Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Introduction
UK Finance is the collective voice for the banking and finance industry. Representing 300 firms, we’re a centre of trust, expertise and collaboration at the heart of financial services, championing a thriving sector and building a better society.
We welcome the opportunity to respond to the EBA’s Public Consultation on the ‘Proposed Regulatory Technical Standards in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates’. Our response is focused on the priority areas identified by our members on the new AMLA mandates.
UK Finance and our members strongly support the intention of the EBA’s Regulatory Technical Standards (RTS) to provide additional clarity and alignment with the AMLR. We are aware of the differing standards across jurisdictions implementing the RTS’, and welcome clarity, wherever possible, to help promote harmonisation in interpretation and application.
Whilst we support the harmonisation of Anti-Money Laundering requirements across EU member states, these requirements must be proportionate and risk-based, in line with the principles we see driving international AML best practice including from the Financial Action Task Force.
We fear there are instances where the RTS proposals deviate from this concept by going above and beyond the specifications of the AMLR. The additional requirements increase regulatory burden and will act as a barrier to legitimate business. To support the delivery of the EU’s Competitiveness Compass, we strongly recommend a review to align more closely with the AMLR whilst ensuring that obligations can be proportionate to the risks being posed.
It is crucial that the RTS both promotes and underpins the risk-based approach, providing the ability for firms to flex their processes and controls as deemed appropriate, in line with the assessed risk. This will in turn help to support legitimate business and financial inclusion.
We welcome the EBA’s clarification of a grace period of 1 year for high-risk customers and 5 years for all other customers. We would encourage the EBA to undertake a feasibility analysis and impact assessment on the cost of implementation ahead of finalising any implementation plans.
Finally, whilst our UK Finance response is focused on priority issues, we would also like to note our support for the response we have fed into from the European Banking Federation (EBF). In addition, many of our shared members have fed into the detail being submitted by the Association of Foreign Markets Europe (AFME) and the Wolfsberg Group, closely aligned to the positioning of our UK Finance response.
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We appreciate the intention behind the RTS to ensure maximum convergence and proportionality with the AMLR. However, we feel further consideration is needed to ensure the RTS does not go beyond proposals within the AMLR, creating additional disproportionate burden for obliged entities operating both within and outside the EU, and on the business in the EU they support.
In particular, we would appreciate further consideration and engagement on the following priority areas of concern:
Understanding the ownership and control structure of the customer
Article 10 of the RTS should provide flexibility and allow firms to take a risk-based approach, employing reasonable measures when assessing a customer’s structure, its plausibility and economic rationale. This would be in keeping with the wording in the AMLR, which refers to ‘taking reasonable measures’ to verify the identity of Beneficial Owners and understand the structure.
We are concerned that the current drafting (‘obliged entities shall obtain, the following information’) puts too much emphasis on obliged entities to assess the whole set of information in all cases, regardless of risk, which is disproportionate and likely to create significant administrative and operational burden on firms and their customers. The level of due diligence required in all cases, even those that do not present a high risk of money laundering or terrorist financing, will increase the complexity of due diligence processes, thereby increasing costs for firms and acting as a barrier to legitimate businesses accessing financial services in a timely manner. We encourage the EBA to empower firms to tailor the due diligence on ownership and control structures to the risk posed by the customer, following the assessment of factors such as the customer type, sector, and potential status as a regulated or listed entity in line with a risk-based approach.
We understand that Article 10(1)(a) of the RTS requires obliged entities to obtain information on ‘all’ forms of intermediaries between the customer and Beneficial Owners. This includes their legal form, jurisdiction, nominee shareholders and shareholding details. Our members are concerned that the requirement to identify each intermediary level in the RTS is too prescriptive and goes beyond the ‘reasonable measures’ referenced in Article 20(1)(b) of the AMLR.
In contrast, Article 10(1) of the RTS details prescriptive measures to be taken for each intermediary layer, including obtaining a full suite of ownership data for intermediate owners. For wholesale clients, many of whom are well-known listed or regulated entities, the detailed approach to assessing ownership and control structures set out in the draft RTS is likely to create significant administrative and operational burdens. We are concerned that this may lead to the diversion of resources from identifying genuine risks due to the focus on exhaustive ownership structure analysis, rather than a risk-based assessment.
In line with a risk-based approach, we recommend that obliged entities be required to establish the ownership structure and only identify intermediary layers where there are concerns around the legal and economic rationale for the structure. It should equally be explicit that expecting the obliged entity to fully comprehend every detail, particularly regarding control and voting rights at each intermediary layer, is disproportionate. We recommend that the customer disclose relevant information and confirm the types of control at each level, while the obliged entity should make best effort attempts to validate this information. Therefore, we recommend re-focusing Article 10 (1)(a) and (b), as per the below:
- "For the purposes of understanding the ownership and control structure of the customer in accordance with Article 20(1) (b) of Regulation (EU) 2024/1624, where the customer's structure is unusually complex or a higher risk of ML/TF , obliged entities shall take reasonable measures to obtain the following information:
a. a description of the relationship structure including the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their beneficial owners, if any;
b. with respect to each legal entity or legal arrangement within the referred intermediary connections as per lit. a, the legal form of each legal entity or legal arrangement where needed to ultimately understand the ownership and control structure; the jurisdiction of incorporation or registration of the legal person or legal arrangement, or, in the case of a trust, the jurisdiction of its governing law and;"
If the suggested deletion of (c) set out above is not accepted, then we suggest at least reducing the scope of the requirement to the ultimate parent, as follows:
- "c. information on the regulated market on which the securities of the ultimate parent are listed, in case the ultimate parent has its securities listed on a regulated market, and the extent of the listing if not all the ultimate parent legal entity’s securities are listed on a regulated market’."
The requirement under Article 10(2) of the RTS to assess plausibility and economic rationale appears to apply to all customers, rather than being limited to those that are considered ‘high-risk’ or having unusually complex structures. This requirement appears to go beyond Article 20(1)(b) in the AMLR which provides that firms should take reasonable measures to ‘understand’ the structure. To drive proportionality and reduce the burden on legitimate business, we recommend that Article 10(2) is repositioned under Article 11 as a measure to be taken when the ownership and control structure is unusually complex, including where information obtained under Article 10(1) indicates that the structure may have been set up to avoid or reduce the transparency of beneficial ownership.
Suggested amendments
- "2. Where warranted by the facts of the situation at hand, obliged entities shall assess whether a structure might have been set up only in order to avoid or reduce the transparency of beneficial ownership, with no other likely or possible legitimate justification apparent."
To help reduce unnecessary burdens on obliged entities, we recommend the RTS re-introduce the regulated market exemption to ensure a more focused approach based on risk assessment. The absence of a regulated market exemption in the Article, despite its mention in intermediary layers of analysis, brings into question whether there is an implied level of comfort for regulated entities.
Understanding the ownership and control structure in the case of complex structures
Article 11(1) defines a complex ownership structure as “two or more layers” with four additional conditions (see Article 11(1) (a) to (d)). We believe this is too broad and may lead to many, if not most, ownership structures being classified as complex, which is of particular concern for our Wholesale members given the nature of their clients. We recommend removing the ‘two plus one’ assessment criteria, or any other reference to specific numbers of layers, allowing obliged entities to apply proportionality and risk-based judgement when determining the level of complexity of an ownership structure. Therefore, we recommend the following re-drafting proposal for Article 11(1):
- "To understand the complexity level of the ownership and control structure of the customer in accordance with Article 20(1)(b) of Regulation (EU) 2024/1624, obliged entities shall develop specific internal procedures to specify the criteria that make ownership and control structures unusually complex for the business relationships for which the obliged entity provides products and services. These procedures shall provide internal arrangements dealing with: several layers between the customer and the beneficial owner that may be an indicator of unusually complex ownership structure, and; b. indications of non-transparent ownership with no legitimate economic rationale or justification."
Whilst we understand that obtaining an organigram from the customer could be one way to assess the customer’s structure (see Article 10(1) and Article 11(2) of the RTS), the RTS should be sufficiently flexible and allow for firms to draft organisational charts based on client-provided information, with client attestation, or on reliable public information. This could address the practical challenges of obtaining organisational charts directly from clients in a more proportionate manner.
Information on senior managing officials
Under Article 63(4) of the AMLR, SMOs are defined as those natural persons who exercise executive functions within a legal entity and are responsible and accountable to the management body for day-to-day management of identity. We are concerned the proposed definition is too broad and fails to acknowledge the significant differences between the roles and responsibilities of SMOs and beneficial owners when it comes to ownership and control. Furthermore, if applied to Article 22(2) of the AMLR, firms may be required to ID&V a large number of natural persons, which would not align with a risk-based approach. This is a significant concern for our wholesale customers, where responsibilities may be spread across a number of natural persons.
To reduce unnecessary burden on firms and customers, we recommend that the RTS clarifies that, when applying Article 22(2) of AMLR, obliged entities must ID&V those SMOs that have significant control of the entity (i.e., those with meaningful influence) allowing the extent of the ID&V should reflect the customer’s risk.
Scope of the requirements
We understand Article 22 (1) of the AMLR to require obliged entities to obtain specific information to identify “the customer, any person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted”. However, the RTS only refers to “the customer(s)”, with no mention of the additional classes of persons referenced in the AMLR. It is unclear the EBA are intending to target a more limited population than the AMLR. We recommend that the RTS needs to clarify the scope of these requirements, particularly for Articles 1 to 6 of the RTS.
Flexibility of the data requirements
Article 22(1)(a)(i) of the AMLR requires firms to obtain “all names and surnames”. Article 1(1) of the RTS appears to go beyond the requirements in the AMLR as it has asked for "all of the full names and surnames".We would recommend removing ‘full’ from the RTS to ensure consistent application against the corresponding Article in the AMLR (see proposed editing for RTS Article 1(1) below). Furthermore, we are concerned that the requirement to provide "at least those names that feature on their identity document, passport or equivalent" (see Article 1(1) of the RTS) does not reflect the variations in global naming conventions. We recommend that Article 1(1) in the RTS be edited to acknowledge this and require obliged entities to obtain only those names that appear on identity documents (see edits underlined):
- “In relation to the names and surnames of a natural person as referred to in Article 22(1)(a) point (i) of Regulation (EU) 2024/1624, obliged entities shall obtain the customer’s names and surnames. Obliged entities shall identify the names that feature on the relevant person’s identity document, passport or equivalent’
We note that, in the Level 1 text, “place of birth” is never defined as Country and City. We would recommend that the RTS does not go beyond what is set out in the AMLR and instead allow for flexibility in terms of what components of place of birth are considered risk relevant, to avoid creating disproportionate burden. Flexibility is also needed, as not all ID documents issued globally will contain both the “city and the country name”. For instance, while City of birth may already be required data points in some EMEA countries, ID documents issued in the U.S. include the State name rather than the City name. We therefore recommend that Article 5(1) incorporate flexible language to accommodate for the differences between different Government IDs issued globally, acknowledging that not all documents will contain the same data points, such as:
Suggested edits to Article 5(1)(b)
- “it contains names and surnames, the holder’s date and place of birth and their nationality”
Documents for the verification of the identity
We interpret Article 5 (1) as applying only to documents that are not official passports or national identity documents and understand that this Article establishes an exhaustive list of features that a document must contain in order to be treated as equivalent to a passport or national identity document for the purpose of verifying a customer’s identity, in line with Article 22(1)(a) of the AMLR. The current list of conditions for an equivalent document is therefore too prescriptive and hence, suggest the below amendments:
Suggested Amendment: Article 5 – Documents for the verification of the identity
- For the purposes of verifying the identity of the person in accordance with Article 22(6) (a) and Article 22(7)(a) of Regulation (EU) 2024/1624 a document, in the case of natural persons, shall be considered to be equivalent to an identity document or passport where all of the following conditions are met:
- it is issued by a state or public authority,
- it contains the legal name (first and surname) and date of birth and place of birth,
- it contains information on the period of validity and a document number,
- it contains a facial image and the signature of the document holder,
or - a member state, in its legal system, considers that document valid for identification purposes.
We would like to note that some of our members have also raised concerns about the inclusion of ‘place of birth’ as a requirement under Article 5(1)(b), and have asked for this to be removed to allow for more flexibility and inclusion when verifying valid ID documents.
Clarifying the definition for ‘person purporting to act’
The RTS needs to explicitly define "any person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted" (see reference in Article 18 of the RTS) to ensure consistency of application across member states.
The RTS should clarify whether the definition and scope include only third parties acting via proxy or power of attorney, or if this also encompasses authorised signers and senior manages. In the context of wholesale banking, capturing individuals acting in their professional capacity (e.g., authorised signers), in particular those employed by regulated financial institutions, has proven excessively burdensome and ineffective in combatting financial crime. To ensure harmonisation, the definition should be limited to third parties and not include employees acting in their professional capacity. We therefore recommend that the following definition for a “person purporting to act” be applied consistently across the AMLR and RTS:
- "Legal representative(s) of a customer who is an unfit natural person; any natural person, other than an employee of a legal person authorized to act on behalf of a customer pursuant to a mandate or any natural or legal person authorized to act on behalf of customers pursuant to a proxy agreement."
Amendment – also included in EBF and AFME responses
- “Legal representative(s) (e.g., legal guardians) of a natural person customer; any natural person, other than an internal employee or senior manager of a legal person, authorised to act on behalf of a legal person customer pursuant to a contractual mandate (e.g., an agent), or any natural person authorised to act on behalf of legal person customers pursuant to a bilateral proxy agreement.”
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
We would welcome clarity on the definition of non-face-to-face interactions. Historically, interpretations of operational requirements have varied. For instance, an on-site visit to a customer representative may suffice, even if the meeting is not directly with the ultimate beneficial owner (UBO).
The AMLR Art 22(6) specifies a customer’s identity can be verified through either electronic means or by utilising identity documents provided by the customer or accessed directly. This does not align with Article 6(1) of the RTS, which appears to require the use of only electronic verification systems for customers, beneficial owners, and persons acting on behalf of the business. We would recommend re-drafting Article 6(1) to align with the AMLR and provide clarity (see edits underlined):
- "To comply with the requirements of Article 22(6) of Regulation (EU) 2024/1624 in a non-face to face context, obliged entities shall apply specific and additional measures to compensate the potentially higher risk that this type of customer relationship presents or may use electronic identification means, which meet the requirements of Regulation (EU) No 910/2014 with regard to the assurance levels ‘substantial’ or ‘high’, or relevant qualified trust services as set out in that Regulation."
We recommend the RTS clarify that the definition and concept of “solutions shall be commensurate to the size, nature, and complexity of the obliged entity’s business and its exposure to ML/TF risks” (see Article 6(2)). It should also specify whether using electronic identification (see Article 6 (3) to (6)), would require the acquisition of the customer’s identity document (or equivalent), and provide criteria for the “reasonable steps” needed to ensure authenticity and integrity.
As per our feedback provided on the Scope of requirements (see above), we would welcome clarity on whether the Article 6 of the RTS applies only to ‘customers’ or both ‘customers’ and ‘persons purporting to act on behalf of the customer’ as suggested by Article 22(6) of the AMLR. If beneficial owners are in scope, subjecting them to ID&V would be impractical and disproportionate as a requirement.
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
In Article 22(c) of the AMLR, in the context of virtual IBAN distribution, it is not clear whether the term “issuer” /”issuer” solely refer to that entity creating virtual IBANs to distribute to their client, or describes a use case where an entity is distributing virtual IBANs created by another entity, such as the bank that provides the underlying account.
In Article 8 of the RTS, four distinct entities are described, including one entity (e.g., Party A) that services an account for another entity (e.g., Party B), and that entity (Party B) then “issues” virtual IBANs to an intermediary (e.g., Party C). It is not clear whether Party A and Party B can be interpreted as the same entity, for example, a single bank that services the physical account and distributes the virtual IBANs for the intermediary (Party C). Further clarity from the EBA would also be appreciated on the extent to which credit and financial institutions will be required to identify and verify the identity of natural or legal persons using a virtual IBAN (i.e., the ultimate end user). Our members would welcome clear guidelines to ensure that credit or financial institutions understand their responsibilities and can implement the necessary measures effectively.
RTS requirements to align with changes to FATF Recommendation 16
The Financial Action Task Force (FATF) is currently processing feedback received to its consultation on changes to Recommendation 16, which concerns payment transparency. The FATF consultation was focused on ensuring that the account number or payment message data which are transmitted as part of a transaction can identify the financial institution and the country where the funds are held. FATF is expected to publish the results of its consideration of feedback in June 2025 – which will coincide with the EBA considering feedback received to this consultation.
We request that to the extent possible, the EBA look to align the final requirements of Article 8 with final changes to Recommendation 16 expected to be published by FATF in June 2025. Global alignment is helpful in ensuring effective compliance and reinforces the benefit of FATF’s work to set standard at the global level.
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Our concerns regarding Articles 15 and 16 mirror the ones raised in our response to Question 1, namely about the RTS provisions being too prescriptive going above and beyond the corresponding Articles 20(1) and 25 of the AMLR. In fact, while the Level 1 text allows for a risk-based approach by outlining measures to be taken "as appropriate’ and ‘as necessary", draft Article 15 and 16 impose the requirements that all information is collected in all instances.
Purpose and intended nature of the business relationship or occasional transactions (articles 15 and 16)
There is duplication in the AMLR, which has been further expanded in the RTS under Articles 15 and 16. We are concerned this will result in poor and inconsistent implementation. In particular, we are concerned about the requirements being overly prescriptive and not distinguishing between standard Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD). For instance, for Article 15(d) of the RTS we would propose explicitly stating that obliged entities are required to determine source of wealth as an EDD measure, as opposed to when ‘ML/TF risk is higher’, which is open to interpretation. This would align the RTS with the Article 34(4) of the AMLR which provides that EDD measures may include obtaining additional information on source of wealth.
The requirements under Articles 15 and 16 appear to be more prescriptive than current practices such as purpose and intended nature and Source of Funds. Our Wholesale members have also raised concerns about the requirements being oriented towards retail, which may not be suitable for all business types or risk profiles.
The RTS should provide clear guidance on the concept and expected information to be obtained from clients regarding “why the customer has chosen the obliged entities’ products or services, the value and benefits” (see Articles 15(a) and 16(a)). This requirement could be read as requiring obliged entities to record specifically why the customer chose their products/services over their competitors (such as more competitive rates) when, we believe, the EBA intends to focus the due diligence on how the customer plans to use the product and service. Clarification would ensure that the information collected is relevant and useful.
We recommend that the RTS specify whether this information is required in all instances or only when an increased risk is identified by the obliged entity. This distinction is important to ensure the process for collecting information is aligned with the risk profile of the customer, allowing for a more efficient and targeted approach. Therefore, we propose the requirements under Article 15 should apply ”where appropriate” to allow for a Risk Based Approach. This approach will mean firms will not need to ask customers for this information in instances where it can be inferred.
The RTS should clarify whether the level of information is required in all instances or only when there is an increased risk identified by the obliged entity. This particularly important for lines of business opening corporate accounts across jurisdictions as part of their group cash management services. Clear guidance is needed to help ensure the information collection process is appropriately tailored to the risk level.
The RTS should also provide further clarity as to the meaning of “the category of funds that such transactions relate to”, “the intermediaries used” and “actively engaged in business”. Furthermore, in a wholesale context we are concerned that Article 16(c) may not be applicable to all customers and sectors, and more appropriate.
In many cases, there may be no specific reason for a customer choosing a certain service provider. Where a reason is present, it may be only known to the customer, who may not wish to provide it. For example, a customer may choose a bank because of branding, a particular advertisement, the available offers on the market, or simple physical convenience due to proximity to a branch. Where the purpose and intended nature of the relationship or transaction is self-evident from the products and services themselves, there should be no requirement to collect any further information.
We propose the following redrafting of Article 15 to allow for a Risk Based Approach:
For the purposes of Article 20(1)(c) of Regulation (EU) 2024/1624, obliged entities shall as appropriate take risk-sensitive measures to determine :
b. how the customer plans to use the products or services provided, including the volume of funds flowing through the account and their source;
c. whether the customer has additional business relationships with the obliged entity’s group, and the extent to which that influences the obliged entity’s understanding of the customer and the source of funds, provided that obtaining this information does not conflict with other regulatory requirements; and
d. where Enhanced Due Diligence is being applied under Article 34(4) determine the source of wealth
We propose the following redrafting of Article 16:
When obtaining information in accordance with Article 25 of Regulation (EU) 2024/1624, obliged entities shall as necessary and applicable take risk-sensitive measures to obtain the following information
b. in relation to the estimated amount of the envisaged activities, obtain information on the estimated amount of funds to be deposited and understand the anticipated of incoming and outgoing transactions that are likely to be executed during the business relationship or occasional transactions as well as the category of funds that such transactions relate to.
c. in relation to the source of funds, information on the activity that generated the funds and the means through which the customer’s funds were transferred, which includes employment income, including salary, wages, bonusses and other compensation from employment, pension or retirement funds and government benefits including social benefits and grants, business revenue, savings, loans and investments income, inheritance and gifts, sales of assets and legal settlements.
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We appreciate the inclusion of a 5-year grace period for existing customers under Article 32 of the RTS. However, we would also like to request clarity in regard to the date in which the grace period will commence. A challenge for obliged entities, operating within and outside the EU, is that many of the changes being proposed will take time to implement, especially in instances where proposals in the AMLR and RTS differ from existing global standards. For example, Article 3 of the RTS has interpreted the specification on the provisions of place of birth in Article 22(1)(a)(ii) if the AMLR as including ‘both the city and the country name’, which is not applicable for all ID documents issued globally (as mentioned in our feedback under ‘scope of requirements’) We strongly urge the EBA to delete the requirement to identify and verify city of birth, which goes further than Article 22(1)(a)(ii) of the AMLR. The additional obligation to identify and verify city of birth acts as a barrier to obtaining financial services, will require significant (and costly) remediation, and will result in the termination of legitimate customer relationships because this data point, which is not commonly used for AML/CTF purposes, cannot be identified or verified.