Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
Introduction
The European Association of Co-operative Banks (EACB) welcomes the European Banking Authority (EBA)’s public consultation on specific mandates of the 2024 Anti-Money Laundering legislative package.
Cooperative banks, as they are actively addressing ML/CT risks, and are obliged entities subject to the new legal requirements of the AML legislative package, are well placed to offer valuable feedback to the EBA on the draft Regulatory Technical Standards (RTS).
The EACB, having participated in the October 2024 industry roundtable, greatly values its ongoing dialogue with the EBA and welcomes the opportunity to provide further feedback.
EACB’s members have read EBA’s consultation paper and have the following observations.
EACB general observations on the EBA’s Consultation paper
Notion of banking group: The EACB would have welcomed the opportunity to also be able to comment on the RTS under Article 16(4) of the Anti-Money Laundering Regulation (‘AMLR’) on the development of guidance on “group-wide policies, procedures, and controls, including minimum standards for information sharing and criteria for identifying the parent undertaking”. EACB experts emphasize the need to ensure the diversity of banking models by further clarifying the definition of "group".
Indeed, cooperative banking groups have a unique structure, consisting of numerous smaller credit institutions that operate independently in certain areas while delegating specialized services - such as treasury, payments/securities processing, and IT - to joint central institutions.
Recital 44 AMLR, which references institutional protection schemes (IPS) as defined in Regulation (EU) No 575/2013 (Capital Requirements Regulation)[1], is a positive step toward acknowledging the diversity of banking models within AML legal frameworks.
However, the concept of the "broadest possible definition of a group," as mentioned in the recital, requires further clarification in the RTS under Article 16(4). Certain national regulators have highlighted that this broad definition could lead to misunderstandings. To address this, we recommend including a list of examples of banking groups when drafting the RTS on group-wide policies.
It is of utmost importance that institutional protection schemes (IPS) are not equated with banking groups in the regulatory sense. An IPS is characterized by the decentralized structure of its member institutions, their legal and operational independence, and the mutual support mechanism in place to ensure their stability. Unlike banking groups, IPS typically do not have a parent entity that exercises control or uniform group-wide governance. Treating IPS as banking groups would therefore not only disregard their specific nature and regulatory treatment under the CRR, but also create significant legal and operational challenges, especially in the implementation of group-wide AML/CFT policies. IPS should be treated according to their own regulatory framework, respecting their unique positions within the EU banking sector and ensuring full application of the proportionality principle.
BO registers: We also wish to highlight the need to have uniform BO registers’ quality across the EU. Well-maintained national registers can prove to be an effective tool in combating money laundering. National registers with up-to-date and precise information and to which all banks have access can signal suspicious customers. However, with the quality of registers highly differing between Member States, obliged entities cannot always rely on them. While drafting the RTS on Customer Due Diligence under Article 28(1) of the AMLR - particularly the draft Article 9 - it may be a valuable opportunity to highlight the importance of maintaining high-quality beneficial ownership registers throughout the European Union.
Simplification: When drafting the standards, EBA should also take into account the new European Union’s simplification and competitiveness agenda. It is key to create a uniform and clear framework for obliged entities. For example, concerning direct supervision, and in particular the RTS under Article 12(7) AMLAR, it should be clear for obliged entities who is going to be directly supervised and the list should not be revised automatically. Legal stability should be kept in mind. The same is valid for review clauses contained in the AML legislative package: these should not be automatically and systematically reviewed.
Connection between level 1, level 2, and level 3 legislations: In this regard, we urge the EBA to take into consideration the Less is More report, which underscores the legal complexities stemming from the growing number of measures adopted by EU regulatory agencies, some of which occasionally exceed their conferred mandate. The report also highlights the importance of clearly defining the relationship between level 1, 2, and 3 legislations, along with establishing dedicated and logical timelines for each. Please refer to our comments under Article 32 of the RTS on CDD below.
Consideration of de-risking practices: When drafting the standards, and especially the RTS on Customer Due Diligence under Article 28(1) AMLR, the need to avoid de-risking practices and ensure financial inclusivity of all types of customers is also very important. This should however not lead to (i) conflicting requirements and/or (ii) decreasing the freedom of contract for banks.
Importance to keep existing legal notions to ensure legal stability: We also wish to highlight that certain terms included in the EBA consultation paper are not in line with the current European and national legal frameworks. This is for example the case with the ‘commercial name’ notion (see our comment under Article 1 - Information to be obtained in relation to names on the RTS on CDD). In order to maintain a level playing field, and ensure harmonization of AML regimes, we suggest to maintain only those terms already implemented in Member States.
[1] Recital (44) AMLR especially makes a reference to Articles 10 and 113(7) of Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 Text with EEA relevance
RTS under Article 40(2) of the AMLD - Question 1
We would like to draw the EBA's attention to the impact that the risk assessment methodology - although already defined for the activity performed by the Supervisory Authorities - will have on each of the obliged entities.
This impact will be firstly related to the amount of information to be made available to the Supervisory Authority for the purpose of such activity. Secondly, it relates to the foreseeable ‘adaptation’ to the new methodologies – compared to the methodologies currently used by the obliged entities in accordance with the logic defined by certain Supervisory Authorities. This is particularly relevant to the new rules for determining the residual risk profile that are not in line with the provisions already set forth by our Supervisory Authority in the above-mentioned Organisational Provisions.
For instance, in France, out of all data points listed in Annex I (approximately 240), only a third (approximately 75, 32%) actually matches data currently required by the supervisory authority under the French annual AML-FT questionnaire.
This significant impact directly affects the obliged entities’ ability to provide all data points under the timeline that can be expected by reference to Article 5 RTS (“Supervisors shall carry out the first assessment and classification of the inherent and residual risk profile of obliged entities (…) at the latest nine (9) months after the date of entry into force of this Regulation”, i.e. May 2028). The deadline for completion of all risk assessments involves the provision of data points to supervisors by the middle-end of year 2027, based on data relating to year 2026. Necessary IT developments will need to be already in place at that time in order to process and produce the data.
In this respect, consideration shall be given to:
- given the large volume of data points and significant gaps between current domestic reporting of some Member States and this upcoming risk-assessment reporting, it may take one-and-a-half to two years to be able to provide comprehensive and reliable datasets; and
- the decision to start work on and incur the necessary (and significant) costs for those IT developments would reasonably be taken only when (i) the final version of this RTS (to be handed to the Commission by 10 July 2026) and (ii) the interpretative note accompanying that final version, to be drafted by the AMLA, are issued.
It follows that timely submission of a full dataset relating to year 2026 (with a view for supervisors to complete the initial risk assessment by May 2028) would be unrealistic since no work to adapt IT systems can be initiated before the issuance of the final RTS and its interpretative note (by middle-end of year 2026). Therefore, it seems necessary to postpone the first submission of a full dataset relating to year 2027, which implies that Article 5 should be modified to postpone the deadline for the completion of risk assessments accordingly.
According to Recital 9 it will be the role of AMLA, in cooperation with competent authorities, to ensure that each competent authority applies the same thresholds and weights. Supervisors shall determine combined scores and apply predetermined weights (Article 2, Article 3).
Based on this, we have two comments:
- It will be important to ensure a uniform approach across the EU.
- Without knowing these (combined) scores and weights we are currently unable to assess specifically whether the assessment’s result (using the methodology proposed in the draft RTS and the applied (combined) scores and weights that will subsequently be defined by AMLA in combination with the national supervisors) will appropriately reflect the risks of the assessed obliged entities.
Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.
We agree that the residual risk cannot be higher than the inherent risk. Mitigating measures are put in place to lower the inherent risks. If the residual risk would be higher than the inherent risks, this would mean that the adopted measures actually increased the inherent risks.
3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?
Suggestion to reduce the number of data points: Annex I provides a list of data points per indicator. The large volume of data points - exceeding 200 - makes it difficult for obliged entities to understand the framework by which their inherent and residual risks will be evaluated (which will be then used to determine whether they will be subject to direct supervision). Reducing the number of data points would enable a clearer and simpler framework for both obliged entities and national supervisors (tasked with collecting the data points).
General comments: The description of certain proposed data points is not clear enough and leaves room for different interpretations. These data points should be further determined and specified.
For a number of data points it is in general questionable whether they can attribute added value for the proper assessment of the risks; for other data points the added value for the risk assessment seems to be disproportionate to the additional (manual) effort that is required to deliver the respective data.
Specific comments:
- Table A – Sub-Category – “Payment accounts”: Tables A and B appear to use two different wordings in relation to payment flows: Incoming transactions / flows (table A) / inbound transfer (table B), and Outgoing transaction / flows (table A) / outbound transfer (table B). The wording should be harmonized in order to avoid confusion;
- Table A – Sub-Category – “Prepaid Cards”: "Prepaid Card" does not refer to any definition in the AMLR. Therefore this section should clarify which products it covers (and how this section interacts with the section relating to electronic money);
- Table A – Sub-Category – “Correspondent services”:
- while there are limited references to "payable-through accounts" in the AMLR, there is no definition associated with it. A definition should be given in order for supervisors to get data that enable comparability between obliged entities (i.e. definition by the FATF: "correspondent accounts that are used directly by third parties to transact business on their own behalf");
- "Nested accounts" is neither defined nor mentioned in the AMLR. A definition should be given in order for supervisors to get data that enable comparability between obliged entities (i.e. BCBS Guidelines on Sound management of risks related to ML-FT: “Nested correspondent banking refers to the use of a bank’s correspondent relationship by a number of respondent banks through their relationships with the bank’s direct respondent bank to conduct transactions and obtain access to other financial services.”);
- Table B – Sub-category “1D: AML/CFT Compliance Function and Resources”: The term "Dedicated compliance staff" should be defined in order for supervisors to get data that enable comparability between obliged entities. Then, it should be clarified that it embraces specialists of the second line of defense (i.e. compliance function). It should also be specified whether it includes only the permanent staff, or also seconded employees, interns, etc.;
- Table B – Sub-category “2B. Customer ML/TF risk assessment and classification (CRA)”: The concept of “CRA” seems not to refer to a defined term in the AMLR (we understand that this concept is different from the business-wide risk assessment - BWRA). It should be clarified whether the CRA refers to (i) customers' related risk factors or (ii) the internal risk scoring attributed to customers by obliged entities.
3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?
Considering the timeline for the consultation, we did not have time to combine feedback received on the availability of each data point to financial institutions. We might come back at a later stage to the EBA with comments.
3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?
Very detailed data points: Given the amount of data points and the level of detail regarding several data points, and in order to establish robust processes to timely obtain the data points and deliver the requested information to competent authorities, the expectation would equate to an increase in costs in the short and medium term. Please see the following examples of (too) detailed data points:
- Lending transaction: premature repayments, outstanding asset backed loans with cash collateral, consumer loans not associated to acquisition;
- Distribution Channels: onboarding by third parties not directly subject to AML/CFT supervision; remote onboarding; number of white labelling partners by establishment country;
- Investment services: assets under custody with no business relationship with the final investors; AML/CFT regulated customers outside the EEA; orders transmitted involving unlisted financial instruments;
- Trade finance : incoming and outgoing trade finance transactions;
- Geographies: all data points in this section shall be provided “by country”, which, in our understanding, means that detailed information will be expected on a “country-by-country” basis (i.e. in relation to any country obliged entities and their activities are exposed to). Identification and management of the geographical risk generally involves a specific focus and monitoring of geographic areas of exposure associated with a higher/significant ML-FT risk. In this context, maintaining detailed mapping of said exposures in internal arrangements is relevant. By contrast, it is generally not necessary (for AML-CFT considerations) that obliged entities build such detailed breakdowns in relation to countries with lower risks. Therefore, it seems very unlikely that obliged entities will be able to provide these data points “country-by-country” (if these are not restricted to high-risk countries), and the costs and capabilities required to timely submit the data would be disproportionate to their actual gain from a risk assessment / management perspective. It follows that the EBA should limit the scope of data points in this section only to high-risk countries, i.e. countries referred to in Articles 29 et seq. of the AMLR.
During the 10 April EBA public hearing on the consultation, it was mentioned that obliged entities would only have to provide data points which are relevant to them and that not all data points were relevant for all obliged entities. In our view this adds to the legal uncertainty.
NPO sector: It would also be beneficial to have further information on the data points and why they are deemed relevant for the risk assessment. Concerning the Netherlands specifically, given the recent (public) discussions on/with the Nonprofit Sector (NPO), it would be beneficial to understand the reasoning for including this data point as part of the risk assessment, as the NPO sector is likely to challenge its relevance and because Obliged Entities will be the first to face this challenge.
Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
Excessiveness of the yearly frequency: Setting a yearly frequency for the conduct of risk assessments appears excessive, because:
- ML-FT inherent and residual risks would not vary significantly from one year to the next in the obliged entities’ ordinary course of business; and
- where an event affecting the obliged entities’ risk exposure occurs (i.e. new products/business line and broad internal reorganisation/restructuring, sanctions by competent supervisors, etc.), supervisors would be entitled to conduct an ad hoc assessment in accordance with article 5 (4) of this RTS in order to adjust the scores affected by such event.
Therefore, ad hoc reviews would suffice for relevant supervisors to ensure that specific circumstances likely to affect the risk profile of obliged entities are considered in due time, without the need of a yearly assessment.
However, we understand that both assessments (yearly and ad hoc) will consist in parallel reporting exercises, and an ad hoc assessment would not reset the deadline for the completion of yearly risk assessments (i.e. 30 September, as included in Article 5(2)). The triggering of an ad hoc assessment in addition to yearly reviews would result in excessively close reporting exercises. Given the number of data points, processing and submitting such data would necessitate material allocation of resources and time that could otherwise be dedicated to more sensitive matters and would therefore be disproportionate according to the risk-based approach.
Considering the above, we suggest that the EBA review its frequency assessment. Setting the revision to three years would enable alignment with AMLA’s direct supervision regime.
What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
Given the amount of data points, the normal frequency will be very costly. Lowering the frequency would decrease this impact and cost would be more in line with the risk-based approach of the AML legislative package.
It should be kept in mind that an obliged entity under the ‘normal frequency’ regime will face reputational risks, even if the data points on which the risk is determined do not always mean that an entity is ‘doing something wrong’, but rather that it has strong customer and international exposure.
The requirements set for reduced frequency are deemed restrictive.
Article 5(4) mentions that “Where major events or developments in the management and operations of obliged entities occur, supervisors shall conduct an ad hoc assessment and classification of the inherent and residual risk profile of the relevant obliged entities, at the latest four (4) months after the supervisor becomes aware of the occurrence of such events or developments”. To ensure predictability for obliged entities, the interpretation of the ‘major event’ notion should be narrowly defined and restricted to significant breaches of AML requirements only.
Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.
As previously mentioned, the frequency of the yearly risk assessment should be extended to three years.
Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.
A different assessment should not be applied to all third countries in general but instead the assessment of geographical risks linked with cross-border transactions should focus on those countries with higher ML/TF risks listed in the respective lists defined via delegated regulations pursuant to Art 29 to Art 31 AMLR.
We also wish to make the following remark, not directly linked to the Consultation Questions:
- Are Obliged Entities expected to perform their internal risk assessment following the same methodology? If this is the expectation, more clarity on the methodology (for instance the weighing of the data points) should be provided.
- Given that the collection of all data points laid out in the RTS will represent a significant burden for obliged entities, it is critical that the final RTS clearly states that this reporting shall replace any redundant domestic reporting having a similar purpose.
Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
As a preliminary comment for drafting this RTS, we believe that it should be clarified whether AMLA will act as the unique competent supervisor for an entire group or as the supervisor for the ultimate parent entity (with obliged entities/sub-consolidated groups still being supervised by relevant national competent authorities).
Designating AMLA as the unique supervisor of groups would be a solution to avoid multiplications and potential overlaps in supervisory measures and requests (i.e. by AMLA and competent supervisors of countries where supervised groups are established). This implies that AMLA would be the contact point of the group on supervisory matters.
AMLA would still be able to rely on national competent authorities of countries where supervised entities and groups are established for the performance of its supervisory tasks (i.e. exchanges of information, exercise of specific powers, etc.). Such cooperation will become all the more efficient when harmonization in requirements applicable to obliged entities and convergence in supervision methodologies is achieved.
Once obliged entities are selected for direct supervision, we would also advise holding preliminary discussions on organizational matters between those groups and AMLA to ensure that the exercise of direct supervision will be adapted to specificities of their national banking sectors and group structures (such as cooperative bank models).
Article 29 AMLAR already provides for language arrangements in direct supervision. Other organizational subjects may include for instance how AMLA will interact with the parent obliged entity and other entities within the group, the designation of dedicated contacts points within the group, etc.
Using number of customers and number of transactions does not reflect the complexity of the activities or susceptibility to ML/TF risks. Other benchmarks, such as thresholds (type of products offered, sectors to which products are offered, geographies involved in the activities,…) should be considered.
Please also refer to our response to question 3. We believe that an adaptation of the thresholds should be made by amending different thresholds for retail and wholesale customer segments.
Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.
Please refer to our answer under question 1.
Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.
A distinction should be made between the retail segment and corporate and institutional clients, as corporate and institutional clients bear a higher complexity with regard to the number and complexity of offered products and services, the assessment of the customer risk, source of funds, business model, requirement to identify and verify beneficial owners, transaction patterns etc.
Please refer to our answer under question 1.
Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.
Why does this RTS not simply refer to the RTS on Article 40(2) AMLD6? Does this set up not create a risk of (unintentional) differences in this assessment?
Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.
Please refer to our answer to question 4. Allowing adjustment of the inherent, or residual, risk score could introduce an element of subjectivity, which should be prevented.
Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
Clarification should be provided on the term ‘group’. In particular, we have questions on what it includes, i.e.: all entities, only the entities within the EU Member States, or only obliged entities within the group. Additionally, the link with branches should be clearly defined. A clear definition would enable a proper assessment of the proposed calculation. Regarding the calculation, please refer to our answer under question 1.
Please also see our comment on question 8. The different weight of the parent company with regards to the quality of its AML/CFT controls should be accordingly considered in the methodology for the calculation of the group-wide risk score.
Please also refer to our comment under the general comments’ section.
Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.
Please refer to our answer to question 6.
Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
The parent company defines group standards and is obliged to control and steer its group entities to ensure that the group standards are effectively implemented within the group. For this reason, the parent company’s quality of AML/CFT controls has a considerable impact on the AML/CFT controls within the group entities. Therefore the results of the assessment of the quality of AML/CFT controls in the parent company should have a higher weight for the overall group residual risk.
Reputational risks incumbent to the risk assessment and direct supervision: We wish to highlight an additional element, which is not directly linked to the Consultation Questions. It is assumed that the obliged entities subject to AMLA’s direct supervision will be publicly disclosed. From this disclosure, it could be derived that these obliged entities are deemed high risk on the susceptibility of ML/TF risks. This could impact correspondent relationships, funding (as high risk in general means a higher funding cost) and, generally, the obliged entity’s reputation. It could further lead to scrutiny by non-EU supervisors, should that (group of the) obliged entity be active outside the EU. What is the opinion of the European Banking Authority, the Anti-Money Laundering Authority, and the European Commission on this, and how can these risks be mitigated?
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
General comments
Article 32 – Entry into force: The draft RTS stipulates that the AMLR provisions on customer identification and beneficial owner shall apply for existing customers following a risk-based approach, and in any case no later than 5 years from when the new regulation applies. Given that under the new AMLR the maximum time within which the renewal of due diligence must be carried out is now five years, the provision in Article 32 should be read positively.
We would like to ask whether the 5 years are deemed to run from 10 July 2027, the date on which the Regulation enters into force, or from when the RTS will enter into force, which, being secondary legislation, can only take place at a later point in time than the Regulation, thus moving the deadline for compliance even further forward.
Furthermore, Article 32 defines a grace period of "no later than 5 years after entry into force of this Regulation". This contradicts the grace period under Article 22: "within 5 years after the application date of this Regulation." Both articles use different starting points for calculating the grace period (five years from the application date vs. from the entry into force of the Regulation). We urgently request clarification and correction of which date is actually to be applied.
In addition to the date of entry into force, we would like to ask for a clarification regarding the scope of the measures Article 32 refers to. It seems that in the most recent version of the draft RTS Article 32 refers to Article 23(1). It is unclear whether this is a reference to Article 23 of the RTS or Article 23 of the AMLR. Nevertheless, for a grace period to be effective, we would like to request urgently that Article 32 refers to Chapter III of the AMLR when it concerns the application date of the CDD measures.
We propose to rephrase Article 32 as follows:
“The requirements of Chapter III of the AMLR will become applicable for existing customers over a period of five years after the application date of the AMLR. Obliged Entities are required to apply a risk-based approach, whereby higher risk customers will become subject to the requirements of Chapter III of the AMLR first and lower risk customers can become subject later, however no later than five years after the entry into force date of the RTS.”
Additionally, the RTS should provide clarification regarding a grace period for other provisions of the AMLR, such as Article 11(6) AMLR on the obligation for the compliance functions to report on the policies, procedures and controls and Article 10 on performing a business-wide risk assessment. These reports and assessments cannot include data resulting from the AMLR requirements in 2027, due to the requirements being only applicable in that year.
Question 1
General comments on the operational costs of implementing Section 1: We wish to mention that the articles could have a strong impact on the fluidity of customer journeys - particularly digital ones - given (i) the width of information required and (ii) the strict requirements that would condition the possibility of using certain types of supporting documents (i.e. official documents and equivalents).
In addition, please note that the IT developments necessary to align internal systems with these multiple new requirements would be extensive, with a significant impact on financial and human resources (total time for completion and deployment of changes for collecting one supplementary data item or data type may sometimes amount to one year – one year and a half due to the number of customers cooperative banks have).
To further enhance the customer journey and with a risk-based approach in mind, we would deem it helpful for the European Banking Authority to define and clarify that for low-risk AML clients, the update of information may take place, where required, in an automated fashion, without necessarily contacting the client (Recital 16 and Article 22 RTS).
We consider it appropriate that, for low-risk customers, in the absence of the conditions set out in points (a), (b) and (c) of Article 22 RTS and in conjunction with recital 16, providing for a risk-based approach, the banks should be able to update/confirm the information by means of automated processes that do not involve the intervention of an operator or of the customer.
Beneficial Ownership: A second area in which the customer journey can be enhanced is a harmonized understanding of the methodology for calculating beneficial ownership. This would create more legal clarity for customers regarding whom to identify as their beneficial owner or senior management official. This also ties in with our request to harmonize beneficial owner registers in the EU and to ensure the quality of their information.
Although a mandate for guidance on beneficial ownership methodology is not explicitly set out in the articles of the AMLR, Recital 105 introduces the possibility for the Commission to issue guidelines on rules to identify beneficial owners in different scenarios, including through the use of case examples.
We would welcome such guidelines, and strongly encourage the use of case examples, including, for example, on the following topics:
- The application of Art 54, 57, and 58 AMLR (multi-layered ownership structures)
- Nominee agreements on shareholding by a nominee (clarification that nominee is not a beneficial owner – in accordance with FATF’s approach)
- Private equity funds in the legal form of limited partnerships and, in general, case examples for collective investment undertakings (Art 61 AMLR) that also clarify to which extent investment managers have the “ability to define or influence the investment policy of the collective investment undertaking” (Art 61 b) AMLR)
Recital 8: The correctness, accurateness and up-to-dateness of the data collected in the central beneficial owner registries should be ensured by appropriate measures and obliged entities should be permitted to rely on the registered data when performing their CDD obligations. E.g.: complete excerpts from the Austrian beneficial owner registry are accepted as a reliable source to verify the beneficial owners of a customer outside the high-risk segment.
Specific comments per provision: We also comment on the specific recitals and articles included under section 1 of this draft RTS (with the exception of Articles 6 and 8, which are addressed in Questions 2 and 3, respectively).
Article 1 - Information to be obtained in relation to names
Focus on retail business: The current drafting appears to be focused predominantly on retail business, which may not be fully applicable to all customer types. We recognise the challenge the EBA faces in drafting regulation applicable to all sectors. We nevertheless note the importance of the wholesale sector in Europe’s capital markets and underline the importance of tailoring requirements also to the needs and realities of wholesale entities.
Clarity of targeted population: Article 22 (1) AMLR requires obliged entities to obtain specific information to identify ‘the customer, any person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted’. Article 1 (1) of the draft RTS cites Article 22 (1) AMLR, but then sets out requirements citing only ‘the customer’, with no mention of the additional classes of persons set out in Article 22 (1) AMLR. It is unclear whether this is an oversight, or whether the EBA intends to target measures at a more limited population than that identified in the AMLR.
Therefore, we understand that:
- this paragraph supplements Article 22 (1) AMLR exclusively and with respect to data requirements to be applied to customers; and
- obliged entities may otherwise determine on a risk-based basis how they apply requirements of Article 22 (1) AMLR to persons purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted and other categories of natural persons whose identity must be identified.
This understanding seems, in our view, to be the most compliant with the risk-based approach principle as it gives more leeway for obliged entities to adapt their due diligence to the actual ML-FT risk of business relationships. Please note that this comment would also be relevant for other parts of the RTS.
Scope: We would also be grateful if the EBA could clarify:
- whether the reference in Article 1 (1) draft RTS to a more limited population (of ‘customer[s]’) than that cited in Article 22 (1) AMLR is an oversight, or a deliberate choice;
- the scope of the information to be obtained with regard to the identification of persons purporting to act on behalf of the customer, and of natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted, and
- whether the requirements set out for ‘customers’ similarly apply to the identification of:
  - natural person trustees of an express trust or persons holding an equivalent position in a similar legal arrangement, pursuant to Article 22 (1) (c) AMLR, and
  - beneficial owners pursuant to Article 22 (2) AMLR, in combination with Article 62 (1) AMLR and/or also, where appropriate, to the identification of individuals as per Article 22 (1) (c) AMLR, in combination with Articles 57 to 60 AMLR.
These questions apply mutatis mutandis to Articles 1 to 6 draft RTS.
We have understood that EBA is bound by its mandate as set out within Article 28 AMLR when drafting the present RTS. However, since Article 28 (1) (a) AMLR clearly references Article 22 AMLR, including Article 22 (1) and (2) AMLR, we assume that clarifications on the complete population of roles as outlined above should be within EBA’s mandate. The choices made regarding the obtention of information on beneficial owners must align with the technical capabilities and requirements concerning the central registers to ensure efficient and effective alignment between banks and their clients and the central registers.
Continuous numbering: The numbering jumps directly from 1 to 3, which appears inconsistent and may be an editorial oversight.
Names and abbreviations: When capturing names, the question arises of how to deal with abbreviations in identity documents, such as "George W. Bush" on a US ID. Should banks ask the customer what the abbreviation stands for, or is it sufficient to use the abbreviation since it is "at least" on the ID? Clarification on this would be helpful to ensure that the name captured is correct and in line with the requirements.
Are obliged entities required to obtain all of the customer’s full names and surnames or the names that are featured on a customer’s identity document, passport or equivalent?
For identity verification purposes (Article 22 (6) & (7) AMLR), an ID or equivalent is not always necessary. Identity may also be verified via electronic identification. In such cases, obliged entities would not per se have an ID or equivalent to check what the names on such document are.
Person purporting to act: The RTS should explicitly define ‘any person purporting to act on behalf of the customer’. It should also clarify whether this definition includes only third parties acting via proxy or power of attorney (e.g. agents), or if it is to be interpreted extensively and also encompasses the customer’s authorized signers and senior managers. A clear definition of the ‘person purporting to act on behalf of the customer’ is key to ensuring maximum harmonisation and would avoid a continuation of the present situation where Member States interpret this term differently. We also see an overlap with the new term ‘legal representative’.
In light of our members’ experience stemming from the implementation of Directive (EU) 2015/849 and Directive (EU) 2018/843, it would be sensible to limit the definition to third parties acting via proxy or power of attorney. In the context of wholesale banking, capturing individuals acting in their professional capacity belonging to the customer’s sphere (e.g., authorized signers, senior managers), in particular those employed with regulated financial institutions, has proved excessively burdensome and ineffective in combatting financial crime. Individuals acting only as authorised signatories and senior managers will not add to potential ML/TF risks and focusing attention on them is not in keeping with the risk-based approach.
We propose to limit the provision to ‘persons acting towards the Obliged Entity’. We would like to point out that Article 22 (1) AMLR states ‘persons purporting […]’, making it ambiguous whether it is limited to ‘natural persons’, or should also include ‘legal persons’.
Considering the above, we would like to suggest the following definition for ‘a person purporting to act’:
‘any natural person acting towards the obliged entity on behalf of a customer, excluding persons acting towards an obliged entity for administrative purposes and/or executing transactions under a (umbrella) agreement.’
Differentiation between obtaining and verifying: Article 22 (1) AMLR requires obliged entities to ‘obtain’ various pieces of information ‘in order to identify’ three classes of natural persons. The use of separate verbs, and the statement that the obtaining is done to make the verification possible (‘in order to’), make clear that these are separate actions, with the first undertaken to allow the second. It is possible that a particular identification document may not contain all the information set out in Article 22 (1) AMLR. In that case, the identification document should still be usable to verify the identity, and the obliged entity should not have to verify the data points that are not available in the identity document. For instance, a German passport does not contain any address. In that case, it should be sufficient to obtain the address from the individual and to verify the individual’s identity using the passport, but not to obtain a second document for the purpose of verifying the address. This is already existing practice and corresponds to a pragmatic approach. To require otherwise would be burdensome, particularly for retail clients, and would require the presentation of multiple documents with very little added value.
Data point variability – limit collection of names to those on ID documents: Article 22 (1) (a) (iv) AMLR requires obliged entities to obtain a natural person’s ‘all names and surnames’. Article 1 (1) draft RTS repeats this obligation to obtain ‘all of the customer’s [see targeted population point above] full names and surnames’, but then limits the requirement to ‘at least those names that feature on their identity document, passport or equivalent’. Naming conventions vary across cultures and around the world. Passports and identification documents also vary in the data points they provide, in accordance with the choices of the issuing authority. As such, the RTS should acknowledge this variability and require obliged entities to obtain only those names that appear on identity documents, passports, or equivalents.
We therefore suggest amending the text as follows (with our suggested deletions in red and strikethrough and our suggested additions in red and underlined):
Article 1 (1) draft RTS
‘In relation to the names and surnames of a natural person as referred to in Article 22 (1) (a) point (i) of Regulation (EU) 2024/1624, obliged entities shall obtain all of the customer's full names and surnames. Obliged entities shall identify ask the customer to provide at least the those names that feature on their the relevant person’s identity document, passport or equivalent’.
Transliteration / transcription: The names of natural persons from non-Western jurisdictions may often be written in non-Latin scripts in languages of origin. Western languages differ in how they transcribe identical non-Western names (consider the variations of Mohammed/Muhammad, the latinised Pinyin script etc.). Natural persons from non-Western backgrounds may have documents issued by more than one EU Member State in more than one language. Where non-Western origin names have been transliterated, the RTS should clarify whether obliged entities may take a risk-based decision as to the probability that the documents in question refer to the individual presenting them.
Additionally, we would like to see clarification as to whether screening in different scripts can occur, in accordance with the risk-based approach.
With regard to consistency in the use of terms – we note that Recital 3 draft RTS refers to the ‘transcription’ of names, which we interpret to be broad in scope, and that Article 29 draft RTS refers to the ‘transliteration’ of names, which we interpret to refer to the conversion of text from one script to another. If particular nuances are intended, we ask that the EBA clarifies these in the RTS.
Use of official registers / constitutional documents: For legal entities, the identification and verification process should rely on official commercial registries, or equivalents. Since commercial names are not always included in these registries, the scope of identification should be limited to data points available in official registers. A company’s constitutional documents (articles of incorporation, company constitution etc.), when drawn up in accordance with relevant law, should also be considered an adequate source to identify and verify a legal entity.
In addition, identifying legal representatives as part of the identification and verification of the identity of the legal entity has very limited risk-relevant value to ensure that a certain legal entity is actually the client.
Commercial name: Article 1 (2) and Article 18 (1) (b) draft RTS refer to ‘commercial name’. Article 29 refers to ‘trade name’. If ‘trade name’ is intended to be synonymous with ‘commercial name’, we suggest that the RTS uses one term consistently. We note that the Wolfsberg Payment Transparency Standards offer a definition of ‘trade name’ as ‘[t]he name a business uses for advertising and sales purposes that is different from its legal name. A trade name can also be referred to as a doing business as – DBA’. Level 1 texts make no use of either ‘commercial name’ or ‘trade name’.
Article 1 (2) draft RTS requires obliged entities to obtain the registered name, and where it differs, the commercial name. The commercial name may not always be available, and where it is available, may be written in varying ways.
We suggest the deletion of ‘commercial name’. Instead, the ‘registered names’, as included in the AMLR, should be kept. Alternatively, we would limit the commercial name definition to those names currently available across Member States.
Applicability of requirements by analogy: We note that according to Article 18 draft RTS, the requirement to collect the commercial name shall also apply to other organisations (‘…for a legal entity and other organisations that have legal capacity under national law…’). We assume that the requirements of Article 1 (2) draft RTS apply to these organisations by analogy. We would welcome confirmation of this assumption in the text of the final RTS.
Clarification of requirements relating to beneficial owners: We have understood that the EBA is bound by its mandate as set out within Article 28 AMLR when drafting the present RTS. However, since Article 28 (1) (a) AMLR clearly references Article 22 AMLR, including Article 22 (7) AMLR, we would assume that clarifications on the complete population of roles as outlined above should be within EBA’s mandate. As per our earlier statement (‘clarity of targeted population’), the draft RTS is unclear on what requirements (if any) are to be met regarding the names of beneficial owners. Article 22 (7) AMLR does not require obliged entities to collect copies of identity documents of the beneficial owners (a), but also allows them to take other ‘reasonable measures’, as laid down in (b).
In practice, obliged entities experience difficulties in obtaining copies of identification documents for beneficial owners. This is particularly the case in certain jurisdictions with strong privacy protections – which includes EU countries. A general obligation to obtain identification documents from all beneficial owners would go significantly beyond international market practice, is unhelpful for EU competitiveness, and is unlikely to foster effective use of scarce AML resources.
Nevertheless, it has to be noted that this is market practice in certain countries, such as in Denmark, which is deemed helpful by Danish obliged entities to apply measures on higher geographical risk factors.
Clarifications on terms: Article 1 RTS requires further substantiation and clarification regarding:
- Article 1(2) refers to 'a commercial name' (singular). Should obliged entities understand 'all commercial names'?
- National identification number: is this data point only applicable if a person has a nationality? Meaning that for certain national refugee/protection frameworks which issue national identification numbers, the identification numbers for this group would not have to be obtained.
- Is it meant that a stateless person always requires a refugee or subsidiary protection status?
- Does the ‘where applicable’ of article 22 (1)(a)(iii) AMLR refer to the plural form of nationality?
Article 2 – Information to be obtained in relation to addresses
Clarity of targeted population: We would like to ask if the information on address as prescribed in draft Article 2 is also applicable to the persons mentioned in Article 22(1) (c) and (d).
Focus on retail business: The requirement to collect full residential addresses appears to be drafted from a retail perspective. It may not be necessary or appropriate for related parties in a wholesale context, where only the country of residence might suffice. The RTS should consider this distinction and provide flexibility accordingly. In addition, in some cases clients are located in (international) rural areas which do not have such granular information as their address as outlined in article 2 RTS.
Operational costs of implementing Article 2: While some of the address components listed in this paragraph are useful for performing client due diligence and assessing the customers’ levels of risk (i.e. country and city names, postcode), the others (i.e. street name, and where available, building number and the apartment number) would only add value to risk assessments and transaction analyses in very limited situations where they would make it possible to connect one or more customers to potential criminal activity/ML-scheme involving a flagged immovable property (e.g. sexual exploitation, illicit renting practices, or illegal trust practices). In such cases, obliged entities may use the latter information in high-risk context and to substantiate investigations of unusual transactions. It follows that requiring the systematic collection of such data would involve additional IT developments without a tangible gain from an AML-CFT perspective, and their collection should be required only on a best-effort basis, where available.
Person purporting to act: The AMLR and draft RTS require the collection of the personal place of residence for natural persons purporting to act on behalf of the customer. Please refer to our comments under Article 1 for a suggested definition of a ‘person purporting to act’.
Concerning the place of residence for UBOs / SMOs, we have understood that the EBA is bound by its mandate as set out within Article 28 AMLR when drafting the present RTS. However, since Article 28 (1) (a) AMLR clearly references Article 22 AMLR, including Article 22 (7) AMLR, we would assume that clarifications on the complete population of roles as outlined above should be within EBA’s mandate.
Article 2 going beyond the AMLR concerning the place of residence for UBOs / SMOs: The specifications in the RTS are more prescriptive than the level 1 text, which only requires (Article 22 (1) (a) point (iv) AMLR) obliged entities to obtain ‘the usual place of residence or, if there is no fixed residential address with legitimate residence in the Union, the postal address at which the natural person can be reached and, where available the tax identification number’. The collection of the personal address of ultimate beneficial owners (UBOs) and senior managing officials (SMOs) is unlikely to advance the fight against money laundering and financial crime. More concerningly, full residential information for UBOs and SMOs are sensitive data points for corporate customers, in particular in jurisdictions with heightened kidnap risk (such as Mexico). The sharing of certain details regarding the place of residence – particularly the street name – would increase the personal risk (e.g., kidnap risk, risk of other violence against the person) faced by certain UBOs and SMOs to an unacceptable level, in particular in high-risk jurisdictions. In these cases, these individuals may prefer that their firms decline to enter into a business relationship, rather than provide the details requested. This would be an undesirable outcome in light of making a distinction based on personal data; in addition, it would not be an efficient outcome and would make the EU less competitive against other major financial markets which do not request this level of personal data. For screening purposes it should be sufficient to obtain the country of residence and – only to the extent where available when taking reasonable measures – the name of the city. Further investigations could be restricted to hits (i.e., the results of searches) where further data are required to assess the hit.
Suggested amendment: As a general principle, address information should be sufficient to identify clearly the location of the party/parties for sanctions screening and AML/CTF monitoring. We note that the AMLR requires obliged entities to obtain the ‘place’ of residence. This is not as specific as the draft RTS currently – and does not include ‘city’ in all circumstances. In situations where the provision of ‘city’ could pose security risks to the individuals concerned, or in jurisdictions of such a size as to render the inclusion of ‘city’ irrelevant (small island states such as Bermuda, or microstates such as Monaco, where the jurisdiction itself is simply one single settlement) then ‘city’ should not be required. Obliged entities should retain the ability to judge what is required to ascertain the ‘place’ of residence, in keeping with the risk-based approach.
We hope the EBA accepts the rationale set out here. If however the preceding point is not accepted, we then suggest amending Article 2 draft RTS at least to read as follows:
The information on the address as referred to in Article 22(1) (a) point (iv) and 22(1) (b) point (ii) of Regulation (EU) 2024/1624 shall consist of the following information: the full country name or the abbreviation in accordance with the International Standard for country codes (ISO 3166) (alpha-2 or alpha-3), city, and where available other aspects of the address in accordance with the resident country conventions such as postal code, city, street name, and where available building number, building name and the apartment number.
Article 3 – Specification on the provision of the place of birth
Regarding the 'country name', do the same requirements as set out in Article 2 apply?
Clarity of targeted population: Article 22 (1) AMLR requires the address information to be obtained for the customer, any person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted. These groups are envisaged as being natural persons, legal entities, trustees of an express trust or equivalent, or other organisations that have legal capacity under national law. Article 22 (2) refers to obligations relating to beneficial owners as set out in Article 62 (1) AMLR.
The draft RTS however only makes reference to the AMLR’s categories of natural persons and legal entities. We would appreciate it if the RTS clarified whether the obligations set out here are intended also to apply to trustees of an express trust or equivalent, other organisations that have legal capacity under national law, and beneficial owners.
Variability in identification documents: Passports and identification documents vary in the data points they provide. The RTS should provide flexibility around specific data points such as place, city, and country of birth. This flexibility is important to address sanctions and screening risks without creating an additional burden for collecting data points that may not be present on certain countries' documents.
City of birth and country of birth: We would argue that, of the ‘city of birth’ and the ‘country of birth’, one of these pieces of information should be considered sufficient, with ‘country of birth’ to be preferred among the two.
The specifications in the draft RTS are more prescriptive than the AMLR which only requires ‘place’ of birth. The co-legislators did not specify the extent to which the ‘place’ should be defined – and did not suggest the level of precision implied by ‘city’.
Given that some passports and identity documents may not provide such detail, we suggest that the RTS require:
- the collection of city of birth only where available on the ID document, noting that there is no requirement to collect ID documents for UBOs, or
- obtain city of birth to support financial crime risk management outcomes such as to discount screening hits, or
- whatever is standard in the relevant country (e.g., US passports contain State rather than city).
Any of these approaches would ensure that the requirement is practical and reasonable.
Notwithstanding the suggestions above, if the choice is made to require city as well as country name to be identified for a natural person customer, there should nevertheless be alleviated requirements for UBOs and SMOs. To require such data from these classes of customers would be disproportionate, intrusive, and would go beyond requirements set by the co-legislators.
Change of name of cities / states which cease to exist: The names of cities and states occasionally change – and so do international borders between them. Most obliged entities could recognise that a reference in a document to ‘Leningrad, Soviet Union’ should be regarded as referring to the same place later known as ‘Saint Petersburg, Russian Federation’. The journey of ‘Chemnitz’ to ‘Karl-Marx-Stadt’ and back to ‘Chemnitz’ may however be less well known beyond the borders of the state in question, and some situations – particularly where border changes are disputed – may be emotive.
The RTS should recognise that the names of cities and states (and in the case of the latter, their ongoing existence) may evolve over time, and obliged entities may use open-source information to verify such changes and take risk-based decisions on the location information presented to them. Additionally, the RTS should clarify that obliged entities may rely on naming conventions provided on official documents submitted to them for the purpose of identification and verification of customers and related parties.
Article 4 - Specification on nationalities
Clarity of targeted population: Article 22 (1) AMLR refers to the ‘customer, any person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted’. Article 4 draft RTS cites Article 22 (1) (a) point (iii) AMLR, but then refers only to ‘customers’. We would like to see a clarification on whether Article 4 is intended to apply to the other classes of persons cited by Article 22 (1) AMLR, and to beneficial owners.
Operational difficulties and costs: Article 4 relates to the collection of information about a customer's nationalities. Obliged entities shall obtain the necessary information to satisfy themselves that they know of any other nationalities their customers may hold. This provision, although in line with Article 22, which mentions ‘nationalities’ (plural) among the data to be collected concerning the client, poses operational problems. The provision indeed does not specify (a) how they might obtain the information (for example, by questioning the customer where other information collected pursuant to the AMLR and this RTS would suggest that there might be other nationalities) and (b) whether they must verify it. There is no central record to verify nationalities which may or may not be held by an individual. As such, obliged entities must rely on declarations made by the individual.
Requiring obliged entities to perform supplementary diligences to ascertain the actual nationality(ies) of their client on a systematic basis would imply a significant operational burden that is difficult to measure at this stage (because it will be highly difficult for obliged entities to prove and record that they conduct sufficient diligences to ascertain a negative fact, i.e. that their clients do not have a nationality other than the one provided in the first instance). Moreover, such verification would not bring any gain for client risk management in every situation, but only in a high risk context (e.g. products, services with potential high ML-FT risk in relation to their cross-border nature such as trade finance).
Self-disclosure: It might be conceivable to use self-disclosure similar to FATCA/CRS to encourage customers to disclose their other nationalities. Would this be sufficient? In many countries, there are no registers that provide comprehensive information on multiple nationalities, or banks do not have access to them (including Germany). This presents a practical problem for banks in applying Article 4, as they do not have direct access to a reliable data source (see also comments on Article 9 RTS).
We would suggest rewording the provision to clarify that obliged entities can be satisfied with self-disclosed information from the client (i.e. without having to verify this information subsequently) and the collection on a best effort basis, except in situations where there is no high risk or a ML-FT suspicion. We would suggest the RTS to confirm that sourcing nationality information from the relevant individual, and verifying that information with one data source provided by the individual, should be deemed sufficient to fulfil the requirement unless – in accordance with the risk-based approach – the obliged entity has reasons to doubt the completeness or correctness of information provided by the individual.
Satisfaction: We would like to see clarifications on the definition of 'satisfy' and what is deemed sufficient. For instance, is asking the customer sufficient to be ‘satisfied’?
Country of birth and city of birth: We also question whether defining ‘place of birth’ as containing both ‘city of birth’ and ‘country of birth’ is necessary for identification and risk mitigation (including (sanction) screening) purposes. We further question whether this requirement can be efficiently and effectively fulfilled. Finally, we do not believe that the related verification requirement can be fulfilled as the city of birth is not always included in formal ID documents.
Article 5 - Documents for the verification of the identity
Clarity of targeted population: Article 22 (6) AMLR refers to the customer and any person purporting to act on their behalf. Article 22 (7) AMLR refers to the beneficial owner and, where relevant, the persons on whose behalf or for the benefit of whom a transaction or activity is being carried out. Article 5 (1) draft RTS refers to ‘the person’ and ‘natural persons’. Article 5 (2) draft RTS refers to ‘the customer’. Article 5 (3) draft RTS refers to ‘the person pursuant to Article 22(6)(a) and Article 22(7)(a) [AMLR]’. Article 5 (5) draft RTS refers to ‘the person referred to in Article 22(6) [AMLR]’.
In particular, we would suggest the RTS to clarify whether:
- the reference to ‘the customer’ in paragraph 2 is intended to cover all other natural person roles covered by Article 22 (6) and (7) AMLR
- the reference to ‘the person’ in paragraph 3 is intended to cover both natural and legal persons, and therefore encompasses all legal persons pursuant to Article 22 (1) (a), (b) and (c) AMLR
- the reference to ‘the person referred to in Article 22(6) [AMLR]’ in paragraph 5 includes the various relevant roles a natural person may have, which may include that of a beneficial owner or a natural person on whose behalf a transaction or activity is conducted, due to the reference in Article 22 (7) AMLR to Article 22 (6) AMLR.
Differentiation between existing and new clients: We think that it should be clarified that Article 5 should be used only for new clients, as opposed to all clients (including existing clients).
Criteria for identification documents across Member States: We also wish to highlight that some of the listed conditions are not present in certain documents that legislation considers valid for identification purposes in some Member States, particularly the nationality criterion and the holder’s date and/or place of birth. In Italy for example, a driver’s licence or a birth certificate for a minor is accepted as an identity document. In Denmark, the driver’s licence is also accepted as a means of verification of the identification of the natural person. Likewise, obliged entities accept ‘sundhedskort’ (public health insurance card), ‘birth certificate’ and other documents (without the individual’s picture on the document) as means of verification of the identification for minors and adults.
We would suggest having a clear reference that what is included in the official ID documentation is deemed sufficient, and that otherwise, clients’ disclosure should suffice.
We recommend that longstanding use of these documents be permitted to continue – and so we would opt for the deletion of the reference to ‘and their nationality’ in Article 5 (1) (b), and the reference to ‘it contains a machine-readable zone’ in Article 5 (1) (e). The requirements set out in Article 5 (1) draft RTS are very prescriptive and would significantly limit the verification possibilities available to obliged entities to verify the identity of natural persons.
The current drafting would not serve the objectives of mitigating the risk of financial exclusion and unintended derisking.
This paragraph should rather provide that obliged entities shall assess the equivalence of official documents provided by customers to identity documents following a risk-based approach and taking into account the aspects listed under indents a. to g. (i.e. without making all of them mandatory).
Biometric data: The requirement for a document to contain ‘biometric data’ is problematic. It is unclear whether all identity documents from jurisdictions outside of the EU would or should contain this data – and in the absence of a central registry, it is equally unclear how obliged entities would be expected to verify this. Obliged entities do not have the computer hardware to read biometric data stored in microchips embedded within identification documents – and if such were available, the legal basis which would permit such reading is unclear. We recognise the qualification provided by the EBA via the inclusion of ‘where available’, but suggest nevertheless that (g) be deleted.
Legitimate reasons: In exceptional cases, for legitimate reasons, less comprehensive documents can be considered equivalent to identity documents if they contain basic information such as names, date of birth, and a facial image of the document holder and if they are issued by a state or a public authority.
The EBA consultation document and recital (7) of this RTS give an indication of what ‘legitimate reasons’ are for not producing a compliant ID document: originating from a particular country that would not have equivalent standards in terms of ID documents; or official identity documents issued by EU Member States to asylum seekers to confirm their status and their right to reside in that EU Member State.
As regards other types of documents, the requirements to be met appear to be too strict, exceeding the current guidance for potential risk situations (e.g. Opinion EBA-Op-2016-07 on the application of CDDs to asylum seekers) and industry practices. Situations “where the customer cannot provide a document that meets the requirements in paragraph 1”, by their nature, require that lowered/degraded standards are applied and left to obliged entities to determine based on the ML-FT risk, with the necessary flexibility (current practices may include for instance the collection of documents such as the family record book for children, and IDs past their period of validity for elderly people or protected adults).
We would appreciate if the EBA could provide other examples of ‘legitimate reasons’ as well as a definition of this term.
Inappropriate narrowing of scope through ‘legitimate reason’: We consider the use of ‘legitimate reason’ in Article 5 (2) draft RTS to inappropriately narrow the scope of when an obliged entity may accept a document issued by a state or public authority. Under the current draft, an obliged entity may only accept an alternative document under paragraph 2 if the customer is unable to provide one meeting the criteria in paragraph 1 for a ‘legitimate reason’. Notwithstanding the lack of clarity as to what would constitute a ‘legitimate reason’, as noted above, a document which has been issued by a state or public authority and which is sufficient for the purposes of the state – establishing civil status, gaining employment, paying taxes, participating in legal proceedings, receiving state payments, starting a business and so on – should be sufficient for the purposes of the private sector. It is not appropriate to hold the private sector to a higher standard than the public sector. If a public authority has issued a valid identity document – whether or not a ‘legitimate reason’ is present – that should be sufficient and acceptable for the private sector.
We also would like to ask for clarification of the scope of the provision which states that ‘a state or public authority’ may provide a document that is equivalent to an identity document or passport. Is this intended to refer only to national level entities, or are sub-national authorities also in scope?
Paragraphs 3-5 on document forgery and translation: Obliged entities must take appropriate measures to ensure that all documents submitted for identity verification are authentic, have not been forged or tampered with. What are the minimum requirements for "reasonable steps" to ensure the authenticity of the documents received?
If original documents are in a foreign language, obliged entities must understand the content, even if necessary through a certified translation. Under what specific circumstances should banks be required to obtain certified translations when original documents are in a foreign language? Are there specific criteria or situations that should be deemed "necessary" for certified translation?
Does this Article mean that obliged entities should collect multiple documents, to cover verification of all data points? Is there an overview of which documents (if any) fulfil all these requirements?
Concerning the third, fourth, and fifth paragraphs of this draft Article (on document forgery and translation) we would argue that the provision exclusively relates to the prevention of document fraud, which exceeds the subject matter of both the AMLR and of the RTS. Additionally, there is no known source of expertise or central register to verify every possible document issued by every possible global public authority. In the absence of such, we kindly request that the EBA clarifies what would constitute obliged entities taking ‘reasonable steps’, as used in this context. Therefore it should be removed.
Potential recourse to certified translation – ability to understand / translate in-house: We understand Article 5 (4) draft RTS to require a certified translation of an identity document only in those situations ‘when deemed necessary’ by the obliged entity – i.e., it should only be required if the mandatory content of the information in Article 5 cannot be understood through other measures (e.g. internal translation by the obliged entity). We would like the RTS to confirm that obliged entities can rely on other (including internal) measures.
Acceptability of simple copy vs. certified copy: Article 5 (5) states that obliged entities must see an original identity document, passport or equivalent, or a certified copy thereof, or must verify in accordance with Article 6. The reference to ‘certified copy’ is not included in Article 22 (6) AMLR. It is unclear if obliged entities can accept simple copies if verified through other sources, in keeping with the risk-based approach, or if only certified copies are deemed acceptable for verification of identity. We would suggest that the EBA clarify whether simple copies can be used for this purpose.
Acceptability of certified copy provided by client vs. received from notary / qualified lawyer: If a certified copy is required, it is unclear whether obliged entities may accept (in a non-face-to-face context) a certified copy directly from the relevant person, or if the certified copy must be received directly from the relevant notary / qualified lawyer. We would suggest clarification from the EBA, and suggest that – in the absence of any other risk indicators – the former is pragmatic, resource-efficient, and sensible. In this context, we also want to bring to the EBA’s attention that it is common practice, especially in the UK and the US, that certified copies are often produced by company secretaries, i.e. not necessarily a qualified lawyer or notary. We would welcome a clarification that these copies too, in line with current practice, are deemed certified. If not, this could potentially result in a significant competitive disadvantage for entities operating in the EU.
Article 7 – Reliable and independent sources of information
Risk-based approach: This article offers flexibility to obliged entities as to the determination of sources that they would deem as reliable and independent following their own assessment, which is compliant with the risk-based approach. It is not clear how an obliged entity is to assess reputation, official status or independence, or how an entity could document this to provide evidence of appropriate completion to a supervisory authority. We consider that obliged entities should decide for themselves what measures they take. We therefore suggest deleting this requirement from the Article, and placing greater emphasis on simply ‘risk-sensitive measures’ to make clear that obliged entities are expected to use their judgment, in accordance with the risk-based approach.
Definition of ‘up-to-date’: Article 7 draft RTS requires obliged entities to assess the extent to which information is ‘up-to-date’. There is no consistent practice across EU Member States regarding the acceptable age or ‘up-to-datedness’ of legal entity data and supporting documentation used for KYC reviews. This includes both the duration of the acceptable age and the starting point for determining ‘up-to-datedness’. We would suggest the RTS to clarify the duration for which relevant documents are to be considered recent or ‘up-to-date’.
Assessment of potential risk of forging: Obliged entities will in practice usually not have sufficient information from KYC data providers or adverse media providers to assess ‘the ease with which the identity information or data provided can be forged’. In the absence of such information, it is unclear how obliged entities could perform such assessments. We therefore suggest that the RTS set out how obliged entities should perform such an assessment, or simply, that the requirement be removed.
Article 9 - Reasonable measures for the verification of the beneficial owner
Focus on retail business: The reference to ‘utility bills’ as an example of ‘third-party sources’ in the context of identifying the beneficial owner in Article 9 draft RTS is unhelpful in the context of wholesale business. Given the nature of wholesale business and of the customers of wholesale banks, it is not credible to expect wholesale banks to obtain utility bills (or similar items) from UBOs (or SMOs). We recognise the challenges the EBA faces in seeking to draft regulation applicable to all sectors. Regulation must nevertheless be realistic, fit for purpose, and appropriate for the sectors regulated. To require the collection of sources of such intimacy or detail goes beyond the requirements set by the co-legislators. As such, we believe that the RTS should simply require ‘reasonable measures’, in line with Article 9 draft RTS.
Accessibility of BO registers and sources: Article 9 describes the "reasonable measures" for verifying the beneficial owner as required in Article 22 (7) (b) AMLR. Article 22 (7) (b) AMLR implies that when using the "reasonable measures" defined in Article 9, obtaining an identity document from BOs/SMOs can be waived. Is this understanding correct? Furthermore, in the context of Article 9 of the RTS, it is unclear to what extent the mentioned information sources are suitable for verifying the beneficial owner, especially in countries where certain registers do not exist or banks cannot access them (e.g., Germany).
Overall, this article raises concerns regarding the actual availability and practicability of both possible sets of measures in every EU Member State:
- as regards the consultation of public registers: please note that, depending on the Member State, obliged entities may have limited access to national registers (or even to none of them). Therefore, it would be advisable that the RTS include an express statement encouraging public authorities to give obliged entities access to the relevant registers and to reconsider a reasonable balance between the AML-CFT and other fundamental objectives in this respect; and
- as regards the use of other sources: examples of information and supporting documents on the beneficial owner mentioned in this article do not actually relate to current practices (e.g. utility bills). In addition, this paragraph should clarify arrangements and partnership types that would enable an obliged entity to receive up-to-date information and confirmations relating to beneficial owners from financial institutions, as this is quite unclear (where relevant, precise references to information-sharing mechanisms provided for in the AMLR shall be included, e.g. reliance).
Additionally, it should be clarified that the measures described in Article 9 are not intended to be exhaustive.
Given the amount of data points, none of the listed reasonable measures will contain all data points. Please revise and describe sources which do contain all mandatory data points.
In many countries (including Germany), sources such as the registration register, tax register, and passport database do not provide suitable instruments for verifying the beneficial owner, as there is often no direct access for obliged entities. What procedures or alternative sources are considered reliable specifically for these markets to confirm the identity of the beneficial owner?
Is it correct to assume that we can refrain from verifying the beneficial owner if this has already been carried out by another EU credit or financial institution? Are no further verification requirements necessary in this case to ensure that the identification and verification by the other institution are considered sufficient and trustworthy? Additionally, why is this limited to ‘credit or financial institutions’?
Regarding the obligation to assess beneficial owners and check the central registers, how should this be interpreted for those customers who do not need to register their beneficial owners in a central register, for instance listed companies? This is especially important for the requirement to have an extract from the central register on file before on-boarding the customer.
Certification by independent professionals: Certification of identity by an independent professional should only be required for documents originating in certain high-risk jurisdictions. For other risk classes, such certification should only be necessary in case of reasonable doubts about the authenticity of the document deriving from indications that the document could have been forged.
We note this point following our reading of Recital 5 draft RTS, which could be interpreted as a rule-based requirement for all risk segments to collect either official copies of statutory or constitutive documents from the applicable public register, or unofficial copies certified by an independent professional or a public authority.
Such an approach would be excessively burdensome and would have a negative impact on the competitiveness of EU financial institutions, due to the additional cost and burden of certifications on the side of the customer.
We therefore suggest that the requirement to provide certified copies be restricted to:
• situations where reasonable doubt about the authenticity of the document exists deriving from indications that the document could have been forged (irrespective of the customer risk), and
• in cases of EDD, but only if the document had been set up or signed by one of the parties in a high-risk country as listed under Regulation 2016/1675.
We suggest amending the RTS to make clear that if an obliged entity has direct access to a public register, information taken from that register shall be deemed as an official copy coming from the applicable register.
Clarification of legal base for information sharing: We note the statement in Article 9 draft RTS that ‘reasonable measures’ may include
‘…up-to-date information from credit or financial institutions as defined in Article 3(1) and (2) of Regulation (EU) 2024/1624, which confirm that the beneficial owner has been identified and verified by the respective institution’.
We welcome the possibility for credit and financial institutions to be able to share beneficial owner KYC information to avoid unnecessary duplication. We understand that Article 22 (7) (b) AMLR and Article 9 draft RTS provide a clear basis for such data sharing. It would be helpful if the RTS could confirm this understanding.
Article 10 - Understanding the ownership and control structure of the customer
Excessive assessment of the control structure: It seems disproportionate in cases of lower risk and where no complex structure is involved to:
- collect all information from (b); and
- for (c), check whether legal entities in an intermediate level would be listed (if the information is not given by the client).
The information to be collected in order to understand the ownership or control structure of customers that comprise more than one layer is excessive, since these multi-layered structures do not always involve a higher risk per se, i.e. if there is neither indication of complexity nor suspicion of an attempt to conceal the ultimate beneficial owner(s). In addition, a significant proportion of customer legal entities would be captured in certain business lines (e.g. corporate finance, wholesale market, etc.). Therefore, if no flexibility is allowed, this would result in a significant allocation of resources (considering the time that would need to be dedicated to collecting the information) that would otherwise be more useful if dedicated to riskier situations identified by obliged entities on a risk-based basis.
Especially for wholesale clients, many of whom are well-known listed or regulated entities, the detailed approach to assessing ownership and control structures set out in the draft RTS is likely to create significant administrative and operational burdens. The requirement as currently drafted may lead to missing genuine risks if the focus is on exhaustive ownership structure analysis, rather than on undertaking a more proportionate, targeted and risk-based assessment.
Article 20 (1) (b) AMLR sets the taking of ‘reasonable measures’ as the starting point for the obliged entity to satisfy itself that it understands the ownership and control structure of the customer. The approach set out in the RTS goes however significantly beyond the AMLR text and introduces the requirement to obtain specific information, which may not in all cases be required or appropriate for understanding the customer’s ownership structure.
The RTS should consider the wholesale customer base and provide flexibility regarding the situations when assessment of all ownership layers is to be required. The level of such assessment should vary according to the customer type, sector, and potential status as a regulated or listed entity as well as the customer risk.
It follows from the above that this article should clarify that obliged entities may determine which information elements they should collect among the list set out in this article (and additional elements where necessary) depending on the actual risk and complexity of business relationships.
The information elements listed in Article 10(1) would indeed be relevant where obliged entities identify that a structure may be complex; therefore, the requirement to collect all of them should be moved under Article 11, which addresses CDDs as regards complex structures.
Obliged entities must obtain and analyse the information specified in Article 10 in situations where the ownership and control structure of the customer includes more than one legal entity or legal arrangement.
We also have the following questions:
- Is the comprehensive analysis of the ownership and control structure according to Article 10 RTS only required in cases where a "complex" ownership structure according to Article 10 RTS exists, and does this imply that it is not necessary for "simple" ownership and control structures (especially subpoints b and c)?
Article 10 of the RTS requires obliged entities to assess the economic logic behind complex ownership structures to understand the risks of money laundering and terrorist financing. How can KYC processors reliably analyse the economic logic of a complex ownership structure when they typically do not have specialized knowledge in the field of taxes and corporate finance? Guidelines and assistance are needed to make this process more practical and effective for KYC teams.
Under the AMLR, obliged entities are not required to assess the information as referred to under Article 62(1)(d) AMLR. This requirement therefore entails a substantial expansion of the requirements related to UBOs.
Specifically concerning paragraph 2, pursuant to Article 62(1)(d) AMLR referred to in this article, the information to be included when the ownership and control structure contains more than one legal entity or legal arrangement is: a description of that structure, including the name and, where available, the identification numbers of the different legal entities or arrangements that are part of that structure, as well as a description of the relationships between them, including the stocks held.
Clarification of ‘a reference’: Article 10 (1) (a) draft RTS requires obliged entities to obtain ‘a reference to all the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their beneficial owners…’. It is not clear what is meant by ‘a reference’ in this context. The term is not used elsewhere in the draft RTS. If it is intended that obliged entities shall collect the names of the legal entities and/or legal arrangements cited, we suggest that the word ‘name’ be used.
Scope of identifying intermediary layers: Article 10 (1) (a) draft RTS requires obliged entities to reference all the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their beneficial owners, if any. We consider this to be excessive and not in line with the risk-based approach.
We suggest instead that the focus should be on intermediary layers and that the identification of intermediaries should apply to higher risk customers, thus reducing the administrative burden for lower risk scenarios.
Nominee shareholder guidance: The existence of nominee shareholders is not always apparent. The RTS should clarify whether firms are expected to proactively inquire about potential nominee arrangements.
Information on the regulated market: In cases where a legal entity in an intermediate level of the ownership and control structure has its securities listed on a regulated market, Article 10 (1) (c) draft RTS requires obliged entities to obtain information on the regulated market on which the securities are listed.
It is not clear what risk management outcome the EBA is looking to achieve by requiring obliged entities to gather this information. Noting that the relief for listed entities has been removed from the regime, we do not understand the risk mitigation that is expected to be derived by obtaining this information.
For most customers, such a requirement then would not add benefit commensurate to the cost imposed. We suggest that information on the regulated market should only be required if the fact that a customer is listed on such a regulated market is used as the basis for assessing the customer as low risk.
Regulated market exemption: The absence of a regulated market exemption in the article, despite its mention in intermediary layers analysis, raises questions about whether there is an implied level of comfort for entities listed on a regulated market. We suggest that re-introducing a regulated market exemption is likely to reduce unnecessary burdens and would be in keeping with the risk-based approach.
Beneficial ownership reporting: It is not clear from the draft RTS what is to be considered in beneficial ownership reporting. It would be helpful for the RTS to provide clarification of acceptable information that an obliged entity can obtain to satisfy this requirement.
Plausibility assessment: Article 10 (2) draft RTS requires obliged entities to assess whether the information included in the description is ‘plausible’.
In any clarification of how the ‘plausibility’ of such information should be assessed (which may be provided by the final text of the RTS, or in future guidance), we believe that obliged entities should retain the ability to apply a risk-based approach and not be forced to follow a rules-based alternative. It would be an error to imagine that the extent of all such situations which may arise can be anticipated, and appropriate rules written, ex ante. It would be better to permit obliged entities to tailor their assessment to the facts of the situation at hand, in accordance with the risk-based approach.
Obligation to assess the economic rationale behind the structure: Article 10 (2) draft RTS requires obliged entities to assess the economic rationale behind the structure presented by a customer. We do not consider it appropriate – or feasible – to require obliged entities to perform such an assessment. We also note the wording in Article 20 (1) (b) AMLR which requires simply ‘understanding’ the ownership and control structure. Assessing the economic rationale and performing a plausibility check (see above) go significantly beyond having an understanding of the control structure.
There are many reasons a customer (or other legal entity) may choose to structure itself as it does. The choice of structure will often arise from internal information known only to the customer (or other legal entity) itself. It should not be expected for obliged entities to understand – or even to infer – the economic rationale behind the structure, as such an understanding (or inference) would require knowledge of internal information of the customer (such as tax implications or political and market considerations relevant to particular jurisdictions) which the customer is not obliged and would not expect to disclose.
We recommend that the obligation should be changed to require obliged entities to assess whether a structure might have been set up only in order to avoid or reduce the transparency of beneficial ownership with no other likely or possible legitimate justification. As with the plausibility assessment, this would be triggered by the facts of the situation and in accordance with the risk-based approach.
Little differentiation between requirements of Articles 10 and 11: Article 10 draft RTS sets requirements to build understanding of the ownership and control structure of the customer in standard cases. Article 11 sets requirements to build understanding in complex cases. The sole additional provision for higher risk entities as set out in Article 11 (2) draft RTS is that an organigram must be obtained. The level of information which obliged entities must obtain for standard and complex cases is therefore essentially the same at both levels. This is not in keeping with the risk-based approach, and suggests the requirements set out in Article 10 for standard cases are excessive.
Based on all the arguments outlined above, we suggest that the text of this Article be redrafted to focus on understanding the ownership and control structure of customers, particularly in complex and higher-risk situations:
For the purposes of understanding the ownership and control structure of the customer in accordance with Article 20(1) (b) of Regulation (EU) 2024/1624, where the customer's structure appears unusually or excessively complex given the nature of the customer’s business, and may pose a higher risk of ML/TF and in situations where the customer’s ownership and control structure contains more than one legal entity or legal arrangement, obliged entities shall obtain the following information:
a. a reference to all the names of the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their beneficial owners, if any;
b. with respect to each legal entity or legal arrangement within the referred intermediary connections, the legal form of each legal entity or legal arrangement, and reference to the existence of any nominee shareholders; the jurisdiction of incorporation or registration of the legal person or legal arrangement, or, in the case of a trust, the jurisdiction of its governing law and; where applicable, the shares of interest held by each legal entity or legal arrangement, its sub-division, by class or type of shares and/or voting rights expressed as a percentage of the respective total, where beneficial ownership is determined on the basis of control, understanding how this is expressed and exercised.
c. information on the regulated market on which the securities are listed, in case a legal entity in an intermediate level of the ownership and control structure has its securities listed on a regulated market, and the extent of the listing if not all the legal entity’s securities are listed on a regulated market’.
If the suggested deletion of (c) set out above is not accepted, then we suggest at least reducing the scope of the requirement to the ultimate parent, as follows:
c. information on the regulated market on which the securities of the ultimate parent are listed, in case the ultimate parent a legal entity in an intermediate level of the ownership and control structure has its securities listed on a regulated market, and the extent of the listing if not all the ultimate parent legal entity’s securities are listed on a regulated market’.
2. Where warranted by the facts of the situation at hand, obliged entities shall assess whether the information included in the description, as referred to in Article 62(1)d of Regulation (EU) 2024/1624, is plausible, there is economic rationale behind the structure, and it explains how the overall structure affects the ML/TF risk associated with the customer whether a structure might have been set up only in order to avoid or reduce the transparency of beneficial ownership, with no other likely or possible legitimate justification apparent.
Article 11 - Understanding the ownership and control structure of the customer in case of complex structures
Overly broad definition of ‘complex structure’ – request for industry to determine complexity: If obliged entities must treat ownership or control structures comprising more than two layers between the customer and the beneficial owner as one of the conditions defining the complexity of a structure, such a qualification is likely to catch structures that might not be so complex. We would also like confirmation that the two layers do not include the customer entity.
In a wholesale context, it is possible that many ownership structures could be classified as ‘complex’ under the criteria as set out, noting that multinational companies and large financial entities typically have multiple layers of ownership. To classify all such structures as ‘complex’ would not be aligned with the risk-based approach and would require the obtaining of detailed and potentially certified ownership structure charts – a significant administrative burden – for almost all clients, for little benefit.
It follows that this article, instead of requiring obliged entities to treat structures which match one of the criteria of points (a) to (d) as complex structures, should state that such criteria constitute indications to be considered by obliged entities when assessing the complexity of multi-layered structures on a case-by-case basis. We would also like to adopt a risk-based interpretation of this article (e.g. taking activities in low-risk jurisdictions and/or transparency of the ownership into account).
Therefore, we would suggest the assessment criteria to be removed and the responsibility placed upon obliged entities to determine the complexity of the structures they encounter. This would allow obliged entities to apply specialist knowledge and experience to identify (and allocate resources to) cases which involve genuinely higher risk structures. This would be in keeping with the risk-based approach and allow most efficient use of scarce resources, the better to advance the fight against financial crime.
If this request is not accepted, we would suggest the definition of ‘complex structure’ to be tailored to genuinely higher risk scenarios, rather than applying (as in the present draft) broadly to large institutions. We make drafting suggestions below to this end. This approach would allow better use of scarce resources and ensure that the focus is on genuinely complex and high-risk structures.
A distinction should be made: the involvement of layers does not automatically imply a complex structure. A structure involving multiple layers can still be considered ‘simple’ if it features a direct and transparent control chain between the customer and the beneficial owner. The complex structure requirements should be applied respecting a risk-based approach. This is particularly relevant in the context of competitiveness and simplification, where European banks must adhere to EU requirements, while other banks are not subject to the same time and financial burdens for compliance.
Further, we do not consider the condition set out in Article 11 (1) (a) – that of having a ‘legal arrangement’ in any of the layers – to be an appropriate signifier of complexity. Legal arrangements are common in ownership structures – particularly in wholesale contexts. We therefore suggest amending this condition to take account of the reality of wholesale business, or simply removing it.
This article should clarify the information to be included in the organigram, and if it will need to contain further elements to those referred to in Article 10(1) of this RTS (based on our experience, organigrams obtained for assessing the risk of clients would usually contain limited information on the structure type, the entities involved with indication of the type and percentage of ownership).
In addition, since the organigram should reflect information obtained pursuant to article 10(1) above - which is already quite extensive - it would be advisable to move this information requirement to Article 11.
Organigrams: Regarding paragraph 3, expectations vis-à-vis obliged entities should be realistic. In that sense, obliged entities would not be able to ensure that an organigram provided by a customer includes the accurate full picture of the control structure with extra information, i.e. other than those already collected pursuant to article 10(1). Indeed, in order to justify to supervisors that the organigram is accurate, obliged entities would need to document verifications about any information referred to under said article (that is required under this article). We kindly request that the RTS clarifies how obliged entities may ensure that an organigram provides a comprehensive understanding of the ownership and control structure, including effective assessment and validation measures. Allowing banks to draft organisational charts based on client-provided information, with client attestation, or on reliable public information, could address the practical challenges of obtaining organisational charts directly from clients. This approach would streamline the process while ensuring accuracy and would be in keeping with the risk-based approach. Examples of risk sensitive measures in the frame of this article would be welcome.
Below we propose to amend entirely Article 11. This would require obliged entities to define, within their specific context, the criteria for what constitutes a complex ownership and control structure.
To understand the complexity level of the ownership and control structure of the customer in accordance with Article 20(1)(b) of Regulation (EU) 2024/1624, obliged entities shall develop specific internal procedures to specify the criteria that make ownership and control structures complex for the business relationships for which the obliged entity provides products and services.
These procedures shall provide internal arrangement dealing with:
1. the number of layers between the customer and the beneficial owner that are an indicator of complex ownership structure and
2. indications of non-transparent ownership with no legitimate economic rationale or justification and
3. the presence of nominee shareholders and / or directors that are involved in the structure.
If this proposal is not accepted, we suggest to reconsider the number of layers that are regarded as a factor for complex ownership and control structure. Only multiple layers (of at least three or more layers) in combination with other clear indicators for complex ownership should be deemed as complex ownership and control structure.
Article 12 - Information on senior managing officials
Clear definition of SMOs and their powers: This is particularly important for application in a wholesale environment, where roles and responsibilities vary greatly across the sector. We note that in the public hearing the EBA held on 10 April 2025, there was a suggestion that SMOs could be defined in accordance with Article 63 AMLR. This would suggest that ‘senior managing officials’ would include executive members of the management body, as well as the natural persons who exercise executive functions within a legal entity and are responsible and accountable to the management body for the day-to-day management of the entity. Such an interpretation would capture in some instances a very large number of natural persons and would be very burdensome for obliged entities to implement (especially noting that these individuals change more frequently than legal representatives and CEOs). This would not be in keeping with the risk-based approach or the proportionality principle and would not further efforts to prevent and detect financial crime. On the contrary – by requiring the use of scarce resources for largely unnecessary and unhelpful work, it would likely reduce the efficacy of wider financial crime risk mitigation efforts. A more focused interpretation should be preferred, in accordance with the risk-based approach.
Distinction between senior managing officials and beneficial owners: Article 12 of the RTS requires obliged entities to collect and verify information for Senior Managing Officials to the same extent as for real beneficial owners. Indeed, Article 12 states that in relation to senior managing officials as referred to in Article 22 (2) second paragraph AMLR obliged entities shall:
“a. collect the same information as for beneficial owners; and
b. verify the identity of senior managing officials in the same way as for beneficial owners.”
Therefore, the identity of senior managing officials shall be verified in the same way as for beneficial owners without, however, providing a clear definition of that role given that Article 22 (2) AMLR states that “for the purposes of identifying the beneficial owner of a legal entity or of a legal arrangement, obliged entities shall collect the information referred to in Article 62(1), second subparagraph, point (a). Where the performance of identity verification referred to in the second subparagraph may tip off the customer that the obliged entity has doubts regarding the beneficial ownership of the legal entity, the obliged entity shall abstain from verifying the senior managing officials’ identity, and shall instead record the steps taken to ascertain the identity of the beneficial owners and senior managing officials”. On such a basis it may be necessary to verify the identity of several persons, and thus a clear definition of senior managing officials is deemed appropriate.
Requiring the same information for these two types of customers entails significant additional effort for financial institutions. The roles and responsibilities of SMOs differ significantly from those of natural person beneficial owners. SMOs manage the legal entity, but do not personally own or control it. Article 12 draft RTS does not however recognise this distinction. Given the disparity in roles, responsibilities, benefits and degree of control, we consider the alignment of identification and verification requirements to be disproportionate. It would result in a huge operational burden and a lack of legal certainty. It is also unclear what specific benefits or risk mitigations in the area of money laundering and terrorist financing are expected from these additional requirements. Therefore, we kindly suggest a reassessment of the necessity of this requirement to ensure that the associated effort for obliged entities is justified and actually serves risk mitigation. The data elements to be collected for SMOs should be tailored to the extent that they may exercise control over the entity.
Privacy regulations: Additionally, this extended scope of senior managing officials raises questions in relation to the General Data Protection Regulation (GDPR). We do not consider that obliged entities should be required to collect an identification document for SMOs – noting that SMOs would in many cases be unwilling to provide such personal data, and the risk of tipping off the customer to the existence of concerns that such a request would entail.
We consider that the registered address of the legal entity should be deemed as the residential address of its SMOs, where such addresses are to be recorded. We also note the potential personal risk that provision of such information could pose for the SMO (e.g., kidnap risk – please see our earlier remarks relating to Article 2 draft RTS noting this point for both UBOs and SMOs).
Finally, please refer to our comments in Article 9 for the verification of identity of beneficial owners.
Article 13 – Identification and verification of beneficiaries of trusts and similar legal entities or arrangements
Clarification on scope of AMLR in relation to trusts: It is unclear whether the AMLR refers to trusts as direct customers or trusts in the ownership structure. We therefore suggest that the RTS clarifies the scope of the AMLR in relation to trusts. In our view, the focus should be on trusts as direct customers, as applying requirements to ownership structures would be significant and challenging to implement.
Limited applicability of beneficiary information: We suggest amending Article 13 (1) RTS to clarify that Article 22 (4) AMLR requires the collection of sufficient information to establish the identity of beneficiaries only when they are designated by particular characteristics or class, and not in all circumstances. This limits the applicability to specific cases and is in keeping with the risk-based approach.
Source of beneficiary descriptions: We suggest to remove the wording ‘from the trustee, the legal entity or the legal arrangement…’ from Article 13 (1) draft RTS to avoid implying that descriptions of the class of beneficiaries must be obtained directly from these sources. In some instances, the descriptions might be sourced from trust corporate documents.
Documentation for Article 13 (1) (b): Article 13 (1) (b) draft RTS cites ‘…relevant documents to enable the obliged entity to establish that the description is correct and up-to-date’. It is unclear what documents would satisfy Article 13 (1) (b). While an updated trust deed may contain beneficiary information, it may not always be available. In most instances, obliged entities would rely on trustees to attest that the documentation is correct and up-to-date. The RTS should allow obliged entities to complete verification using reasonable measures. This would permit obliged entities to tailor their verification processes to the facts of the situation at hand, the better to ensure appropriate verification is undertaken without pre-judging how best any particular description received may be verified.
Definition of ‘up-to-date’: In line with our comments on other Articles, we believe that the RTS should specify how obliged entities are to judge what is to be regarded as ‘up-to-date’. Article 13 draft RTS requires obliged entities to assess the extent to which a description of the class of beneficiaries and its characteristics is ‘up-to-date’. There is no consistent practice across EU Member States regarding the acceptable age or ‘up-to-datedness’ of information provided and supporting documentation used for KYC reviews. This includes both the duration of the acceptable age and the starting point for determining ‘up-to-datedness’. We suggest that the RTS clarifies the duration for which the description provided and relevant documents are to be considered recent or ‘up-to-date’.
Measures to be taken for updates: Article 13 (2) draft RTS requires obliged entities to ‘take risk-sensitive measures to ensure that the trustee, the legal entity or the legal arrangement provide timely updates’. The RTS could provide examples of what would constitute such ‘risk-sensitive measures’ in order to ensure shared understanding between industry and supervisory authorities of how this requirement may be fulfilled.
Treatment of private foundations: Private foundations are customary legal forms used notably in Austria, Germany, Liechtenstein and Switzerland. We ask that the RTS clarifies if such foundations are intended to be treated as ‘trusts’ for the purpose of this Article.
Article 14 – Identification and verification of beneficiaries of discretionary trusts
Please refer to our comments under Article 13.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
Article 6 - Verification of the customer in a non-face-to-face context
In its proposed drafting, Article 6 RTS requires obliged entities to use limited ID verification measures such as an eIDAS compliant electronic identification means or trust services (and enable the implementation of alternative measures only in case of unavailability of those solutions for reasons not attributable to the obliged entities). This is excessive and contrary to the risk-based approach, as the recitals of the text do not provide any justification for restricting financial institutions' discretion to such an extent. The text may result in the impossibility to implement measures that have proved effective in verifying customer identity and hence are widely applied (e.g. provider of remote identification solution applying similar specifications to eIDAS requirements, first transfer to or from an account opened in the customer's name).
The RTS should avoid any suggestion that limits the scope of the options set out by the co-legislators. We therefore ask to amend the final RTS text to make clear that both options set out in Article 22 (6) AMLR are available. We suggest drafting such as:
Article 6 (1) draft RTS
‘To comply with the requirements of Article 22(6) of Regulation (EU) 2024/1624 in a non-face to face context, obliged entities shall apply specific and additional measures to compensate the potentially higher risk that this type of customer relationship presents, or may use electronic identification means which meet the requirements of Regulation (EU) No 910/2014 with regard to the assurance levels ‘substantial’ or ‘high’, or relevant qualified trust services as set out in that Regulation’.
To our understanding, the AMLR and the draft RTS require obliged entities solely to verify the natural persons’ identity, which could be done with a passport or an e-IDAS solution. We would like the EBA to confirm that these means of verification will suffice for the future customer due diligence requirements. Based on our reading of Article 22 (6), we understand the passport verification and the e-IDAS verification as equally secure means of verification of the identity of a natural person. Furthermore, Article 22(6) allows the use of any electronic identification means that meet the requirements of the eIDAS Regulation. This enables the use of electronic identification means certified under domestic regimes of EU Member States as reliable solutions equivalent to eIDAS-compliant identification means, as they generally follow similar technical specifications laid down at national level that align with those set out in the eIDAS Regulation.
Clarity of targeted population: Article 22 (6) AMLR refers to ‘the customer and of any person purporting to act on their behalf’. Article 6 (3) draft RTS refers only to ‘the customer’.
If the scope of Article 6 (3) draft RTS is intended to match that of Article 22 (6) AMLR, or indeed is intended to cover additional roles that a natural person may have (including, notably, that of beneficial owner), we suggest amending the text to make this clear.
Possible focus on retail banking: The draft Article appears to have been written with predominantly retail banking scenarios in mind. We suggest that when finalising the Article – and others noted elsewhere in our response – the characteristics and practices of wholesale banking scenarios be considered.
Definition of ‘non face-to-face’: There is a need for clarity on what constitutes a non-face-to-face interaction. Historically, interpretations have varied – particularly in the wholesale context. For example, meeting a customer representative at a site visit may be considered ‘face-to-face’, even if the ultimate beneficial owner is not met. Clear definitions are crucial, especially if some competent authorities may consider wholesale interactions non face-to-face. We therefore suggest the RTS to clarify what constitutes ‘face-to-face’ – with a particular focus on the wholesale context.
Paragraph 2: From a risk-based perspective (even in a non-face-to-face context), it appears excessive for the second paragraph to permit the implementation of alternative measures to an eIDAS qualified electronic identification means or trust service only where the use of such means is “not available on the market, or cannot reasonably be expected to be provided” (namely for a reason external to the obliged entity: non-EU residents, vulnerable customers, as specified in the EBA consultation document, p.42).
Refusal by customers in the EU to provide / to be subject to an electronic identification means (whatever the reason might be) is a situation which seems not to be considered in the EBA consultation document or in this RTS for enabling obliged entities to apply alternative measures. However, please note that many reasons may explain that natural persons refuse to give their consent to the use of electronic identification means that may not be related to an attempt to conceal their identity (e.g. reluctance to biometric captures, sensitivity to privacy issues, poor access to ICT means, etc.).
This inappropriately limits the use of non-eIDAS solutions, placing them in a second order of preference, to be used only in certain circumstances. This is unhelpful and unwelcome. eIDAS solutions are not yet widely available. When they are rolled out, it remains to be seen whether they will be accepted by the public. Video identification is however already widely used, is understood and accepted by the public, and is already built into banks’ systems and controls.
Therefore, the RTS should clarify (at least in recitals) that the refusal of clients to the use of an electronic identification means may also be a case where such solution “cannot reasonably be expected to be provided”. Otherwise, customers would be excluded from remote access to financial services without sufficiently robust justification from an AML and fraud prevention perspective and with a potential conflict with other EU regulation and fundamental rights (i.e. GDPR).
Going further, we would argue that the article should also enable obliged entities to use solutions / applications operated by service providers specialised in remote verification of ID and subject to robust security and anti-fraud requirements under domestic rules. By way of example, the French Cybersecurity Agency (ANSSI) delivers a certification as “Service providers for remote verification of identity” (Prestataires de verification d’identité à distance – PVID) to service providers and solutions which enable the verification of the identity of natural persons willing to access public and private services online without possessing their own digital identity (i.e. either an eIDAS certified electronic identification means or digital identity delivered by a state). Under such regime, remote verification services provided by PVIDs are subject to strict technical specifications and shall present an assurance level “substantial” or “high”. As a result, they are considered to offer a similar level of reliability and safety as a verification in a face-to-face context. We therefore believe that such remote solutions should not be considered only as a temporary measure but should be accepted as valid alternatives to eIDAS-compliant means (and in all cases their use should not be limited to situations only where eIDAS solutions are unavailable or cannot reasonably be provided) where they meet equivalent assurance and security standards.
Besides, please note that financial institutions may have recourse to other types or combinations of verification measures that have proved efficient and safe, with no increased vulnerability of the internal CDD framework demonstrated so far. For instance, many digital banks use online subscription journeys that combine several measures such as the collection of a copy of an ID document, an e-signature and/or the initiation of a first payment sent to or received from an account opened in the name of the client within the books of another obliged entity within the EU or a third country applying similar standards (as regards this latter measure, banks use additional fraud risk mitigation tools to ensure that that account has not been obtained by fraud: restriction on the means of payment which may be used to perform the payment, i.e. exclusion of card-based payments; blacklists of payment service providers within the EU flagged for poor client due diligence procedures following public measures or sanctions by a supervisor).
Article 6 of the RTS also poses a challenge for financial institutions to find reliable methods for identifying customers from non-EU countries. According to Article 48 (1) read in conjunction with Article 20 AMLR, customer identification must not be carried out by third parties, which is particularly challenging for individuals from non-EU/EEA countries due to the lack of technical solutions for video identification. The eIDAS Regulation is limited to the EU and EEA regions, so electronic identification means are only intended for documents from these regions. Currently, there are no comparable solutions for countries outside these regions. Banks must therefore develop innovative and secure remote identification methods themselves to continue conducting remote identifications in third countries in the future.
Consent requirement: After setting out possibilities for verifying the customer’s identity in paragraphs 1 and 2, Article 6 (3) draft RTS requires obliged entities to obtain the customer’s explicit consent – but only with regard to the solutions set out in paragraph 2. The RTS should specify what type of consent should be recorded (privacy-type or data protection-type consent), and clarify why consent is required in relation to the solutions set out in paragraph 2 but not those set out in paragraph 1.
Clarity on ‘commensurate’ solutions: The RTS allows:
• the use of electronic identification means, which meet the requirements of Regulation (EU) No 910/2014 with regard to the assurance levels ‘substantial’ or ‘high’,
• relevant qualified trust services as set out in that Regulation,
• remote solutions that meet the conditions set out in paragraphs 3-6 of Article 6 draft RTS. In this possibility, solutions are required to be ‘commensurate to the size, nature and complexity of the obliged entity’s business and its exposure to ML/TF risks’.
The RTS should clarify what ‘commensurate to the size, nature, and complexity of the obliged entity’s business and its exposure to ML/TF risks’ means in this context.
Proposal to replace ‘commensurate’ with ‘proportionate’: The FATF recently consulted and finalised a review to replace use of the word ‘commensurate’ with ‘proportionate’ in FATF Recommendation 1. It explained its change as follows:
Replacement of the term ‘commensurate’ with ‘proportionate’, defined as a measure or action that appropriately corresponds to the level of identified risk and effectively mitigates the risks, throughout the Recommendations in order to provide clarity on how the concept should be applied in the context of a risk-based approach and align the FATF’s language more closely with that of financial inclusion stakeholders and frameworks.
We recommend that the draft RTS uses FATF language to better ensure shared understanding and global consistency between standards setters.
Verification of security features embedded in official documents: Article 6 (5) draft RTS requires obliged entities to verify the security features (such as holograms) embedded in the official document to verify their authenticity. Security features vary significantly depending on the jurisdiction producing the document. Although we recognise the mention as illustrative, ‘holograms’ are not a feature that is generally used in the identification and verification of legal persons. It is also not clear how an obliged entity would verify the authenticity of a hologram (or similar) on a document. Where obliged entities accept ‘reproductions’ of original documents, the draft RTS requires them to take ‘steps’ to ascertain that the reproduction is reliable. We do not consider that obliged entities are likely to be in a position where they are able to validate the integrity and authenticity of reproductions of documents. In most instances, the process of adding reliable and independent sources to internal procedures should be sufficient. Where documents are obtained directly from the customer, it is not realistic or reasonable to ask obliged entities to accept the burden of checking the authenticity of documents – especially given the rise of the capabilities of artificial intelligence. We therefore suggest to remove this provision from the RTS. Should this request not be accepted, we would suggest the RTS to provide criteria to define what we assume must be reasonable ‘steps’ to ensure the authenticity and integrity of reproductions of documents. This will help ensure consistent and effective implementation across different business contexts.
Use of terminology – ‘customers that are not natural persons’: We also note the reference to ‘customers that are not natural persons’. This is not a term that is used elsewhere in the draft RTS, or in the broader AML package. If this is intended to refer to legal entities, or other organisations that have legal capacity, we suggest that it may be more appropriate to use such terms.
Definition of ‘up-to-date’: Article 6 draft RTS (and other subsequent Articles) requires obliged entities to assess the extent to which information is ‘up-to-date’. There is no consistent practice across EU Member States regarding the acceptable age or ‘up-to-datedness’ of legal entity data and supporting documentation used for KYC reviews. This includes both the duration of the acceptable age and the starting point for determining ‘up-to-datedness’. The RTS should clarify the duration for which relevant documents are to be considered recent or ‘up-to-date’.
- The title of Article 6, and Article 6 (2) draft RTS, refer to ‘the customer’. In Article 6 (3), reference is made first to ‘a customer’, and subsequently to ‘the person to be identified’. We recommend that terminology be used consistently and precisely to avoid possible confusion.
On another note, this first paragraph should also clarify:
˗ under which conditions obliged entities may otherwise verify customers’ ID by means of a “trusted service provider” (e.g. electronic signatures and seals, electronic attestation of attributes, etc.); and
˗ how customers and obliged entities will be able to leverage the upcoming EU Digital Identity Wallet (introduced by Regulation (EU) 2024/1183 - eIDAS 2) for ID verification purposes. Our understanding is that EU Digital Identity Wallets will be considered as compliant with electronic identification means, so it would be advisable to include an express reference to it in the RTS (either in recitals or directly in this article 6).
We also wish to highlight that Article 6, paragraph 1 on remote onboarding is ambiguously worded and does not seem consistent with the recent EBA Guidelines on remote onboarding solutions. The first paragraph states that in order to comply with the requirements of Article 22 (6) of Regulation (EU) 2024/1624 in a non-face-to-face context, obliged entities shall use electronic identification means, which meet the requirements of Regulation (EU) No 910/2014 with regard to the assurance levels ‘substantial’ or ‘high’, or relevant qualified trust services as set out in that Regulation. Paragraph 2 provides that only in cases where the solution described in paragraph 1 is not available, or cannot reasonably be expected to be provided, obliged entities shall acquire the customer’s identity document (or equivalent) using remote solutions that meet the conditions set out in paragraphs 3-6 of this article. Such solutions shall be commensurate to the size, nature and complexity of the obliged entity’s business and its exposure to ML/TF risks. We would argue that the use of other remote onboarding tools, given last year's EBA Guidelines, should be a settled fact and not subject to residual cases.
It follows from the above that requiring the use of an eIDAS compliant electronic identification in a non-face-to-face (online) context and restricting to a large extent other (non-electronic) means would not be justified from a risk-based perspective, considering that other measures exist with a similar guarantee in terms of reliability and safety.
Concerning the fourth paragraph, not all of the safeguards listed would be relevant to every type of verification measure commonly used in a non-face-to-face context (e.g. certain specifications would fit chats or video capture mechanisms but be irrelevant for other measures, including e-signature or the initiation of a first payment). Therefore, this paragraph should specify alternative solutions that should include the listed safeguards “where relevant”.
On the fifth paragraph, and as stated above, it is possible to secure the ID verification of customers being natural persons with the collection of a copy of an identity document if such measure is combined with one or more other verification measures. Therefore, this paragraph should also apply to customers who are natural persons.
We also understand that the purpose of this paragraph is to detect alterations which may affect copies of ID documents between their issuance and the time they are collected. In this respect, expectations from obliged entities regarding the control of security features must be realistic, in line with their actual technical capabilities (for this article to be technologically neutral).
Notwithstanding all the points previously raised with regard to Article 6 on customer verification in a non-face-to-face context, we would also like to emphasise that eIDAS verification means can, on a voluntary basis, be used in face-to-face onboarding as well.
Question 3: Do you have any comments regarding Article 8 on virtual IBANs? If so, please explain your reasoning.
Article 8 – Identification and verification of the identity of the natural or legal persons using a virtual IBAN
As a preliminary comment, we would like to specify that the use case addressed in this article would not be relevant in certain Member States, such as France (as we are not aware of any services where a PSP operating a payment account would be distinct from the PSP/entity issuing a vIBAN that would redirect funds to that payment account).
Clarity on obligations and language: The current language of the draft RTS is unclear and does not specify with certainty the actions an obliged entity must take to fulfil its obligations. The language of the AMLR text appears to provide clearer statements as to obligations. We suggest revising the language of the RTS to ensure that the actions expected of obliged entities are explicitly stated and easily understood in terms of the role a credit or financial institution undertakes in a transfer.
Identification and verification for virtual IBANs: We kindly request that the RTS specifies the extent to which a credit or financial institution issuing the IBAN is required to identify and verify the identity of natural or legal persons using the virtual IBAN. This should include clarification on whether the issuer of the virtual IBAN must obtain identification and verification information from their customer about the underlying users of the virtual IBAN. If this is the intention, it could impact the viability of virtual IBANs as a product in the EU.
Clarification of Roles: The RTS references three types of roles for credit or financial institutions in relation to virtual IBANs:
• a credit or financial institution issuing a virtual IBAN
• a credit or financial institution servicing the account
• a credit or financial institution (different than the issuer of the virtual IBAN) that provides the virtual IBAN to a natural or legal person for their use.
The AMLR however references only two roles:
• a credit or financial institution issuing a virtual IBAN
• a credit or financial institution servicing the bank or payment account to which a virtual IBAN issued by another institution redirects payments.
We suggest that the RTS define what constitutes a credit or financial institution servicing the bank or payment account for virtual IBAN accounts.
We also note the apparent introduction of the third class of institution by the draft RTS, and believe that the RTS should clarify the definition of roles related to virtual IBANs.
In our reading, the draft RTS puts the onus on an institution that provides a virtual IBAN to a person to provide information to identify and verify the identity of that person to the issuing institution – but given such a class of institution is seemingly a creation of the draft RTS, it would be helpful for this to be explained further.
Use of the term ‘provides’: The draft RTS uses the term ‘provides’ to refer to the passing of information between the various roles set out in Article 8. We believe that the EBA should clarify if in practice this means requesting and/or providing information via one of the existing payment rails or payment infrastructure, or similar means.
Inconsistency between text of AMLR and draft RTS – potential inability to extend scope: The AMLR text differs from the draft RTS. Indeed, Article 22 (3) sub-paragraph 2 reads as follows:
The credit institution or financial institution servicing the bank or payment account to which a virtual IBAN issued by another credit institution or financial institution redirects payments, shall ensure that it can obtain from the institution issuing the virtual IBAN the information identifying and verifying the identity of the natural person using that virtual IBAN without delay and in any case within 5 working days of it requesting that information.
Article 8 of the draft RTS reads as follows:
Where a credit or financial institution, other than the issuer of the virtual IBAN and other than the credit or financial institution servicing the account, provides a natural or legal person a virtual IBAN for their use, it shall provide to the issuer of the virtual IBAN the information for identifying and verifying the identity of that natural or legal person using the virtual IBAN within a time period that enables the credit institution and financial institution servicing the bank or payment account to fulfil its obligation under Article 22(3) second subparagraph of Regulation (EU) 2024/1624.
We flag here the difference in scope between the AMLR reference to ‘the natural person using that virtual IBAN’ and the draft RTS reference to ‘that natural or legal person using the virtual IBAN’. In general, we would expect such a requirement to apply to natural or legal persons – but it is not clear that a level 2 measure may extend the scope of a measure previously set out in level 1.
Responsibility placed upon the institution servicing the account: Article 22 (3) AMLR requires a credit or financial institution servicing the account to which a virtual IBAN issued by another credit or financial institution redirects payments to ensure that it can obtain from the credit or financial institution issuing the virtual IBAN the information identifying and verifying the identity of the natural person using that virtual IBAN within five working days.
It is not clear that a servicing credit or financial institution will know that a given IBAN is a virtual IBAN. It is also not clear how the servicing credit or financial institution can ensure that it will receive the information, since the completion of the action relies on prompt action of an external party.
We would suggest that the RTS clarify how a servicing institution may differentiate between virtual and non-virtual IBANs, and explain how the servicing institution may fulfil the responsibility set out by Article 22 (3) AMLR in the absence of control over the actions of the issuing institution.
Responsibility of virtual IBAN intermediaries: The draft RTS could place more responsibility on virtual IBAN intermediaries for identification and verification processes. We suggest that the draft RTS state that the virtual IBAN issuer can rely on the identification and verification checks conducted by an intermediary without additional outsourcing governance, such as spot checks, when the data is provided. This responsibility could also be extended to non-EU regulated entities to ensure a more efficient process and better use of resources.
RTS requirements to align with changes to FATF Recommendation 16: As per our understanding, the ‘provision’ of required information as per this Article in the RTS will be via a payment rail or external payments infrastructure. The Financial Action Task Force (FATF) is currently processing feedback received to its consultation on changes to Recommendation 16 on Wire Transfers, which concerns payment transparency. The FATF consultation focused on ensuring that the account number or payment message data which are transmitted as part of a transaction can identify the financial institution and the country where the funds are held. FATF is expected to publish its considerations on the feedback received in June 2025 – which will coincide with the EBA considering feedback received to this consultation.
We kindly ask that to the extent possible, the EBA looks to align the final requirements of Article 8 with final changes to Recommendation 16 expected to be published by FATF in June 2025. Global alignment is helpful in ensuring effective compliance and reinforces the benefit of FATF’s work to set standards at the global level.
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 15 – Identification of the purpose and intended nature of the business relationship or the occasional transactions
The article could allow obliged entities to have a better understanding of business relationships, but it should be read within the limits of banking secrecy. Clarifications regarding the notion of ‘group’ within this article would also be appreciated.
Article 15 seems to limit the use of a risk-based approach, for example, in the context of identifying the source of funds. When the text states “obtain, where necessary, [information]…”, this is interpreted to mean that a risk-based assessment should be used to determine whether the information or measure is required. In contrast, when it says “take risk-sensitive measures,” it suggests that the measure must be taken, but the manner in which it is implemented can be adapted according to the risk level.
Suggestion to follow AMLR’s risk-based approach; requirement to first assess appropriateness / necessity: Article 20 (1) (c) AMLR requires obliged entities to obtain information on and understand the purpose and intended nature of the business relationship or the occasional transactions ‘as appropriate’. Article 25 AMLR similarly requires obliged entities to obtain information ‘where necessary’. In both Articles, it is clear that the co-legislators did not intend obliged entities to take the actions set out in all instances. Rather, obliged entities are required to apply their judgement and take action in certain circumstances, in accordance with a risk-based approach.
The drafting of Article 15 draft RTS does not sufficiently reflect the risk-based approach evident in the AMLR. We recognise that the text makes reference to ‘risk-sensitive measures’. It is not however clear in the text of the draft RTS that obliged entities should first assess whether the measures need to be applied at all. The RTS should be amended to reflect the co-legislators’ risk-based approach. In particular, the text should clarify that obliged entities should first assess whether the specific situation warrants the application of any of the listed measures, and if so, that a proportionate and risk-based approach should be applied, with obliged entities exercising judgment in determining which topics or points to seek information on – and to what extent – and which may be reasonably excluded from further inquiry. Where the purpose and intended nature of the relationship or transaction is self-evident from the products and services themselves, there should be no requirement to collect any further information.
Request for definition of ‘occasional transaction’: The RTS should provide a definition of ‘occasional transaction’. We note that Directive 2015/849, Article 11 (b) states:
(b) when carrying out an occasional transaction that:
(i) amounts to EUR 15 000 or more, whether that transaction is carried out in a single operation or in several operations which appear to be linked; or
(ii) constitutes a transfer of funds, as defined in point (9) of Article 3 of Regulation (EU) 2015/847 of the European Parliament and of the Council, exceeding EUR 1 000;
An updated definition would assist obliged entities in understanding their requirements. We note that the thresholds in the definition previously provided by Directive 2015/849 are very low for wholesale banking contexts and should be amended to take account of the reality of wholesale banking transactions.
Clarity regarding ‘risk-sensitive measures’: Article 15 draft RTS requires obliged entities to ‘…take risk-sensitive measures…’. The RTS should provide examples of what would constitute such ‘risk-sensitive measures’ in order to ensure shared understanding between industry and supervisory authorities of how this requirement may be fulfilled.
Requirement to determine why the customer has chosen the obliged entities’ products and services: In many cases, there may be no specific reason for a customer choosing a certain service provider. Where a reason is present, it may be known only to the customer, who may not be able (or may not wish) to provide it. For example, a customer may choose a bank because of branding, a particular advertisement, the available offers on the market, or simple physical convenience due to proximity to a branch of the institution. We understand the RTS to be in line with the risk-based approach set out in the AMLR and assume that further determination of why the customer has chosen the obliged entities' products or services is not required in such cases.
Requirement to assess relationship with the ‘wider group’: The requirement in Article 15 (1) (c) draft RTS to assess whether the customer has additional relationships with the ‘wider group’ is excessively broad. It would be particularly unrealistic in certain sectors of banking, where high-volume business is usual. In cases where the obliged entity is a subsidiary of a third country entity, obtaining this information may conflict with local data sharing and banking secrecy provisions (e.g., Switzerland). For obliged entities based in the EU, there may be significant issues regarding data sharing with third country jurisdictions which do not adhere to similar data protection standards and data deletion requirements (e.g., China). To fulfil such a requirement would be a significant burden for industry and would send a strongly negative signal for EU competitiveness. We therefore suggest redrafting Article 15 (1) (c).
Requirement to assess source of wealth: The requirement set out in Article 15 (1) (d) draft RTS to obtain information relating to the source of wealth goes beyond the scope of Article 20 (1) (c) AMLR, which is explicitly cited as setting the scope of Article 15. Assessment of the source of wealth is only required for EDD and is not to be required for the purposes of Article 20 (1) (c) AMLR. We therefore ask for Article 15 (d) draft RTS to be clarified, to read:
where the ML/TF risk is higher to justify that EDD is necessary, to determine the source of wealth.
Article 16 - Understanding the purpose and intended nature of the business relationship or the occasional transactions
Please clarify whether the 'activity that generated the funds' is limited to the activities of the customer or should be interpreted more broadly.
The RTS clarifies that the information required under Article 25 of the EU AML Regulation to determine the purpose and intended nature of a business relationship or occasional transaction can be obtained through risk-based measures. In addition, it is specified which information must be obtained in order to meet the requirements of Article 25, points (a) to (e). However, in addition to this specification of the information to be obtained, it remains unclear which measures are considered suitable on a risk-based basis and can be taken. Some of the information to be obtained can only be obtained by asking the customer. In our understanding, public sources do not represent a realistic option here.
The requirements of Article 16 draft RTS are not in line with the risk-based approach of the AMLR. Article 25 AMLR sets out measures that obliged entities shall take ‘where necessary’. Notwithstanding the use of ‘risk-sensitive measures’ in the opening paragraph, the requirements set out in Article 16 draft RTS are excessive, overly detailed, and unrealistic for high-volume business. This is particularly so in banking, e.g. the ‘anticipated number of transactions’, which is in general not known by the customer. We suggest that the text be amended to make clear that obliged entities should apply their judgement to form a view on whether any particular measure is necessary in a given situation, and if so, should then assess the extent of information required to obtain an appropriate level of assurance. This would be proportionate and in line with the risk-based approach chosen by the co-legislators.
Clarification or further specification would be desirable here, as to what is meant by risk-based measures and to what extent these can be graded. Does the risk-based approach apply exclusively to the procurement measures (type of procurement) or possibly also to the scope of the measures? Article 25 (1) AML Regulation (second sentence) states that the obliged entity shall obtain the information referred to only “where necessary”. It is not clear in which cases this is considered necessary and when it may be omitted or reduced in scope.
The heading of the article is not clear about how obliged entities may adapt their CDD measures on a risk-based basis, since it is unclear whether they:
˗ may choose the category(ies) of information that they will collect among the categories listed in points a) to e) on a case-by-case basis, depending on the actual characteristics of the business relationships; or
˗ will have to collect information pertaining to all information categories listed in points a) to e) in all cases, with the means to obtain such information left to them to determine.
Information pertaining to the categories under points a) to c) is generally collected for any business relationship, as it provides a useful indication of the actual risk of a customer. However, with regard to the categories under points d) and e), the information requested seems to go further than current practices and is collected in situations of high risk.
Additionally, some of this information does not fit well with occasional transactions, such as the way in which the customer wants to use a product or service or the volume of funds flowing through the bank account. We would suggest reviewing this list or applying it only to business relationships and not also to occasional transactions.
Clarity on terms used: When speaking of transactions that are likely to be executed during the business relationship, Article 16 (b) draft RTS cites ‘the category of funds that such transactions relate to’.
When speaking of the destination of funds, Article 16 (d) draft RTS cites the ‘intermediaries used’.
We suggest that the RTS provide further clarification of the intended meaning of these terms in these contexts.
Clarity regarding ‘key stakeholders’ and other information in Article 16 (e): Article 16 (e) draft RTS requires obliged entities to obtain information on the business activity or occupation of the customer, which shall include information on the industry, operations, products and services, regulated status, key stakeholders, geographical presence, revenue streams, and (where applicable) employment status.
This information is not straightforward to obtain (even for the customers themselves) and would not significantly impact the customer’s risk profile (e.g., in the case of an employed natural person). Several of the data fields listed also apply only to certain categories of customers. We therefore consider that to require obliged entities to seek to obtain such information would lead to cost without benefit.
We therefore suggest significantly reducing the scope of the information to be obtained, with obliged entities required instead to apply judgment on what information is appropriate to obtain, in accordance with the risk-based approach.
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 17 – Identification of Politically Exposed Persons
The article clarifies that it is not mandatory to detect a customer's Politically Exposed Person status as soon as it happens: obliged entities set up a screening system with a frequency depending on the risk, outside the circumstances listed in the article (significant evolution of the KYC elements, new status brought to the bank's attention - by the press?). The group of persons “the person on whose behalf or for whose benefit a transaction or activity is carried out” is yet to be determined and defined.
Please clarify that the EDD measures related to PEPs only need to be applied when there is a business relationship with a PEP, a PEP’s close associate or a PEP’s family member. Therefore, the measures would not apply when a UBO is a PEP, a PEP’s close associate or a PEP’s family member, as required under the current EBA Risk Factor Guidelines. More generally, could the EBA indicate if (and if yes, when) the EBA Risk Factor Guidelines will be reviewed?
Clarity regarding SMOs: As per our earlier comments, we suggest clarification on the treatment of SMOs when no beneficial owner can be identified. The exposure of beneficial owners to politics and political decision-making may entail a heightened risk of financial crime. But SMOs – who do not own assets, control resources, or offer or stand to benefit from political influence to the same extent as beneficial owners – do not pose equivalent risks. Applying the same measures to individuals who pose a lower risk as those who present a higher risk would be an inefficient use of resources and would divert attention away from the most significant sources of risk. Notwithstanding considerations relating to proportionality, following the text of the AMLR, we understand that SMOs are not beneficial owners. This understanding is reinforced by Recital 9 of the RTS, which states ‘[w]hile SMOs are not beneficial owners…’. Article 20 (1) (g) AMLR only makes reference to the beneficial owner. This is in contrast to Article 22 (2) AMLR, which explicitly makes reference to SMOs. Therefore, we understand that SMOs are not subject to PEP screening. We would want the RTS to confirm this understanding.
Clarity regarding ‘manual check’: Article 17 (2) draft RTS requires obliged entities to put in place automated screening tools and measures, or a combination of automated tools and manual checks. We suggest that the RTS clarify whether inquiring with the client or conducting independent-source research is to be considered a ‘manual check’.
Potential typographical error: Article 17 (1) (b) refers to situations ‘when the obliged entity has any indications that the customer beneficial owner of the customer…’. We assume that there is a missing comma or ‘or’ intended between ‘customer’ and ‘beneficial owner of the customer’. We suggest amending this for clarity.
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
In general, we notice that some articles in Section 4 are stricter than the AMLR itself, i.e. for source of funds in low-risk situations (Article 23) and purpose and nature. The AMLR requires the establishment of source of funds where necessary, indicating where risk indicators are present (please also see our feedback on Article 15). We also would have expected that in low-risk situations the Purpose & Nature could be derived from the customer’s characteristics, as it is sometimes self-explanatory (e.g. it is quite logical that a bakery in a Member State wants to have a customer account at a bank in the same Member State, or that a savings account of a natural person is intended for savings).
Furthermore, regarding some minimum requirements for low-risk situations, how can these be seen in the context of proportionate risk-based measures? The bar for low-risk situations is set too high, and as a consequence it raises the bar for normal CDD and subsequently enhanced CDD, resulting in an approach that is not risk-based and is inefficient. In our view, the AMLR requirements should not be enhanced or expanded under the RTS, but should only be further interpreted or explained.
We also have comments that are specific to individual articles.
Article 18 – Minimum requirement for the customer identification in situations of lower risk
The requirements for identifying low-risk customers have been strengthened by the RTS:
˗ individuals: nationality, refugee or stateless status.
˗ legal entities: collection of NIF or LEI
As a consequence, the information to be collected about persons on whose behalf or for the benefit of whom a transaction or activity is being conducted is also increased.
We also had the following questions:
• Article 18.1.b: commercial name or all commercial names?
• Article 18.2: 'persons' or 'natural persons', as included in Article 22.1 AMLR. In case it is the latter, then only reference to Article 18.1.a?
We also provided detailed comments on requirements relating to names, place and date of birth, nationalities and statelessness, refugee or subsidiary protection status in our comments on Articles 1 to 4.
We do not consider it necessary to repeat them in full. We do however offer a brief summary of key points to recap the detailed explanation offered earlier in our response.
- Names
  - to be limited only to those names that appear on identity documents, passports, or equivalents
  - to take risk-based decisions on potential variations in transliteration of non-Western names
  - for legal entities, to rely on official public registries, or equivalents
- Place and full date of birth
  - place to be collected only where and as given on ID document
- Nationalities and statelessness, refugee or subsidiary protection status
  - ability to rely on declarations made by relevant individual
  - obliged entities not accountable for inability to discover nationalities or statuses where such are not disclosed by the individual.
Also as noted in our earlier comments, the definition of ‘person purporting to act’ should, in the case of customers that are legal entities, not include senior management officials or employees of the customer, and in general the definition should be restricted to those natural persons who effectively act, in a legally relevant manner, on behalf of the customer vis-à-vis the obliged entity.
We suggest amending Article 18 (b) draft RTS as follows:
for a legal entity and other organisations that have legal capacity under national law, the legal form and registered name of the legal entity including its commercial name and where available other alternate names, in case it differs these differ from its registered name; the address of the registered or official office and the registration number, the tax identification number or the legal entity identifier where applicable available.
Article 19 - Minimum requirements for the identification and verification of the beneficial owner or senior managing officials in low-risk situations
As a preliminary remark, we wonder why the term public register is not used (as in the AMLR).
The article provides: “In situations of lower risk, the obliged entity may consult one of the following sources for the purposes of verification of the beneficial owner or the senior managing officials:
a. the information registered in the central register or in the company register;
b. the statement or explanation provided by the customer, including their confirmation that the data is adequate, accurate and up-to-date, for the purpose of the verification of the identity of the beneficial owner or the senior managing officials;
c. any publicly available, reliable sources of information including internet research.”
To identify the beneficial owner and SMO of low-risk business relationships, it will be possible to consult the beneficial owner’s public register (without soliciting the customer?). However, this register will no longer be sufficient to verify identity, and additional measures will be required. Indeed, as drafted, obliged entities would be required to use a central register or company register to identify the beneficial owner or SMOs (a), and then a confirmatory statement from the customer (b) or publicly available reliable sources of information (c) to verify that information.
We do not consider that such a tiered process is appropriate. We consider instead that an obliged entity should have the choice of taking ‘appropriate measures’ to identify and verify the beneficial owner and SMOs in situations of lower risk, without a limitation to any of the methods mentioned under lit (a) to (c).
Obligations are more stringent than expected by certain national authorities, such as by the French authority of control (ACPR) (which allows the beneficial owner’s public register to be consulted to verify the identity information provided by the customer).
The limitation of methods as per (a) to (c) would limit obliged entities in particular where, for example, a suggested method is not available at all (e.g. there is no central register or company register). At the minimum, obliged entities should be able to use a combination of (a), (b) and (c), with the exact choice made according to the facts of the situation at hand. We request that the RTS permit such flexibility, the better to promote an efficient and risk-based approach.
Point c) is imprecise and should be clarified: as with the standard requirements, it is expected to use a reliable source of information, but perhaps with a less stringent reliability requirement (internet search). We also wonder why the verification via the company register is not possible.
Additionally, we suggest expanding the scope of Article 19 draft RTS to include persons on whose behalf or for the benefit of whom a transaction or activity is being conducted. To apply full identification and verification requirements on these persons does not appear appropriate in SDD cases. This would also go significantly beyond practice as currently conducted in many member states and would significantly weaken the EU’s competitiveness, without being justified by underlying money laundering or terrorist financing risks.
Furthermore, we would like to request confirmation that, in low-risk cases, this provision permits not collecting the identity document of the beneficial owner or senior manager, and instead allows reliance on a customer statement or information available on the beneficial ownership register or from open sources.
We therefore suggest amending the opening sub-paragraph of Article 19 draft RTS as follows:
In situations of lower risk, the obliged entity may consult one two or more of the following sources for the identification of, and use another sources from the same list under b. or c. for the purposes of verification of the beneficial owner or the senior managing officials:
Article 20 – Sectoral simplified measures: Pooled accounts
We welcome the possibility to apply SDD for pooled / escrow accounts, as set out in Article 20 draft RTS. However, the focus on customers who are obliged entities themselves limits this possibility unnecessarily. There are other types of pooled accounts or collective trust accounts (e.g. rent deposit accounts, collective trust accounts of debt collection agencies) which may also be subject to SDD from a risk perspective. We therefore request that the condition set out in Article 20 (a) draft RTS be deleted.
This article could cover the case of segregated accounts opened by other AML-TF entities not authorized to receive deposits themselves (payment institution, e-money institution).
This article does not constitute a real reduction, but on the contrary seems to extend to any relationship between a credit institution and a PSP the expectations formulated by the authorities concerning the KYCC for the supervision of correspondent banking operations.
As a result, it would be necessary to contract with the PSP to provide KYC elements on request concerning end-customers.
Inclusion of accounts held by non-obliged entities in low-risk cases: There are many cases where non-obliged entities hold (pooled) accounts for their clients which should also benefit from SDD. This applies, for example, to rental deposit accounts, accounts for school classes or (senior) home residents, insolvency administrators or collection agencies.
In all of these cases, only low ML/TF risks exist and in all of these cases, the full identification and verification of the persons on whose behalf or for the benefit of whom the account is set up is not feasible or not possible. Thus, we believe that the RTS should provide a general possibility to apply SDD measures in such cases. If this is not done, there will be severe damage, both in an economic sense, and for the financial inclusion of certain groups, without adding to the reduction of ML/TF risk.
Clarification on transactions for legal entities: Article 20 AMLR refers to transactions conducted on behalf of a natural person other than a customer but does not address transactions conducted on behalf of a legal entity different from the client. We suggest that the RTS clarify whether the article applies when the transaction is conducted on behalf of an underlying legal entity.
Potential extension of applicability / inclusion in general CDD section: The article is currently included in the simplified due diligence section and is not applicable to customers rated medium risk. It would be preferable to extend its applicability to customers that do not pose a high risk of ML/TF. This would include medium-risk customers, allowing for a more comprehensive application of due diligence measures. We suggest removing the article from the simplified due diligence section and including it in the general CDD section. This would ensure that the requirements are applicable to a broader range of customer risk profiles, not just those classified as low risk.
Request to define ‘third country with an AML/CFT requirements that are not less robust’: if the EBA declines to delete the criterion set out in Article 20 (a), as per our earlier request, we then request that it (or an appropriate authority) issue a list of third countries with AML/CFT requirements that are not less robust than those required by the AMLR. Such a judgment may be politicised or controversial, and as such, may be most appropriately taken by a public authority.
Request to define ‘effectively supervised’: In a similar manner, the decision as to whether a customer is ‘effectively supervised’ could be equally politicised or controversial, as it is possible to interpret the criterion as a requirement to form a judgment on the competence of the local competent authority. Again, given the potential political consequences of such a judgment, such a decision may be most appropriately taken by a public authority.
Clarification of ‘the credit institution is satisfied’: An obliged entity assesses the AML/CFT risk posed by its customer. It does not generally audit the internal workings of its customer. It is therefore unclear how an obliged entity may ‘satisfy’ itself that the customer ‘applies robust and risk-sensitive customer due diligence measures to its own clients and its clients’ beneficial owners’. We suggest that the RTS clarifies how such satisfaction is to be achieved – or that this condition be deleted.
We also had the following questions:
• Does Article 20 d) imply that audits should be performed on this?
• Does Article 20 imply that the customer’s customers (i.e. the owners of the funds held in the pooled account) are no longer considered UBOs (as currently stated in the EBA Risk Factor Guidelines)?
• More generally, will the EBA Risk Factor Guidelines remain in place, once the AMLR and its RTSs become applicable?
Article 21 – Sectoral simplified measures: Collective investment undertakings
This article could cover the case of a savings products/collective investment scheme in partnership with a financial institution that offers these products to their customers. We have here the same comment as above.
We think it is also useful to ask whether AMLA or the EC will provide a list of third countries with AML/CFT requirements not less robust than the AMLR.
Challenge of assessing business relationship risk as ‘low’: We consider the condition set out in Article 21 (c) draft RTS – that is, to judge that the risk associated with the business relationship is ‘low’ – to be problematic and to require a more nuanced definition. The business relationship with a collective investment undertaking is a mix of the relationship with the collective investment undertaking itself, and with the relevant investment manager. If one entity in this pair were rated other than ‘low’, then the overall relationship could be judged to be outside the scope of SDD – even if a more holistic assessment would deem the overall risk to be negligible.
We therefore suggest that the ‘business relationship’ be better defined, or that the condition in (c) be deleted. We also suggest removing the article from the simplified due diligence section and including it in the general CDD section. This would ensure that the requirements are applicable to a broader range of customer risk profiles, and not just those classified as low risk.
Wording clarification: The phrase ‘When a collective investment undertaking is acting in his own name’ is misleading. We suggest it be amended to read ‘…collective investment undertaking investor in a collective investment undertaking is acting in his its own name…’.
The treatment of collective investment undertakings varies hugely across Member States. In Denmark, for example, when these products are sold to retail customers, the vast majority are sold through the credit or financial institution of the customer, and since the products to a large degree resemble the characteristics of a security (stock), there is no business relationship between the undertaking and the investor (who is only to be seen as a customer of the bank).
Please also refer to our comments under Article 20.
Article 22 - Customer identification data updates in low-risk situations
Article 22 provides for a five-year grace period for updating customer data (“within five years after the application date of this Regulation”). This contradicts Article 32 (“but no later than 5 years after entry into force of this Regulation”), since both articles use different starting points for calculating the grace period. We urgently request clarification and correction as to which date is actually to be used.
It will not be possible to postpone updating for more than 5 years (see recital 16 of the RTS).
Paragraph 2) includes a transitional provision which allows for the possibility of postponing updating after the AMLR comes into force for low-risk customers. This transitional provision is unclear. We wonder if:
• we have until July 2032 to review customer files (regardless of the last update date before the AMLR comes into force, so the delay may exceed 5 years); or
• all files must be updated within 5 years since their last update (so for some with a deadline that will be earlier than July 2023)?
There is also ambiguity as to whether the frequency of customer identification updates can be reduced to less than every five years when applying SDD.
Article 33 (1) (b) AMLR and Article 22 (1) draft RTS allow a reduction in the frequency of customer identification updates specifically in cases of SDD, without setting a maximum period. However, the reduction of the frequency of customer identification updates beyond five years if applying SDD is not explicitly addressed.
Obliged entities will monitor the relevant circumstances, potential trigger events, and transactions and activities of the customer on an ongoing basis. If a change in circumstances, trigger event or transaction or activity were to occur, obliged entities would conduct a customer identification update. In the absence of such, and where a low-risk relationship continues in a stable manner, permitting obliged entities to reduce the frequency of customer identification updates for low-risk customers would permit more resources to be allocated to more significant sources of risk, in keeping with the risk-based approach.
In line with the overarching guiding principles to have a proportionate and risk-based approach, as well as the focus on effective, workable outcomes, we suggest that the RTS clarify whether such an approach is permissible.
We also think that what constitutes a relevant circumstance should be clarified.
‘Customer identification updates’ should also be specified. Does this refer to the whole customer file? Does this only refer to the data point of the customer as described in Article 22(1) of the AMLR? Specifying the information that needs to be updated for clients with different risk profiles (high, medium, and low risk), and the frequency of these updates is needed.
Definition of ‘at all times’: We request that the RTS clarify the concept of ‘at all times’ in the context of customer identification updates. This will ensure that firms understand the expectations for maintaining current and accurate customer information and can implement processes that align with regulatory requirements.
The sentence “Obliged entities shall take the measures necessary to ensure that they hold up-to-date customer identification data at all times” is an exaggeration in our view. Since Article 22 is part of the simplified due diligence measures, we think that this should be reflected upon.
Article 23 – Minimum information to identify the purpose and intended nature of the business relationship or occasional transaction in low-risk situations
RTS exceeds scope of / removes possibility present in AMLR: Article 33 (1) (c) AMLR allows obliged entities to reduce the amount of information collected to identify the purpose and intended nature of the business relationship or occasional transaction, or to infer it from the type of transactions or business relationship established. Article 23 draft RTS appears to remove this second possibility by setting out minimum requirements and seemingly requiring the collection of certain information to identify the purpose and intended nature of the business relationship – that is to say, to remove the possibility to infer otherwise granted by Article 33 (1) (c) AMLR.
It is possible that this is inadvertent, and removal is not intended. It is also possible however that supervisory authorities may read it as removing the possibility to infer. In this way, the RTS may remove a possibility the co-legislators chose to include. We therefore suggest amending the RTS to clarify that obliged entities may infer the purpose and intended nature of the business relationship or occasional transaction from the nature of the type of transactions or business relationship established.
Information on the origin of funds is currently not required - except in cases of higher risk or when funds come from a third party, or from abroad. The French authority of control, ACPR, has indicated that the sole information that funds come from an account opened in the customer's name is not sufficient in the case of high risk/high risk profile. Conversely, it should be sufficient in case of low risk.
Does this imply that 'source of funds' must be assessed in all circumstances (SDD, NDD and EDD)? This is in our opinion stricter than the AMLR (Articles 25 and 20.1.f).
We would have expected that in low-risk situations the Purpose & Nature could be derived from the customer’s characteristics, as it is sometimes self-explanatory (e.g. it is quite logical that a bakery in the Netherlands wants to have a customer account at a bank in the Netherlands or that a savings account of a natural person is intended for savings).
Clarity regarding ‘risk-sensitive measures’: Article 23 draft RTS requires obliged entities to ‘…take risk-sensitive measures…’. We request that the RTS provide examples of what would constitute such ‘risk-sensitive measures’ in order to ensure shared understanding between industry and supervisory authorities of how this requirement may be fulfilled.
Suggestion to replace ‘source’ with ‘origin’: The ‘risk-sensitive measures’ discussed above are to be applied inter alia to understand ‘…the source of the funds used in the business relationship or occasional transaction…’. We believe that it would be more appropriate to the majority of intended contexts (and in our reading, would come closer to what we understand the EBA is seeking to achieve) to apply such measures to the origin of the funds in question. We therefore suggest replacing ‘source’ by ‘origin’.
Inadequate simplification of measures: Article 23 draft RTS is part of Section 4 on Simplified Due Diligence. As such, it should permit the obliged entity to put in place substantially simplified measures for lower risk situations when compared with those required for standard CDD.
The measures set out in Article 23 draft RTS appear however to be substantively the same as those set out in earlier Articles for standard CDD. In Article 16 (a) draft RTS (standard CDD), obliged entities are required to obtain information on why the customer has chosen the obliged entities’ products and services (or two other largely equivalent options, which are presented as alternatives via the use of ‘or’). This is substantively repeated in Article 23 draft RTS (SDD).
In Article 16 (b) draft RTS (standard CDD), obliged entities are required to obtain information on the estimated amount of funds to be deposited, with some secondary additional details. In Article 23 draft RTS (SDD), obliged entities are also required to obtain information (‘where applicable’) on the estimated amounts which will flow through the account.
In Article 16 (c) draft RTS (standard CDD), obliged entities are required to obtain information on the activity that generated the funds and the means through which the customer’s funds were transferred. In Article 23 draft RTS (SDD), obliged entities are required to obtain information on the source of the funds.
In Article 15 (b) draft RTS (standard CDD), obliged entities are required to obtain information on how the customer plans to use the products or services provided. This requirement is repeated verbatim in Article 23 draft RTS (SDD).
Given the above, and noting that SDD allows greater resources to be dedicated to more significant sources of risk, in keeping with the risk-based approach, we request the alleviations set out in Article 23 to be strengthened to allow genuinely simplified due diligence.
Industry-specific wording: The phrase ‘estimated amounts flowing through the account’ is more appropriate for the banking industry. We suggest however that this wording be tailored to fit the context of the specific industry to which it applies.
Requirement to determine why the customer has chosen the obliged entities’ products and services: In many cases, there may be no specific reason for a customer to choose a certain service provider. When there is a reason, it may be known only to the customer, who may not (or may not wish to) provide it. For example, a customer may choose a bank because of branding, a particular advertisement, the available offers on the market, or simple physical convenience due to proximity to a branch of the institution. We understand the RTS to be in line with the risk-based approach set out in the AMLR and assume that further determination of why the customer has chosen the obliged entities' products or services is not required in such cases.
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.
SDD shall be in general possible for lower risk factors, i.e., with regard to customer risk factors such as government agencies, publicly listed entities and their majority owned subsidiaries, or domestic organisations funded by governments, as indicated in Annex II (1) AMLR.
Simplified due diligence should apply to the exclusive provision of payment services not involving the execution of a payment transaction or the management of an account (initiation), and to insurance activities for moderate amounts.
Would this provide the opportunity to classify customers as low risk solely based on the sector in which they perform business activities?
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 24 - Additional information on the customer and the beneficial owners
Exceeding level 1 requirements – need for a proportionate, risk-based approach: Article 24 draft RTS should be read in conjunction with Article 34 (4) AMLR, which states that ‘in cases of higher risk … obliged entities shall apply enhanced due diligence measures, proportionate to the higher risks identified, which may include the following measures…’. Appropriate measures which obliged entities may take are then set out in points (a) to (g) of that paragraph. It is clear that the co-legislators intended obliged entities to follow a proportionate, risk-based approach, tailored to the specific circumstances of each situation. It is also clear that the list of measures is illustrative, and it was not intended that all the measures set out be undertaken in every case.
The approach set out in the draft RTS is however very different. The use of ‘shall’ and ‘at least’ in Article 24 is very prescriptive and is not in keeping with the approach chosen by the co-legislators. We therefore suggest amending the text to make clear that obliged entities may tailor the measures they adopt, in accordance with the risk-based approach, and do not have to take the measures set out in Article 24 in circumstances where careful analysis leads them to conclude that such measures are not necessary.
In paragraph a), the term ‘authenticity’ implies - although this is not expressly stated - that information obtained from customers must always be corroborated by documentary evidence. It is not within the power of obliged entities to verify such information to the level of certainty that the text of the draft RTS suggests. We suggest redrafting the provision so that, ‘where necessary’, obliged entities ‘take reasonable steps to verify, validate via independent and reliable sources’ or ‘check the plausibility’ of the relevant information, rather than requiring verification in the sense of Articles 22 (6) and (7) AMLR.
Scope of investigations and information collection: The requirement in Article 24 (b) draft RTS to obtain information to enable the obliged entity to assess the reputation of the customer and the beneficial owner is unclear. In general, reputational risk is a separate risk category that sits outside of AML obligations. We therefore request that it be removed from the RTS, or at least, be the subject of an adverse media / information search and not a full reputational risk assessment.
Request for removal / clarification of ‘past’ business activities: The term ‘past’ business activities in Article 24 (c) draft RTS is vague. It is unclear how far into the past obliged entities would have to perform such an assessment, or the limits of what would and would not be deemed relevant. We therefore recommend that it be deleted from the Article. If this is not accepted, we request that the RTS at least clarify the scope and relevance of ‘past’ activities, as well as whether it is intended to relate to adverse news screening (in which case, guidance would be required to assist with risk rating of the age and seriousness of the negative news).
As part of the enhanced due diligence requirements, the RTS standardizes additional information to be obtained about the business partner and the beneficial owner. This additional information should, among other things, enable the obliged entity to assess the ML/TF risk that results not only from current business activities but also from past business activities (Article 24 c). This wording is very broad and not very specific. It remains unclear, for example, whether this only includes past business activities in the context of the business relationship with the obliged entity or also all business activities of the business partner during its entire existence (e.g. also previous corporate objects or business lines that were then not pursued further or were discontinued).
Revision of Paragraph d): This paragraph should be revised. It seems odd to ask for additional information to understand a customer's environment and to justify transactions if the bank has already confirmed a suspicion of ML-TF (and has therefore in principle already sent a SAR). This information is normally collected at a less advanced stage, before a suspicion has been confirmed: as part of an enhanced examination or analysis of atypical transactions. If this paragraph is intended to cover the situation where a first SAR has already been transmitted, but the business relationship has not been severed, and the information on close relations is to be used to reconstruct ML-TF network schemes, the article should specify this.
Additionally, the requirement in Article 24 (d) draft RTS to obtain additional information on relatives and close associates when criminal activity is suspected could clash with the prohibition against tipping off. While it may be appropriate (and expected) for a PEP, it would be highly unusual – and likely serve as a warning – in other circumstances. As with other aspects of the draft, it also appears to have been written with retail banking in mind, and is less appropriate for wholesale contexts. If this requirement is taken forward, we request that the RTS clarify how obliged entities may apply this requirement in the wholesale context, and how they may comply with the provision without breaking the tipping off prohibition.
Furthermore, Article 24 d) contains the obligation to obtain additional information in the event of suspected criminal activity in order to obtain as complete a picture as possible of the ML/TF risk. Who exactly falls under this group of people remains unclear. Is it possible to fall back on the corresponding regulations for politically exposed persons here? The RTS lacks further details that would enable a more precise definition or demarcation. Another problem in this context could be that, depending on the interpretation, there is no legal basis for obtaining such information on “associated” persons.
Definition of terms: The definition and scope of 'family members', 'close associates', 'close business partners' or 'associates of the customer or UBO' should also be clarified in the frame of the article.
It also remains unclear how this additional information can or should be reliably obtained and which sources are permissible and sufficiently reliable in this regard.
Potential focus on retail business: The requirement in Article 24 (d) draft RTS appears to have been drafted with retail business in mind. It may not however be practical for wholesale contexts, where obtaining information on a beneficial owner's family members could involve multiple layers below the client entity in the ownership chain.
We therefore would like to request that the RTS clarifies how the requirement should be interpreted for entities in the wholesale sector.
Request clarification that Article 24 is only applicable to high-risk situations: point b) requests the obliged entity to assess the reputation of the customer and the beneficial owner. It should be made clear that this adverse media research is only necessary in high-risk situations, as Article 24 is part of the enhanced due diligence measures. We would like to have the express clarification that no adverse media research is necessary for the other risk categories.
Article 25 – Additional information on the intended nature of the business relationship
Exceeding level 1 requirements – need for a proportionate, risk-based approach: Article 25 draft RTS should be read in conjunction with Article 34 (4) AMLR, which states that ‘in cases of higher risk … obliged entities shall apply enhanced due diligence measures, proportionate to the higher risks identified, which may include the following measures…’. Appropriate measures which obliged entities may take are then set out in points (a) to (g) of that paragraph. From this, it is clear that the co-legislators intended obliged entities to follow a proportionate, risk-based approach, tailored to the specific circumstances of each situation. It is also clear that the list of measures is illustrative, and it was not intended that all the measures set out be undertaken in every case. The approach set out in the draft RTS is however very different. The use of ‘shall’ and ‘at least’ in Article 25 is very prescriptive and is not in keeping with the approach chosen by the co-legislators. We therefore request that the text be amended to make clear that obliged entities may tailor the measures they take, in accordance with the risk-based approach, and do not have to take the measures set out in Article 25 in circumstances where careful analysis leads them to conclude that such measures are not necessary.
We would suggest clarifying point a). At the KYC stage (excluding transaction monitoring and enhanced verification), what are the circumstances in which a public authority or other regulated party may provide information on the lawfulness of a transaction?
Requirement to verify legitimacy of the destination of funds and expected number (etc.) of transactions: Article 25 (1) (a) and (b) draft RTS state that the additional information obliged entities obtain on the intended nature of the business relationship shall enable them to ‘verify the legitimacy of the destination of funds’ and ‘verify the legitimacy of the expected number, size, volume and frequency of transactions that are likely to pass through the account, as well as their recipient’. It is not within the power of obliged entities to verify such information to the level of certainty that the text of the draft RTS suggests. This requirement would be better set out with language requiring that ‘where necessary’, obliged entities ‘take reasonable steps to verify, validate via independent and reliable sources or check the plausibility’ of the relevant information, rather than verification in the sense of Articles 22 (6) and (7) AMLR.
Clarification on information sources: The suggestion in Article 25 (1) (a) that the information obliged entities are to obtain ‘may include information from authorities and other obliged entities’ raises questions as to whether this language allows or expects firms to approach former or other banks of the client to enquire about customer behaviour and products. We believe that the RTS should clarify whether this language is intended to create an expectation that obliged entities reach out to other entities for EDD – and whether there is an obligation for obliged entities to respond to such requests.
On point b), we wonder how an obliged entity can verify the destination of funds with independent and reliable sources.
Point c) seems excessive if banks are expected to collect this information as soon as they enter into a relationship (this could create a major irritant): some of this information is collected - mainly on a declarative basis and in support of financial documents - and contracts may be requested as part of transaction monitoring, to carry out a sanction filter. For business partners or associates of the customer, we wish to question how these can be assessed and what the risk relevance is. Must the business partners or associates of UBOs also be assessed?
Risk-based approach for SMOs identified as beneficial owners: Additionally, we kindly request that the RTS clarifies that where SMOs are identified as beneficial owners, gathering detailed information on such individuals should be conducted in accordance with the risk-based approach. This will ensure that due diligence efforts are proportionate to the actual risk posed.
Impact on transaction processing: We note that conducting due diligence on a transaction-by-transaction basis is likely to lead to delays in fast payments, increased costs, and a reduction in operational efficiency. Noting that EU authorities are working to increase the speed of payments – and are setting requirements for banks and other payment service providers to this end – the RTS should consider the consistency of requirements set by the official sector and take account of other policy ambitions which seek to benefit the EU economy.
Article 26 – Additional information on the source of funds, and source of wealth of the customer and of the beneficial owners
Exceeding level 1 requirements – need for a proportionate, risk-based approach: Article 26 draft RTS should be read in conjunction with Article 34 (4) AMLR, which states that ‘in cases of higher risk … obliged entities shall apply enhanced due diligence measures, proportionate to the higher risks identified, which may include the following measures…’. Appropriate measures which obliged entities may take are then set out in points (a) to (g) of that paragraph. From this, it is clear that the co-legislators intended obliged entities to follow a proportionate, risk-based approach, tailored to the specific circumstances of each situation. It is also clear that the list of measures is illustrative, and it was not intended that all the measures set out be undertaken in every case. The approach set out in the draft RTS is however very different. The use of ‘shall’ in Article 26 is very prescriptive and is not in keeping with the approach chosen by the co-legislators. We therefore suggest amending the text to make clear that obliged entities may tailor the measures they take, in accordance with the risk-based approach, and do not have to take the measures set out in Article 26 in circumstances where careful analysis leads them to conclude that such measures are not necessary.
It seems that supporting documents can already be collected in cases of high risk (with the exception of the payslip signed by the employer - this type of practice is not widespread in France).
Requirement to verify that the source of funds or source of wealth is derived from lawful activities: Article 26 draft RTS states that the additional information obliged entities obtain on the source of funds, and source of wealth of the customer and of the beneficial owners, shall enable them ‘to verify that the source of funds or source of wealth is derived from lawful activities’.
It is not within the power of obliged entities to verify such information to the level of certainty that the text of the draft RTS suggests. We therefore suggest that this requirement would be better set out with language requiring that where necessary, obliged entities take reasonable steps to verify, validate via independent and reliable sources or check the plausibility of the relevant information, rather than verification in the sense of Articles 22 (6) and (7) AMLR.
Focus on retail business: The possibilities set out in Article 26 (1) (a) to (g) appear largely to be focused on retail banking. Most of the documentation listed is unlikely to be appropriate for the wholesale context. We note the potentially broad scope of the term ‘any other authenticatable documentation’ in (g). In a wholesale banking context, however, a credible and comprehensive source of wealth narrative may often be corroborated through publicly available information, such as reputable media publications. Additionally, where a client has a long-standing relationship with the obliged entity – typically exceeding ten years – detailed notes from the Accountable Client Owner (ACO), or their delegate, may serve as sufficient evidence, provided they include appropriate narrative, rationale, and context demonstrating the ACO’s knowledge of the client.
We therefore recommend that the RTS be amended to clarify this or, alternatively, that the list be removed and replaced with the substance of (g).
Paper-based requirements vs. digitalisation: The draft requirements appear to emphasise paper-based processes, with reference to ‘certified copies’ or documents ‘signed by the employer’. This appears to be at odds with the EU’s efforts to reduce bureaucracy and promote digitalisation through various omnibus laws. Wholesale banks support these efforts, and note the positive impact on the environment and improved security the shift to digital documentation will offer. With this in mind, the RTS should consider other EU policy ambitions, including expected omnibus legislation seeking to promote digitalisation.
Applicability to SMOs as beneficial owners: We believe that source of wealth checks for SMOs where these are treated as quasi (fictitious) beneficial owners would not be appropriate in this context, would infringe on the privacy of the individuals in question, and would not advance the fight against financial crime. We therefore suggest that the RTS clarifies that source of wealth checks are not required for SMOs.
Concerning Article 26, we also had the following questions concerning proportionality:
- Point a): Is it truly proportionate to ask UBOs for tax returns or pay slips / employment documents signed by the employer?
- Point b): Is it truly proportionate to ask for certified copies?
- Point d): Is this always available? Is it proportionate to ask customers and UBOs to incur these costs?
- Point e): Is it truly proportionate to ask for the original or certified copy?
Article 27 – Additional information on the reasons for the intended or performed transactions and their consistency with the business relationship
Exceeding level 1 requirements – need for a proportionate, risk-based approach: Article 27 draft RTS should be read in conjunction with Article 34 (4) AMLR, which states that ‘in cases of higher risk … obliged entities shall apply enhanced due diligence measures, proportionate to the higher risks identified, which may include the following measures…’. Appropriate measures which obliged entities may take are then set out in points (a) to (g) of that paragraph. From this, it is clear that the co-legislators intended obliged entities to follow a proportionate, risk-based approach, tailored to the specific circumstances of each situation. It is also clear that the list of measures is illustrative, and it was not intended that all the measures set out be undertaken in every case. The approach set out in the draft RTS is however different. The use of ‘shall’ and ‘at least’ in Article 27 is very prescriptive and is not in keeping with the approach chosen by the co-legislators. We therefore suggest amending the text to make clear that obliged entities may tailor the measures they take, in accordance with the risk-based approach, and do not have to take the measures set out in Article 27 in circumstances where careful analysis leads them to conclude that such measures are not necessary.
Requirement to verify the accuracy of the information for why the transaction was intended or conducted: Article 27 (a) draft RTS states that the additional information obliged entities obtain on the reasons for the intended or performed transactions and their consistency with the business relationship shall enable them to ‘verify the accuracy of the information for why the transaction was intended or conducted including the legitimacy of its intended outcome’.
It is not within the power of obliged entities to verify such information to the level of certainty that the text of the draft RTS suggests. We therefore suggest that this requirement would be better set out with language requiring that where necessary, obliged entities take reasonable steps to verify, validate via independent and reliable sources or check the plausibility of the relevant information, rather than verification in the sense of Articles 22 (6) and (7) AMLR.
Clarity of expectations and terms: It is unclear how obliged entities should validate the ‘customer’s turnover’, or whether ‘assets representing higher risks’ (both in Article 27 (b) draft RTS) is intended to mean assets domiciled in or coming from high risk third countries. The RTS should clarify the intended meaning and expectations related to and arising from these terms.
With regard to point c), the expectations placed on banks should be realistic, particularly in the case of transactions involving multiple parties. We also note the use of the term ‘intermediaries’ in Article 27 (c) draft RTS. The EBA should clarify whether this term is intended to refer to transaction execution, and thus to payment service providers (which are not always known and not relevant for ML/TF), or to intermediaries in the broader economic sense.
Requirement to assess ‘legitimacy’: Article 27 (a) draft RTS suggests that obliged entities should verify the ‘legitimacy of [a transaction’s] intended outcome’. Article 27 (c) draft RTS suggests that obliged entities should verify ‘the legitimacy of the parties involved’.
An activity may be lawful or unlawful, and obliged entities rightfully look for evidence of any activity that may be unlawful. It is not however for obliged entities to take a view on whether a transaction is ‘legitimate’. We therefore believe that the word should be removed, or amended (perhaps to ‘legality’ or ‘lawfulness’), to clarify the EBA’s intentions.
Requirement to obtain a deeper understanding – potential clash with tipping off prohibition: The requirement in Article 27 (d) draft RTS to obtain a deeper understanding of the customer or the beneficial owner, including of relatives or close associates, is unlikely to be relevant in the wholesale context. Any outreach to this end could also serve as a warning – and thus risk breaching the tipping off prohibition. We wonder how an obliged entity can strike a balance between gaining a deeper understanding of the customers’ family members, associates and business partners and adhering to privacy laws and regulations.
If this requirement is taken forward, we suggest that the RTS clarify that wholesale entities should proceed according to the risk-based approach, and explain how obliged entities may comply with the provision without breaking the tipping off prohibition.
We propose two alternatives for Article 27. The first proposal sets out requirements more in keeping with the risk-based approach which take into account that what is complex or unusual depends on the particular circumstances of the obliged entity, the customer, and the situation at hand:
Article 27 – Additional information or assessment on the reasons for the intended or performed transactions and their consistency with the business relationship.
The additional information obliged entities obtain on the reasons for the intended or performed transactions and their consistency with the business relationship, in accordance with Article 34(4) point (d) of Regulation (EU) 2024/1624 shall enable the obliged entity to:
- determine the transaction activity and whether this activity is consistent with the expected behaviour for this customer or category of customers
- determine whether transactions that are assessed by the obliged entity to be complex or unusually large follow a suspicious pattern without any apparent economic or lawful purpose.
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 28 – Screening of customers
We recommend that the points that the EBA covers in Articles 28 and 29 draft RTS be aligned with existing EBA Guidelines on internal policies, procedures, and controls to ensure the implementation of Union and national restrictive measures under Regulation (EU) 2023/1113 (EBA/GL/2024/15).
Please clarify what should be understood under ‘all entities or persons which own or control such customers’. This could suggest screening all intermediary layers between the UBO and the customer. This would not lead to effective use of scarce resources. Should this be understood to be the beneficial owners? We suggest limiting it to relevant layers, such as the direct shareholder and the ultimate parent entity, or based on a percentage of ownership. This approach would focus efforts on meaningful control and ownership and would be in keeping with the risk-based approach evident in the level 1 text.
Article 29 – Screening requirements
Consistency of terms: We note that Recital 3 draft RTS refers to the ‘transcription’ of names, which we interpret to be broad in scope, and that Article 29 (a) draft RTS refers to the ‘transliteration’ of names, which we interpret to refer to the conversion of text from one script to another. Similarly, Article 29 (a) draft RTS refers to ‘trade names’, whereas Articles 1 and 18 refer to ‘commercial name’ and ‘registered name’. If particular nuances are intended in this Article, we kindly request that the RTS clarify these.
Clarity on screening requirements: What specifically falls under customer information? All information in the customer file? Article 29 (a) draft RTS requires screening of first names, surnames, and date of birth for natural persons. Noting that date of birth is not always included in listings of sanctioned persons, we suggest that the RTS clarify whether the date of birth should be used in the screening match process, or only in alert management to confirm true hits. We suggest that it may be preferable to remove date of birth from initial screening requirements.
On point a): we wonder whether this means that the persons purporting to act on behalf of the customer, the natural persons on whose behalf […], the legal representatives are not required to be screened.
Importance of maintaining acceptability of transliteration: We note that Article 29 (1) (a) and (b) require names to be screened ‘…in the original and/or transliteration of such data…’. We interpret the use of ‘and/or transliteration’ to mean that transliterated forms can be used for screening and the use of original forms (in non-western scripts) is not required to comply with this Article.
For banks with international clients, the names of customers are frequently not in Latin script in the native language. In such cases, the banks’ systems record only the Latin transliteration. Different transliteration variants (e.g. Aleksey or Aleksej for the Russian name Алексей) are covered by fuzzy logic in the screening process. Furthermore, external list providers such as Worldcheck or Bloomberg usually provide several transliteration variants to be screened against. If one were to require the screening of customer names in their original script, an extensive and costly adaptation of the core banking system and an extension of the screening software would be necessary. Screening customer names in their original script is therefore neither required nor (given the significant additional efforts and costs) proportionate. As stated above, capturing the customer's name in its transliteration is sufficient to ensure the detection of a sanctioned customer. The capture of different transliteration variants is ensured through fuzzy logic and extended sanctions lists delivered by external providers. In reviewing this Article, we kindly ask that the EBA maintain the ability to fulfil the requirement through screening transliterated names and not amend it to require screening solely in the original script.
Compatibility with Single Euro Payments Area instant screening: Article 29 (c) draft RTS sets a minimum standard that may not be compatible with the SEPA Instant Payments Regulation, which requires immediate and frequent screening (at least once a day). We therefore would request that the reference to ‘undue delay’ in Article 29 (d) draft RTS be further defined to align with SEPA Instant Payments Regulation requirements. On a broader note, and although beyond the scope of this consultation, we believe that the Commission should work towards aligning the Instant Payments Regulation and sanctions requirements as stipulated in other legal sources. This alignment would ensure consistency and efficiency in compliance processes across different regulatory frameworks.
No obligation for UBOs to inform of change of residency / nationality: Article 29 (c) (iii) draft RTS requires that obliged entities screen their customers and beneficial owners regularly, at least in the following situations:
iii. if significant changes occur in the customer due diligence data of an existing customer, or beneficial owner, such as but not limited to change of name, residence, or nationality or change of business operations.
UBOs (and SMOs by extension) are under no obligation to inform banks of a change of residency or nationality. This requirement introduces a complexity that is unhelpful. We therefore suggest removing the specific examples.
Definition of beneficial ownership: A literal reading of Article 29 (a) (iv) draft RTS may exclude screening of related parties (e.g., directors) other than beneficial owners. We suggest that the RTS provide a clear definition of ‘beneficial ownership’ in this context to ensure comprehensive screening.
Re-drafting suggestions: Given the points above, we propose that the text be amended as follows:
Article 29 draft RTS (selected)
‘(a)(i). in the case of a natural person: all the first names and surnames, in the original and/or transliteration of such data; and date of birth;
(a)(iv). in the case of a legal person: beneficial ownership information, in accordance with Article 51 Regulation (EU) 2024/1624.
…
(c) (iii) if significant changes occur in the customer due diligence data of an existing customer, or beneficial owner, such as but not limited to change of name, residence, or nationality or change of business operations.
(d). ensure the screening as well as the verification is performed using updated targeted financial sanctions lists without undue delay in accordance with Regulation (EU) 2024/886.’
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 30 – Risk reducing factors
The impact is difficult to measure for obliged entities at this stage given that conditions for benefiting from the exemption for anonymous electronic money are left to be determined by national supervisors. There is a risk that there will continue to be disparities between Member States.
We also had the following questions:
- Related to Article 30(a): Article 19.7.a AMLR already contains a threshold. What is the added value of this requirement?
- The requirement in Article 30 (e) makes it impossible to issue these products to commercial parties. Is that truly the intention?
- What is the impact of the requirement in Article 30 (f)?
- What is deemed a 'specific and limited duration' in Article 30 (g)? As the product may not be reloadable, does this mean that a new one needs to be issued after every 'duration'?
- Is it possible to perform the requirement in Article 30 (h)?
- The requirement in Article 30 (i) makes it impossible to issue these products to commercial parties. Is that truly the intention?
We would like the EBA to provide clarification as to which of the listed factors can be considered sufficiently consequential when present alone, and which should be combined with others.
For the factors listed, we make the following comments:
- we suggest either that this should be considered in combination with a rule guaranteeing the non-accumulation of transactions, or at least, that this should not be considered as sufficient when present as a single factor
- [no comment]
- it is unclear how the absence of charge is thought to lower the risk.
- this should not be considered as sufficient when present as a single factor
- this should not be considered as sufficient when present as a single factor
- there is no incentive to have an exemption after the KYC has already been completed
- this should not be considered as sufficient when present as a single factor (consider for example the risk posed by an instrument with a coupon with a very high value and a time limit)
- this should not be considered as sufficient when present as a single factor
- there is no incentive to have an exemption after the KYC has already been completed
- if electronic money is created, it will only be valid at EU level. Inconsistent under the exemption
- this should not be considered as sufficient when present as a single factor.
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 31 – Electronic identification means and relevant qualified trust services
In paragraph 3) the reference to Article 22(6) AMLR creates a circular reasoning because this article requires the use of an electronic identification means for non-face-to-face onboarding, without specifying what “other means” for verifying the identity might be in this context. The reference to Article 22(6) AMLR should therefore be replaced by a reference to Article 6, which addresses those alternative measures.
Electronic identification means can also be used for the verification of the customer in a face-to-face context. We would want this to be made explicit in this article.
Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.
As a general comment on this draft RTS, we wish to highlight the risk of unpredictability and lack of convergence it presents.
While this RTS provides rules on both the classification of breaches and the determination of sanctions and administrative measures depending on their level of severity, we believe that many indicators and provisions still need clarification in order to ensure sufficient predictability and harmonization across Member States. In its current drafting, this RTS appears to grant a significant level of discretion to supervisors, which may hinder both the objective of convergence and a consistent approach sought by this RTS (see recital (2)) and the legal predictability for obliged entities.
In this regard, we note that:
- Article 3 of this RTS states that breaches with a gravity classified in category 3 or 4 shall constitute a “serious, repeated or systematic” breach within the meaning of Article 55(1) AMLD, meaning that they shall give rise to a pecuniary sanction (conversely, Article 55(1) provides that pecuniary sanctions can be imposed for less serious breaches); and
- Article 5 of this RTS provides that supervisors shall take into account the gravity of a breach classified in category 3 or 4 in their decisions to impose certain severe administrative measures (i.e. limitation in the business, operations or network of institutions comprising the obliged entity, the divestment of activities, withdrawal or suspension of an authorization).
Given the potential material effect of the ratings 3 or 4 on obliged entities, the RTS should set clear and restrictive indicators for assigning such rating to breaches. Some provisions are problematic in this respect. For instance, according to Article 1 (indent (l)), for assessing the gravity of a breach, supervisors may consider “any other indicator” than those listed in said Article 1. In addition, Article 4 paragraphs (2) and (3) also enable supervisors to take into account “any other criteria” which they identify as relevant for reducing or increasing the level of pecuniary sanctions imposed on obliged entities. These provisions carry the risk that supervisors across different Member States may arrive at significantly divergent decisions for similar breaches.
This may lead to an unintended unpredictability that would not be in line with the principle of legal certainty and the protection of legitimate expectations. Therefore, references to “other criteria” or “other indicators” throughout the RTS that would not clarify what these other indicators/criteria are should be deleted from this draft.
A similar concern would exist in relation to Article 2 (7) which provides that breaches not rated 3 or 4 when assessed on an individual basis would amount to such grade when considered together, without providing further guidance on how supervisors should conduct such overall assessment (for instance, conditions under which multiple breaches may be treated as a single breach for the purpose of this assessment).
It follows that conditions for scoring the level of gravity of breaches as 3 or 4 should be more restrictive.
Harmonization is hindered by the different ways of criminal and administrative enforcement in Member States. In certain Member States, AML/TF breaches directly constitute an economic crime, while in others, such a provision does not exist. In some Member States, criminal prosecution may arise if the breach of AML/TF is done non-intentionally ("colourless intent"). This is the case in the Netherlands.
This means that in the Netherlands, entities may be directly prosecuted for non-intentional breaches of AML legislation, whereas, according to the RTS, entities in other member states may face administrative settlements for even intentional breaches. This inequality in settlements, based on varying criminal provisions between member states, must first be addressed to achieve the intended harmonization between member states and to achieve a level playing field for obliged entities.
In addition, related to the five guiding principles for the CfA and the intention to minimise divergence across sectors and Member States (p. 5) respectively:
• A real risk-based approach can, in our opinion, only be achieved as long as a (non-intentional) breach doesn't directly constitute a criminal offense.
• In order to minimise divergence across Member States, a uniform approach in criminal law for AML/TF breaches is also needed.
Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.
It is difficult to identify specific legal effects associated with each category of breach (1 to 4) under this draft RTS. For instance, we note that similar legal effects seem to be attached to grades 3 and 4, which is not consistent since breaches rated 4 should be regarded as more serious than breaches rated 3.
In this regard, it does not seem justified that, under Article 5, both grades attributed to breaches may lead to the implementation of the most severe administrative measures (i.e. restriction of operation, withdrawal of an authorization or a change in the governance structure). Indeed, such measures would be proportionate only for infringements and continuous misconduct that would raise a significant risk for the financial system, and the decision to enforce such measures generally constitutes a final recourse. Since the gravity of a breach with systemic implications would be classified in category 4 (and not 3) in accordance with the classification methodology set out under Article 2, administrative measures referred to in Article 5 (or at least the most severe) should therefore be considered only in relation to breaches with a gravity classified in category 4.
Lastly, no specific positive consequence can be associated with categories 1 and 2.
Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.
In some Member States (e.g.: the Netherlands) a breach of AML/TF is in many cases directly considered an economic crime. Therefore most breaches of AML/TF immediately trigger the "nemo tenetur" principle. This conflicts with the provisions regarding voluntary cooperation in an administrative settlement. The choice, due to “nemo tenetur”, not to disclose information to the supervisor may serve a legitimate interest, but can result in a higher fine for the entity. Obliged entities in these member states, that are confronted with this concurrence between administrative law and criminal law, end up in a difficult position, where conflicting roles are requested of the entity. It is proposed that this distinction between Member States is addressed first, so that the intended goal of harmonizing AML violations can be achieved.
Additionally, we believe that it should be clarified that general mitigating factors as stipulated in criminal law are applicable in addition to those factors listed in Article 3.
It should also be explicitly listed as a mitigating factor that should lead to a decrease of the level of pecuniary sanctions if the natural or legal person held responsible proactively engages in financial crime-related PPP models and other initiatives to improve the effectiveness and efficiency of AML/CFT on national or supranational level, e.g. cooperation with the supervisor and/or the FIU to clarify regulatory requirements, to improve processes and standards or the AML/CFT-related cooperation between public and private sector.
Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.
Proportionality should prevail over the turnover of the obliged entity when setting the fine.
5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?
The international consequences for the business should also be taken into account, as this might otherwise lead to a disproportionate measure.
Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.
The issues mentioned under questions 1 and 3 form a problem for all obliged entities in this Member State and are fundamental conditions that must first be addressed before the goals of harmonization and a level playing field can be achieved. Otherwise, there will be no consistent and comparable outcomes between supervisors, as described in recital (2) on p. 54.
Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the naturals persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.
Article (4) paragraph (4) states that “(…) when setting the level of pecuniary sanctions for natural persons which are not themselves obliged entities, supervisors shall take into account where applicable, (i) their role in the obliged entity and the scope of their functions ” in addition to (ii) indicators considered as part of the level of gravity of the breach as set out in Articles 1 and 2 and (iii) circumstances laid out in article 4 paragraphs (1) and (2) to mitigate or increase the amount of pecuniary sanctions.
First, the concept of “natural persons which are not themselves obliged entities” would deserve clarifications and be limited to natural persons who are in in capacity of taking decisions affecting the actual ML-FT risk of obliged entities. We therefore suggest limiting its scope to individuals that are members of the management body, senior management compliance manager and compliance officer, as those terms are defined respectively by the Single Rulebook (see Article 2 (1)(37), Article 2(1)(40), Article 11 (1) and Article 11 (2)).
In addition, the RTS should clarify the legal conditions for imposing pecuniary sanctions on such individuals in order to better serve the principle of legality and ensure convergence in supervisory practices. Article 53 (4) AMLD refers to “the senior management and to other natural persons who under national law are responsible for the breach”. We would like to draw EBA’s attention to the fact that several legislative frameworks make the imposition of administrative sanctions on directors and senior managers conditional on their direct and personal involvement in breaches committed by their obliged entities.
Regarding the assessment of pecuniary sanctions to be applied to said individuals, since indicators considered as part of the level of gravity of the breach set out in Articles 1 and 2 shall be taken into consideration, our comments above regarding the lack of clarity of said indicators and levels of gravity would also apply to this section. Further specifications would also be necessary on the relevant criteria and circumstances set out in Articles 1, 2 and 4 that should be considered in relation to natural persons not being obliged entities and on the assessment of these criteria. For instance, it would be justified that indicators relating to conduct and behaviour have a more significant weighting than other indicators/circumstances relating to the breach itself.
Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?
We also wish to make the following comments, not directly linked to the Consultation Questions:
- This RTS aims to ensure that all Member States handle anti-money laundering (AML) violations consistently, which is crucial for effective enforcement and harmonization across the Member States.
- “a common understanding of the gravity of breaches to ensure harmonisation across Member States”. (p 54, under 1)
- “Supervisors should ensure that their supervisory judgment is coherent and consistent, with comparable outcomes” (p 54, under 2)
- Apparently, administrative measures can be taken in case of both a negligent breach and an intentional breach.
- “An important indicator to assess the level of gravity of breaches is the conduct of the natural or legal person, including its senior management and management body in its supervisory function. Supervisors should consider whether a breach was committed intentionally or negligently. Supervisors should pay particular attention to those situations where the natural or legal person appears to have had knowledge of the breach and took no action, or whether they have taken a course of actions directed at generating the breach.” (p 55, under 4)
- However: in some Member States, AML breaches are directly considered an economic crime, even if the breaches were non-intentional or negligent.
- This difference between Member States in the approach to breaches might hinder an objective, uniform treatment of obliged entities across Member States and might create challenges in achieving a harmonized approach.
- Therefore the EBCCON proposes that this distinction between Member States is addressed first, so that the intended goal of harmonizing AML violations can be achieved.
Furthermore, the above can also have undesirable consequences for the fine, as it can influence the cooperation of the obliged entity, beyond its control. Because a single violation of AML legislation is in some countries directly brought within the scope of criminal law, the obliged entity faces a conflict of interest between being transparent (resulting in a lower fine, Article 4, paragraph 2) and remaining silent (nemo tenetur, due to the risk of criminal prosecution). Remaining silent might even lead to an increase of the fine, according to Article 4, paragraph 3.