Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
The IFSP’s feedback on this section primarily concerns the definition of risk categories and the application of the proposed four-tier risk rating system. A key question raised is how, in practical terms, a particular category will be assigned to a specific risk level. While the IFSP recognises the need for a degree of flexibility in applying these ratings, it also emphasises that consistent application across Member States requires clear guidance.
To ensure uniformity and comparability across jurisdictions, the IFSP recommends that detailed criteria or illustrative factors be provided to support the assignment of risk levels. This need for clarity applies broadly to all cases where numerical scoring or tiered risk classification is expected.
Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.
We agree with this approach.
3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?
We note that these appear to have been drafted with credit and financial institutions in mind. As such, certain sections may have limited relevance or direct applicability to other subject persons.
Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
We agree with this approach.
Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.
We agree with this approach.
Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.
EEA jurisdictions should be afforded the same treatment as EU Member States, given that, in principle, they are bound by the same regulatory framework applicable to obliged entities operating within the European Union.
Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
We note that this and the following questions have been drafted with credit and financial institutions in mind. As such, these have limited relevance or direct applicability to other subject persons.
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
The IFSP welcomes the emphasis placed by the RTSs on the consistent application of a Risk-Based Approach (RBA) throughout. However, we would appreciate the inclusion of more detailed guidance on how to apply the RBA in practice, to support effective implementation across the sectors.
Paragraph 5 of the Preamble addresses the use of independent and reliable sources. However, we note that the final sentences regarding trusts appear to exclude provisions that would permit regulated trustees to be listed as ‘Independent professionals’.
We seek clarification on whether the provision of independent and reliable sources would permit certification by in-house legal practitioners or in-house financial controllers (or equivalent roles). The IFSP notes that, in practice, obtaining certification from professionals external to the customer can be difficult and may introduce unnecessary delays or burdens. Allowing suitably qualified in-house professionals to certify documents, where appropriate safeguards are in place, could offer a more practical and efficient approach without compromising reliability.
We welcome the introduction of the use of non-standard documentation where standard documentation may not be available, for example asylum seekers and people who may have moved country and not updated information yet.
The clarification that the same information should be gathered on Senior Managing Officials as would be on owners, despite not having an ownership interest, is welcome.
We note that paragraph (15) of the preamble classifies pooled accounts as low risk, which is not the practice with many banks at the moment.
The IFSP welcomes the five year minimum period for the updating of information on customers, as stated in paragraph (16) of the preamble.
Article 4 states that “... obliged entities shall obtain necessary information to satisfy themselves...”. The IFSP notes that the use of the phrase “to satisfy themselves” may prove to be complex and potentially ambiguous in practice. The IFSP asks, at what point should a practitioner consider themselves legally “satisfied”? We recommend that the EBA provide further clarification on the standard or threshold that must be met to fulfil this requirement. Additionally, clearer guidance on what constitutes “necessary information” would support consistency in application and help ensure that practitioners across different sectors can confidently meet their obligations without incurring unnecessary legal uncertainty.
Article 5(1) and Article 5(2)
Articles 5(1) and 5(2) address the types of documents acceptable for the verification of identity. The IFSP welcomes the inclusion of non-standard forms of documentation under Article 5(2), recognising the practical importance of such documents—for example, driving licences, which are commonly used for identification purposes but may not contain a machine-readable zone (MRZ).
It is the IFSP’s understanding that documents meeting the criteria set out in Article 5(1) should be treated as the primary or preferred option for identity verification, with the documents described in Article 5(2) serving as an alternative where necessary. We suggest that this hierarchy be explicitly clarified within Article 5(1), by stating that such documents are the preferred means of verification, to avoid ambiguity in interpretation and ensure consistency in application.
Article 9(b)
Article 9(b) refers to the collection of information from various sources, including up-to-date data from credit and financial institutions. We note that obtaining such information from credit and financial institutions about their customers typically requires the explicit consent of the customer. This practical consideration should be taken into account to ensure compliance with data protection and privacy regulations.
Article 11
Article 11 addresses the ownership and control structure of customers in cases involving complex structures, specifically where there are two or more layers between the customer and the beneficial owner, and one of the conditions outlined in points (a) to (d) is met. The IFSP suggests that, as a general rule, any structure consisting of three or more layers and any of the points in (a) to (d) should be classified as complex.
Additionally, for the sake of clarity, we recommend that the term “nominee” be included before “directors” in Article 11(1)(c).
In article 11(3), we note that the organigram does not need to be signed or certified. We welcome this.
Articles 13 and 14
While recognising that the RTSs use language already established in the Regulation, STEP (Malta) and IFSP have serious reservations about the implications of this terminology:
- terms such as "objects of powers" and "default takers" are not in line with trust law and practice and will no doubt cause confusion rather than provide clarity. Although we appreciate that this consultation is on the RTSs, and that the wording of the Regulation cannot be changed through the RTSs, we suggest including clarifications to reduce the risk of different interpretations across jurisdictions and incorrect application.
- the RTSs also describe "default takers" as those benefiting due to the trustee's failure to exercise discretion, which in reality results in a breach of trust rather than in some automatic distribution to a ‘default’ beneficiary. The language used could imply a lack of diligence on the part of the trustees, and we recommend revising it to accurately reflect trustee responsibilities and avoid misinterpretations;
- Similarly, the expression “power of discretion” is also incorrect in trust law, as it merges together the doctrine of ‘powers’ (which are not binding on a trustee, and a trustee is not obliged to exercise a power) and the doctrine of ‘discretion’ (which, unlike a power, is binding on the trustee, and a trustee is obliged at law to exercise any discretion entrusted to him before the trust term expires) – hence the confusion created when reference is made to ‘power of discretion’ together;
- The reference in article 14(2)(b) to ‘appointed one or more beneficiaries from amongst the objects of power’ is, from a trust law perspective, also very misleading, because the term ‘appointed’ is typically used in the context of a ‘power of appointment’, which in trust law is something completely different. There are a lot of resources online that explain what a power of appointment in trust law is – in this context it is property that is appointed to a beneficiary, not a beneficiary. When it comes to beneficiaries one typically adds beneficiaries (one does not appoint them the way one would, say, appoint a director to office). Typically one would add beneficiaries from amongst those individuals (who are not yet beneficiaries) in respect of whom the trustee is given a power of addition. If on the other hand there is a class of discretionary beneficiaries then they are all deemed to be beneficiaries, and when the trustee decides to distribute assets to one or more of them the trustee does not appoint them, or add them (because they are already beneficiaries, albeit discretionary), but either exercises a power of appointment of trust property, or a power to advance trust property, or else the trustee actually exercises his discretion and makes them benefit.
The above can be confirmed with a professor of Trust law or any trust law academic for further comfort.
We would also like to point out that we are not in agreement with the use of vague terms such as "relevant documents". We suggest more specific wording to avoid ambiguity and ensure that trustees can comply without undue burden.
Similarly, the wide scope of Article 14, particularly the requirement for trustees to obtain ‘sufficient information’ about the exercise of their discretion, is seen as problematic in so far as it relates to documentation which is usually privy only to the trustees (documentation surrounding their deliberations, which is not even producible in Court).
While we note that the Regulation refers to ‘foundations’ in the context of ‘similar legal entities or arrangements’ (referring to legal entities, of course), we believe that it would definitely be useful to users of the RTS that it be clarified in the RTS themselves (in the relevant applicable articles) that foundations are also covered.
We also believe that while the expression ‘trusts and similar legal entities or arrangements’ originates from the Regulation, this in itself is a misnomer as it suggests that trusts are legal entities – i.e. it is not immediately clear whether the adjective ‘similar’ is qualifying the function of the institute or its form. Using language such as ‘trusts and similar legal arrangements or legal entities with similar functions’ would, in our view, be preferable.
We humbly also submit our considerations in relation to what we feel should be the definition of "customer" vis-à-vis third party (external) subject persons when they are onboarding or during the course of servicing trusts and trustees and the level of documentation, information to be provided in this regard.
Trusts: In the case of third party (or external) subject persons providing a relevant activity or carrying out relevant financial business to a trustee of a trust, it is always the trustee of the trust that is to be regarded as the ‘customer’ and, if more than one, then all the trustees are to be regarded as the ‘customer’. Therefore, for a Bank or financial institution, for instance (or a lawyer, tax advisor, investment advisor or investment manager, notary, estate agent or any other subject person providing a service to a trustee for that matter), it is necessarily (and logically) the trustee that must be regarded as the ‘customer’ and the identity established and verified accordingly.
Foundations: However, in the case of a foundation, contrary to the situation where the administrator of the foundation is determining who his ‘customer’ is (as explained above), the third party (external) subject person is to treat the foundation itself as the ‘customer’ just as it would a company. Indeed, even in the context of the third party subject person reporting on the location of its customers, in the case of a foundation it is logical that the country of incorporation of the foundation be treated as the location of the foundation qua customer.
Corporate trustees: In the event that the trustee is a corporate entity, the subject person need not follow the same procedure applicable to corporate entities. On the contrary, since the trustee is evidently acting in its capacity as trustee, for the benefit of the beneficiaries of the trust, the shareholders, owners or ‘UBO’s of the trustee itself are not really relevant from an AML-CFT perspective, and it is more the settlor and beneficiaries of the trust itself (that the trustee is administering) that become relevant to the external subject person from an AML-CFT perspective.
Thus, where the trustee of the trust or similar legal arrangement is not a natural person, the external subject person can limit itself to considering the legal organisation acting in its capacity as trustee and stop at that level, without investigating who ultimately owns or controls such corporate trustee (even where the external subject person is carrying out due diligence in respect of the trust and seeks to establish who the ‘beneficial owners’ of that trust are – which, as explained above, would include the corporate trustee). Of course, beneficiaries, settlors and protectors of the trust are a different matter, and in respect of them, even though these may be corporate entities, CDD must still be conducted with a view towards establishing who the ultimate individual beneficiaries thereof are.
In the case of trustees (or co-trustees) that are authorized or licensed by a regulatory authority in a reputable jurisdiction, and who have therefore undergone a fit and proper test both in respect of directors and senior management as well as in respect of qualifying shareholders, it is reasonable to adopt a risk based approach in their regard and treat the trustee concerned as ‘low risk’, thereby only obtaining evidence of the authorization – or exemption from authorization – that the trustee holds and further:
- enquire as to whether the trustee has been sanctioned or otherwise disciplined by the supervisory authority or other competent authority (for example a Financial Intelligence Unit (“FIU”)) by perusing the competent authority’s website;
- carry out a background check for any adverse media or positive hits involving the particular trustee.
Any further due diligence checks that the subject person may need to undertake will depend on the outcome of the above checks. If upon enquiry it transpires that a trustee has been disciplined including through the imposition of administrative sanctions by the regulatory authority or other competent authority such as an FIU, this does not in itself automatically mean that the subject person must regard the trustee as being ‘high risk’ but instead the subject person must delve more deeply into the matter and assess the nature of the breach, its possible impact on the trustee’s reputability, in order to ascertain whether any further CDD is called for or whether the service being requested should actually be declined.
Also, if there are multiple trustees of a trust, who are being regarded by the external subject person as a ‘customer’, then logically a separate CRA would need to be carried out in respect of each of these customers – thus, by way of example, if one of the trustees is Maltese while the other is located in Bermuda, each of these may present their own particular risk scenarios and would need to be considered in their own right.
Identification
Besides identifying and verifying the identity of the trustee, the subject person providing a service to the trust/trustee or the trustee must also identify and verify the identity of all beneficiaries.
It needs to be appreciated by subject persons, however, that trusts and foundations present a reality that is completely different to corporate entities and to fiduciary mandates (previously known as ‘nomineeships’). Indeed, in the context of a corporate entity or legal organization the structure is invariably vertical where there is a ‘UBO’ (in the literal sense) at the very top of the structure – an ultimate beneficial owner who ultimately benefits from the structure and who would originally have put the structure into existence himself.
With trusts and foundations, on the other hand, the structure is brought into existence not by the beneficiaries but by the settlor/founder (who can, admittedly, also be one of the beneficiaries but it is his status as settlor/founder that is the most relevant here). Consequently, focus on the settlor/founder is warranted and subject persons dealing with a trust or a trustee (or a foundation/administrator) or trustees/administrators themselves, should ensure that they conduct full CDD on the settlor/founder (including on its ultimate beneficiaries in the case of a settlor/founder set up as a legal organization).
After all, in the context of Source of Funds and Source of Wealth, which is vital to a trust or foundation structure, the critical element is the settlor/founder and not the beneficiaries.
Naturally, insofar as beneficiaries are included in the definition of ‘beneficial owner’ in the AML-CFT legislation, just as they are in the case of corporate structures, full CDD must anyway be conducted on the beneficiaries.
It is useful to note that a trust may have a settlor of record (or multiple, if joint settlors of record) and one or more economic settlors.
Beneficiaries
It must be noted that the term ‘beneficial owner’ in the context of a trust is a complete misnomer and is merely a term borrowed from the corporate world. While in the corporate world the term ‘beneficial owner’ makes sense because the ultimate beneficial owner can be regarded as ultimately owning (albeit indirectly) the corporate entity, in the context of a trust an owner, as such, does not exist. What one has, instead, is a beneficiary or beneficiaries, or class thereof, who can benefit from the trust but whose benefit can be subject to the discretion of the trustee, or be contingent, residual, conditional, limited to a certain type of asset (e.g. income or capital) or limited in time (e.g. a life interest) or it can amount to an actual entitlement (as in the case of a fixed interest trust).
The same principle applies to the beneficiaries of foundations also.
In the context of trusts and foundations, one may find two persons carrying out the function that is traditionally carried out by one person in the corporate world: the person contributing the assets to the trust/foundation (namely the settlor/founder) is different from the person receiving the benefit therefrom (although the former can also be a beneficiary and benefit from the assets settled by himself, albeit in his capacity, then, as beneficiary and not as settlor/founder). In the corporate world, on the other hand, the UBO is invariably the person who has contributed the capital to the company and who benefits from the distributions from the company (dividends) or from its increase in value.
Confusion is compounded by the fact that the definition of ‘beneficial owner’ for trusts and foundations in AML-CFT legislation is not restricted to the beneficiaries but includes other relevant persons also such as the settlor, the trustee itself and the protector.
Therefore, a distinction is created at law between a ‘beneficial owner’ of a trust (which includes the settlor, trustee, protector and controllers besides beneficiaries) and the ‘beneficiary’ of a trust, which term is restricted to those persons, corporate or otherwise, that benefit from the trust.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
General Comment on the Use of eIDAS-Compliant Systems in Non-Face-to-Face Relationships:
The IFSP expresses concern over the proposed requirement for obliged entities to implement eIDAS-compliant systems in the context of non-face-to-face customer relationships. There are several reasons why such a mandate may be impractical.
Not all EU Member States currently support the use of eIDAS for verifying the identity of EU-based individuals, which creates inconsistencies and limits the feasibility of a harmonised approach. Additionally, even if access were broadened, the costs and technical demands associated with adopting eIDAS-compliant infrastructure could impose a disproportionate burden on smaller entities, particularly those with limited resources.
We believe that mandating eIDAS as a central component of remote verification runs counter to the core principles of proportionality and risk sensitivity that underpin the EU’s AML framework. Regulatory obligations should reflect the diversity of the market and accommodate different business models and risk exposures.
eIDAS should be presented as one of several valid tools for identity verification and not as the exclusive method.
Moreover, the availability of remote verification tools should not be framed as a temporary or transitional measure. Technological innovation continues to improve the reliability of such solutions, and in some cases, they may offer greater security and accuracy than traditional methods.
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
No further comments.
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 15
Articles 15(a) and 15(b) refer to risk-sensitive measures that obliged entities must take, specifically concerning why the customer has chosen the obliged entity’s products or services, and how the customer intends to use those products or services, including the expected volume of funds and their source. The IFSP questions the inclusion of subparagraphs (a) and (b) in this context, as it does not see why this level of information is necessary, particularly for non-financial and credit institutions.
That said, the IFSP welcomes the clarification in sub-article 15(d) that the source of wealth is to be determined only for higher-risk clients, rather than for all customers, which we consider a proportionate and practical approach.
Article 16
It is the IFSP’s view that this article is of relevance mostly to credit institutions.
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
No comments.
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 18
Article 18 outlines the minimum requirements for customer identification in lower-risk situations. The IFSP notes that, in practice, Maltese entities typically do not request nationality but instead focus on obtaining the customer’s main address.
Additionally, we highlight that the information specified in Article 18(1)(b) is readily accessible through the Malta Business Register, which facilitates compliance with these requirements, and we believe is sufficient.
Article 20(b) and Article 21(b)
Articles 20(b) and 21(b) refer to the customer being “effectively supervised.” We note that the phrase “effectively supervised” lacks clarity and may lead to differing interpretations. We therefore suggest replacing this wording with “subject to supervision” to provide a clearer and more straightforward standard.
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.
No comment.
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 24(d)
Article 24(d) requires obtaining information on family members and close associates when the obliged entity has reasonable grounds to suspect criminal activity. The IFSP considers this approach potentially problematic, as it risks inadvertently “tipping off” the client during the process of gathering information and conducting verifications. Instead, the IFSP stresses that in cases where there are reasonable grounds to suspect criminal activity, the filing of a Suspicious Transaction Report (STR) may be a more appropriate and effective response. This concern similarly applies to Article 27(d).
Article 25(a)
The IFSP notes that inquiries related to the “destination of funds” are more appropriately directed to banks and may not be relevant for all obliged entities.
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 29(a)(iii)
The IFSP notes that trade names used by customers are not always known to obliged entities. In practice, sanctions screening is typically conducted using the customer’s legal name. Therefore, a requirement to screen trade names may be impractical and difficult to implement effectively.
Similarly, with respect to item (a)(i), the IFSP points out that the customer’s date of birth is not always available, which may limit the ability to fully comply with this provision in all cases.
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
No comment.
Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.
Article 1(b) – Repetition of a Breach: Further clarification is needed regarding the term "repetition" of a breach. Does it refer to breaches identified by a supervisory authority in the same compliance examination (e.g., the same breach across multiple files), or does it apply to breaches found in separate examinations? We believe a repeated breach should only be considered when identified in distinct compliance reviews. If a breach arises from misinterpretation or misapplication, it should count as one breach unless it is considered "systematic" under Article 1(k). It is important to define "systematic," as its interpretation may differ from that of "repeated."
Article 1(l) – Additional Indicators: While some flexibility is needed, it may undermine the harmonization goals of the EU's AML Package. To reduce arbitrariness, we recommend introducing a “reasonableness” test and requiring supervisory authorities to disclose any additional indicators. Transparency is crucial for ensuring clarity in the rules. For instance, phrasing such as “criteria reasonably identified by the supervisor in accordance with this RTS” could be used. This recommendation applies to other similar powers within the Breaches RTS.
Article 2(7) – Combining Category 1 and 2 Breaches: The Breaches RTS lack clear guidance on when Category 1 and 2 breaches, in combination, could lead to Category 3 or 4 breaches. To ensure consistency and alignment with the goals of the Breaches RTS, we recommend specifying when Category 1 and 2 breaches should be combined into higher-level categories.
Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.
Additional Indicators for Gravity of Breaches: A distinction should be made between breaches of applicable AML/CFT laws and regulations, and breaches of an obliged entity's internal AML/CFT policies and procedures. Breaches of the relevant laws/regulations should be considered more serious than violations of internal policies and procedures.
To ensure consistency across Member States, the terms ‘minor,’ ‘moderate,’ ‘significant,’ and ‘very significant,’ as well as ‘short period of time’ and ‘significant period of time,’ should be clearly defined to prevent varying interpretations by national supervisory authorities.
Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.
Article 4(2)(c) and Article 4(3)(g) – Flexibility in Pecuniary Sanctions: While some flexibility for supervisory authorities is necessary, it could undermine the EU's harmonization goals through the AML Package. To reduce arbitrariness, we recommend (i) introducing a ‘reasonableness’ test for the relevant clauses, and (ii) requiring supervisory authorities to publicly disclose any additional criteria used to impose pecuniary sanctions, ensuring transparency and clarity.
Criteria for Reducing Pecuniary Sanctions: When determining the reduction of pecuniary sanctions under Article 4(2), consideration should be given to the efforts made by the obliged entity to remedy the breach, whether through self-remediation or corrective actions imposed by the supervisory authority. This reflects the entity’s commitment to compliance and collaboration with the supervisory authority, fostering confidence in the process and encouraging entities to proactively address identified failures.
Sanctions for Natural Persons under Article 4(4): When imposing sanctions on directors or officers who are not obliged entities, consideration should be given to the impact of their actions or omissions on the breach, as well as their specific role and responsibilities within the obliged entity.
Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.
The reference to ‘total annual turnover’ and ‘annual income’ as metrics for pecuniary sanctions may not be the most appropriate. We suggest using profits over a multi-year period and the average balance sheet size over several years as the primary metrics, though other factors like turnover and number of employees could also be considered.
5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?
The measures referenced (such as restricting or limiting business, withdrawing or suspending authorization, and requiring changes in governance structure) are significant and extreme. These should be reserved exclusively for Category 4 breaches, rather than applying to both Category 3 and Category 4 breaches.
Flexibility in Supervisory Authority Decisions: Articles 5(2)(e) and 5(3)(e) allow supervisory authorities flexibility in determining additional criteria for restricting or suspending the business or operations of obliged entities. While some flexibility is necessary, it could hinder the EU’s goal of harmonization through the AML Package. To mitigate arbitrariness, we suggest (i) introducing a 'reasonableness' test for these clauses, and (ii) requiring supervisory authorities to publicly disclose any additional criteria they apply. Transparency in administrative processes is essential, and one way to phrase this could be, "any other criteria reasonably identified by the supervisor in accordance with the principles laid out in this RTS." This recommendation should apply to all similar powers in the Breaches RTS.
Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.
No comments.
Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.
It would be beneficial for the Breaches RTS to specify the types of measures that can be imposed on natural persons who are not obliged entities, such as (i) monetary penalties, (ii) disqualification from key function roles within obliged entities, (iii) restrictions on holding additional key function roles, and/or (iv) mandatory specific training for such individuals.
Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?
No comments.
Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?
No comments.