Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

From a general standpoint, it appears that the proposed set of data points may not give sufficient weight to elements that could help mitigate inherent risk. In particular, the current framework does not seem to foresee specific indicators capable of adequately reflecting customer relationships that are typically associated with a lower risk profile—such as those involving other regulated financial institutions.

Moreover, we are concerned that the data points have been defined without sufficient consideration of the potential impact they may have on financial institutions’ own risk self-assessments.

As further detailed in our response to Question 4, there is a strong link between the classification of an obliged entity’s risk profile and its internal risk self-assessment. Both rely on the same data and information to determine inherent and residual risk. In this context, we recommend reviewing the data points with the aim of incorporating indicators that more effectively identify and reflect lower-risk situations.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

We welcome the decision to introduce a standardized set of data points for assessing the risk profile of each financial institution. This approach will enable national competent authorities to conduct risk classification and assessment in a consistent manner, while also reducing the administrative burden for financial institutions operating across multiple Member States. 

The asset management industry is ready to submit data and information concerning its clients, the products offered and the services provided. However, we are concerned that the proposed data points and the level of granularity do not appropriately reflect the actual operating model of the sector.

In the case of direct clients, asset managers are generally able to provide a broader set of data and information. By contrast, in all cases where an intermediary is involved between CIUs/asset managers and investors, the availability of data and information may vary significantly.

When defining the data points to be requested from asset managers—at least with regard to CIUs—it is essential to take into account the provisions that will be included in Article 21 of the draft RTS on Customer Due Diligence (CDD). In this respect, we refer to the considerations and proposals outlined in our response to Question 6 of the draft RTS on CDD.

As a general principle, we believe that whenever there is an intermediary between the CIU and the investor, irrespective of the specific modalities through which units or shares of CIUs are subscribed, it should be the intermediary who is responsible for fulfilling the CDD obligations. This would avoid duplication of measures by the CIU. Accordingly, the intermediary—typically a credit institution—would, by virtue of its direct relationship with the investor, be best placed to provide most of the required data.

We acknowledge that the transition toward greater standardization will involve initial implementation efforts and associated costs for obliged entities. It is therefore essential that:

  • the data points be strictly limited to those elements that are truly necessary to assess the money laundering and terrorist financing (ML/TF) risk profile of each financial institution;
  • each data point be clearly and thoroughly defined;
  • the requested data and information enable the identification of low-risk customer relationships, particularly those involving other financial institutions, pension funds, or similar retirement schemes.

We also believe that, in order to effectively minimise costs, it is essential to align the timing and deadlines for the submission of data points with other supervisory reporting requirements—such as activity reports, risk self-assessment outcomes, and similar communications. Streamlining these processes by concentrating the transmission of information into a single reporting window, and avoiding multiple requests for the same or similar data in different formats or documents, would help reduce administrative burden and improve overall efficiency.

In addition, to further support cost-effectiveness, it is important to ensure that the data points—and the resulting supervisory assessment of risk profiles—are closely aligned with the criteria, data, and information required for the internal risk assessment under Article 10 of the AMLR. This consistency would allow financial institutions to use a single set of data for both internal risk assessment purposes and for supporting supervisors in determining inherent and residual risk levels.

Nevertheless, with a view to contributing effectively to the definition of the data set, we provide below several comments and/or requests for clarification concerning specific data points:

Category: Customers

Sub-Category:

  • Number of legal entities with complex structure. As noted in our response to Question 1 on the draft RTS under Article 28(1) of the AMLR, we believe that the definition of “complex structure” should be reconsidered and treated as relevant only in cases involving a high level of risk.
    More generally, asset managers may encounter significant difficulties in identifying the number of existing clients falling under this category, as they are not currently required to classify legal entities based on structural complexity. This challenge is particularly evident in the context of CIUs, especially where units or shares are distributed through intermediaries and subscribed in the name of the end investor. In such cases, customer due diligence is performed by the intermediary, and CIUs rely on the information collected by them. Retrieving such data retrospectively for existing clients or investors would represent a considerable burden.
  • Number of customers with high risk activities: A clear and consistent definition of “high-risk activities” would be highly valuable, as the absence of such a definition could lead to diverging interpretations. In this respect, consideration could be given to the potential use of NACE codes as a reference point to identify sectors associated with higher ML/TF risk.
  • Number of customers with at least one transaction in the previous year: Taking into account the specific features of the CIU sector, we note that identifying the number of customers who carried out at least one transaction in the preceding year would involve significant operational effort and cost. As this data point does not appear to contribute materially to the assessment of inherent risk, we suggest that it be removed.

Category: Products, services and transactions

Sub-category:

  • Investment Services and activities/reception and transmission of orders: we would appreciate clarification on whether the "% of amounts of orders transmitted involving unlisted financial instruments" refers to the percentage calculated on the number of orders or on their aggregate value, relative to the total value of all transmitted orders.
    We believe that, in the context of designing indicators that aim to capture the risk profile of the obliged entity, it is more appropriate to refer to the value of transactions rather than their volume.
  • Investment Services and activities/Management of UCITS: with regard to the category of “professional clients,” we suggest introducing sub-categories that allow for the identification of which types of professional clients, as defined in Annex II of the MiFID Directive, are clients of the CIUs. Likewise, it would be appropriate to disaggregate data, by breaking down assets under management according to whether they derive from retail or professional clients. In many cases, the clients of asset managers—particularly in the context of portfolio management—and of CIUs are financial intermediaries, pension funds, or insurance companies which, due to their institutional nature, may present a risk profile that is even lower than that of other professional clients.
  • With regard to the data point “Total assets under management in unlisted financial instruments”, we note that—unlike the corresponding requirement under the RTO service—there is no explicit reference to unlisted financial instruments other than those issued by the obliged entity or its group. We would appreciate clarification on this point.
  • Management of UCITS/AIFs: the requirement to report total AuM in listed or unlisted financial instruments would merit further clarification, particularly in the case of master-feeder structures. In such cases, the feeder fund should technically be considered listed or unlisted depending on the nature of its master fund, which is usually not listed. It would therefore be useful to clarify whether investments made by the feeder fund in the master fund should be included under this data point.
  • Management of AIFs: Additional guidance is requested regarding the data point concerning “assets other than financial instruments as defined in Section C of Annex I of MiFID.” In particular, it would be helpful to provide a list of the financial instruments that should be considered for the purpose of this classification. In this context, we suggest considering the opportunity to distinguish AIFs based on the nature of their underlying investments (e.g., real estate funds).

Category: Geographies

We would welcome clarification on the intended scope of the term “transaction”. It is important to understand whether it refers exclusively to customer transactions, or whether it also includes transactions carried out by the obliged entity during its institutional activity.

For instance, in the context of UCITS management, it should be clarified whether “transactions” also cover investments made at the initiative of the asset manager.

  • Total value (EUR) of all assets by country (for IFs and AMCs). We would appreciate clarification on the meaning of the data point “all assets by country”.
  • Number of investors by country. This data point refers specifically to “investors” rather than “clients.” It would be helpful to receive further clarification on the distinction—if any—between investors and clients, in order to ensure the accurate and consistent provision of the requested information.

Category: AML/CFT governance structures

Sub-category:

  • 1A: Role and Responsibilities of the management body. We would welcome clarification on the meaning and coverage of the term “management body”.

In addition, we would like to highlight the following concerns regarding the data points required under this sub-category:

  • policies and procedures are typically subject to different approval and review cycles and should therefore be addressed separately;
  • the topics listed may be covered across multiple policies and/or procedures, making it burdensome to provide all relevant approval dates—particularly for entities that are part of larger groups.
  • 1B: Internal controls and reporting systems. With regard to the data point “Number of deficiencies pending at the end of the calendar year”, we would appreciate clarification on whether this refers exclusively to deficiencies identified by the AML/CFT function, or whether it also includes those reported by other control functions, such as internal audit.
  • 1C: Outsourcing and reliance on third parties: This sub-category refers to both outsourcing and reliance on third parties, whereas the data points appear to concern outsourcing only. Clarification is requested as to whether “reliance on third parties” refers to the framework set out in Article 48 of the AMLR. If so, we recommend developing separate data points, as outsourcing and reliance on third parties are distinct concepts and should not be treated as interchangeable.
  • 1D: Number of dedicated AML/CFT compliance staff (in FTE): to ensure comprehensive and accurate reporting, it would be highly beneficial to provide a definition of “AML/CFT compliance staff.” This would help determine which staff members should be included for the purpose of this data point.
  • 3F: Compliance with Fund Transfers Regulation: the data points under this section relate to the implementation of Regulation (EU) 2023/1113. It would therefore be appropriate to clarify that obliged entities are expected to provide the requested information only to the extent that their activities fall within the scope of the Regulation.

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

See our response to question 3.

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

General remarks on Section 1

We appreciate the efforts to enhance the consistency of AML/CFT measures across the EU. However, we are concerned that the Draft RTS on Customer Due Diligence (CDD), in its current form, places significant limitations on the practical application of the risk-based approach, a key principle underpinning the AML framework, as also acknowledged in recital 29 of the AMLR.

In particular, we wish to express our concern that Articles 28(1)(b) and 33(1)(e) of the AMLR appear to have been interpreted in an unduly restrictive manner, which limits the development and application of simplified due diligence measures.

This approach reduces the flexibility required to tailor obligations to the effective risk levels, leading to a reduced ability to implement AML/CFT measures in a way that is both effective and proportionate.

We support the EBA’s decision to adopt a principle-based, risk-based approach and to refrain from further specification where the AMLR already provides sufficient guidance. However, the heterogeneity of obliged entities implies that, in certain instances, targeted measures are necessary to ensure the effective application of the risk-based approach. For this reason, we believe that greater attention should be devoted to defining simplified measures that can be applied consistently across the entire collective investment undertaking sector.

Specific proposals in this regard are provided in the response to Question 6.

Furthermore, we consider it important to highlight that the RTS do not include specific provisions concerning the information required to conduct a customer risk assessment, which is critical for determining whether standard, simplified, or enhanced due diligence should be applied.

Regarding the timeline for compliance with the provisions on customer due diligence, we appreciate the flexibility granted in relation to existing clients.

Concerning new clients, the proposed deadline of 10 July 2027 appears reasonable. However, its appropriateness will ultimately depend on the date of publication of the final version of the RTS. If the final version is published only a few months before the application date, it will be important to introduce a transition period for new clients as well, to allow obliged entities adequate time to adapt their internal procedures and systems accordingly.

Identification and verification of the identity of customers and beneficial owners

It would be helpful to clarify how the expression “where available” should be interpreted in relation to the information to be obtained for the identification and verification of the customer and the beneficial owner. For instance, Article 22(1)(a)(iv) requires the collection of the tax identification number “where available.”

Art. 4 – Specification on nationalities

We would welcome clarification on whether compliance with Article 22(1)(a)(iii) of the AMLR and Article 4 of the RTS requires the collection of all identity documents or passports pertaining to the natural person, or whether Article 4 may be interpreted as permitting the use of alternative means.

Art. 10 – Understanding the ownership and control structure of the customer

We are of the view that the measures set out in Article 10 may be excessively prescriptive and could limit the ability to apply Article 20(1)(b) in a manner that is truly risk-based.

AML/CFT rules—especially those set out in the RTS—should be framed in a way that enables obliged entities to focus their efforts and resources on customer relationships that present a higher level of risk.

However, Article 10 requires obliged entities to further investigate the customer’s structure whenever it includes more than one legal entity or legal arrangement, regardless of the actual level of risk. As such structures are frequently encountered in practice, this requirement could result in a disproportionate compliance burden on obliged entities. The inclusion of more than one legal entity or arrangement in the customer’s structure does not, in itself, indicate a higher risk.

For this reason, we believe that understanding the customer’s ownership or control structure should not depend on quantitative thresholds relating to the number of entities or arrangements involved. Instead, it would be more appropriate—and more consistent with a risk-based approach—to leave it to the obliged entities to assess, based on the information available to them, whether the ownership structure appears unusual or excessively complex considering the nature of the customer’s business.

Where such elements are identified, the obliged entity should apply enhanced due diligence measures. This approach would be consistent with Annex III of the AMLR, which recognises the presence of an ownership structure that appears unusual or overly complex—considering the nature of the company’s business—as a higher-risk factor.

For these reasons, we propose removing the reference to “more than one legal entity or legal arrangement” and including the list of information to be obtained in the case of complex structures—identified by obliged entities—among the EDD measures.

At the same time, it is important that specific simplified measures are provided for cases where the customer is assessed as low-risk. In any case, it should be clarified that the “understanding of the ownership and control structure” is not required where the customer is assessed as low-risk.

In particular, it is important to clarify whether further investigations are required even when the customer presents a lower risk, such as in the case of other financial intermediaries subject to AML/CFT requirements.

Where the customer is a credit or financial institution subject to AML/CFT obligations, or another entity listed in Annex II of the AMLR, the requirement to obtain additional information on the ownership or control structure of the legal person does not appear to be justified.

Art. 11 – Understanding the ownership and control structure of the customer in case of complex structures

In line with the comments made on Article 10, we are of the view that Article 11 is overly prescriptive and does not allow for a genuinely risk-based application.

From a broader perspective, it is unclear why an ownership or control structure comprising more than two layers should, by default, be classified as “complex.” 

In this respect, we note that the cost-benefit analysis and impact assessment do not provide sufficient elements to understand the rationale behind this approach.

We would suggest that the requirement to obtain a customer’s organigram should be limited to high-risk situations, and only where such a measure is justified based on the obliged entity’s own risk assessment. 

As previously noted in relation to Article 10, it would be more appropriate to give obliged entities greater flexibility to determine when a customer’s structure should be considered complex, and to conduct further analysis only in higher-risk situations.

For instance, if an ownership structure appears unusual or excessively complex given the nature of the company’s business, the financial institution should consider the legal structure adopted by the customer, especially where specific elements of complexity or opacity are present that hinder or prevent the identification of the beneficial owner, the actual corporate purpose, or any ownership or financial links with entities based in high-risk geographical areas.

Article 12 – Information on senior managing officials

In our view, it is essential to distinguish between the roles of Senior Managing Officials (SMOs) and UBOs, as the associated ML/TF risks are not equivalent. SMOs do not hold ownership or exercise control over the entity. Where such control or ownership exists, the individual should rightly be identified as a beneficial owner. In this regard, Recital 125 of the AMLR clearly acknowledges that “although they are identified in those situations, the senior managing officials are not the beneficial owners”. 

Therefore, applying the same identification and verification requirements to SMOs as those applied to UBOs does not appear justified, given their fundamentally different roles and levels of associated risk.

Moreover, Article 63(4)(b) of the AMLR already specifies the type of information that legal persons must make available for the SMOs. Since the provision refers to information equivalent to that required under Article 62(1)(a), it would be appropriate to define a minimum standard of information to be made available for the SMOs that does not include all the information required for beneficial owners. Moreover, it would be necessary to simplify as much as possible the aspects related to the verification of their identity, in line with their role and the limited risk they represent.

Finally, we would appreciate clarification on the implications in cases where one or more SMOs is a politically exposed person (PEP). Given that SMOs are not beneficial owners and do not own or control the legal entity, we believe that the mere presence of a PEP among the SMOs should not automatically lead to an elevated risk classification of the overall relationship.

Should this approach not be recognised, the relationships between financial institutions would be significantly impacted, requiring obliged entities to treat institutional clients as higher risk, even in the absence of concrete risk factors.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

The article places disproportionate emphasis on the use of eIDAS-compliant electronic identification methods, making them a prerequisite unless such methods are “not available” or “cannot be reasonably expected to be provided.” We consider this approach unduly restrictive. While eIDAS solutions may be effective in some contexts, they are not uniformly accessible across Member States.

The proposed Art. 6 would limit legitimate and secure remote onboarding solutions already in use, which do not rely on eIDAS but still meet high standards of security and reliability. Art. 6 appears to go beyond the established EBA remote onboarding guidelines, which offered a more risk-sensitive and proportional approach. We respectfully suggest that the RTS should aim for consistency with the EBA guidelines or clarify where and why a stricter standard is deemed necessary.

It is unrealistic to expect that all natural persons will have access to eIDAS in the near future, given the current level of adoption. Moreover, reliance on eIDAS may place customers from third countries—where the Regulation does not apply—at a disadvantage. In low-risk situations, such as when dealing with institutional clients or regulated entities (e.g. pension funds, legal persons already listed in national registers or subject to public disclosure obligations), verification through documents or reliable independent sources should be sufficient.

Article 6 should be designed in accordance with the principle of a risk-based approach. Not all non face-to-face relationships carry the same level of risk. As noted in recent FATF guidance on financial inclusion, non face-to-face interaction does not inherently imply higher risk when appropriate controls are in place.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We suggest revising Article 15 to ensure consistency with Articles 20(1)(c) and 25 of the AMLR, which indicate that information on the nature and purpose of the relationship should be collected only “as appropriate” or “where necessary”.

In this regard, we would welcome confirmation that, in line with Articles 20(1)(c) and 25 of the AMLR, information on the nature and purpose of the relationship is not required in all cases, but only where necessary — for example, in high-risk situations — enabling financial institutions to collect such information only when it is relevant and proportionate to the nature of their business.

It is important to obtain further clarification regarding the requirement to collect information on the “destination of funds” as set out in Article 25(d) of the AMLR and Article 16(d) of the draft RTS. The draft RTS states that this information should include “the expected types of recipient(s), including information about the jurisdiction where the transactions are to be received, and intermediaries used.”

Given the nature of this requirement, we would welcome clarification on whether this information must be collected by all financial institutions, or only by those whose services or activities allow for the effective identification of the destination of funds, given the nature of the business conducted.

In the case of CIUs, there is considerable uncertainty regarding the practical ability to collect information on the destination of funds. It is unclear what type of information could reasonably be requested from investors either at the time of onboarding or during the business relationship.

We therefore recommend clarifying whether this requirement applies systematically, or only in certain circumstances and for specific categories of obliged entities. Such clarification should also extend to Article 25(a) of the draft RTS on enhanced due diligence measures.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

It would be important for the RTS to provide further clarification regarding certain specific scenarios that may involve politically exposed persons (PEPs).

In particular, it would be useful to clarify how the rules apply when the customer is a public administration or a state-owned enterprise. In such cases, those identified as UBOs or senior managing officials (SMOs) often fall within the definition of PEPs. However, since they are performing functions within the scope of a public administration or a state-owned entity, their status should not, in itself, lead to a higher overall risk rating for the relationship.

It would be helpful to receive confirmation of this approach.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

As highlighted in our response to Question 1, we view the RTS as a unique opportunity to enhance the effectiveness, efficiency, and proportionality of AML/CFT obligations, by ensuring they are effectively implemented in line with a risk-based and proportionate approach.

However, the current draft offers limited flexibility to define and apply simplified measures, significantly constraining the ability to reduce AML obligations in cases where the risk is low.

We believe this approach should be reconsidered, particularly to ensure that proportionate simplifications can be applied where appropriate, thereby supporting the competitiveness of the European economic and financial system.

In recent communications, notably the Competitiveness Compass and the Savings and Investment Union, the European Commission has outlined a strategic vision to strengthen Europe’s competitive position. In this context, it is essential that the financial system continues to be equipped with robust safeguards to prevent the misuse of financial channels for money laundering or terrorist financing. At the same time, it is equally important to introduce proportionate measures for low-risk situations that do not place undue constraints on the functioning of specific sectors.

We therefore consider that the information requirements set out in Section 4 of the draft RTS should be substantially streamlined to ensure genuine simplification and to enable obliged entities to focus their attention and resources on higher-risk scenarios.

In light of the above, we would welcome a broader interpretation of Article 33 of AMLR and of the mandate set out in Article 28 of AMLR, with the aim of reducing the compliance burden associated with customer due diligence. This would include the introduction of specific sectoral measures that reflect the actual functioning of the sector and ensure that the intensity of obligations is commensurate with the level of risk.

In this respect, we particularly welcome the inclusion of simplified measures for the collective investment undertakings (CIUs) sector in the RTS.

We appreciate Article 21 and the EBA’s efforts to tailor specific measures for CIUs, acknowledging the overall low-risk profile of the sector, considering its structural characteristics and the composition of the value chain—from the CIU to the final investor—which typically involves other AML-regulated intermediaries.

Nonetheless, we note that the current drafting of Article 21 does not fully reflect the relationship between the CIU, the intermediary, and the investor. For this reason, we propose changes to the wording of Article 21 (see below).

That said, we consider the inclusion of Article 21 in the RTS to be particularly important, as it confirms that AMLA (or EBA) has the power to introduce simplified measures for specific categories of obliged entities, products, or services and that such measures may go beyond the general provisions laid down in Articles 33 and 22 of the AMLR, offering the opportunity to implement effective and proportionate simplifications.

We therefore firmly believe that the interpretation—which we fully support—that led to the inclusion of Article 21 on simplified measures regarding the CDD obligations to identify and verify the identity of the persons on whose behalf or for whose benefit a transaction or activity is carried out, must be unequivocally extended to the entire asset management sector.

Currently, recital 15 and Article 21 of the draft RTS on CDD appear to be designed exclusively for cases where CIU units or shares are subscribed in the name of the intermediary and on behalf of the underlying investors (I Scenario), without considering situations where investors subscribe in their own name through an intermediary (II Scenario).

While we recognise the legal distinctions between these two models—concerning the way units or shares are subscribed and the resulting relationships among the CIU, the intermediary, and the investor—we believe that the substantial overlap between the two models provides sufficient grounds for extending the simplified measures in Article 21 to II Scenario. In both cases:

  1. Investors are clients of the intermediary;
  2. The intermediaries are obliged entities subject to AML/CFT requirements;
  3. The intermediaries are responsible for performing risk-based CDD on the investors; and
  4. The CIU conducts due diligence on the intermediary to understand the distribution channel and assess AML/CFT risks.

One element that may distinguish the two models is that, under II Scenario, the investor may request the redemption of units or shares directly from the CIU. While this option is permitted, it is important to consider that, in addition to subscribing CIU units or shares distributed by the intermediary—typically a credit institution—the investor will often have other ongoing relationships with the intermediary (such as a bank account). As a result, investors generally regard the intermediary as their main point of contact throughout the entire investment process involving the CIU, and therefore also turn to the intermediary for the redemption of units or shares.

It should also be noted that investors do not have the ability to choose the subscription method, as this is determined by the internal business decisions of the parties involved and by the nature of the distribution agreements in place. Accordingly, the choice of distribution model should not be considered as affecting the overall level of risk.

With respect to risk assessments and the potential implications of different subscription or distribution models, we wish to underline the following:

  • differences in distribution and subscription models should not result in different risk levels for CIUs within the same category (for example, open-ended investment funds aimed at retail clients) that follow the same investment strategy.
  • the investor’s risk exposure is not influenced by the distribution model, as it depends on the investor’s individual characteristics rather than on the method used to subscribe to the CIU.

This suggests that the conditions necessary for the application of simplified measures are also present in II Scenario.

Moreover, we believe that including specific simplified measures for the II Scenario within the RTS would be appropriate in light of the following considerations:

  • Recital 23 of the AMLR states that “AML/CFT requirements should apply regardless of the form in which units or shares in a fund are made available for purchase in the Union, including where units or shares are directly or indirectly offered to investors established in the Union or placed with such investors at the initiative of the manager or on behalf of the manager”. This suggests that the method of subscription or distribution of CIU units or shares should not, by itself, be considered a factor that determines a different intensity or nature of AML/CFT obligations;
  • Recital 78 of the AMLR sets out that “the regulatory technical standards on customer due diligence should set out the specific simplified measures that obliged entities are able to implement in the case of lower risk situations identified in the risk assessment at Union level conducted by the Commission”;
  • Article 28(1)(b) states that "the draft regulatory technical standards shall specify: the type of simplified due diligence measures which obliged entities may apply in situations of lower risk pursuant to Article 33(1) of this Regulation, including measures applicable to specific categories of obliged entities and products or services, having regard to the results of the risk assessment at Union level conducted by the Commission pursuant to Article 7 of Directive (EU) 2024/1640." The mandate, therefore, covers not only the specification of the measures under Article 33(1), but also additional measures tailored to specific categories of obliged entities, taking into account the SNRA;
  • Article 28(2) establishes that simplified measures, including those applicable to specific sectors, should be based on:
    1. the inherent risk involved in the service provided;
    2. the risks associated with categories of customers;
    3. the nature, amount and recurrence of the transaction;
    4. the channels used for conducting the business relationship or the occasional transaction.
  • The 2022 SNRA and the related Staff Working Document explain that in the investment sector, which includes CIUs, “The main factor that mitigates the inherent risk of money laundering is the low level of cash-based transactions, despite the fact that the sector is exposed to high-risk customers, including politically exposed persons, while the volume and level of cross-border transactions are high. To have access to the investment sector, perpetrators need to introduce money through the banking system, and hiding illegal money through opaque structures requires a high degree of expertise and/or high cost. Therefore, banks are often a first barrier that mitigates the inherent money laundering risk”. Since CIUs are typically distributed by credit institutions—entities that are subject to robust AML/CFT supervision and perform customer due diligence—these mitigating considerations also apply to II Scenario. The Staff Working Document specifies that the risk increases in the case of investments made through brokers. However, this is a different context from the distribution and subscription of CIUs;
  • The interpretation of Article 33 of the AMLR that led to the drafting of Article 21 of the RTS should also support the introduction of simplified measures with respect to the customer, and not only to the person (other than the customer) on whose behalf or for whose benefit the transaction or activity is carried out (i.e. the underlying investor). This is because both categories are expressly referred to in Articles 20 and 22 of the AMLR and are therefore subject to the same legal basis governing the applicable due diligence obligations. In this respect, Article 22 of the AMLR provides that "with the exception of cases of lower risk to which measures under Section 3 apply and irrespective of the application of additional measures in cases of higher risk under Section 4 obliged entities shall obtain at least the following information in order to identify the customer, any person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted". From this perspective, it is considered that the interpretation adopted by the EBA to justify the simplified measures under Article 21 could also be applied in cases where the investor is registered in the CIU’s register.
  • Extending the simplified measures under Article 21 to II Scenario would not constitute an exemption. CIUs would still be required to assess the intermediary and, upon request, obtain the investor's customer due diligence data and information, as foreseen by Article 21.

If simplified measures were not also introduced for II Scenario, CIUs - in cases of subscription through an intermediary and in the name of the investor - would be left with the sole option of relying on third-party customer due diligence.

However, this should not be seen as a simplified measure. It merely prevents the duplication of identification and verification procedures. The CIU shall obtain from the obliged entity relied upon all the necessary information concerning the customer due diligence measures laid down in Article 20(1), points (a), (b) and (c) of the AMLR (art. 49). The third party shall provide the information without delay and in any case within five working days.

This approach results in greater burdens and higher costs for entities receiving subscriptions in the name of the client. Changing the subscription and distribution model for CIUs would also be costly and difficult to implement. In any case, AML/CFT requirements should not drive the choice between different CIU distribution models.

Taking all that into account, we suggest the following amendments to Art. 21:

1. In the case where shares/units in a collective investment undertaking are subscribed by an intermediary or chain of intermediaries (credit or financial institution) in its own name and on behalf of the collective investment undertaking may fulfil the requirement under Article 20(1)(h) of Regulation (EU) 2024/1624 by being satisfied that the intermediary will provide CDD information and documents on underlying beneficial owners upon request, and provided that:

  1. the intermediary is subject directly or through group policies to AML/CFT obligations in an EU Member State or in a third country that has AML/CFT requirements that are not less robust than those required by Regulation (EU) 2024/1624;
  2. the intermediary is effectively supervised for compliance with these requirements;
  3. the risk associated with the business relationship between the collective investment undertaking and the intermediary is not high is low;
  4. the fund or fund manager is satisfied that the intermediary applies robust and risk-sensitive CDD measures to its own customers and its customers’ beneficial owners.

To reflect the specificities of the second scenario described above, which is relevant to the asset management industry, we would propose adding a second paragraph to Article 21 of the draft RTS on CDD, with the following wording:

“2. In the case where the collective investment undertaking uses an intermediary to distribute its shares or units, and where the units or shares are subscribed in the name of the investor, the collective investment undertaking may fulfil the requirement under Article 20(1) of Regulation (EU) 2024/1624 by being satisfied that the intermediary will provide CDD information and documents on the investors and their beneficial owners upon request, and provided that:

  1. the intermediary is subject directly or through group policies to AML/CFT obligations in an EU Member State or in a third country that has AML/CFT requirements that are not less robust than those required by Regulation (EU) 2024/1624;
  2. the intermediary is effectively supervised for compliance with these requirements;
  3. the risk associated with the business relationship between the collective investment undertaking and the intermediary is not high;
  4. the fund or fund manager is satisfied that the intermediary applies robust and risk-sensitive CDD measures to the investors and the investors’ beneficial owners.”

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 29(c)(i) of the RTS states that customer and beneficial owner screening must be carried out “during customer onboarding or before entering into a business relationship or performing an occasional transaction.” In cases where CIU units or shares are subscribed through an intermediary in the name of the investor, the screening should be carried out by the intermediary, who has direct contact with the investor.

Name of the organization

Assogestioni