Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates


Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

BIPAR supports the objective of the proposed approach, which is to allow for the much-needed AML/CFT supervisory convergence at EU level, and welcomes the fact that the assessment and classification of the quality of AML/CFT controls put in place by obliged entities (Article 3) is based upon control points defined by the RTS in its Annex 1.

However, BIPAR believes that some of the proposed provisions go against the simplification process initiated by the current European Commission. The methodology for supervisors to assess and classify the quality of AML controls appears to be overly complex (e.g. Article 2 of the RTS on the assessment of the inherent and residual risk profile of obliged entities under Article 40(2) of the AMLD).

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

 

BIPAR supports the EBA proposal to ask supervisors to limit the data they will collect from obliged entities to that which is strictly necessary for entity-level ML/TF risk assessment purposes, as this represents significant costs for the entities, and in particular for SME intermediaries.

For credit intermediaries and for many insurance/financial intermediaries, mostly SMEs, providing the requested data points to their respective supervisors will be a first. It will mean setting up new IT infrastructure to report data that they had not previously reported. It will trigger significant costs in the near, medium and long term, costs that will be very difficult for SMEs to cover. BIPAR therefore does not agree with the conclusion of the draft cost-benefit analysis/impact assessment for the RTS under Article 40(2). The main impact in terms of costs will not be only on supervisors; it will also be on obliged entities, and in particular on obliged entities like SME intermediaries.

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

The proposed Article 5 does not take the principle of proportionality sufficiently into account:

The frequency at which risk profiles should be reviewed should be more proportionate to the size and nature of the obliged entities. We believe that the criterion of 5 full-time equivalent employees is too low, in particular when applied to insurance intermediaries, who are mainly SMEs.

We do not agree with the explanations provided in the impact assessment, and we believe that a criterion regarding the level of ML/TF risk is missing. Why would small or medium intermediaries acting in life insurance with low risk be assessed? This would divert supervisory resources and attention away from other higher-risk areas.

Besides, the time given for the first assessment to take place, 9 months after the date of entry into force of the Regulation, is much too short and not realistic, in particular for SMEs, like credit intermediaries, which have never reported before.

BIPAR therefore proposes the following drafting for Article 5:

Article 5 – Timelines and updates of the assessment and classification of the inherent and residual risk profile of obliged entities

1. Supervisors shall carry out the first assessment and classification of the inherent and residual risk profile of obliged entities pursuant to Articles 2, 3 and 4 of this Regulation at the latest twenty-four (24) months [replacing: nine (9) months] after the date of entry into force of this Regulation.

1a. By way of derogation from paragraph 1 above, supervisors shall not have to assess and classify the inherent and residual risk profile of obliged entities with fewer than or equal to fifty (50) full-time employees, exercising an activity as referred to in Article 2, paragraph 1, point 6(c), of Regulation (EU) 2024/1624. Random and non-compulsory surveys could be sent every 3 years to these entities.

Lastly, we believe that, in order to introduce more proportionality into Article 5, the draft RTS should give obliged entities the possibility to save and reuse data that does not need to be updated and that was used to respond to previous data point collections by supervisors. This possibility exists in some countries like Belgium and is very useful and helpful for SME obliged entities.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

(see also above) 

BIPAR believes that an additional criterion for the frequency of the review could be the level of ML/TF risk of the obliged entity.

This should mean that, where the exposure to ML/TF risks is low, the frequency of the AML supervision should be lowered accordingly. Also, some financial activities/transactions are examined for compliance more than once at different stages of the process. The option to distribute/divide the AML activities between the various operators in a chain should be maintained (or even encouraged).

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

The materiality of the activities exercised under the freedom to provide services by insurance intermediaries may be difficult to assess, as there is no clear definition in EU texts of what triggers these activities.

The IDD itself does not specify the “triggering element” of FOS, i.e. when (and in which Member State) an intermediary is deemed to be pursuing insurance distribution activity on an FOS basis. Absent any Court of Justice precedents or a legal definition in the IDD, EIOPA’s understanding of the FOS concept in insurance distribution provides today the only authoritative clarification of when and where an intermediary is carrying out cross-border business under FOS (September 2018 Decision of EIOPA’s Board of Supervisors on the cooperation of national competent authorities with regard to the IDD).

The term “customer” is not defined in the draft RTS. Which persons does the RTS intend to cover? In order to ensure legal clarity, the term “customer” should be defined, or a reference to the EU directive where it is defined should be included.

In any case, it should be clarified that the term customer here does not mean natural persons who are acting for purposes other than their trade, business or profession.

The thresholds referred to in paragraph b) of Article 1.1 apply to very different activities of very different obliged entities (e.g. intermediaries, insurers, etc.) and should be amended in order to better reflect this reality.

BIPAR believes that for intermediaries, b) should read as follows:

“the total value in Euro of commissions/fees collected/received from customers referred to under the letter a) is above 50,000,000”.

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

(see response to question 1) 

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

BIPAR welcomes the opportunity to provide feedback on the regulatory technical standards (RTS) proposed by the EBA in the context of its response to the European Commission’s Call for advice on new AMLA mandates.

BIPAR and its member associations across the EU welcome and support EU rules to prevent the insurance sector from being used for money laundering or terrorism financing.

BIPAR welcomes that the scope of the new EU AML/CFT framework excludes (and should continue to exclude) the non-life insurance sector. The risk of ML/TF in the life sector, which is heavily regulated and unattractive for money launderers because of long-term policies, is already very low. Nevertheless, BIPAR understands that the life sector should be protected against ML/TF even when the risk is very low. However, for the non-life sector, the risk of misusing a non-life policy, which pays out only in the case of proven damage, is non-existent.

The new EU AML/CFT framework covers insurance intermediaries who act “with respect to life insurance and other investment-related insurance services”. Therefore, its RTS and their application in national law should not apply to non-life insurance intermediaries. They are drafted accordingly.

BIPAR endorses the EBA's objective to have its work on the RTS guided by the principles of proportionality and effectivity. It is essential that the RTS take into account the differences in AML/CTF risk exposure undertaken by various obliged entities. However, BIPAR is concerned that some of the proposed provisions do not appear to follow these principles. They will complicate the regulatory framework applicable to intermediaries and they will be burdensome for no particular reason. It is important to remember here that, according to the March 2021 EBA Opinion on “ML/TF risks affecting the European Union’s financial sector”, the sector of life insurance intermediaries is considered as presenting less significant exposure to ML/TF inherent risks.

Member States and the RTS should continue to consider the differences between sectors and specific products within the financial services sector and the range of different actors carrying out activities within the same sector. This way, implementation of the (new) AML rules will be promoted, and they will not end up being just an administrative burden and extra costs for the obliged entities, particularly for small and medium intermediaries.

In summary, the key BIPAR messages in relation to the EBA proposed RTS are the following:

  • The risk-based approach and the proportionality principle should apply to the greatest possible extent in order to take account of the size, nature, complexity and risk of the activities in question.
  • The RTS should not introduce new requirements that are not in the level 1 text.
  • Double work should be avoided, and it should be possible to distribute AML work between parties in the same chain (such as a life insurance intermediary and a life insurance company).
  • AML Supervisory Authorities should be careful not to follow a “one size fits all” approach and to integrate proportionality in their supervision. The various business models of obliged entities and their different levels of exposure to ML/TF risks should be taken into account by EU and national supervisory authorities.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

BIPAR believes that the requirements in the draft RTS are too complex to comply with. The provisions of Article 6 would be difficult, if not impossible, for SME intermediaries to comply with.

For example, the use of electronic identification means which meet the eIDAS requirements is required. §2 of Article 6 states that if this solution is not available, obliged entities shall acquire the customer’s identity document using remote solutions that meet very precise conditions set out in paragraphs 3 to 6. .c) is for example simply not realistic and workable for SMEs. They would trigger disproportionate costs.

BIPAR believes that these conditions will discourage intermediaries, in particular SMEs, from using distance selling or marketing. They won’t be able to comply with the new rules and this situation will create a distortion of competition. A more proportionate approach with realistic requirements is needed and should be adopted.

BIPAR believes that the requirements set out in § 4 to 6 of Art. 6 go beyond what is provided for in Level I (Art.22-6 of Regulation 2024/1624), which only applies to an identification system that meets the e-IDAS standards and an identity document.

The EBA's existing Guidelines on the issue, as well as existing national measures, provide enough clarity and have introduced appropriate requirements for obliged entities that work well in practice. The EBA's existing guidelines have already introduced the harmonisation of due diligence measures that the draft RTS seeks to achieve.

BIPAR suggests deleting paragraphs 3 and 4. In any case, for the above reasons, the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available.

BIPAR believes that it should be clarified that this article only applies to customers who are natural persons.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

According to Article 22 (Customer identification data updates in low-risk situations), obliged entities shall take the measures necessary to ensure that they hold up-to-date customer identification data at all times, and that they update the information they hold on customers onboarded before this Regulation applied within 5 years after the application date of this Regulation.

BIPAR believes that in low-risk situations, the update should take place at an event-driven frequency.

Name of the organization

BIPAR