Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

Article 40 of the AMLD requires supervisors to apply a risk-based approach to AML/CFT supervision. Under a risk-based approach, supervisors are required to adjust the frequency and intensity of supervision based on the ML/TF risk profile of each obliged entity in light of each entity’s business model, operation and customer base. The draft RTS should help assess and classify the inherent and residual risk profile of each obliged entity based on an automated scoring system. The danger with an automated scoring system is that it lacks an assessment of the individual case and national or organizational specificities since it will have to limit itself to common agreed criteria and data points, which have to be carefully selected not to create static categories of risk indicators.

· Assessing the quality of controls based on a two-step process seems more appropriate, whereby the control risks would be first assessed in an automated manner based on objective criteria and then manually adjusted based on professional judgment where necessary.
· We overall encourage an approach to limit data requests from obliged entities and stakeholders to those that are strictly necessary for ML/TF risk assessment purposes.

While the methodology laid out by the EBA to determine risk appears in line with international standards established by the Financial Action Task Force (FATF) – when ascertaining inherent risk, looking at controls and then coming to a residual risk assessment – we have clear concerns around the suggested single set of data points. Furthermore, we have concerns about several proposed data points, specifically:

Number of NPOs and number of NPOs with cross-border transactions to/from non-EEA countries

The listing of NPOs as client base and hence a potential indicator for risk gives the impression that having NPOs as clients creates a certain risk profile for obliged entities. NPOs where they are legal entities should be included in the category of legal entities and customers. We strongly recommend to remove the category of number of NPOs and number of NPOs with cross-border transactions to/from non-EEA countries for the following reasons:

· FATF Recommendation 8 and the methodology for assessing it clearly recognise that not all NPOs are vulnerable to TF/ML abuse and that only (potentially small) subsets of the NPO sector are at risk. The listing of NPOs would also not take into account risk mitigation measures adopted by NPOs. There are various recent examples moving towards this distinction, in particular the US National Risk Assessment and UK National Risk Assessment who both recognise the effect of mitigation measures taken by NPOs (page 25 and 127 respectively). Moreover, the French National Risk Assessment concluded in 2023 that the level of threat on ML and TF is broadly low for NPOs in France (page 66 and onwards). Another recent good practice example is the NPO industry baseline which was developed in the Netherlands, after the Dutch Central Bank realised their AML/CFT supervisory approach was not risk-based enough, was leading to the derisking of certain classes of customer, NPOs among them, and was not the most effective in keeping the financial sector free from financial crime. The NPO baseline lays out both risk enhancing and risk mitigating factors for NPO transactions. Banks are initially meant to see NPOs as neutral (as opposed to before, when the entire sector was seen as high-risk for TF) and would then apply a risk lens to do ‘more if necessary, less if possible’ in terms of due diligence. Initial monitoring reports have been extremely encouraging. Therefore, putting all NPOs as indicator for risk is contrary to current standards.
· Moreover, singling out NPOs in this way will result in unintended consequences for the sector as a whole, including for obliged entities/financial service providers to not serve the NPO sector anymore (so-called bank derisking). NPOs are a legal entity like any other, and there is already a criterion for this laid out in the Annex (‘Number of legal entities’). There is no need to exceptionalize one particular legal entity in this way when the consequences of this for the sector are well documented. The EU Supranational Risk Assessment flags the bank derisking that the sector is subject to (p.7). The FATF has also carried out extensive work on the unintended consequences of its framework for NPOs, which include financial exclusion and bank derisking, as has the EBA. The singling out of NPOs in the list of indicators will only exacerbate this problem and is not in line with existing FATF standards.
· FATF has also stated in different contexts that the sole fact of a cross-border transaction does not create higher risks. Analysis of past financing of terrorist incidents even points to local and low budget actions. Hence the reference to cross-border transactions to/from non-EEA countries could potentially be removed for any customer/legal entity.

Based on international standards and good practice, what the EBA is proposing is not risk-based or proportionate, will lead to undue focus on the sector when regulation should be vehicle agnostic, and will be repeating mistakes that have been made in the past two decades and more with the FATF framework leading to grave impact on the humanitarian, peacebuilding, rights and development work of NPOs and the communities we serve.

Total Number of projects funded for philanthropic purposes in the previous year

We question the validity of this indicator for the assessment of the risk profile of crowdfunding platforms as obliged entities. Singling out projects for philanthropic purposes will lead to further derisking of NPOs and public benefit crowdfunding platforms. This labels philanthropic projects and online donations as high-risk activities without evidence or a proper risk assessment. The report “Following the Crowd: clarifying terrorism financing risk in European crowdfunding” (2021, Royal United Services Institute for Defence and Security Studies) found no significant or consistent evidence that European donation-based crowdfunding platforms are misused for terrorism financing purposes. Including this indicator without proof of abuse cases that justify it is contrary to existing standards, good practice and the principles of proportionality and effectiveness.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

NA

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

Please see our input under question 1 on the data points. 

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

Please see our input under question 1 on the data points. 

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

NA

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

NA

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

NA

Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

NA

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

NA

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

NA

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

NA

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

We would like to reiterate the concerns expressed on the data sets above as art. 2 also refers to Annex 1. 

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

NA

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

NA

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

NA

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

NA

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

NA

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We welcome the fact that the current differences in the national transposition of the AMLD’s CDD requirements will be streamlined and clarified to the extent possible. At the same time, we are concerned that the proposed framework poses a risk to financial inclusion and does not reflect the financial inclusion priority set by the new FATF Presidency. Although progress in financial access has been made in the past years, still more than 13 million adults (4% of the adult population) face financial exclusion in the EU, according to an ESBG analysis of the Global Findex Database 2021. Specific communities are particularly impacted, including stateless people, refugees, asylees, homeless people, Roma and Sinti communities. Furthermore, while FATF R.8 states that AML/CFT measures should not unduly disrupt or discourage legitimate activities of non-profit organisations (NPOs), restrictive interpretation and application often leads to disproportionate administrative burdens for NPOs, including public-benefit foundations, as well as cases of derisking. FATF are updating their guidance on AML/CFT Measures and Financial inclusion and have committed to launch a workstream to reconceptualize risks related to this topic, taking into account how AML/CFT measures are also a risk to financial inclusion. This proposed RTS will only reinforce these risks.

More specifically, we would like to express the following concerns and recommendations:

· Art. 3, art. 4 and Annex 1 (a): We recommend that the information on the place of birth consists of the city and/or the country name. Many identity documents (or acceptable alternative documents) include either the city or the country name; therefore, this requirement could lead to increased cases of derisking. Additionally, birth registration data cannot always be obtained due to a host of conditions many in the world are living under, and come to the EU from, including conflict, war, forced displacement, forced dispossession, regime change, apartheid, occupation, genocide, blockades, and gender apartheid. Furthermore, we want to bring to your attention that registration of nationality and place of birth can be discriminatory in nature and can lead to financial exclusion. This includes registration of dual nationality as current practice has shown.
· On legal entities: Many NPOs across the world function as unincorporated associations; for example a voluntary group, resident initiative, cultural group, community trust, or an animal welfare group. Because of their nature and/or the high compliance burden associated with registering as a legal entity they opt to remain unregistered. Budgets of such groups are typically low (<10,000 EUR). Individuals associated with these groups open a bank account or use their personal bank account to accommodate money flows. This could potentially lead to derisking. Therefore, we recommend providing guidance to obliged entities that in such case, risk-based due diligence measures should be applied and these should not lead to derisking.
· Art. 5: We recommend providing stronger guidance in this article to ensure criteria are applied in a way that takes into account the reason why a legitimate customer may be unable to provide standard documentation (as stated in recital 7). Furthermore, we recommend specifying in art. 5 (2) that the document should contain country and/or city of birth (not necessarily the city; see above). Lastly, we recommend to add statelessness and refugee or subsidiary protection status to nationality, in line with art. 22 (1) AMLR. We recommend specifying in Annex 1 (a) (iii) that the attribute “other” can be documented instead of “nationality” to ensure obliged entities include statelessness and refugee or subsidiary protection status in their ICT systems and dropdown menu in application forms, which is currently often lacking.
· Art. 13 and 14: we recommend adding a provision to ensure synergy with art. 59 (2) AMLR to avoid obliged entities requiring information on individual beneficiaries when NPOs and foundations similar to express trusts or constituted as express trusts and similar legal arrangements do not need to list individual beneficiaries as BOs based on art. 59 (2) AMLR. NPOs and foundations similar to express trusts or constituted as express trusts and similar legal arrangements while not being required to list individual beneficiaries (since they benefit the general public) could add a description of the class of beneficiaries and its characteristics, as described in their statutes. Only in the case of private interest trusts (family trusts), individual beneficiaries would need to be listed.
· Art. 16 (a) and (b) require obliged entities to obtain information from their clients on the value and benefits expected from occasional transactions or business relationships (point a) and the anticipated number, size, volume and frequency of incoming and outgoing transactions (point b). First of all, it is unclear how value and benefit (point a) should be interpreted for non-profit organisations, especially since volume of incoming and outgoing transactions is mentioned in point b. Furthermore, value and benefit as well as anticipated number, size, volume and frequency are extremely difficult to estimate as results of fundraising efforts are not known in advance. Moreover, unexpected circumstances (e.g. natural disasters, war or conflict) may prompt organisations to respond and launch an appeal, leading to a much higher number and frequency of incoming transactions. Such unexpected circumstances may also lead to unforeseen destination of funds (point d). It is unclear what potential consequences could be of such deviations. Lastly, it will be very difficult for persons or entities who launch a fundraising appeal through crowdfunding platforms (and who will now also be subject to CDD measures) to anticipate the number, size, volume and frequency of incoming transactions. Many of them may be launching an appeal for the first time and do not know what response to expect. Therefore, we recommend to:
  o add an exemption for value and benefit for NPOs in point b;
  o remove the reference to the anticipated number and frequency of transactions; and
  o add guidance for obliged entities that deviations from any of these estimations should not lead to determination of a higher level of risk if the customer can provide legitimate reasons for the deviations

Furthermore, we would like to highlight the consequences of this RTS for donation-based crowdfunding platforms. Under the AMLR, crowdfunding platforms will for the first time be considered obliged entities. No distinction is made in this regard between for-profit and non-profit entities, and it does not matter whether crowdfunding platforms focus on private interests or public benefits. Public benefit crowdfunding platforms are often non-profit entities themselves who do not have the capacity and financial resources to be able to comply with these requirements. This new framework therefore threatens their viability, or at the very least forces them to increase their commission fees. This will limit the fundraising options available to civil society organisations. Moreover, the research “Following the Crowd: clarifying terrorism financing risk in European crowdfunding” (2021, Royal United Services Institute for Defence and Security Studies) found no significant or consistent evidence that European donation-based crowdfunding platforms are misused for terrorism financing purposes. The compliance burden for public benefit crowdfunding platforms related to customer due diligence measures is therefore not proportionate to the level of risk.

The AMLR provides that the obligation to conduct customer due diligence also applies to natural or legal persons who make donations, although the extent of this obligation is not yet clear. While it seems reasonable to expect that making a donation is characterised as “carrying out an occasional transaction” (hence, the 10,000 EUR threshold would apply), this will depend on the criteria for identifying occasional transactions and business relationships, which will be developed by AMLA. Moreover, even if donations can be characterised as occasional transactions, AMLA could determine that crowdfunding platforms are required to conduct customer due diligence for donations above a lower threshold, meaning a to-be-determined value below 10,000 EUR (Art. 19 (9) (a) AMLR). Therefore, crowdfunding platforms may be required to apply customer due diligence measures on persons or entities that make (small) donations through their platform. If that is the case, the numerous requirements will be extremely challenging for non-profit, donation-based crowdfunding platforms. This includes e.g. the provisions related to specification of nationalities (art. 4), verification of the customer in a non-face-to-face context (art. 6) and all provisions related to beneficial ownership (art. 9-12) in case a company donates through their platform. We propose to add exemptions for donation-based crowdfunding platforms in these articles to apply due diligence measures on persons or entities who seek funding through their platform to simplify due diligence requirements: to avoid misuse of donation-based crowdfunding platforms for illicit money flows, it would be sufficient to apply due diligence towards persons and entities seeking funding.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

NA

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

NA

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

NA

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

NA

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Related to section 4, we would like to point out that it is unclear what the concept of “the person on whose behalf or for the benefit of whom a transaction or activity is being conducted” would mean in the context of non-profit organisations and crowdfunding platforms. 

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.

NA

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Art. 25-27 introduce several new requirements for enhanced due diligence, several of which are not apt to the nature of NPOs and/or disproportionately burdensome (or even impossible to fulfill) and can lead to derisking or blocking of transfers. We are particularly concerned about the following:

· Art. 25 (1) requires obliged entities to obtain information on the intended nature of the business relationship which enables them to verify the legitimacy of the destination of funds. This may include information from authorities and other obliged entities. It is unclear what is meant by information from authorities. This can be very problematic or even impossible for NPOs to obtain, especially for NPOs that provide humanitarian assistance in conflict areas and NPOs that conduct or support human rights work in countries with authoritarian regimes (including those that were forced to relocate from their country of origin due to government repression). This requirement could lead to refusal of an obliged entity to onboard an NPO as client. We recommend including an exemption for non-profit organisations.
· Art. 26 (1) (a) on proof of income of BOs. The concept of beneficial owners does not fit the non-profit sector which explicitly does not serve private interests but public interests. For many NPOs (including public benefit foundations) as well as other types of foundations, board members are considered BOs. They often serve on a voluntary basis. Their sources of wealth or income do not stem from the NPO and are not relevant to assess the level of risk associated with the organisation. Moreover, this requirement could lead to discrimination based on income: e.g. persons who represent excluded groups may no longer be considered for a board member position to avoid high-risk classification. For some public-benefit organisations (those similar to express trusts or constituted as express trusts and similar legal arrangements), there is cumulative listing of BOs, irrespective of whether those individuals exercise control over the organisation and/or own assets or have rights on assets. This list includes the beneficiaries; it is impossible for such NPOs to provide information on their income and wealth. The same can apply to founders if they are no longer connected to the organisation. Therefore, we recommend including an exemption for non-profit organisations.
· In the same vein, art. 27 (c) requires obliged entities to obtain information to assess whether transactions are consistent with the business relationship. According to point c, this should include information which enables them to assess the legitimacy of the parties involved in the transaction, including any intermediaries. This is also very difficult for NPOs, particularly those who work with partners in other parts of the world. Partners can include very small organisations or unregistered groups whose legitimacy may be difficult to assess by obliged entities. We recommend including an exemption for non-profit organisations.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

NA

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

NA

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

NA

Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.

NA

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.

NA

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

NA

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

NA

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

NA

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

NA

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

NA

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

NA

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

NA

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

NA

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

NA

Name of the organization

Philea, Philanthropy Europe Association