Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates


Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

We broadly support the EBA's approach to risk profile assessment and classification, which provides needed clarity and structure for both supervisors and obliged entities. The framework detailed in Annex 1 provides a solid foundation for consistent ML/TF risk evaluation across the EU. That said, we recommend standardising the numerical risk scale so that the value of "1" consistently represents the lowest risk across all assessment categories. This adjustment would reduce the likelihood of confusion during implementation and enable more straightforward data aggregation and comparison across jurisdictions.

While we appreciate the detailed methodology, we note a disparity in the numerical scoring approach between the inherent risk and control quality assessments. For inherent risk, 1 represents the lowest risk and 4 the highest, whereas for control quality, 1 represents the highest quality (best controls) and 4 the lowest quality (poorest controls). This inverse relationship may create confusion during implementation and reporting, especially for entities operating across multiple jurisdictions and aggregating data. We suggest that the numerical scale be standardised to encourage consistency, ideally with "1" consistently denoting the lowest risk/highest control quality across all assessment categories.

The harmonised approach delivers significant operational benefits for obliged entities by enabling standardised data collection and risk assessment. This facilitates more efficient resource allocation based on clearly identified risk factors and supports cross-border collaboration between compliance teams within multinational organisations. 

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

We strongly support the EBA's proposed relationship where residual risk can only be lower than inherent risk, never higher. This approach aligns with fundamental risk management principles across financial services, where controls serve as mitigating factors. Allowing residual risk to exceed inherent risk would create significant methodological inconsistencies, potentially undermining the credibility of the entire risk assessment framework and creating confusion in cross-border implementation.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

N/A

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

N/A

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

N/A

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

We partially agree with the proposed frequency but suggest modifications to enhance proportionality while maintaining effectiveness. While annual reviews may be appropriate for higher-risk entities, extending the baseline frequency for standard risk profiles would better balance regulatory objectives with operational burden, particularly where no material changes have occurred. This would align with FATF guidance, which recommends that authorities determine appropriate reassessment intervals after an initial risk assessment, typically within three to five years, reflecting that risk assessment is an evolutionary process, while still maintaining effective oversight.

International practice supports a more flexible timeline than annual reviews. Taking the National Risk Assessments of certain jurisdictions as a reference point, these are conducted roughly every 3.5 years. This suggests that annual reviews may be more frequent than necessary for effective risk management. The cost differential between annual and reduced-frequency reviews varies significantly based on entity size, complexity and risk profile. For lower-risk entities with stable business models, even biennial reviews may create a disproportionate compliance burden. Smaller entities with corporate customers and lower transaction volumes may not experience sufficient change to warrant frequent reviews, so a notification-based system for material changes may be more cost-effective. Obliged entities should be able to focus their AML resources on the areas with the greatest impact, rather than on rigid timelines, recognising that practices should be proportionate to the firm and its operations.

While annual reviews may be justified for high-volume or high-risk businesses (particularly in volatile sectors), a cadence of 4-5 years may be more proportionate for low-risk entities. This flexibility is critical to ensuring effective risk management while allowing resources to be allocated efficiently based on the entity's risk profile and complexity.

Overall, we suggest 4-5 years for demonstrably low-risk entities, 2-3 years for medium-risk entities, and annual reviews for high-risk entities. This approach maintains appropriate oversight while acknowledging that the rate of material change in risk profiles correlates strongly with inherent risk levels. For newly established entities with limited operational history, an initial assessment followed by a review after 2-3 years (rather than annually) would allow them to establish their business model before committing significant resources to repeated comprehensive reviews.

The operational and financial benefits of a more flexible approach are substantial. Reduced assessment frequency for qualifying entities would decrease compliance costs, minimise operational disruption, and allow more proportional allocation of resources to actual risk management rather than documentation exercises. For small or low-risk entities, this would remove potential barriers to entry and growth while maintaining appropriate safeguards. Annual reviews often yield diminishing returns for stable, low-risk operations, as core risk factors and control environments typically evolve gradually rather than annually.

In conclusion, while we support the principle of reduced frequency for lower-risk entities, we recommend expanding the qualifying criteria beyond employee count to include client profile, transaction patterns, business stability, and control effectiveness. This more nuanced approach would better align regulatory burden with actual risk while maintaining the integrity of the AML/CFT framework.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

While we broadly support the principle of reduced frequency reviews for lower-risk entities, we believe the proposed criteria (fewer than 5 full-time employees and a previously assessed low residual risk) can be expanded. The employee threshold captures only part of the picture and does not fully reflect risk exposure, as it does not account for the nature of business activities, client profiles or transaction patterns, which more directly influence ML/TF risk.

We propose a broader set of criteria that better reflects the multidimensional nature of ML/TF risk while maintaining regulatory effectiveness. In addition to the current criteria, reduced frequency should be available to entities that meet at least two of the following conditions:

(1) serve a limited number of corporate clients (fewer than 50); 

(2) operate in sectors with low ML/TF risk as identified in national risk assessments; 

(3) conduct below-threshold transaction volumes relative to sector averages;

(4) maintain stable business models without significant changes over the preceding review period; and 

(5) demonstrate robust control frameworks with no material deficiencies identified in previous supervisory assessments.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

Cross-border transactions linked with EEA jurisdictions should be assessed differently than those linked with third countries, particularly for entities subject to MiCA regulation and future AMLA oversight. However, this should be driven by a nuanced, proportionate approach that maintains core due diligence principles while acknowledging the harmonised regulatory standards within the EEA. Jurisdictions that are demonstrably aligned with FATF recommendations, including many within the EEA, can generally be considered to present a lower inherent geographical risk profile. 

Although the geographical risk component for EEA jurisdictions may be assessed as lower, obliged entities are still required to demonstrate thorough scrutiny and risk-based due diligence on all business relationships and transactions, as factors beyond geography contribute to the overall risk assessment. Adherence to international standards such as FATF or UN sanctions lists represents a baseline rather than a comprehensive fulfilment of due diligence responsibilities. Taking proportionality into consideration, while compliance resources may be allocated differently based on jurisdictional risk profiles, the underlying analytical framework and core due diligence requirements should remain robust regardless of transaction geography.

While systemic risks may be lower within the EEA, entity-specific and transaction-specific risks remain relevant regardless of geography. The risk-based approach should incorporate customer behaviour, delivery channels, product characteristics and transaction patterns alongside geographical considerations.

On a practical level, we recommend a tiered geographical risk framework that categorises jurisdictions based on multiple factors which include regulatory alignment with EU AML/CFT standards; FATF compliance status; and effectiveness of implementation evidenced by mutual evaluations and supervisory assessments. This would likely place EEA jurisdictions in a lower-risk tier while maintaining the flexibility to address specific concerns within individual member states where implementation gaps may exist.

To prevent misapplication, entities should implement safeguards against poor practices, including establishing minimum thresholds for high-risk classification that apply consistently and preventing arbitrary risk score overrides without evidenced and documented justification.

Question 1: Do you agree with the thresholds provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA's proposal and your proposal would have.

N/A

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

N/A

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

We strongly recommend distinguishing between retail and institutional customers when establishing thresholds, as the current single threshold of 20,000 customers may disproportionately exclude entities that focus their offering on institutional clients. We propose a dual threshold approach: maintaining 20,000 for retail-focused entities while establishing a lower threshold of 10,000 for institutional-focused entities. This is worth considering because of the fundamental differences in business models and risk profiles: institutional relationships typically involve higher transaction values and more complex structures, making them materially significant even at lower numerical counts. The relevance measurement criteria in the draft RTS already recognise this distinction by considering customer numbers, transaction values and assets under management, supporting our position that customer type materially affects risk exposure.

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

N/A

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of the draft RTS under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA's proposal would have.

N/A

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

N/A

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

N/A

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

We disagree with giving equal consideration to parent companies and operational entities within a group. Parent entities serve diverse structural purposes, which need to be considered and accounted for. While the proposed weighted averaging method partially addresses this by considering entity relevance, it does not fully account for parent companies that function primarily as holding entities with minimal operational activity. Corporate structures are frequently designed with separate entities for different client types, markets and activities, with parent companies often established for dividend distribution, tax efficiency or regulatory purposes rather than direct customer engagement. Giving such parent entities the same consideration could distort the group-wide risk assessment, particularly when the parent has low-relevant activity compared to its operational subsidiaries.

We suggest modifying the approach to either: (1) exclude non-operational parent entities from the risk calculation while maintaining their supervisory responsibility; or (2) apply a materiality threshold based on the relevance measurement criteria that would automatically reduce consideration of entities with minimal customer relationships, or transactions, regardless of their position in the corporate hierarchy.

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

N/A

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We broadly support Section 1 of the draft RTS regarding information collection for identification and verification purposes. We particularly appreciate the acknowledgement in Article 5(2) that documents may still be suitable even if they do not meet all specified requirements. We note that the requirements specify documents issued by a state or a public authority. The explicit inclusion of public authorities broadens the acceptable sources to include formal communications from such agencies, and this flexibility regarding the issuer may better support financial inclusion while maintaining appropriate verification standards. In our view, issuance by a government authority should be sufficient.

For beneficial ownership verification, the approach of consulting multiple sources is appropriate, but would benefit from explicit reference in Articles 9 and 10 to standard ownership thresholds (for example, 25% for standard risk and 10% for enhanced due diligence situations) to provide greater clarity and consistency across obliged entities.

The requirements for understanding complex ownership structures will necessitate enhanced data management systems for many entities, particularly those operating across multiple jurisdictions. While this represents a compliance cost, it is justified by the improved risk management capabilities and cross-border operational consistency that harmonised standards will deliver. For smaller entities with less complex customer bases, we suggest a more graduated implementation approach that would allow them to develop these capabilities over time without compromising on essential verification requirements.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

N/A

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

N/A

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We support the proposals in Section 2 of the draft RTS regarding the information to be collected to understand the purpose and intended nature of business relationships. The comprehensive approach requiring information on why customers have chosen specific products/services, expected transaction volumes, source of funds, and intended recipients provides a robust foundation for effective risk assessment while maintaining sufficient flexibility through its risk-sensitive framework.

From an implementation perspective, these requirements will enhance the effectiveness of entity-wide risk assessments by providing standardised, comprehensive customer information that enables more accurate risk classification and facilitates ongoing monitoring. The structured approach to understanding business relationships will help identify gaps in customer knowledge and support timely adjustments to risk classifications when customer circumstances change, strengthening the overall AML/CFT framework.

Regarding compliance costs, implementation will require investment in several areas: 

(1) staff training to ensure consistent application of the requirements across customer-facing and compliance teams; 

(2) process redesign to incorporate all required information fields into onboarding and periodic review workflows; 

(3) systems enhancements to capture, store, and analyse the expanded data points; and 

(4) quality assurance mechanisms to verify the completeness and accuracy of collected information. 

For entities with established CDD frameworks, these costs will likely be moderate as many already collect similar information, though standardisation may require some adjustments. For smaller entities or those with less mature compliance programs, the initial implementation costs will be more significant to upscale their current tech stack, but justified by the improved risk management capabilities.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We support the proposals in Section 3 of the draft RTS regarding Politically Exposed Persons (PEPs), particularly the risk-based approach to determining screening frequency for existing customers and the use of automated tools, manual checks, or a combination based on the entity's size, business model, and complexity. 

The requirement to check for PEP status before establishing business relationships or conducting transactions, and to determine whether existing customers have become PEPs with risk-based frequency, establishes a clear baseline for PEP monitoring while allowing for appropriate calibration based on risk exposure. We particularly value the explicit recognition that significant changes in customer data, such as the nature of business or occupation, should trigger reassessment, as these changes often correlate with evolving PEP status.

The framework would benefit from more explicit guidance on risk-calibrated measures following PEP identification. While all identified PEPs should be classified as high risk and subject to enhanced due diligence, a more graduated approach could distinguish between domestic and foreign PEPs, particularly those from jurisdictions with robust versus weaker AML/CFT frameworks. This would align with the proportionate, risk-based approach highlighted throughout the RTS. Such calibration should maintain core EDD elements—senior management approval, source of wealth/funds verification, and enhanced monitoring—while allowing for appropriate adjustment of intensity based on comprehensive risk assessment.

Industry-specific considerations could also be incorporated into PEP risk assessment, as certain sectors such as private banking and real estate present heightened risk profiles due to their susceptibility to illicit financial flows. However, it is essential to maintain the principle that PEP status alone should not result in service denial, as this could undermine financial inclusion goals while failing to address actual risk factors.

From a compliance cost perspective, implementation will require investment in screening technology, staff training, and documentation systems. For entities with established PEP screening frameworks, alignment costs will be moderate, primarily involving procedural adjustments and potentially enhanced automation. For entities with less mature systems, particularly smaller institutions, the initial investment in automated screening capabilities may be substantial but necessary to ensure consistent identification as customer bases grow. These costs are justified by the critical role PEP screening plays in preventing corruption-related money laundering and the reputational protection it provides to obliged entities.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

The minimum identification requirements for lower risk situations establish appropriate baseline standards, and we particularly value the flexibility in verification sources for beneficial owners in low-risk scenarios. While the draft RTS appropriately establishes minimum requirements, we recommend more explicit guidance on the categories of customers that may qualify for SDD based on their inherent characteristics. 

The provision allowing verification using different documents, data or information from credible and independent sources is valuable for entities with robust public profiles. However, we question whether a separate customer attestation is necessary when information can be verified through public sources. Requiring attestations in addition to verification through public records may create unnecessary administrative burden without proportionate risk mitigation benefits. Instead, we suggest that verification through multiple public sources should be considered sufficient for low-risk entities with substantial public footprints.

We strongly support the requirement that relationships subject to SDD must still be monitored to ensure no change in relevant circumstances, no trigger events requiring updates, and no unexpected or inconsistent transactions. This ongoing monitoring requirement maintains essential safeguards while allowing for reduced intensity in initial due diligence.

The draft RTS would benefit from clearer boundaries on when SDD becomes inappropriate, particularly regarding jurisdictional considerations. We recommend explicit reference to FATF-identified jurisdictions subject to countermeasures and those known to have inadequate AML/CFT measures as automatic disqualifiers for SDD, regardless of other risk factors. This would align with the risk-based approach while establishing clear minimum standards.

From a compliance perspective, the SDD framework offers significant efficiency benefits, particularly for smaller entities with limited resources. By allowing these entities to focus enhanced efforts on higher-risk relationships while applying proportionate measures to lower-risk customers, the framework supports more effective resource allocation. We recommend explicit guidance that obliged entities document their risk assessment methodology, SDD criteria, and the specific simplified measures applied to each customer category, with appropriate senior-level approval.

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.

The draft RTS appropriately recognises that CDD measures should be adjusted according to the associated ML/TF risks, with simplified due diligence designed to ease administrative burden without increasing ML/TF risk. Certain categories of customer typically present lower ML/TF risk because of the regulatory oversight and transparency they are subject to: they face enhanced regulatory scrutiny, public disclosure requirements and established governance frameworks, making them suitable candidates for SDD when no other risk factors are present. These include:

  1. Publicly Listed Companies: Entities whose securities are admitted to trading on a regulated market in the European Union (or an equivalent third-country market imposing comparable disclosure and transparency requirements), and which are subject to the disclosure obligations (including those relating to beneficial ownership transparency) stipulated by that market's regulations. The draft RTS acknowledges that, in low-risk situations, beneficial ownership verification can rely on central/company registers and publicly available information. For these entities, simplified measures could include accepting information from central registers without additional verification and extending the information-update interval to the maximum five-year period, while maintaining appropriate monitoring to detect any change in relevant circumstances.
  2. Public Administrations or Enterprises: Domestic EU Member State government departments, public agencies or enterprises, as well as equivalent entities from third countries with robust governance and anti-corruption frameworks. Such entities operate within established legal frameworks with inherent accountability mechanisms, are often subject to audit by supreme audit institutions, and their ownership and control structures are typically transparent by law. Simplified verification of the purpose and nature of the business relationship would be appropriate, focusing on understanding the customer's interest in the products/services and the estimated funds flowing.
  3. Financial Institutions: Financial institutions regulated within the EU (or equivalent third-country institutions) that are supervised by a competent authority for compliance with AML/CFT requirements consistent with, or equivalent to, the FATF Recommendations and EU AML/CFT legislation. These institutions are themselves obliged entities, subject to rigorous licensing, ongoing supervision and reporting obligations, and operate under frameworks that include their own CDD obligations, creating a layered approach to AML/CFT compliance. Information about their regulatory status and ultimate beneficial ownership is generally verifiable through their competent authorities or public registers. For these institutions, simplified measures could include accepting publicly available information for verification purposes and a streamlined approach to beneficial ownership verification using central registers.

While these customer types generally suggest lower risk, obliged entities must consider all relevant risk factors related to the customer, geography, product, service, and transaction to ensure the overall risk is indeed low. Factors that could negate SDD include adverse media, sanctions exposure, complex or opaque beneficial ownership structures despite the general category, or operations in high-risk sectors or jurisdictions inconsistent with the obliged entity’s risk appetite. 

While advocating for these simplified measures, we emphasise that SDD should never apply when there is suspicion of money laundering or terrorist financing or when the customer or beneficial owner is from a high-risk jurisdiction. Additionally, even with simplified measures, obliged entities must maintain appropriate ongoing monitoring to detect changes in risk profiles.

The sectors and products identified above demonstrate inherently lower ML/TF risks due to their regulatory oversight, transparency requirements, or restricted functionality. 

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Yes, we agree with and support the proposals for Enhanced Due Diligence (EDD) measures as set out in Section 5 of the draft RTS. We believe these measures are crucial for enabling obliged entities to obtain a comprehensive understanding of the potentially higher ML/TF risks associated with certain customers, business relationships, or transactions. The principles underpinning robust EDD, as outlined, align with established international standards, such as those from the Financial Action Task Force (FATF), and reflect best practices observed in leading regulatory jurisdictions.

The draft RTS establishes clear minimum standards while allowing obliged entities to implement additional measures based on their risk assessment. This approach recognises that enhanced due diligence must be tailored to specific risk scenarios. The harmonisation of these requirements will ensure higher-risk customers receive appropriate scrutiny regardless of where they conduct business within the EU.

From a compliance perspective, the proposals in Section 5 build upon existing practices already implemented by many obliged entities, which should reduce implementation costs. The clear delineation of requirements provides legal certainty for obliged entities, reducing the need for extensive interpretative guidance. While there will inevitably be some costs associated with ensuring systems and procedures align with these specific requirements, these are proportionate to the enhanced risk mitigation benefits they provide.

Direct costs may include more intensive staff involvement for analysis, acquisition of specialised database access for enhanced screening and verification (e.g., for SoW/SoF, reputational checks, entity structure analysis), and more sophisticated transaction monitoring systems. Indirect costs may include longer onboarding times for high-risk customers and the development and maintenance of more detailed policies and procedures.

Nevertheless, the costs are a proportionate component of managing higher ML/TF risks as failing to apply adequate EDD could lead to significantly greater costs in the long term, including regulatory penalties, reputational damage, and potential facilitation of financial crime. The adoption of these measures will enhance the integrity of the EU financial system, align with international best practices, and provide clear expectations for obliged entities when confronted with high-risk situations.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

The comprehensive approach requiring screening of all customers and controlling entities establishes a robust framework for sanctions compliance. The preference for automated screening with provisions for manual checks based on business size and complexity strikes an appropriate balance between thoroughness and proportionality.

The adoption of automated screening solutions, as implicitly supported by the need for continuous monitoring and comprehensive coverage, can significantly enhance the efficiency and effectiveness of the screening process, helping to minimise gaps and ensure timely detection. However, any reliance on automated systems must be accompanied by robust governance, including clear model risk management and sufficient human oversight to review alerts accurately. While implementing and maintaining effective screening systems and processes incurs operational costs, these are essential investments for compliance and risk mitigation. The potential financial and reputational damage resulting from sanctions breaches far outweighs the cost of robust preventative measures, making the proposals a fair and proportionate requirement for all obliged entities.

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

N/A

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

N/A

Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.

The structured four-category classification, ranging from minor or no direct impact to significant impact where the breach has facilitated or led to criminal activity, provides a clear and graduated framework. Such standardisation promotes consistency in how breaches are assessed, taking into account indicators such as duration, repetition and the effect on the obliged entity and the financial system's integrity. This should contribute to more predictable and proportionate supervisory actions. 

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.

We commend the balanced approach in Article 4, which appropriately considers both mitigating and aggravating factors when determining pecuniary sanctions. The mitigating criteria, including the level of cooperation, prompt notification to supervisors, and implementation of remedial actions, encourage transparency and proactive compliance management. Conversely, the aggravating factors, such as attempts to conceal breaches, non-cooperation, intentional violations, and benefits derived from non-compliance, deter deliberate misconduct. This dual framework effectively promotes a culture of compliance while recognising that the response to identified breaches is as important as the breach itself.

Consideration of the entity’s financial strength ensures penalties remain proportionate without being disproportionately punitive.

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

N/A

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

N/A

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

N/A

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

N/A

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

N/A

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

N/A

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

N/A

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

We believe the proposed framework for periodic penalty payments provides a broadly sound basis for supervisory authorities to build upon. However, regarding the factors influencing the decision to impose and the amount of periodic penalty payments (PPPs), explicit articulation of certain aspects could enhance consistency and effectiveness across the EU. The draft RTS must be more granular regarding the calculation of PPPs and this granularity should explicitly incorporate the role and conduct of the NCAs.

The effectiveness of any penalty regime is predicated on the clarity and fairness of the supervision that precedes it. An obliged entity’s failure to remediate a breach can only be fairly penalised if the supervisor’s initial expectations, guidance, and communication were clear, consistent, and reasonable. Accordingly, the methodology for PPPs should also consider the context set by the entity’s supervisor.

We recommend the establishment of a quantifiable baseline amount. This will help manage expectations and set a clear standard. Such a baseline daily penalty could be calculated as a percentage of the obliged entity's average daily turnover, set within a defined range (e.g., 0.01% to 0.1%). Crucially, this step must include consideration of the firm's overall financial strength to ensure the baseline amount is not so high as to threaten its continued business functioning, thereby protecting market stability and consumers.

Next, the baseline could be adjusted based on a holistic assessment of qualitative criteria, reflecting the specific circumstances of the case. This may take the form of a non-exhaustive list of aggravating and mitigating factors: mitigating factors would decrease the penalty faced, whereas aggravating factors would increase it. Mitigating factors could include (i) demonstrable, good-faith efforts by the firm to engage with the NCA; (ii) efforts to implement remedial actions (such as a suggested third-party audit); (iii) proactively communicating challenges; and (iv) legitimate, evidenced, unforeseen technical challenges in implementing the required measures. Aggravating factors could include (i) a failure to act on prior, clearly communicated supervisory expectations; (ii) a failure to engage with offered remedial pathways; (iii) a demonstrable failure by senior management to allocate sufficient resources; and (iv) a demonstrable failure by senior management to prioritise correcting the breach.

The draft RTS strikes an appropriate balance but would benefit from additional granularity without becoming overly prescriptive. The framework should incorporate a progressive approach that begins with remedial actions for minor infractions before escalating to financial penalties. A tiered methodology should explicitly address both the degree of the breach and the firm's size to ensure proportionality while maintaining deterrent effect, balancing an obliged entity’s financial resources and ability to continue business operations.

To better foster a common supervisory culture, NCAs must be encouraged to share information on best practices for communication and enforcement. NCAs must clearly communicate the initial administrative measures, the grounds for potential periodic penalties if non-compliance persists, and the expected standards for remediation. Open dialogue and transparency are key, as is the supervisory body's role in providing relevant and up-to-date guidance to its licensees. Sharing anonymised summaries of findings or case studies at an EU level (perhaps facilitated by AMLA) could support this.

The framework should also recognise the value of non-punitive interventions like performance improvement plans with reasonable correction timeframes. This approach would provide greater consistency while preserving necessary flexibility for national competent authorities to adapt to their specific regional contexts and national risk assessments, particularly as these assessments typically identify varying vulnerability levels across different sectors.

In summary, more granular guidance on the specific factors that evidence the persistent nature of non-compliance and the entity's commitment to remediation, to be considered when deciding upon and scaling such penalties, could be beneficial.

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

N/A

Name of the organization

Shift Markets