Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
We believe that Article 2 of draft RTS (“Assessment and classification of the inherent risk profile of obliged entities”) does not provide sufficiently clear guidance on the key elements of the risk assessment methodology, such as indicators, thresholds, weights and the calculation of inherent and residual risk. These elements are essential for ensuring consistency between the supervisory authorities' methodology and that of the obliged entities.
Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.
From a methodological and prudential point of view, we agree with the proposed approach that the residual risk should never exceed the inherent risk in a well-structured AML assessment. If this occurs, it should be taken as an indication that improvements are needed in the assessment structures or model.
3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?
In recent years, the prudential reporting discipline, as well as the rest of the sectoral regulations more generally, has been trying to simplify and rationalise. However, the excessive number of data points proposed in the RTS annex does not seem to be moving in this direction. Many of the proposed data points are either not currently required or not aligned with national reporting, implying significant costs and organisational impacts.
Obliged entities will not be able to start internal projects to implement the new methodology until the interpretative note is made available. They will also have to check whether entities in other Member States will be able to provide them with this new information, and whether local authorities will request further information from them.
In the long term, the current local reporting templates are expected to be replaced by standardised, Europe-wide templates. Therefore, we propose that RTS either provide a selection of the information currently identified in the draft or introduce a system to prioritise the data to be collected. This would ensure an adequate assessment of the level of money laundering and terrorist financing risk associated with individual institutions while eliminating unnecessary and redundant data with respect to national reports that would be maintained or data that supervisors could extrapolate from other sources.
3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?
The data listed below are either unavailable or their collection would place a considerable burden on the obliged entities.
SECTION A – Inherent risk
- Customers - Number of NPOs with cross border transactions to/from non-EEA countries
- Products Services and Transactions - Sub-Categories: Payment Accounts, Virtual IBANs, Prepaid Cards, Lending, Factoring, Life insurance contracts, Currency Exchange (involving cash), Custody of crypto assets, Investment Services and Activities RTO (in particular, % of amounts of orders transmitted involving unlisted financial instruments issued by the obliged entity or its group), Investment Services and Activities - custody account keeping, Money remittance, Wealth Management, Correspondent services, Trade finance, E-Money, TCSP services, Exchange crypto-fiat, Exchange fiat-crypto, Exchange crypto-crypto, Transfer crypto-assets, Safe Custody Services, Crowdfunding, Cash Transactions, Geographies (in particular, Number of incoming transactions in the previous year by country, Total value (EUR) of incoming transactions in the previous year by country, Number of outgoing transactions in the previous year by country, Total value (EUR) of outgoing transactions in the previous year by country, Total value (EUR) of entity's investment undertakings (CIUs) by country, Number of investors by country (for AMCs), Total value of investments (EUR) by country (for AMCs), Total value (EUR) of all assets by country (for IFs and AMCs)), Distribution channels (in particular, Number of white labelling partners by country of establishment).
Furthermore, it would be preferable if the references to third countries in the data points in Section A were more specifically limited to high-risk third countries.
SECTION B – AML/CFT Controls
- AML/CFT governance structure - Subcategories: 1A Role and responsibilities of the management body, 1B Internal controls and reporting system
- Risk Assessment - 2B Customer ML/TF risk assessment and classification (CRA): Date when the obliged entity assessed the need to update the CRA for the last time
- AML/CFT Policies and procedures - Subcategories: 3D: Suspicious Activity Reporting (in particular, Number of STRs submitted to the FIU before the completion of the transaction during the last calendar year); 3E Targeted Financial Sanctions (The information required under point 3E is not available to the obliged entity when using a third-party information provider. In this case, the RTS must clarify whether the obliged entity must obtain a supplementary declaration from the supplier)
3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?
NA
Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
NA
Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.
NA
Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.
The level of regulation and control in the European Economic Area jurisdictions is higher than in non-EU countries, and is further enhanced by the anti-money laundering package. Therefore, these jurisdictions deserve less stringent treatment. For example, geographic risk is currently subject to extensive regulation: EBA GL/2021/02 on risk factors; the “Two set of guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures” (EBA GL 2024/14 and 2024/15); the Instant Payments Regulation (IPR); the Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets, etc.
Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
We believe that the total euro value of inbound and outbound transactions generated by customers resident in each Member State in which an obligated entity operates is not an accurate benchmark for determining whether an entity's activity in that Member State is relevant under Article 12(1) of Regulation 2024/1620.
A single transaction could reach the 50 million threshold but be insignificant in terms of fees received by the obliged entity.
Therefore, it would be more meaningful to relate the threshold to the volume of fees generated by transactions.
Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.
NA
Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.
NA
Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.
NA
Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.
NA
Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
NA
Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.
NA
Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?
NA
Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
NA
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
With reference to Article 4 of the draft RTS (“Specification on nationalities”), we would like to draw your attention to the difficulty of collecting information on all of the customer's nationalities. The identification document that the customer chooses to produce generally shows only one nationality, so it would be too burdensome for the obliged entity to collect further documents proving any additional nationalities. However, if this information were necessary, the obliged entity could collect a declaration from the customer on any additional nationalities, which would also remain valid for verification purposes.
Regarding Article 5 of the draft RTS (“Documents for the verification of the identity”), we deem it most appropriate to specify that all types of documents recognised under national law remain valid for identity verification purposes in each Member State.
We believe that the criteria listed in the draft RTS describe the prerequisites for a document to be considered equivalent to an identity card or passport, when it is not one of the documents already recognised in the Member State of reference of the obliged entity. This interpretation is also confirmed in recital 7 of the draft RTS.
In relation to the requirement set out in paragraph 1 of Article 5 for the joint presence of all the criteria identified for the purpose of equivalence, we point out that not all documents have the same characteristics (for example, some do not have a photo or a machine-readable zone), so these are difficult standards to achieve cumulatively.
Regarding the possibility - set out in paragraph 2 - to derogate from the equivalence criteria listed in paragraph 1, we consider it useful to provide a definition of 'legitimate reasons' for access to the simplified list. Moreover, the list in paragraph 2 also includes the photo requirement, which, as mentioned above, not all identification documents have.
With regard to the verification of the identity, we recall that Article 22(6) AMLR states that: “Obliged entities shall obtain the information, documents and data necessary for the verification of the identity of the customer and of any person purporting to act on their behalf…”. In this regard, we believe that, in deference to the provisions of Art. 20(1)(i) AMLR, the RTS should clarify that, for the verification of the identity of a legal entity client, it is necessary to identify and verify the identity of the person claiming to act on its behalf by collecting at least an identity document.
With reference to Article 7 of the draft RTS (“Reliable and independent sources of information”) and the examples proposed in Recital 5, we consider it useful for the RTS to specify whether, where the source of information consists of databases made available by an external information provider (such as World-Check), the obliged entity should require some form of certification from the information provider as to the reliability and independence of the source.
With regard to the concept of “complex structure” in Article 11 of the draft RTS (“Understanding the ownership and control structure of the customer in case of complex structures”), we believe that the presence of two or more layers between the customer and the beneficial owner, as well as the presence of indications of non-transparent ownership without any legitimate economic rationale or justification, are sufficient grounds for requiring the customer to submit an organigram. We therefore propose eliminating the conditions set out in points a, b and c, as these are more difficult for the obliged entities to verify.
With respect to the identification of the beneficial owner, Article 22(2) of the AMLR provides that: “Where, after having exhausted all possible means of identification, no natural persons are identified as beneficial owners, or where there are doubts that the persons identified are the beneficial owners, obliged entities shall record that no beneficial owner was identified and identify all the natural persons holding the positions of senior managing officials in the legal entity and shall verify their identity”.
Bearing in mind the definition provided in Article 63(4) of the AMLR, identifying and verifying all natural persons in senior management positions within a legal entity would result in the collection of data on a large number of individuals, which would be disproportionate in terms of monitoring the company's relevant activities. It would also inevitably lead to many individuals being reluctant to provide the data, significantly lengthening the onboarding phase.
We therefore request that Article 12 of the draft RTS restricts the collection of data on SMLs to the company's management board and managing director.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
We believe that the proposed interpretation of Article 6 of the draft RTS, which identifies electronic identification pursuant to Regulation (EU) 910/2024 as the almost exclusive means of customer verification in a non face-to-face context and which considers the use of other remote verification solutions to be only residual, appears unjustified.
If electronic identification under Regulation 910/2024 is unavailable, obliged entities must be able to use all recently implemented remote onboarding solutions – with considerable costs - that fully meet the requirements of the EBA guidelines on the use of remote customer onboarding solutions.
These solutions are undoubtedly comparable to electronic identification means under Regulation 910/2024 in terms of fraud prevention.
In addition, we believe it is important to maintain the liveness detection obligation already set out in the same EBA guidelines. This is an extremely necessary measure at a time when technologies such as AI are being developed and the risk is increasing.
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
NA
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Articles 15 and 16 of the draft RTS require the collection of a considerable amount of information in connection with identifying and understanding the purpose and intended nature of the relationship or occasional transaction. Some of this information is difficult to obtain. This includes information on key stakeholders, particularly in large companies. In this regard, it should be noted that Art. 25 AMLR allows for the collection of certain information on the purpose and nature of the relationship or occasional transaction 'where necessary', but the EBA's interpretation of this in the draft RTS is overly rigid. We therefore call for greater flexibility and proportionality in the wording of Articles 15 and 16 of the draft RTS. The obligation to request additional information should be limited to high-risk customers, as assessed by the obliged entity.
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
With regard to identifying PEPs, we request that the enhanced due diligence measures set out in Article 17 of the draft RTS do not apply to:
- persons acting in their capacity as an organ of the public administration in the context of business relationships and occasional transactions relating to their office; and
- persons acting in their capacity as directors of public investee companies (e.g. a person who is the legal representative of a water service company in which some municipalities have an interest) in the context of the company's business relationships or occasional transactions.
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
As a general remark, it seems that Article 33(1)(e) of the AMLR grants the AMLA the power to introduce further significant simplifications. However, in practice, the draft RTS distinguishes SDD from ordinary due diligence only by excluding residence from the list of identification data to be collected. At the same time, significant simplifications are only envisaged for specific sectors, as set out in Articles 20 and 21 of the draft RTS. We therefore consider it appropriate to introduce more flexibility into the definition of simplified measures, irrespective of legal form.
With reference to Article 19 of the draft RTS (“Minimum requirements for the identification and verification of the beneficial owner or senior managing officials in low-risk situations”), we note that the modalities proposed therein are more stringent than the rules currently in place in the Italian legal system (which is considered one of the strictest in the EU with regard to AML). Italian regulations stipulate that, in low-risk situations, obliged entities may only verify beneficial owner data by acquiring a confirmation statement from the customer. However, in the approach described in Article 19, where the obliged entity chooses the method described in subparagraph b, it must carry out verification using at least one other source from the same list (a or c).
Therefore, if the possibility of relying on the customer's declaration for identification and verification of the beneficial owner is recognised in low-risk situations in one of the countries with the strictest AML regime in Europe, we ask that a similar simplification be maintained in the new EU regime.
With reference to customer identification data update in low-risk situations under Article 22 of the draft RTS, we request that this update is performed via an automated mechanism to eliminate the need for direct customer contact.
Given the large number of customers with minimal (if any) day-to-day business, a review involving human intervention at least every five years would have a disproportionate organisational and economic impact. This is particularly true since these customers are likely to be reluctant to respond promptly to update requests.
In low-risk cases, we therefore request that the review be handled by straight-through processing. In the absence of trigger events and/or additional risk factors, this would automatically confirm the profile of such customers.
Furthermore, we believe that the draft RTS should reinforce and clarify clients' obligation to cooperate actively during the identification and verification phases.
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.
We propose public administration in EEA countries as one of the sectors that should enjoy simplified due diligence measures.
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
In our opinion, the RTS should distinguish between high-risk customers and those subject to enhanced due diligence, who do not fall into the highest risk category. For the latter group, the update frequency should be more than once a year.
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
For the purpose of a correct application of Art. 28 of the draft RTS (‘Screening of customers’), we believe it would be helpful for the EBA to better clarify the meaning of “all the entities or persons which own or control such customers”.
In Art. 20(1)(d) AMLR, to which Art. 28 RTS gives effect, this expression refers to ‘the natural or legal persons subject to targeted financial sanctions who (i) control the legal entity or (ii) hold more than 50 % of the ownership rights of an entity or (iii) [hold] a majority shareholding in that legal entity, either individually or collectively’.
However, it is unclear which entities fall under each of the categories listed in the three bullet points and how this definition relates to the concept of beneficial ownership as set forth in Articles 51 et seq. of the AMLR.
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
NA
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
NA
Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.
NA
Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.
NA
Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.
NA
Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.
NA
5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?
NA
5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?
NA
5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?
NA
Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.
NA
Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the naturals persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.
NA
Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?
NA
Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?
NA