different relationships with different providers and has an easy overview of their financial situation in its entirety.
In most cases, the intermediary is registered in the fund’s share/unitholder register and typically nets all of its customers’ orders and submits a single net order to the investment fund each day. In line with the FATF guidelines on the securities sector, the intermediary is therefore treated as customer/investor and is subject to AML/CFT due diligence as such (rather than the intermediaries’ customers who, as explained above, have, for their benefit, no direct relationship with the product manufacturer).
In consideration of the above, section 4 of the RTS could potentially have unforeseen adverse effects on the investment fund industry as a whole and risk counteracting the efforts made to increase retail investments in the EU. There is a real risk that this additional burden will be to the detriment of the private individual (as explained above).
Please find below our comments on the articles of the RTS that we believe to be problematic.
Remarks on specific articles
Article 18
We propose the below re-wording of art. 18(2): “Paragraph 1 shall apply also to persons on whose behalf or for the benefit of whom a transaction or activity is being conducted, where appropriate based on the economic activity of the customer”.
We note that this article is limited to the identification of the customer and not the verification.
Article 18 states that obliged entities shall also obtain the information listed in paragraph 1 for persons on whose behalf or for the benefit of whom a transaction or activity is being conducted.
While we understand the intent of the wording, it is important to highlight that this could be understood to include those entities that would fall under point 16.14 paragraph b) of guideline 16 of EBA's Guidelines (EBA/GL/2021/02), for example other investment funds (fund of fund type situation), pension providers, certain types of insurance products etc.
Identifying all individuals that ultimately benefit from such an investment is not in line with the ML and TF risk associated with the client type and is likely to cause material administrative and operational costs. Moreover, there are GDPR related concerns given that the entities are the legal owners of the shares/units. If there are investments made by a bank on behalf of 10,000 of their customers, it is practical neither for the asset manager nor for any of the individuals, who would have to provide their ID documentation twice for the same transaction. However, the intermediaries’ customers are identified for example if they represent a significant investor in the fund (i.e. more than 25% of the shares/units) and thus could be considered as beneficial owners of the investment fund itself, or in other situations described below.
Moreover, Art. 18(1)(b) requires systematic collection (even in case of lower risk), for legal entities, of notably “the tax identification number or the legal entity identifier where applicable”. The systematic relevance of this information for AML/KYC due diligence purposes is questionable, noting that the same article requires in any case the collection of the “registration number” of the entity.
Article 21
We understand that the intention of article 21 is to clarify the simplified due diligence measures, as well as the extent of these measures, an investment fund shall perform with regards to intermediaries that invest in their own name on behalf of customers in the fund as described in paragraph c) of the point 16.14 of the guideline EBA/GL/2021/02.
To avoid any confusion and to align it with the FATF securities sector guidelines (2018), we suggest amending the text of the article as follows:
“When an entity is acting as intermediary by subscribing for shares, units or other ownership interests of a collective investment undertaking in its own name, but on behalf of its customers, such collective investment undertaking may fulfil the requirement under Article 20(1)(h) of Regulation (EU) 2024/1624 by following up with the intermediary by making a request for information on any particular transaction(s), possibly leading to more information being requested on the underlying customers of the intermediary on a risk-sensitive basis, in case of any unusual activity or transaction on the part of the intermediary, or any potential deviations from the agreed terms of the arrangements governing the business relationship.
In addition, the collective investment undertaking shall be satisfied that:
- the intermediary is subject to AML/CFT obligations in an EU Member State or in a third country that has AML/CFT requirements that are comparable to those required by Regulation (EU) 2024/1624;
- the intermediary is effectively supervised for compliance with these requirements;
- the risk associated with the business relationship is not high;
- the fund or fund manager is satisfied that the intermediary applies robust and risk sensitive CDD measures to its own customers and its customers’ beneficial owners.
Rationale:
The requirement for intermediaries to provide due diligence information and documents on their customers upon request presents several challenges. This approach does not fully align with the FATF securities sector guidelines mentioned above. Customers are already undergoing customer due diligence measures by the intermediary, which is an obliged entity. Furthermore, the investment fund, as well as auditors and regulators, have reviewed the robustness of the intermediaries' AML processes.
In particular, paragraph 108 of the FATF securities sector Guidelines states that: “The correspondent institution should monitor the respondent institution’s transactions with a view to detecting any changes in the respondent institution’s risk profile (i.e. compliance with AML/CFT measures and applicable targeted financial sanctions), any unusual activity or transaction on the part of the respondent, or any potential deviations from the agreed terms of the arrangements governing the correspondent relationship. Where such concerns are detected, the securities provider should follow-up with the intermediary by making a request for information on any particular transaction(s), possibly leading to more information being requested on the underlying customers of the intermediary on a risk-sensitive basis.”
This would for example include a loss of license or significant fine for shortcomings with AML/CTF legislation which is not adequately addressed and, in these situations, the asset manager should take, and is taking, action.
Below are additional supporting reasons:
- We note that the current wording of the article implies that for intermediaries that are not low risk (e.g. medium-low risk or medium risk) a full look-through on their client base is required. In practice, this is very difficult to achieve and only yields limited insights given that the underlying customers can change on a daily basis as well as the complexities of the possible distribution set-ups. When banks invest on behalf of their customers, it is likely to be tens of thousands of customers with small value investments or regular savings plans/retirement plans. For their data to be provided, processed and screened (for a 2nd, 3rd, 5th or 10th time depending on how many products they invest in to diversify their investment) will significantly overflow current processes and systems and will create massive costs to Asset Managers. Costs that they would not need to incur if domiciled in other jurisdictions, such as the UK.
- We suggest, more generally and not limited to the application of simplified Due Diligence, to put the emphasis on the due measures performed on the intermediary and the robustness of its AML processes, in line with FATF recommendations. This already very onerous process which duplicates regulatory oversight and audit regimes provides more assurance, is far less disruptive and generates lower costs. Under the current proposal, it would be virtually impossible to distribute EU investment funds in certain medium risk markets. It would significantly hurt the competitiveness of the UCITS brand especially outside of EU and we would see significant downsides to all EU providers and what is a trillion EUR industry diminish.
- There are also practical hurdles requesting information on underlying customers, such as privacy and data protection laws in certain EU and non-EU countries. Regardless of the business impact for the European Investment Fund Industry, the costs associated with implementing such measures are significant (e.g. changing existing distribution agreements) and outweigh the fleeting gains that could be derived from it.
- Generally speaking, we consider that this measure could lead to duplication of efforts (if only one product manufacturer is chosen; if 10, the efforts would be multiplied by 10) and introduce inefficiencies and unnecessary burden and cost for private individuals. In our view, the due diligence measures should focus on understanding and assessing the intermediaries' AML/CDD processes.
Article 22
We propose to delete “data at all times” to align with the following wording:
“Obliged entities shall take the necessary risk-based measures to ensure that they hold up-to-date customer identification documents and/or information”.
Below are the reasons supporting our proposal:
We have concerns that this could be interpreted as requiring obliged entities to check on a daily basis that the customer information is up to date, which would be very onerous and costly and not at all risk based.
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.
In general, we believe that the obliged entities should apply a risk-based approach to determine which specific situations are to be considered as lower risk situations, allowing the application of simplified due diligence.
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Articles 24, 25 and 27 define minimum obligations to be complied with by obliged entities with regard to additional information on the customer and the beneficial owners, on the intended nature of the business relationship and on the reasons for the intended or performed transactions and their consistency with the business relationship. These obligations should only be illustrative and not prescriptive. It should be left to the responsible entities’ risk-based approach, commensurate to their risk appetite, to define the precise and tailored measures to apply to each case. Potentially, such measures may be based on factors such as the size of investment, the profile / regulatory status of the investor concerned. It must be underlined that many of the mentioned measures are not currently applied in practice. For example, entities obtain confirmation of source of wealth but not necessarily proof (only on specific higher risk or red flags cases). Finally, the mandatory application of all of the EDD measures considered might shift the focus from the real risk to a “tick the box” exercise and lead to a de facto financial exclusion of certain customers. We therefore propose to replace the terms “shall, at least” with “should, for instance”.
Article 26 defines some additional information on the source of funds, and source of wealth of the customer and of the beneficial owners to be collected in cases of enhanced due diligence. We propose to replace the terms “This information shall consist of one or more of the following evidence” with “the information to be collected may include the following evidence”.
Therefore, we would propose the following changes in section 5 of the draft RTS on CDD:
- Words “shall, at least” to be replaced by “may include” in all four articles.
- Deletion of letter d in Art. 24 and in Art. 27, as it is not the responsibility of the obliged entities to investigate the criminal activity.
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
- Screening of customers (Art. 28)
We would like to highlight that Art. 28 of the draft RTS on CDD goes beyond what was prescribed by Art. 20(1)(d) of AMLR. It requires that scanning measures shall be applied by obliged entities not only to customers, but also to all entities and persons which own or control such customers. At the same time, in Art. 20(1)(d) of AMLR this scanning was limited in the case of legal entities to persons who control the legal entity or have more than 50% property rights or majority interest. This, to our understanding, clearly limits the scope of such scanning.
In order to keep the provisions of the draft RTS on CDD in line with rules established by Level 1 provisions, we propose the following change in the wording of Art. 28:
“To comply with Article 20(1)(d) of Regulation (EU) 2014/1624, obliged entities shall apply screening measures to their customers and to the relevant entities or persons who control or meet the ownership conditions over such customers as provided by this Article.”
- Screening requirements (Art. 29)
Article 29 is too prescriptive and risks multiplying the possible “hits” the obliged entity would get when screening its database. As multiple “hits” reduce the effectiveness of the whole process they are not desirable.
Art. 29(a) notably requires systematic screening of:
- date of birth of natural person customers (i): while information such as e.g. date of birth may indeed be used, in case of positive hit, to further analyse the hit and determine whether the screened person actually corresponds to the sanctioned person identified, there should be no obligation to take this type of information into account for the screening in itself;
- where available, wallet address in the case of a natural person, legal person, body or entity (iii): the obligation to screen this information shall be strictly limited to cases where this information is otherwise held in the KYC file, to the extent relevant to the activities / services provided under the business relationship with the customer;
- in the case of a legal person, “beneficial ownership information” (iv): “beneficial ownership information”, as defined under art.62 of the AML Regulation, includes a number of information on the beneficial owners, such as, without limitation:
- all names and surnames, place and full date of birth, residential address, country of residence and nationality(ies), number of identity document, and, where it exists, unique personal identification number assigned to the person by his or her country of usual residence;
- the nature and extent of the beneficial interest held, as well as the date as of which the beneficial interest is held;
- where the ownership and control structure contains more than one legal entity or legal arrangement, a description of such structure, including names and, where it exists, identification numbers of the individual legal entities or legal arrangements that are part of that structure, and a description of the relationships between them, including the share of the interest held.
While this type of information may indeed be used, in case of positive hit, to further analyse the hit and determine whether the screened person actually corresponds to the sanctioned person identified, there should be no obligation to take this type of information into account for the screening in itself, which should be limited to the identity of the identified beneficial owner(s), together with additional information that the obliged entity may consider relevant.
Therefore, we propose the following wording for the introductory part in Art. 29(a) of the draft RTS on CDD:
“a. Screen through automated screening tools or solutions, or a combination of automated screening tools and manual checks, unless the size, business model, complexity or nature of the business of the obliged entity allows for manual checks only, the following information where appropriate:”
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
No comment.
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
No comment.
Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.
The following further elements could be taken into account under the list of indicators:
- whether the breach was caused by the obliged entity itself or a third party;
- whether the obliged entity took appropriate / reasonable steps to define mitigation measures / controls;
- whether the breach related only to entity’s own AML/CFT procedures and policies or whether it also led to the breach of applicable regulatory obligations.
Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.
The criteria to be taken into account for certain notions used in this article should be defined/harmonized, such as:
- qualification of the impact (minor / moderate / significant / very significant);
- duration of the breach (short vs. significant period of time).
Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.
With respect to Article 4(2), the level of pecuniary sanctions should decrease in equivalent amount to take into account the amounts already invested by the obliged entity to remedy the identified / sanctioned breach.
With respect to Article 4(4), pecuniary sanctions on natural persons which are not themselves obliged entities (e.g. board members, conducting officers… of an obliged entity) should be limited to cases where it may be demonstrated that the individual conduct of such natural persons had a direct impact on the identified / sanctioned breach. Please further refer to the developments under question 4 below with respect to the compliance staff.
Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.
We are concerned about the implication that compliance professionals could be held personally responsible for breaches occurring in the organization. While the role of compliance functions is undeniably critical, it is important to recognize that responsibility for regulatory breaches does not rest solely with compliance officers.
Compliance staff often serve in advisory roles without final decision-making power. Holding second-line functions personally liable - without executive powers – might be disproportionate. Staff in the second line of defense provide oversight and advice. They do not have executive power over business lines, nor are they the final decision-makers. Holding them personally liable for breaches caused by failures in the first line or senior management is disproportionate. Moreover, there is a risk that institutions could shift blame onto individual compliance officers as a defensive tactic, especially in high-profile cases.
Hence the proposed regime might undermine the internationally and EBA (paragraph 31 EBA GL/2022/05) recognized “three lines of defense” model. The second line (compliance, risk) is designed to monitor and advise. Assigning liability to these functions distorts governance principles and weakens accountability in the first line and senior management.
In line with the principles of company law, particularly the principle of collegial responsibility of the management body, accountability for decisions and oversight should be shared among the members of the management body collectively. Under the principles of civil law, and in line with the concept of collegial responsibility of the management body, liability for institutional failings must rest with the collective governing body, not with individual staff members acting within their defined responsibilities and without decision-making authority. It follows that the liability should not rest with individual staff members.
Furthermore, compliance professionals, particularly MLROs, already operate under significant pressure and face substantial personal liability under existing AML frameworks. In several EU jurisdictions, MLROs are subject to administrative, civil, and even criminal sanctions in the event of serious failings—despite often lacking the authority to enforce decisions or allocate resources. The threat of further personal penalties risks undermining the attractiveness of these critical roles and may deter experienced professionals from taking them on.
The attribution of individual liability to compliance professionals for failures that may originate from broader organizational or strategic decisions risks misrepresenting the nature of their role. Furthermore, assigning personal liability to individuals who lack control over final decisions is inappropriate and potentially harmful. The threat of individual sanctions, in a context where decision-making is collective, could undermine the attractiveness of these positions and weaken the overall effectiveness of the compliance function. The increased personal risk associated with compliance roles could lead to talent drain, as experienced professionals either leave the sector or avoid such roles altogether. This can lead to a shortage of qualified staff across the EU financial system. As a consequence, this will lead most likely to a weakening of the compliance function and increasing systemic risk rather than reducing it.
Imposing personal liability on compliance staff risks blurring the lines between supervisory oversight and operational management. It would represent a shift from regulating institutions to regulating individuals within specific functions, which might exceed the intended scope of the regulatory framework. A strong compliance culture is better supported by clear institutional accountability, adequate resourcing, and effective governance structures - not by imposing personal penalties on individual staff.
In any case, should the EBA still decide to introduce individual sanctions, we are of the view that the financial strength of the natural person, including where applicable the annual income (fixed and variable remuneration), should not be taken into account to set the level of pecuniary sanctions. The EBA or AML/CFT supervisors do not in fact have the authority to request and obtain such a type of personal information.
5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?
The proposed administrative measures will significantly impact an obliged entity's operations. In particular, the withdrawal or suspension of an authorisation and restriction or limitation of business operations or network will have significant implications for the obliged entity, which might not be possible to reverse once full compliance with AML/CFT obligations is restored.
Therefore, we believe that these measures should be reserved for the most significant breaches i.e. classified under category four.
5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?
Please see our response to question 5a above.
5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?
No comment.
Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.
No comment.
Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.
Please see our response to question 4.
Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?
No comment.
Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?
No comment.