Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

Executive summary

These answers set out the French Banking Federation’s (FBF) collective views on the draft Regulatory Technical Standards (RTSs) issued by the European Banking Authority (EBA) under the new EU Anti-Money Laundering (AML) framework. Drawing on input from major French banking groups, it provides practical insights and targeted feedback.

Answers address four RTSs currently under consultation:

1. Draft RTS under Article 28(1) of the AMLR on Customer Due Diligence
2. Draft RTS on the assessment of the inherent and residual risk profile of obliged entities under Article 40(2) of the AMLD   
3. Draft RTS on the risk assessment for the purpose of selection of credit institutions, financial institutions and groups of credit and financial institutions for direct supervision under Article 12(7) of the AMLAR
4. Draft RTS under Article 53(10) of the AMLD6 on pecuniary sanctions, administrative measures and periodic penalty payments 

Across all areas, FBF supports the aims of harmonization, risk-based supervision, and regulatory clarity. 

However, the answers identify several areas where refinement is needed to reduce operational complexity, address ambiguities, and better align with established industry practices.

FBF recommends targeted changes to ensure that the RTSs:

•           Enable proportional, risk-based implementation reflective of operational realities

•           Foster consistency and comparability across jurisdictions

•           Support data preparedness and phased implementation, particularly for complex risk assessments

•           Enhance legal certainty and supervisory communication

•           Protect EU banking industry’s competitiveness by avoiding excessive technical compliance costs. 
 

• Data point production: 

  The number of data points seems high (156 for Inherent Risk and 112 for Quality of Controls). Out of the 268 identified data points, only 31 are currently required in the questionnaire mandated by the French authority. The significant volume of new data to be produced is substantial and will lead to important costs and operational efforts for obligated entities. At this stage, feasibility remains uncertain for more than half of these data points. Approximately 30 data points currently appear to be too complex to collect for certain obligated entities. The current test exercise on data points launched in May by national supervisor will allow to identify/confirm the ones that obliged entities will not be able to provide on due time. Therefore, we suggest, for the first data collection exercise, to limit the data points campaign to the ones that can be provided and to complete the list for the next risk assessment exercise.

In any case, sufficient time will be required for IT developments to process and produce the necessary data. The precise definition of certain data points will only become clear after the publication of the interpretative note and national legislative transposition work, leaving financial institutions with little time to implement the necessary IT developments. It is important to note that a timeframe of 1.5 to 2 years may be required to ensure reliable data collection. 

Methodology: 

• The presentation of the methodology is sometimes difficult to understand due to the lack of definition of some terms. As an example, we would appreciate having definitions of i) data points, ii) risk factor, iii) indicator, and more generally of all the relevant notions specifying the risk assessment methodology. 
   
• When scoring and assigning a weighting to an indicator/risk factor, it is understood that the “exposure” (i.e. value/volume reported) will be used to score the indicator/risk factor and that “the ML/TF sensitivity” of the indicator/risk factor will be used for setting its respective weighting. This would lead to a scoring relying more on a volume-based approach, and where the ML/TF sensibility is only used to weight the indicator/risk factor. Can it be confirmed that the ML/TF sensitivity of the indicator/risk factor is instead reflected in the threshold applicable to value/volume used for scoring the indicator/risk factor? If not, further explanations would be welcome to understand how the risk-based approach is used for the scoring of indicator/risk factor. 
   
• In the calculation of the overall ML/TF Inherent Risk (IR) score, in the RTS draft consultation paper, it is understood that the weighting given to the combined score of each category (Customers, Products Services and Transactions etc.) / sub-category, will be proportionate to the score obtained to the category  i.e. the higher the score/risk of the category, the higher the weighting of the category is in the calculation of the overall ML/TF IR score. 
  We would welcome to know the reasons which have led to adopt this dynamic approach in setting the weighting and not relying on predefined weighting as defined in the Wolfsberg approach (the Wolfsberg Frequently Asked Questions on Risk Assessments for Money Laundering, Sanctions and Bribery & Corruption” 2015), assuming that a category (e.g. customers) in itself may have a stronger impact/influence when assessing a ML/TF IR risk?  
   
• We note that a 5-level weighting scale will be used, proportionate to the risk significance of the indicator (i.e. the higher the ML/TF sensitivity/risk of the indicator, the higher the weighting is). Given that the ML-TF Inherent Risk (IR) is scored according to a 4-level scale and that it is understood that the ML/TF IR reflects in the end a ML/TF sensitivity/risk, to which degree of ML/TF risk corresponds this 5th level when setting the weighting? (given 1=Low, 2=Medium, 3= Substantial, 4=High) Why the 4-level scale used for scoring the IR has not been considered, and why a more granular approach shall be used for the weighting of the residual risk? 
   
• We note that the geographical risk linked to transactions is assessed through the customer, the transactions & products and the geographical categories. We do not understand why these data are not assessed through the transaction category and would like to get clarification on the methodology followed so that to avoid duplication. 
   
• The data's categories do not appear proportionate: too many products/services and transactions' data and few data on other risks' categories. Will the weighting be proportionate with the quantity of data in each category? If data points are unavailable: will a tolerance be applied? Are they mandatory and optional data? If data points don't concern an obliged entity, the possibility of the choice N/A should be provided in the data points. Concerning the data points on AML/CFT controls: too much metric data to the detriment of data relating to the evaluation of the framework, including in particular the quality of the framework, which could favor the score. 
   
• The possibility of adjustment by national supervisors on inherent risks and quality of controls' scores creates a risk of subjectivity in relation to a methodology based on objective data. Considerations that may lead to an adjustment are subject to interpretation. Risk of unequal treatment between obliged Entities depending on the severity of the national supervisors even though the AML Package was designed with the aim of harmonization. A quick position of supervisors is expected on the discretion given to them on data collection. The weights of risk indicators are not provided.  

However, the entity selected by AMLA will have to be aware of the weighting of these risk indicators in order to be able to position itself in relation to the other obliged entities. The selection by AMLA and the publication of this selection constitutes a form of "name and shame" for the selected entity and may have consequences: 

• With its financial counterparties (which will require the entity to justify its AML/CFT arrangements); 

• With the regulator to make the necessary improvements to its AML/CFT framework. 

  This approach leads to a lack of clarity for obliged entities. In particular if the internal risk assessments are to be modeled on this evaluation to reduce the burden.  

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

We agree on the proposed residual risk calculation (Residual risk = Inherent risk - Control effectiveness). And we agree with the proposed approach whereby the residual risk can be lower but never be higher than the inherent risk.  

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

Should the EBA be interested in our full gap analysis, we can provide it separately in an excel format. It is important to note that the study, based a selection of obliged entities, highlights different situations. So, the capacity to produce data, and the timeframe to produce it, may vary from one entity to another. As mentioned above, the current test exercise on data points launched in May by national supervisor will allow to identify/confirm the ones that obliged entities will not be able to provide on due time.

Impacts are currently difficult to assess, as assessment is still ongoing for many entities, but are expected given the many new data points currently not available and the difficulties expected (please see below). In addition, clarifications would be needed to ensure a harmonised appreciation of the information to provide, which may change the availability or non-availability of the data.

Currently, the listed data points in the Annex I could be separated in 4 categories: 

• Data available:
  1. For all French banks (31 data points of the annex 1 are already requested by the French supervisor),
  2. For some French banks (depending on internal reporting processes),
• Data non available:
  3. Existing data that is not currently produced, so it could be provided in mid- or long-term depending on IT works to produce it.
  4. For which some obliged entities currently identify major difficulties to provide it and might not be in a position to produce (30 data points please see question 3b).
  5. Which are currently still under assessment to determine whether it could be produced or not. And if so, under which timeframe. (more than 200 data points, please see question 3b)

We would appreciate also clarifications regarding the following points: 

• In the introduction to Section 1-A on inherent risk :
  1. we note that “(1) The data points in this annex are not the same as the indicators supervisors will use to calculate the ML/TF risk of each financial institution.” We therefore question the reasons why supervisors continue to use different indicators to assess inherent risk related to AML/CFT.

  2. Related to the interpretative note mentioned point 2), we would also like to remind that time will be needed for IT developments to adjust and produce the data.

     Furthermore, the definition of certain data points will only be fully established after the publication of this interpretative note, leaving financial institutions with limited time to implement the necessary IT developments.

• In the section 1-A on inherent risk:
  1. Number of PEPs related business relationships (including family members and close associates) by country: at this stage, we anticipate the production of this data by country would be heavy to produce.
  2. Number of legal entities with complex structure: we need to revise the definition of complex structure and this data being currently not produced, we anticipate difficulties to provide the expected data point in the 2027 exercise (on 2026 data).
  3. Number of customers with high-risk activities: it is unclear whether these high-risk activities are to be defined by the obliged entity or if AMLA will provide a list of these activities. Should the AMLA publish this list for harmonization purposes across the EU, it will be necessary to wait for the AMLA list to start working on data production. In the meantime, the data could be collected based on a list of high-risk activities defined by each financial institution.
  4. Number of customers with cross border transactions involving non-EEA countries: we understand only wire transfers related information is to be produced.
  5. Number of walk-in customers: we understand it as persons performing occasional transactions.
  6. Number of customers with requests from FIU whose matter or nature of the request is linked with AML/CFT: we would like to limit the production of data to requests related with High-Risk clients.
  7. Number of payment accounts: we consider this data should be limited to payment accounts and not deposit accounts and would appreciate a confirmation.
  8. Payment accounts, we noticed Tables A and B appear to use two different wordings in relation to payment flows: Incoming transactions / flows (table A) / inbound transfer (table B), and Outgoing transaction / flows (table A) / outbound transfer (table B). The wording should be harmonized in order to avoid confusion.
  9. "Prepaid Card" is not defined in the AMLR. Therefore, this section should clarify which products it covers (and how this section interacts with the section relating to electronic money). In particular, does this refer exclusively to card-based supports, or does it also include other physical material supports?
  10. Total Number and Value (EUR) of loan repayments during the previous year: Should all scheduled repayments be included, along with early repayments?
  11. Total Number and Value (EUR) of prematurely repaid loans during the previous year: Should the reporting include only total repayments, or should partial repayments also be considered?
  12. Total Number and Value (EUR) of loan repayments from non-EEA countries during the previous year: it is complex to isolate the country for certain institutions.
  13. Total Value (EUR) of factoring contracts granted to obligors established in non-EEA countries during the previous year: Clarification is needed on who exactly is referred to by "obligators".
  14. Life insurance contracts: Regarding life insurance in France, distributors within the group network do not respond when the Group has already provided a response.

  15. Currency Exchange (involving cash): it should be clarified:

      - what is exactly meant by sell or buy, 

      - if only customer related transactions are to be considered, 

      - are transactions on own account included, 

      - should payments with fx conversion be included.

  16. Invest. Services and Activities, Management of UCITS & AIFs: we would appreciate a definition of a retail client (MIF or not), and of professional client.
  17. Number of customers for which customer holding total assets with a value of at least EUR 5 000 000: we can provide this data for assets under custody. We would like confirmation that it is indeed the data expected.
  18. Money remittance: Are these data points applicable only for MSBs' activities?
  19. Total Number of customers (NP) that fall under the definition of private banking (RFGLs): definition of Private banking is not standardised and may vary from one bank to another. Thresholds will be appreciated.
  20. Total Number of customers (NP) with total assets over a value of at least EUR 50,000,000: guidelines will be necessary as soon as possible to define the measures to be taken to establish wither a customer holds assets with a value of at least EUR 50M.
  21. Correspond services: Is correspondent services definition the same as correspondent relationship in AMLR art. 2 (22)?
  22. Total Value (EUR) of transactions going through payable through accounts in the previous year (incoming): While there are limited references to "payable-through accounts" in the AMLR, there is no definition associated to it. A definition should be given in order for supervisor to get data that enable comparability between obliged entities (i.e. definition by the FATF : "correspondent accounts that are used directly by third parties to transact business on their own behalf"
  23. Total Value (EUR) of transactions going through nested accounts in the previous year (incoming): "Nested accounts" is neither defined nor mentioned in the AMLR. A definition should be given in order for supervisor to get data that enable comparability between obliged entities (i.e. BCBS Guidelines on Sound management of risks related to ML-FT : “Nested correspondent banking refers to the use of a bank’s correspondent relationship by a number of respondent banks through their relationships with the bank’s direct respondent bank to conduct transactions and obtain access to other financial services.”
  24. TCSP services: "TCSP" are neither defined nor mentioned in the AMLR. A definition should be given in order for supervisor to get data that enable comparability between obliged entities (i.e. FATF definition: providers of trust and company services, to the exclusion of financial institutions, lawyers, notaries, other independent legal professionals and accountants);
  25. Number of professional investor customers: The term "professional" needs further clarification. Does the scope of application refer exclusively to security services activities, or does it extend to other sectors as well?
  26. Number of cash transactions in the previous year (withdrawals): We wish to limit the transmitted data to payment deposit accounts, excluding financial institutions.
  27. Geographies: The scope of transactions should be limited to cross-border transfers, excluding cards, checks, and other payment methods: it should be clarified whether all branches and subsidiaries should be included in the calculation (regardless of their activities) or only branches and subsidiaries carrying out regulated activities. Could the last data point be rephrased as "parent undertaking" whis is the defined term in the AMLR (instead of "the entities owner" and "parent company")?
• Regarding 1-B:
  1. 1B: Internal controls and Reporting systems: could the notion of deficiency be defined?
  2. 1C: data is currently not available for CDD and training.
  3. 1C: is intragroup outsourcing included in outsourced AML/CFT tasks?

  4. 1D: The term "Dedicated compliance staff" should be precisely defined to ensure supervisors receive data that enables comparability among obliged entities.

     Does it refer exclusively to specialists in the second line of defense (i.e., the compliance function), or does it also include staff exposed to ML/TF risks, such as sales teams and first-line employees? → Based on our understanding, it applies only to second-line defense personnel.

     Does it include only permanent staff, or should seconded employees, interns, and other temporary personnel also be considered?

  5. 1D: could the difference between compliance staff and compliance officers be clarified? We would like clarification on the objectives thought.
  6. 1E: Does "a) AML specialist" refer to the same category as "AML/CFT compliance staff" mentioned in a previous data point? We understand it as the same topic and would also appreciate clarification whether it includes Sanctions staff.
  7. 1F and below: what is the meaning and rationale of “N/A (no automated score)”?
  8. IG and 2A: does the Business-wide risk assessment refer to the Internal Risk Assessment performed by the entity / group or to the Risk classification ?
  9. 2 B: This concept seems not to refer to a defined term in the AMLR (as it is a different concept from the business-wide risk assessment - BWRA). It should be clarified whether the CRA refers to (i) customers' related risk factors or (ii) the internal risk scoring attributed to customers by obliged entities. 2 B a: Does it refer to the risk assessment or the determination of ML/TF risk profile of customers in a business relationship?

  10. 3E: Does this refer exclusively to EU sanctions lists, or does it also extend to other international sanctions frameworks?
      The two AML/CFT risk assessment methodologies—one for supervisors in general and another for the selection of banks under AMLA's direct supervision—are based on scoring indicators related to inherent risk and control framework quality, as outlined in Annex I-A and I-B of the consultation document.
      While Sections 4.1 and 4.2 provide a standard rating methodology, our comments focus on the annexes, where we note a limited presence of indicators related to targeted financial sanctions ("TFS"). This topic is mostly addressed indirectly, alongside other AML/CFT themes—through indicators related to geographies (Section I-A on inherent risk), procedures, outsourcing, and risk assessment (Section I-B on the control framework).
      A notable exception is Indicator 3E, which quantifies the delay between the publication of a TFS and its implementation in an institution's screening tools, measured in hours:

      • Average number of hours between the publication of the TFS by authorities and the implementation of the changes in screening tools
      • Maximum number of hours between the publication of the TFS by authorities and implementation in screening tools

      Switching to an hour-based calculation aligns with the "immediate verification" principle introduced in the IP regulation and the "immediate investigation of alerts" standard set by EBA in its new restrictive measures compliance guidelines. Depending on how supervisors weight this indicator, it may carry significant implications.

      At the very least, the delay should be measured from the TFS effective date, rather than the publication date, to account for cases where enforcement starts a day later than the publication date.

  11. 4D: Precisions should be provided on the perimeter that should be considered for this data point : EU obliged entites or the all group entities? This data point is unclear about the type of "reports" to be taken into account (does this term refer to reports issued as a result of ongoing monitoring, inspections/audits, information regarding changes in group entities AML arrangements, etc.?). 
      We understand audit reviews are not covered by the second data point of this section, only compliance reviews are. 
      In the last data point, we wonder why a distinction made between EU/EEA entities and Non EU/EEA entities for this data when it is not made for previous data. 

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

Regarding data non available, please find the details of: 

I. Data for which some obliged entities currently identify major difficulties to provide it and might not be in a position to produce.

II. Data which are currently still under assessment to determine whether it could be produced or not. And if so, under which timeframe. 

I. For 30 data points, data is not available and some obliged entities currently anticipate major difficulties to provide this data and might not be in a position to produce (point 5): 

Number of occasional transactions carried by walk in customers;

Total Number of re-issued IBANs;

Total Number of re-issued IBANs where the end-user is not a customer of the obliged entity;

Total Number and Value (EUR) of outstanding asset backed loans with cash collateral (We are experiencing particular difficulty in identifying the operations concerned.);

Total Number and Value (EUR) of loan repayments during the previous year;

Total Number and Value (EUR) of prematurely repaid loans during the previous year;

Total Number and Value (EUR) of loan repayments from non-EEA countries during the  previous year;

Total Number and Value (EUR) of consumer loans granted during the previous year that are  not associated to the acquisition of any product/service;

% of amounts of orders transmitted involving unlisted financial instruments, other than financial instruments issued by the obliged entity or its group (We do not have this information, and implementing such reporting would be both difficult and costly. For certain cases, the data will not be collectible) 

% of assets under custody for which the obliged entity does not have a direct business relationship with the final investor (We do not have this information, and implementing such reporting would be both difficult and costly. For certain cases, the data will not be collectible);

Number of AML/CFT regulated customers outside the EEA;

Total Number of trade finance transactions in the previous year (incoming);

Total Number of trade finance transactions in the previous year (outgoing);

Total Value (EUR) of trade finance transactions in the previous year (outgoing);

Number of e-money transactions in the previous year (incoming);

Total Number of natural persons totalling cash transactions over 20 000 EUR during the previous year;

Number of incoming transactions in the previous year by country;

Total value (EUR) of incoming transactions in the previous year by country;

Number of outgoing transactions in the previous year by country;

Total value (EUR) of outgoing transactions in the previous year by country;

Total value (EUR) of entity's investment undertakings (CIUs) by country;

Total value (EUR) of all assets by country (for IFs and AMCs);

Number of new customers onboarded in the previous year by third parties;

Number of new customers onboarded in the previous year by third parties not directly subject to AML/CFT supervision;

Number of Compliance Officers appointed over the last 5 years or since the entity's authorisation, if the authorisation was granted less than 5 years ago;

Number of customers that are legal entities /trusts whose beneficial owners have not been identified (Data point that should be considered for entities undergoing remediation. Otherwise, it seems at this stage that this data point would not be available);

Number of customers without identification and verification documentation/ information (Data point that should be considered for entities undergoing remediation. Otherwise, it seems at this stage that this data point would not be available. Moreover, this data seems rather applicable to the inherent risk);

Number of customers with incomplete identification and verification documentation/ information (Data point that should be considered for entities undergoing remediation. Otherwise, it seems at this stage that this data point would not be available. Moreover, this data seems rather applicable to the inherent risk; 

Number of customers for whom no information on the purpose and intended nature of the business relationship has been obtained (excluding customers with whom the obliged entity does not have a business relationship) (At this stage, we doubt that this information can be reliably reported.

Regarding customers with whom the obliged entity does not have a business relationship. Does this refer specifically to occasional clients or does it also include prospects?

We understand that prospects are not meant to be considered, but further clarification—along with concrete examples—would be helpful for a clearer interpretation.);

Number of customers, who are natural persons, for whom all identification details (name/ dob, nationality, tax number) are entered in the institution's database (The use of a tax number as an element of identification should indeed be carefully assessed. While it is included in identity documents in some countries, this is not the case in France. Additionally, certain categories of clients—such as minors—do not have a tax number, which raises concerns about its universal applicability for identification purposes.);

II. Currently, the availability of the following data points is uncertain for somes entities, which are still assessing whether suc data  could be provided and, if so, under which timeframe : 

Number of customers with high risk activities

Number of occasional transactions carried by walk in customers

Total Number of master accounts with linked vIBANS

Number of transactions on Virtual IBANs (incoming) in the previous year

Total Value (EUR) of transactions on Virtual IBANs (incoming) in the previous year

Number of transactions on Virtual IBANs (outgoing) in the previous year

Total Number of Prepaid Cards issued during the previous year

Total Value (EUR) of the issued prepaid cards during the previous year

Total Value (EUR) outstanding on prepaid cards issued during the previous year

Total number of customers using prepaid cards

Total number of customers using prepaid cards with more than 3 prepaid cards

Total Number and Value (EUR) of outstanding loans

Total Number and Value (EUR) of loans granted during the previous year

Total Number and Value (EUR) of outstanding asset backed loans with cash collateral

Total Number and Value (EUR) of loan repayments during the previous year

Total Number and Value (EUR) of prematurely repaid loans during the previous year

Total Number and Value (EUR) of loan repayments from non-EEA countries during the  previous year

Total Number and Value (EUR) of consumer loans granted during the previous year that are  not associated to the acquisition of any product/service

Total Number of factoring contracts granted in the previous year

Total Value (EUR) of factoring contracts granted during the previous year

Total Value (EUR) of factoring contracts granted to obligors established in non-EEA countries during the previous year

Total amount of gross written premiums in the previous year (incoming)

Total of amount (EUR) of surrender value of the insurance contracts at the end of the previous year

% of all gross written premium (amount) paid directly to the life insurance broker in the previous year

% of contracts (amount) that are not used for low risk contracts

Number of currency exchange transactions carried out during the previous year (sell)

Number of currency exchange transactions carried out during the previous year (buy)

Number of currency exchange transactions carried out during the previous year, where the transaction is above 1000 euros (sell)

Number of currency exchange transactions carried out during the previous year, where the transaction is above 1000 euros (buy)

Total Value (EUR) of currency exchange transactions carried out during the previous year (sell)

Total Value (EUR) of currency exchange transactions carried out during the previous year (buy)

Value (EUR) of currency exchange transactions cash-to-cash carried out during the previous year

Number of retail clients

Number of professional clients

% of amounts of orders transmitted involving unlisted financial instruments, other than financial instruments issued by the obliged entity or its group 

Number of AML/CFT regulated customers outside the EEA

Number of retail clients

Number of professional clients

% of assets under custody for which the obliged entity does not have a direct business relationship with the final investor

Number of AML/CFT regulated customers outside the EEA

Number of retail clients

Number of professional clients

Total assets under management

Number of customers for which customer holding total assets with a value of at least EUR 5 000 000

Total Number of money remittance payments in the previous year (incoming)

Total Number of money remittance payments in the previous year (outgoing)

Total Value (EUR) of remittance payments in the previous year (incoming)

Total Value (EUR) of remittance payments in the previous year (outgoing)

Total Number of money remittance transactions above 1000 euro in the previous year (incoming)

Total Number of money remittance transactions above 1000 euro in the previous year (outgoing)

Total Number of customers (NP) with total assets under management over a value of at least EUR 5,000,000

Total Value (EUR) of transactions executed on behalf of the respondent client in the previous year (incoming)

Total Value (EUR) of transactions going through payable through accounts in the previous year (incoming)

Total Value (EUR) of transactions going through payable through accounts in the previous year (outgoing)

Total Value (EUR) of transactions going through nested accounts in the previous year (incoming)

Total Value (EUR) of transactions going through nested accounts in the previous year (outgoing)

Total Number of trade finance customers

Total Number of trade finance transactions in the previous year (incoming)

Total Number of trade finance transactions in the previous year (outgoing)

Total Value (EUR) of trade finance transactions in the previous year (incoming)

Total Value (EUR) of trade finance transactions in the previous year (outgoing)

Number of e-money transactions in the previous year (incoming)

Number of e-money transactions in the previous year (outgoing)

Total Value (EUR) of e-money transactions in the previous year (incoming)

Total Value (EUR) of e-money transactions in the previous year (outgoing)

Total Number of e-money transactions by non-identified customers in the previous year 

Value (EUR) of e-money transactions by non-identified customers in the previous year

Total Number of legal entity customers using TCSP services in the previous year

Number of retail investor customers

Number of professional investor customers 

Total assets under management

Total assets under management in unlisted financial instruments

Number of open-ended funds

Number of closed-ended funds

Total assets under management

Total assets under management in unlisted financial instruments

Assets other than financial instruments as defined in section C of annex 1 of MIFID

Total Number of customers using safe deposit boxes

Total Value (EUR) of funding projects in the previous year

Total Number of projects being funded in the previous year

Total Number of donors from high-risk countries

Total Number of projects where the owner is from a high-risk country

Total Number of projects funded for philanthropic purposes in the previous year

Number of cash transactions in the previous year (withdrawals)

Number of cash transactions in the previous year (deposits)

Total Value (EUR) of cash transactions in the previous year (withdrawals)

Total Value (EUR) of cash transactions in the previous year (deposits)

Number of incoming transactions in the previous year by country

Total value (EUR) of incoming transactions in the previous year by country

Number of outgoing transactions in the previous year by country

Total value (EUR) of outgoing transactions in the previous year by country

Total value (EUR) of entity's investment undertakings (CIUs) by country

Number of investors by country (for AMCs) 

Total value of investments (EUR) by country (for AMCs)

Number of institutions established in foreign countries to whom you provide correspondent services (by country)

Total value of incoming funds moved on behalf of the respondent's clients by country of respondent's establishment

Total value of outgoing funds moved on behalf of the respondent's clients by country of respondent's establishment

Number of branches by country

Number of subsidiaries by country

Country where the entities owner is located (parent company)

Number of new customers onboarded in the previous year by third parties

Number of new customers onboarded in the previous year by third parties not directly subject to AML/CFT supervision

Number of agents by country

Number of distributors by country

Total value of gross written premiums through insurance contracts issued through brokers, broken down by country the brokers are established

Number of white labelling partners by country of establishment

Date when the reports on the following AML/CFT aspects have been submitted to the senior management in the last calendar year:
a) the areas where the operation of AML/CFT controls should be implemented or improved and suggested improvements; 
b) compliance monitoring actions and a plan of activities of AML/CFT compliance officer;
c) a progress report of any significant remedial programmes;
d) adequacy of the human and technical resources in the AML/CFT compliance function;
e) the main findings of the business-wide ML/TF risk assessment;
f) changes in the methodology for assessing customer risk profiles; 
g) the classification of customers by risk category;
h) statistical data on unusual and suspicious transactions;
i) AML/CFT related findings of internal and external audits;
j) AML/CFT training activities and plan.

Number of deficiencies pending at the end of the calendar year? Of which: 
a) number of deficiencies with high criticality
b) number of deficiencies for which remediation is exceeding the initial timeline by more than 6 months
c) number of critical deficiencies for which remediation is exceeding the initial timeline by more than 6 months

% of outsourced AML/CFT tasks that are covered by a written agreement governing the outsourced relationship

Number of Compliance Officers appointed over the last 5 years or since the entity's authorisation, if the authorisation wasgranted less than 5 years ago

Average number of hours of AML training in the last calendar year attended by (per person):
a) AML specialist staff 
b) non-AML specialist staff (including management, 1st line of defence)
c) Board members / non-executive directors

% of staff or trainees for whom at least one training was validated by a test

Dates when the AML/CFT obligations/ controls were last assessed by an internal audit or external expert:
a. Business-wide risk assessment
b. determination of ML/TF risk profile of customers in a business relationship
c. AML/CFT-related awareness-raising and staff training measures
d. Identification and identity verification procedures
e. Policies and procedures for monitoring and analysing business relationships, including transaction monitoring
f. Policies and procedures for suspicious transaction reporting
g. Record keeping policies and procedures
h. Resources dedicated to AML/CFT
i. Organisation of the AML/CFT system, governance and reporting to management bodies.

Exemption applies from having in place the BWRA in accordance with Article 10(3) AMLR

Date when the obliged entity assessed the need to update the BWRA for the last time

Senior management approved the last version of the BWRA (Y/N)

Frequency at which the obliged entity assesses the need to review the BWRA

Date when the obliged entity assessed the need to update the CRA for the last time

Number of customers that are legal entities /trusts whose beneficial owners have not been identified

Number of high-risk customers that are legal entities /trusts whose beneficial ownership has been identified, but the identity of whom has not been verified

Number of customers without identification and verification documentation/ information

Number of customers with incomplete identification and verification documentation/ information 

Number of high-risk customers with missing or incomplete CDD data or information 

Number of customers without ML/TF risk profile (excluding customers with whom the obliged entity does not have a business relationship)

Number of customers for whom no information on the purpose and intended nature of the business relationship has been obtained (excluding customers with whom the obliged entity does not have a business relationship)

Number of customers for whom no information has been obtained on the nature of the customers’ business, or of their employment or occupation (excluding customers with whom the obliged entity does not have a business relationship)

Number of customers (excluding natural persons) for whom beneficial ownership identification details are entered in the institution's database

Number of customers, who are natural persons, for whom all identification details (name/ dob, nationality, tax number) are entered in the institution's database

Number of customers for whom updates of customer information were due in the last calendar year, in accordance with the obliged entity's policies and procedures

Number of customers for whom customer information was reviewed and updated in the last calendar year

If automated system: The system can generate alerts in case of inconsistencies between CDD information relating to the customer and the following elements:
a) Number of transactions
b) Value of aggregated transactions
c) value of single transactions
d) counterparties
e) countries

If automated system: Number of alerts not analysed at the end of the calendar year

If automated system: Average time to analyse an alert in the last calendar year (number of days between issuance of the alert and closing of the alert)

If automated system: Ratio between number of alerts and number of STRs

Average number of hours between the publication of the TFS by the authorities and the implementation of these changes in the institution's screening tools

Maximum number of hours between the publication of the TFS by the authorities and the implementation of these changes in the institution's screening tools

Number of outbound transfers for which requests were received from a counterparty in the transfer chain for information that is missing, incomplete or provided using inadmissible characters in the last calendar year

% of outbound transfers rejected or returned by the counterparty in the transfer chain due to information that is missing, incomplete or provided using inadmissible characters in the last calendar year

Total number of counterparties of outbound and inbound transfers in the last calendar year

% of group entities that provided reports to the Group AML compliance on the following areas in the last calendar year:
a) CDD
b) ongoing monitoring
c) STRs
d) identity and transaction level information on high risk customers 
e) deficiencies

% of jurisdictions in which the group is established covered by reviews (including access to customer and transaction level data) performed by the group AML/CFT compliance function in the last three calendar years. (applies only to groups that have been existing for more than 3 years)

Number of group entities for which deficiencies were identified by competent AML/CFT supervisors in the last calendar year
- EU/EEA entities
- Non-EU/EEA

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

Not applicable to the FBF

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

 We advocate for a single annual assessment, aiming to maximize harmonization so that institutions can share a common language. Should the AMLA exercise not fully replace the national assessment (e.g.: French questionnaire), by so subjecting obliged entities to two different assessments, a triennial frequency will be preferable for the AMLA exercise. Indeed, even once the rules are established, data extraction remains a resource-intensive task, mobilizing personnel who could otherwise be allocated to higher-risk activities. Additionally, the likelihood of significant changes in risk exposure over a three-year period is low. If such changes were to occur, the RTS already provides for updates in case of specific events. 

Regarding the data collection process, we seek confirmation that this exercise will be conducted based on data from the previous calendar year, with a reporting cut-off date of December 31. This is the current widespread practice, and altering the reporting dates would further complicate the process. 

Notably, the first data collection would take place in 2027, based on data from 2026 (January 1 to December 31, 2026). To initiate the necessary IT developments for retrieving this data, finalized versions of the data to be used, along with the full set of associated guidelines, should be available by the end of 2025. This would ensure a clear understanding of the data requirements and scope. If publication is delayed, the 2026 data collection may need to be conducted on a simplified basis, based on available data as mentioned above. 

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

In line with the previous comment, in case national assessments are maintained or partially maintained annually, we would support a provision establishing a triennial periodicity for all obliged entities, with an ad hoc annual assessment in cases of material change, as defined in Article 5, "The assessment and classification of the inherent and residual risk profile of obliged entities." 

Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

We would recommend differentiating based on the country's risk level, taking into account factors such as the FATF rating, rather than between EEA and non-EEA countries. 

The distinction between EEA and non-EEA countries does not always accurately reflect geographical risk. Some EEA countries, such as Bulgaria and Croatia, are classified by the FATF as presenting ML/FT risks. Conversely, not all non-EEA countries should be considered high-risk or necessarily higher-risk. 

Furthermore, Annex 2 of the AMLR, which outlines geographical lower-risk factors, does not differentiate between EEA and non-EEA jurisdictions in this regard. 

We believe it is more relevant to assess transactions involving high-risk countries - namely, those designated in Articles 29, 30, and 31 of the AMLR - separately from transactions with non-high-risk countries. This approach will avoid creating distortions in cross-border operations. 

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

The FBF reiterates its supports to the aims of harmonization, risk-based supervision, and regulatory clarity. Regarding this RTS, our key recommendations are to: 

• Refine AMLA supervision criteria by combining quantitative (e.g., customer volumes, transaction sizes) and qualitative risk indicators. High-risk entities such as fintechs, VASPs, or those active in high-risk jurisdictions should qualify for direct supervision, regardless of size. Transparent communication should mitigate potential reputational impacts.
• Adopt a risk-sensitive approach to profiling frequency. Annual reviews for all entities are excessive; a triennial cycle would be more effective and proportionate, unless an anticipated update is triggered by a material change.
• Clarify Group-wide risk assessment methodology as regards Group entities which are not EU obliged entities.

We believe that AMLA should ensure that its direct supervision applies to a representative sample of obligated entities, particularly in terms of their size. However, the established thresholds are notably high, raising concerns about the potential exclusion of smaller yet high-risk institutions. Indeed, entities with lower volumes have structurally higher exposure to financial crime risk. As an illustration, crypto lending and/or borrowing is being provided in 16 Member States, with many of the identified providers offering those services active in multiple jurisdictions. The size of Decentralized Finance (“DeFi”) lending and borrowing in the EU is approx. EUR 1.8 billion, and for DeFi staking approx. EUR 3.6 billion. EU credit institutions appear to have very limited or no engagement with these activities. (source: 2025 joint EBA-ESMA report on recent developments in crypto-assets). These high thresholds seem to limit the selection to large groups, which do not necessarily have the highest inherent risk levels. On the contrary, such groups have often made significant investments in strengthening their compliance frameworks, resulting in a generally lower residual risk. 

As a consequence, we would recommend to complete the thresholds criteria with additional qualitative risk indicators, such as sectoral exposure or customer typology. 

To consider alternative thresholds, clarification would be required on the methodology used for their determination. In any case, such clarifications would be highly beneficial to ensure a well-informed approach.

The freedom to provide services is inherently characterized by the temporary nature of the activities, distinguishing it from the freedom of establishment. However, Article 1 does not specify a temporality criterion (such as a minimum duration of activity), unlike Article 40, which requires a minimum of one year of activity for assessment. 

There is a possibility for institutions to do "derisking" by using the freedom to provide services, by establishments, using thresholds.  

Furthermore, it is essential to maintain alternative and non-cumulative criteria to enable a broader assessment framework.  

Regarding the thresholds for the free provision of services, the two current thresholds appear excessively high: 20.000 clients or 50 million transactions under LPS. In relation with our previous commentary regarding the need to select entities of various sizes, the criterion consisting in the presence in six different countries seems excessive. 

Practically, these criteria seem to automatically exclude smaller Scandinavian and Mediterranean institutions while primarily favoring establishments in France, Spain, and Germany. 

The selection method should indeed enable at least one institution per country but also ensure diversity in size and preventing the selection of only the largest establishments. 

Setting an appropriate threshold is challenging without a clear understanding of how the current thresholds were determined. By establishing rigid thresholds, there is a risk that institutions may engage in derisking strategies solely to remain below the defined limits. 

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

As detailed in the previous response, we believe it would be prudent to lower these thresholds, as doing so, it would allow AMLA to directly supervise a representative sample of entities, particularly in terms of their size. This adjustment would ensure that supervision is not limited solely to large groups. 

In practice, we understand that the current methodology would exclude smaller Scandinavian and Mediterranean institutions while primarily targeting establishments in France, Spain, and Germany. It does not seem appropriate to disproportionately represent highly regulated countries such as France, nor to exclude medium- and small-sized institutions. 

Particular attention must be given to ensuring the representativity of the European banking sector. 

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

While the objective of simplifying a single threshold is commendable, we believe there is a clear distinction in risk levels between retail customers and institutional customers. We recommend even to distinguish between retail customers, corporate and institutional customers. 

For the sake of clarity, it would be advisable to provide precise definitions of "retail customers" and "institutional customers", (and “corporate” customers should this category be included). In the absence of such definitions, an alternative approach would be to differentiate between individual clients and corporate clients, thus establishing two distinct thresholds. These thresholds should reflect the varying levels of risk, which are intrinsically higher for corporate clients than for individual clients. 

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

We are struggling to reconcile the interpretation of Articles 12(7) of the AMLD and 40(2) of the AMLAR, and uncertainty remains regarding the collection of data in Annex 1 for the evaluation under these articles. See page 84: "Data Points to be collected for the purpose of the RTS under Article 40(2) of the AMLD and Article 12(7) of the AMLA Regulation" and "The data points in this annex are not the same as the indicators supervisors will use to calculate the ML/TF risk of each financial institution." 

We strongly support the use of a unified methodology to reduce the reporting burden on obligated entities by leveraging extracted data and ensuring alignment between the two methods. 

Additionally, we alert the EBA and AMLA to the risk of stigmatizing institutions selected for direct supervision. We identify a significant risk of financial market confidence erosion, which could lead to particular challenges for banks engaged in correspondent banking or trade finance activities. 

We expect clear communication from AMLA to inform and reassure financial markets that the selection was carried out solely for supervisory purposes and does not imply or reflect any particular risk associated with the institutions or weaknesses in their AML/CFT framework. 

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

We share AMLA’s approach on this matter, as we understand that this adjustment is only permitted to local supervisors, who have the necessary expertise to manage local risks. AMLA’s approach, which restricts this adjustment to a specific category, appears proportionate and helps to minimize discrepancies in supervisory approaches across different EU countries. 

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

The methodology places a strong emphasis on quantitative data. However, risk is not necessarily linked to volume alone—activities targeted at a small client portfolio can still present high-risk exposure, as seen in private banking. 

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

Concerns remain regarding the entities included within the group-wide perimeter—should non-EU entities and branches of an EU group be covered? Given that this is a European regulation, it would be reasonable for it to apply exclusively to the European entities within the group. However, uncertainties persist regarding Articles 16 and 17 of the Regulation, which address group-wide requirements and branches and subsidiaries in third countries, respectively. 

If non-EU entities are included, challenges may arise due to legal obstacles preventing the exchange of information in certain jurisdictions. At the same time, excluding non-EU entities may fail to capture the full intrinsic risk profile of the group, particularly when it has a presence in high-risk countries. 

The scope of obliged entities needs to be clarified—does the regulation apply only to entities subject to AML/CFT obligations within a group, or does it also extend to non-obliged entities? 

Regarding data collection and transmission, we support the EBA article requiring each relevant entity to report a questionnaire, with the authority responsible for aggregating the data. We also agree with the proposal that does not mandate the production of consolidated data points at the group level. 

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

We consider it appropriate to apply the same criteria to the parent company and other group entities when determining the group-wide risk profile. Once objective criteria for the risk assessment -— including indicators and weights -—are established, the parent company should be required to align fully with these, ensuring methodological consistency across the group. 

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

Questions remain regarding the purpose of this transitional rule. If the rationale behind this exclusion is to mitigate the risk of subjectivity among national supervisors, then allowing national supervisors to adjust the inherent risk score for the Article 40(2) of the AMLAR assessment seems unjustified. This approach appears inconsistent with the choice of using the Article 40(2) of the AMLAR assessment for the selection process under Article 12(7) of the AMLD. 

Additionally, there are concerns about the exclusion of supervisory assessments and external controls in the initial evaluation round. Such an exclusion could prove disadvantageous when calculating results, particularly in cases where supervisory assessments and external controls are favorable. 

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Through our comments on this RTS articles, we seek to reinforce the risk-based approach adopted by institutions. The pursuit of harmonization appears fully compatible with the implementation of this risk-based approach, ensuring a more coherent and effective regulatory framework.

Indeed, the provisions are overly prescriptive and not sufficiently driven by the risk-based approach recognized by the FATF and the AMLR; we notably recommend to: 

• Simplify and align data requirements with industry norms (including for activities other than retail banking) and actual risk exposure. Identity verification obligations should be proportionate, avoiding undue system burdens or exclusion of legitimate clients (i.e. very expanded EDD, limited applicability of SDD…).
• Review the definition and diligence for Complex Ownership Structures: requirements for identifying & verifying ownership structures are too extensive and challenging to implement, particularly for intermediary connections and nominee shareholders. Complex structures definition is too broad to be relevant for a risk-based approach.

While still supporting convergence and improved quality of the EU Customer Due Diligence regulatory requirements, these recommendations will preserve EU banking industry’s competitiveness by avoiding excessive technical compliance costs. 

We also take the opportunity to acknowledge and support a transitional implementation period of RTS CDD based on a risk-based approach for existing clients, in a maximum period of 5 years. All RTS should incorporate this transitional period to facilitate conduct adjustments. It is important to consider that financial institutions will update their internal processes once all RTS have been published, while the current RTS publication schedule appears to leave little room for conduct changes and IT developments.

Clarity of targeted population (Article 1 to 6): 

Article 22 (1) of the AMLR requires obliged entities to obtain specific information to identify ‘the customer, any person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted’. Article 1 (1) of the draft RTS cites Article 22 (1) AMLR, but then sets out requirements citing only ‘the customer’, with no mention of the additional classes of persons set out in Article 22 (1) AMLR. It is unclear whether this is an oversight, or whether the EBA intends to target measures at a more limited population than that identified in the AMLR.

We therefore request the following clarifications: 

• whether the reference in Article 1 (1) draft RTS to a more limited population (of ‘customer[s]’) than that cited in Article 22 (1) AMLR is an oversight, or a deliberate choice,
• the scope of the information to be obtained with regard to the identification of persons purporting to act on behalf of the customer, and of natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted, and
• whether the requirements set out for ‘customers’ similarly apply to the identification of
  • natural person trustees of an express trust or persons holding an equivalent position in a similar legal arrangement, pursuant to Article 22 (1) (c) AMLR, and
  • beneficial owners pursuant to Article 22 (2) AMLR, in combination with Article 62 (1) AMLR and/or also, where appropriate, to the identification of individuals as per Article 22 (1) (c) AMLR, in combination with Articles 57 to 60 AMLR. 

These questions apply mutatis mutandis to Articles 1 to 6 draft RTS. 

• In general, we appreciate the segmentation of these articles based on the data collected. However, we have identified several impacts regarding the information to be collected, while some information could be gathered on a best-effort to induce an approach more proportionate to risks. Notably:
• Article 1: Commercial Name - This should be collected only when available in the provided documentation.
• Article 2: Address - This information should not be verified. Apart from the country and city, all other details should be collected on a best-effort basis, where available in the provided documentation. Applying this measure to all clients seems disproportionate. We recommend applying it to high-risk clients.
• Article 3: Place of Birth - It is necessary to consider the specificities of certain identity documents that do not include the mention of the country and city of birth (when available, see Portuguese ID card).
• Article 4: All nationalities - The implementation of Article 4 is only feasible on a declarative basis. In most cases, the bank will only be informed of multiple nationalities through the client's spontaneous declaration and will not be in a position to challenge this information. Article 5 (2) : The criteria set out in Article 5(1) and (2) specifying mandatory data fields for identity documents (verification) are too rigid and do not reflect the diversity of legally valid ID documents used across Member States – and may lead to exclude legitimate clients, or to onboarding delays (particularly for non-EU residents and vulnerable populations, as well as disable people, young minors without proper ID documents for which accounts are often open by their legal representatives). As such alternative documents should be considered[CD1] . 

We understand the objective of harmonizing regulation and we fully support it. However, this harmonization should not lead to a systematic collection of information whose use would not be systematic for the purpose of AML/CFT.

Onboarding solutions in a non-face-to-face context (Article 6), please see Question 2

• Ultimate Beneficial Owners (UBOs) - Section 1, article 9
  • Applying city of birth to UBOs/SMOs appears disproportionate and goes beyond AMLR. Only state of birth should be collected on UBOs and SMOs.

  • Request to maintain local exemption to identify UBOs of listed companies (recital 127 et article 65 AMLR):

    Recital 127 of the AMLR states that "The exemption for legal entities from the obligation to determine their own beneficial owner and to register it should not affect the obligation of obliged entities to identify the beneficial owner of a customer when performing customer due diligence." However, this provision does not seem consistent with the exemption granted to listed companies from identifying or registering their beneficial owners (article 65 AMLR). 

    As a result, the remediation that financial institutions will have to implement will be burdensome, given that the current exemption applies to listed companies and their subsidiaries with more than 75% ownership. This remediation will be costly despite its limited added value. 

    Therefore, the RTS should clarify that financial institutions are not required to identify and verify the identity of UBOs when the client entity is listed on a regulated market in the EU or EEA, or when it is a public authority or body meeting certain transparency criteria.

  • Access to national registers –Section 1 - article 9 reasonable measure for verification of BO: Articles 9 RTS and 22.7 AMLR grant access to national registers, including passport databases and tax records, which will be beneficial for obliged entities. However, such access is not universally permitted. For instance, France currently restricts obliged entities from accessing these registers. We support this provision and therefore request access to these databases. In any case, it is essential that such access does not come with additional obligations for banks, such as reporting discrepancies, as this would place a significant burden on financial institutions

• Little differentiation between requirements of Articles 10 and 11 

Article 10 draft RTS sets requirements to build understanding of the ownership and control structure of the customer in standard cases. Article 11 sets requirements to build understanding in complex cases. The sole additional provision for higher risk entities as set out in Article 11 (2) draft RTS is that an organigram must be obtained. The level of information which obliged entities must obtain for standard and complex cases is therefore essentially the same at both levels. This is not in keeping with the risk-based approach, and suggests the requirements set out in Article 10 for standard cases are excessive.

Suggested amendments:

We suggest that the text of this Article be redrafted to focus on understanding the ownership and control structure of customers, in complex and higher-risk situations, as follows: (please read addition in Bold and deletions in _underscript)

“For the purposes of understanding the ownership and control structure of the customer in accordance with Article 20(1) (b) of Regulation (EU) 2024/1624, where the customer's structure appears unusually or excessively complex given the nature of the customer’s business, _{and may pose a higher risk of ML/TF and in situations where the customer’s ownership and control structure contains more than one legal entity or legal arrangement,} obliged entities shall take reasonable measures to obtain where necessary the following information:  

a. _{a reference to all} the names of the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their beneficial owners that are relevant for the determination of the beneficial owner and which own or control a substantive share of the customer structure, if any;

b. with respect to each legal entity or legal arrangement within the referred intermediary connections, the legal form of each legal entity or legal arrangement, and reference to the existence of any known nominee shareholders; the jurisdiction of incorporation or registration of the legal person or legal arrangement, or, in the case of a trust, the jurisdiction of its governing law _{and; where applicable, the shares of interest held by each legal entity or legal arrangement, its sub-division, by class or type of shares and/or voting rights expressed as a percentage of the respective total, where beneficial ownership is determined on the basis of control, understanding how this is expressed and exercised}. 

_{c. information on the regulated market on which the securities are listed, in case a legal entity in an intermediate level of the ownership and control structure has its securities listed on a regulated market, and the extent of the listing if not all the legal entity’s securities are listed on a regulated market’}.”

• Senior managing officials (SMOs) (Section 1 – article 12): 

The RTS do not incorporate the concept of an ultimate fallback UBO, meaning that SMOs are not classified as UBOs. Consequently, financial institutions should not be expected to collect the same identity elements for SMOs as they do for UBOs. It is important to reiterate that SMOs are not bank clients. We anticipate refusals to provide the required information from these UBOs, leading to increasing tensions and potential disruptions in business relationships. To mitigate these concerns, further clarification in the RTS would be beneficial.

Since SMOs are not classified as UBOs, we understand that the obligations applicable to UBOs do not extend to SMOs. Specifically, banks are not required to screen SMOs against sanction lists or PEP lists. Clarifying this distinction in the RTS would be beneficial to ensure consistent application of compliance measures.

Article 63 of the AMLR defines SMOs as the executive members of the management body, as well as the natural persons who exercise executive functions within a legal entity and are responsible, and accountable to the management body, for the day-to-day management of the entity. This definition appears overly broad and would capture a very large number of natural persons. We request a more targeted interpretation, in line with the risk-based approach: only individuals who exercise actual executive power (have the authority to commit the company and are not the customers of the banks). The obligation to identify SMOs should better align with a risk-based approach.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

• Onboarding solutions in a non-face-to-face context (Article 6): We acknowledge the value of implementing alternative onboarding solutions to eiDAS. However, in its current drafting, article 6 appears not to be compliant with a risk-based approach since it allows the implementation of alternative measures to an eIDAS qualified electronic identification means or trust service only where such means is “not available on the market, or cannot reasonably be expect to be provided” by customers” without sufficient rationale. Therefore, it should be amended to enable obliged entities to determine themselves which verification measures are appropriate in non-face-to-face situations, depending on the specific risk factors of their clients and products.

Going further, article 6 should also clarify that the following methods (or a combination thereof) can be applied: 

1. electronic identification means provided under domestic schemes (with similar level of guarantee and technical specifications as eIDAS),
   1. service providers specialized in remote verification of ID and subject to robust security and anti-fraud requirements under domestic rules certified by a national authority, in line with EBA Guidelines on the use of Remote Customer Onboarding Solutions (EBA/GL/2022/15 §54).  In France, ID verification providers (“PVID”) are certified by ANSSI, the French cybersecurity agency. ANSSI delivers a certification as “PVID” to services providers and solutions which enable the verification of the identity of natural persons willing to access public and private services online without possessing their own digital identity (i.e. either an eIDAS certified electronic identification means or any other domestic digital identity). As a result, PVIDs are considered to offer a similar level of reliability and safety as a verification in a face-to-face context; and
   2. a first payment transfer made from or to an account held in the client's name with an obliged entity established in a EU/EEE Member State, or a third country imposing equivalent obligations in terms of anti-money laundering and counter-terrorism financing. When applying such measure, financial institutions may implement additional fraud risk mitigation tools to ensure that that account has not be obtained by fraud : restriction on the means of payment to be used for this first payment, i.e. exclusion of card-based payments ; black lists of payment services providers within the EU flagged for poor client due diligences procedures following public measures or sanctions by supervisors, etc.).   

Should these methods not be authorized by the RTS, onboarding processes in French banks would be widely impacted, especially since the solutions meeting the requirements of Article 6 are not well adopted in France and since some entities have recently invested in PVID. This is why, we request that this provision only come into force in 2029.Indeed, as of July 2027, banks that do not currently use solutions that comply with Article 6 will no longer be able to enroll new customers. 

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

Firstly, in France, we hold the view that only the issuer of the virtual IBAN is authorized to service the credit or financial institution managing the account. Consequently, we find the following wording problematic: “other than the issuer of the virtual IBAN and other than the credit or financial institution servicing the account.” 

Regarding the communication of user information to the issuer, this could be considered a good practice. However, in France, we do not support the cascading redistribution of virtual IBANs. Therefore, our exposure to this measure should be limited. 

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Regarding Section 2 of the draft RTS, measures prescribed in articles 15 and 16 of the RTS appear more restrictive than the provisions of Article 25 AMLR of the AMLR. The articles expect the same information for occasional client than for client relationship, while they are different in nature and while the regulation refers to occasional transactions without qualifying the persons performing occasional transactions as 'clients' as per Article 19 (differences between occasional transactions and business relationships). In complement, article 25 AMLR states that obliged entity shall obtain related information “where necessary” and Article 20 AMLR mentions “as appropriate”, which seems better aligned with a risk-based approach while all measures expected in article 15 and 16 seem mandatory. Furthermore, these articles emphasize individual clients, even though domestic clients are considered to present lower risks according to the AMLR. These requirements may appear redundant and contradictory given the low risk highlighted in the AMLR annex and the necessity for everyone to have a current account. Therefore, point (a) has limited relevance when it comes to opening a current account for retail clients. 

We recommend the RTS be amended to reflect the risk-based approach evident in the AMLR. Even if the RTS refer to “risk sensitive measures, it is not clear that obliged entities should first assess whether the measures need to be applied at all. Where the purpose and intended nature of the relationship or transaction is self-evident from the products and services themselves, there should be no requirement to collect any further information. 

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Regarding section 3 related to Politically Exposed Persons (PEPs), 

- The responsibility for identifying PEPs should not rest solely on the bank. PEP and RCA clients should proactively disclose their status to their bank. In any case, the obligation incumbent upon banks to identify PPEs can only constitute an obligation of means and never an obligation of result. 

- The definition of a person on whose behalf or for the benefit of whom a transaction or activity is being carried out should be clarified. Recital 51 in the AMLR makes it clear that this does not refer to the beneficiary of banking transactions. Our understanding is that a person on whose behalf or for the benefit of whom a transaction or activity is being carried out would be identified in limited situations such as a nominee acting on behalf of a PEP. A clear definition of this term is necessary, or a removal would be prefered. And identifying all transactions conducted by a client We believe such measures would increase the difficulties encountered with these clients (tensions related to information collection). And the scope of persons “on behalf of or for the benefit of a PEP or their family” appears impossible to maintain. 

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We would like a rewording of Article 22 or a relevant change in the client's risk profile and/or suspicious transactions. 

With regard to Article 22 (2), it should be said that the client's identification data is deemed to be up-to-date, unless there is a relevant change in the profile of risks or suspicious transactions. 

Over-transposition by Article 23 in relation to Article 33(c) of the AMLR, which provides that the type of information required may be inferred from the nature of the transaction 

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.

Certain financial sectors and products inherently present lower risks of money laundering and terrorist financing due to their structure, regulatory oversight, and limited exposure to complex transactions. As such, they should benefit from sector-specific simplified due diligence (SDD) measures explicitly outlined under Section 4 of the draft RTS. While some criteria are mentioned in the AMLR Appendix, French regulation includes a specific list of lower risk products (article R561-16). The RTS could be enriched with this list:  

• Low-Value Life Insurance and Capitalization Contracts Life insurance or capitalization contracts with annual premiums not exceeding €1,000 or single premiums not exceeding €2,500 pose minimal financial crime risks due to their limited transactional scope.
• Non-Investment Insurance Contracts Insurance products that do not cover life/death, marriage/birth contingencies, are not linked to investment funds, and do not involve collective capitalization arrangements significantly limit ML/TF exposure.
• Retirement Insurance Contracts Retirement contracts that cannot be redeemed, cannot be used as collateral, and only provide annuity payments upon retirement—such as those referenced in insurance, mutual, and social security codes—do not offer liquidity or anonymity, mitigating potential misuse.
• Borrower Insurance Policies linked to loan agreements, serve as financial security mechanisms and are not investment products, thus presenting lower ML/TF risks.
• Professional Asset Financing of physical or intangible assets, where ownership remains with the financier or until contract termination and the average annual financial lease does not exceed €15,000 (excluding tax), limits risk by maintaining traceability when repayment is made exclusively from an account opened in the customer's name with a regulated financial institution.
• Low-Value Consumer Credit Transactions when repayment is made exclusively from an account opened in the customer's name with a regulated financial institution (e.g. under €1,000 or when they have a repayment period not exceeding three months and are either interest-free and fee-free or only subject to negligible interest and fees).
• Funds deposited in corporate collective plans within specified regulatory limits (€8,000) and sourced from regulated financial institutions.
• Securities Accounts used solely for capital increases, stock grants, or stock options, with values capped at €15,000, operate within transparent and well-regulated frameworks, limiting misuse.
• Payment initiation services
• Low-Value Cash Payments made by an individual made through regulated payment service providers for essential expenses—such as social housing rents (€600), utility bills (€150–200), phone bills (€50), insurance premiums (€300), and transport fees (€50). In addition to these individual thresholds, payment service providers may accept transaction with or below a monthly threshold of 1 200 euros to ensure overall risk mitigation. 

Given their structural safeguards, these financial products and services should benefit from sector-specific simplified due diligence measures to ensure a balanced approach to AML compliance. 

Condition in 21 (c) is problematic. The business relationship with a collective investment undertaking is a mix of the relationship with the collective investment undertaking itself, and with the relevant investment manager. If rated other than low, then the overall relationship could be out of the scope of SDD. This would mean that the RTS envisages the possibility of not performing DD on final clients only if the relationship is low. In other word, if this condition is not in place, the Asset Manager would not be able to rely on the DD performed by the distributor. This would lead to an enormous and unmanageable impacts for for asset managers (which are not structured to perform DD on final retail clients – as relying on distributors has always been allowed). We request the removal of the condition (c).

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Regarding enhanced due diligence measures (Articles 24 to 27 of the RTS), there appears to be confusion between the investigation of suspicious transactions _ exceptional measures that fall within the investigative authority of the FIU _ and traditional enhanced due diligence measures. The proposed measures extend beyond the provisions of Article 34(4) of the AMLR. 

Regarding Article 24 of the RTS: 

There is a need for a proportionate, risk-based approach.  Article 24 draft RTS should be read in conjunction with Article 34 (4) AMLR, which states that ‘in cases of higher risk … obliged entities shall apply enhanced due diligence measures, proportionate to the higher risks identified, which may include the following measures…’. Appropriate measures which obliged entities may take are then set out in points (a) to (g) of that paragraph. From this, it is clear that obliged entities to follow a proportionate, risk based approach, tailored to the specific circumstances of each situation. It is also clear that list of measures is illustrative, and it was not intended that all the measures set out be undertaken in every case. The approach set out in the draft RTS is however very different. The use of ‘shall’ and ‘at least’ in Article 24 is very prescriptive and is not in keeping with the approach of the AMLR. We therefore request that the text be amended to make clear that obliged entities may tailor the measures they take, in accordance with the risk-based approach.

Point 24(a) should be removed, as no explanation is provided on how to verify the relevance and authenticity of the information. 

Point 24(b) should be removed: Enhanced due diligence requires the collection of supporting documents to verify the information provided by the client and the beneficial owner, assess their reputation, and identify risks associated with both their current and past activities. However, it is unclear how their reputation—especially past reputation—could be effectively evaluated for clients or stakeholders in the relationship within the context of retail banking for entry-level customer segments. 

In cases of suspicion, Point 24(d) should be removed: It requires obtaining information on family members, associates, or the ultimate beneficial owner. Given that these individuals may not be directly involved in the relationship or referenced in public sources, it is unclear how institutions could comply with these obligations. These requirements also raise concerns regarding data protection and privacy, particularly for family members. 

Regarding article 25 RTS:  

Same comment as above, for article 24

Point (a), the bank is not responsible for assessing the legitimacy of the destination of funds, but rather ensuring their consistency (reformulated as: "verify the consistency of the destination of funds"). Additionally, it is unclear which specific information held by authorities and other obligated entities is being referenced. 

The obligation to report financial flows appears to extend significantly beyond the measures set out in Article 34(4) of the AMLR, which are left to the discretion of institutions ("enhanced due diligence measures, which may include the following"). This measure should only be applied in cases of suspicious transactions or, where applicable, to PEPs, depending on the nature of risks associated with the relationship (e.g., large-scale international investigations). 

We propose alternative text for Article 27 to set out requirements more in keeping with the risk-based approach and which take into account that what is complex or unusual depends on the particular circumstances of the obliged entity, the customer, and the situation at hand. 

Article 27 – Additional information or assessment on the reasons for the intended or performed transactions and their consistency with the business relationship. 

“The additional information obliged entities obtain on the reasons for the intended or performed transactions and their consistency with the business relationship, in accordance with Article 34(4) point (d) of Regulation (EU) 2024/1624 shall enable the obliged entity to: 

a. determine the transaction activity and whether this activity is consistent with the expected behaviour for this customer or category of customers

b. determine whether transactions that are assessed by the obliged entity to be complex or unusually large follow a suspicious pattern without any apparent economic or lawful purpose”

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We do not agree with the proposals outlined in Section 6 of the draft RTS. 

The topics addressed in this section were recently covered in detail by the European Banking Authority in its guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures under Regulation (EU) 2023/1113 (EBA/GL/2024/15); these guidelines were published in November 2024 and are scheduled to enter into force in December 2025. 

We have identified certain discrepancies between the provisions set out in the guidelines — which constitute a final document — and those in the draft RTS currently under consultation. For example: 

• The guidelines state that PSPs and CASPs should screen at least, in the case of a natural person, the first name and surname (section 17. a. a.); however, as per draft RTS that, for natural persons, obliged entities shall screen all first names and surnames. The drat RTS is more stringent.
• The guidelines state that trigger events for screening should include significant changes in the customer due diligence data of an existing customer; however, as per draft RTS, trigger events should include significant changes occur in the customer due diligence data of an existing customer, or beneficial owner. Although guidelines target only customer in this specific article, guidelines also provide much more details about how screening of beneficial owner should be handled (for example, see sections 16 and 18). Such details are missing in the draft RTS. 

In order to avoid confusion or inconsistencies between the two texts, we believe that the content of the RTS should be fully aligned with the guidelines. 

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

The impact is not measurable at this stage because the conditions for benefiting from the exemption for anonymous electronic money are to be determined by national supervisors. Disparities will remain between member states. However, it seems to us that some of these criteria alone will not be sufficient to reduce the risk. 

The EBA needs to define the criteria below that could be considered as working on their own and those that need to be combined with others. 

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

This article is to be linked with Article 6 regarding remote onboarding. The attributes to be verified correspond to the information required for KYC. 

In paragraph 3, the reference to Article 22(6) of the AMLR creates a circular reasoning because Article 22(6) mandates the use of a Remote Identity Verification Service Provider. Therefore, regarding Article 22(6) and 6 of the RTS, there is an obligation to use a Remote Identity Verification Service Provider (or alternative measures in case of client-related impossibility). Regarding article 31 of the RTS, if a Remote Identity Verification Service Provider is used, it must allow for the verification of a list of attributes. If it is not sufficiently comprehensive, we return to the beginning. 

The RTS should be revised to: 

• Specify, in article 31 or in Article 6, that banks can apply alternative measures to the Remote Identity Verification Service Provider in the situation described in point 3 of this article; or Simply remove from Article 6 the condition of the unavailability of a Remote Identity Verification Service Provider ("is not available or cannot reasonably be expected to be provided") to use alternative measures.
• Consider the use of phygital: "Electronic identification means can also be used for the verification of the customer in a face-to-face context, it should be explicitly stated in this article." NB: The European Wallet, which is still in the project phase, could contain an exhaustive list of identity attributes. In the absence of this data in the wallet, it will be necessary to obtain the data elsewhere (31.3) and therefore presumably from a reliable source. 

Regarding article 32, it is important to recall that remediation for existing customers will be implemented once all RTS have been published. The implementation timelines for these RTS (including those yet to be released) must be taken into account. To this end, the five-year period should commence from the date of application of this regulation for all existing customers, regardless of their risk profile.  

Future RTS should also benefit from this five-year implementation period, starting from the AML regulation’s effective date, and applicable to all customers regardless of their risk level. 

Question 1: Do you any have comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches sets out in Article 1 of the draft RTS? If so, please explain your reasoning.

Regarding this RTS it appears key to clarify enforcement boundaries between administrative penalties and civil/criminal liability. Overlapping regimes (e.g., AMLR and GDPR) risk double penalties. Clear guidance is needed to prevent conflicting obligations and ensure legal certainty.

In details, please find below our comments and suggestions regarding the proposed list of indicators to classify the level of gravity of breaches sets out in Article 1 of the draft RTS: 

(a) Necessity to delimit the duration to avoid discrepancies between supervisors and create unfairness within obliged entities. The question of the limitation period should be also taken into account and specified. Paragraphs (a) and (b) should be merged.

(b) Notion of repetition to be clarified in terms of time. The question of the limitation period should be considered. Paragraphs (a) and (b) could be merged.

(c) This indicator is not taken into account in the art 2 "Classification of the level of gravity of breaches". We would appreciate understanding its purpose.

(e) Redundant with paragraph (d). This should be clarified and merged with paragraph (d).

(g) This kind of assessment falls in the competence of criminal judges, not supervisors. This sentence should be deleted.

(h) To be clarified. Necessity to define what is a structural failure.

Point of attention: this concept refers to banking failures with a prudential analysis falling within the competence of the issuing authorities in relation to the ECB. This analysis of a structural failure (with a resolution procedure) of an authorized entity affecting the stability of the banking and financial sector cannot fall within the competence of the AMLA but of the supervisory authorities, since conditions suspending the retention of the authorization.  It is therefore requested to review the concept of structural failure to recall the supervisory and decision-making powers of the other competent authorities on the subject. 

(i) To be clarified. In particular the criteria on which the supervisors will rely to assess if the breach has an actual or potential impact on the financial viability of the obliged entity.

(j) We would appreciate to understand if it means that the impact of the breach will be judged more severely for systemic financial institutions. 

(k) This seems redundant with the article 1(a) related to the repetition.

(l) Too broad. This should be deleted considering the previous indicators that give the possibility to cover most of situations of breach.

If not deleted, other indicator identified by supervisors should be prior communicated to obliged entities

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches sets out in Article 2 of the draft RTS? If so, please explain your reasoning.

Article 2 (2): "Supervisors may classify under those categories other breaches that the ones dealt with in paragraphs 3 to 6." The phrasing of this sentence is unclear and requires clarification. Specifically, the term "other breaches" should be explicitly restricted to AML/CTF matters and must not be extended to other compliance topics.

Article 2 (3) This requires clarification, particularly regarding the criteria for determining direct and indirect impacts. Additionally, it is unclear why a breach would be considered if there is no direct impact.

Criteria should be established to assess the impact as minor, moderate, significant, or very significant.

Additionally, criteria should be defined to determine when a breach is considered significant.

Article 2 (6) The classification falls within the prerogative of the criminal judge, whose role is to determine whether the breach has facilitated or led to criminal activities. This responsibility does not lie with supervisors and should therefore be removed.

Article 2 (7) It is not logical that combined breaches could be classified under categories 3 or 4 when each individual breach does not fall into these categories when assessed separately. This provision should be removed.

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

This assumption is not relevant, as these characteristics should first be considered in determining the level of gravity of breaches. Consequently, this article should be removed.

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

Article 4 (2) The level of cooperation should be assessed based on the overall behavior of the obliged entity. Additionally, natural persons who may be held responsible alongside the supervisor should be precisely identified, and clear mechanisms for individual liability should be established.

Article 4 (3)

(a) The obligation of natural and legal persons held responsible alongside supervisors should be limited to responding to supervisors' requests. They should not be expected to determine supervisory expectations. Therefore, this provision should be removed.

(c) Clarification is needed regarding whether a graduated system exists to assess the degree of responsibility.

(f) A limitation period should be taken into account.

(g) The scope is too broad and should be removed, as previous criteria already provide sufficient coverage for most situations.

If this provision is not deleted, any additional criteria identified by supervisors should be communicated to obliged entities in advance.

Article 4 (6)

The criteria for assessing financial strength should be clearly defined and restricted to the financial capacity of the individuals held responsible, explicitly excluding the financial strength of partners. The evaluation should be conducted on an individual basis.

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

To answer this questions, please find below our comments on article 5 to 8 of the draft RTS. 
 

Article 5(2) 

The phrase "network of institutions comprising the obliged entity" is too vague and requires clarification.

(e) is overly broad and should be removed.
 

Article 5(3) 

c) The level of cooperation and the conduct should be taken into account by considering the behaviour of the obliged entity overall instead. 

(d) To be clarified. Necessity to define what is a structural failure. Point of attention: this concept refers to banking failures with a prudential analysis falling within the competence of the issuing authorities in relation to the ECB. This analysis of a structural failure (with a resolution procedure) of an authorized entity affecting the stability of the banking and financial sector cannot fall within the competence of the AMLA but of the supervisory authorities, since conditions suspending the retention of the authorization. It is therefore requested to review the concept of structural failure to recall the supervisory and decision-making powers of the other competent authorities on the subject. 

(e) Too broad. This should be deleted. If not deleted, other criteria identified by supervisors should be prior communicated to obliged entities.
 

Article 6(1)

We propose restricting this topic exclusively to “mise en demeure” (formal notice), without extending it to “lettre de suite” (follow-up letter).
 

Article 7(2)

Four weeks is an insufficient timeframe and should be extended. Additionally, the duration should be calculated based on working days rather than calendar days.
 

Article 7(4)

The fundamental rights associated with a fair trial should be guaranteed comprehensively. This includes the right to legal assistance and representation by a lawyer, as well as the right to appeal the decision.
 

Article 8(2)

The right to appeal should be explicitly stated in the decision itself. Additionally, the decision should remain confidential and not be made public.
 

Article 9(1)

Having three different frequencies is unnecessary. It would be more effective to standardize and adopt a single frequency instead.

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

 please see above

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

 please see above

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

Question non applicable to the FBF activities. 

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the naturals persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

Question non applicable to the FBF activities. 

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

The pursuit of harmonization seems to be an objective worth emphasizing. However, at this stage, we do not have any specific recommendations regarding its implementation.

Name of the organization