Response to consultation on draft amending Guidelines on risk-based AML/CFT supervision
Go back
According to par. 19, different products or services delivered by the credit or financial institutions have been identified as factors that must be taken into account when associating the subject of assessment in a cluster with a different level of ML/TF risk. In addition to the above considerations, we believe that other factors that should reveal significant changes in the “products or services delivered” are different delivery channels, new type of customers and different geographic areas where the services or products are delivered. To that end, the last period of the paragraph should be re-elaborated, according to the following reviews “… or because the credit institution or financial institution has changed significantly its products or services, also in combination with different delivery channels, new type of customers or different geographic areas where the services or products are delivered”.
Par. 20 states that “competent authorities should cooperate and exchange all relevant information with each other and with other stakeholders, including prudential supervisors, Financial Intelligence Units, tax authorities, law enforcement agencies and AML/CFT supervisors of third countries to ensure the effective AML/CFT supervision of subjects of assessment”. We agree with the aforementioned examples of potential stakeholders that competent authorities should consider cooperating with. However, we believe that judicial authorities, professional orders and social security institutions should be also included among these “potential stakeholders”. In fact, judicial authorities, social security institutions and, above all, professional orders – which represent different categories of subjects of assessment and consequently have a more direct relationship with them – could provide competent authorities with other essential information, in order to ensure a “proportional” RBS model.
In accordance with the new par. 44(e), “in order to develop a good understanding of the inherent risk factors applicable to subjects of assessment, competent authorities should gather information from various sources that includes … the types of customers serviced by the subject of assessment and the level of risk associated with those customers, including customers that are PEPs”. We agree with the aforementioned reference to PEPs customers and with the new types of information required to identify risk factors that are strictly connected with the subject of assessment’s customers. However, we suggest to include a reference to the subjects who have recently ceased to be qualified as PEPs (e.g. subjects who have been qualified as PEPs in the last year but who are no longer considered so) and subjects who are strictly connected to PEPs (e.g. PEPs family members). Furthermore, we believe that the current paragraph should also include a reference to customers that are not strictly qualified as “PEPs”, but that have a relevant political role (e.g.: mayors of cities with more than 15.000 habitants). To that end, paragraph 44(e) should be re-elaborated, according to the following reviews “the types of customers serviced by the subject of assessment and the level of risk associated with those customers, including customers that are PEPs or have been PEPs in the previous year or their family members, or customers that have a relevant political role, and those assessed as presenting ML/TF risk according to the subject of assessment”.
Par. 47 states that “competent authorities should ensure that the type of information requested is determined by the relevant domestic, foreign and sector-wide risk factors”. We believe that this paragraph should include an explicit reference to the “proportionality” of the request of data to individual subjects of assessment. In this way – according to the related statement on pages 17-18 of the EBA Consultation Paper and to the new paragraph 48 – it should be easier to prevent wrong practices, where banks are overburdened with data requests from supervisors. Therefore, paragraph 47 should be re-elaborated as follows “…competent authorities should ensure that the amount and the type of information requested are proportional and determined by...”.
Par. 63 imposes an obligation on competent authorities to weight risk factors in respect of sectors and subjects of assessment. We agree that, when competent authorities weight risk factors, they should do so based on a good understanding why they use certain risk factors to assess ML/TF risk, in order to ensure that weighting of these risk factors is well assessed. However, in our opinion, the additional explanation “When weighting risk factors, competent authorities should ensure to avoid that one risk factor does not sway the balance of the overall weighting to a disproportionate and unreasonable assessment” could be misinterpreted. Competent authorities could underestimate individual factors that are more significant than others. To that end, the paragraph should be re-elaborated as follows “When weighting risk factors, competent authorities should ensure to avoid that one risk factor does not sway automatically the balance of the overall weighting to a disproportionate and unreasonable assessment, when the risk factor does not imply a higher ML/TF risk”.
According to the new par. 67, “when competent authorities have only limited information about the mitigants within the subject of assessment or sector or sub-sector, they should categorise these subjects of assessment, sectors and sub-sectors on a basis of their inherent risk”. In our opinion, this new paragraph could lead to significant delays in determining the residual risk score. According to the importance of the “residual risk” – they should assign the residual risk score as soon as the relevant information becomes available. In particular, we propose the deadline to be 30 working days since when the relevant information becomes available. Ultimately, the paragraph should be reviewed as follows “When competent authorities have only limited information about the mitigants within the subject of assessment or sector and sub-sector, they should categorise the subjects of assessment, sectors and sub-sectors on a basis of their inherent risk profile and assign the residual risk score within 30 working days since when the relevant information becomes available”.
Par. 87 states that “competent authorities should exercise flexibility and adapt their use of supervisory tools in response to a new or emerging ML/TF risk identified within the subject of assessment, sector or sub-sector”. We agree that, in order to carry out the AML/CFT supervision effectively, competent authorities should adjust the frequency, intensity and intrusiveness of AML/CFT supervision on a risk-sensitive basis. However, we believe that the “flexibility” in the choice of the specific supervisory tool to be used should be always pursued, regardless of how the emerging ML/TF risk has been identified. To that end, the reference to “such situation may arise where the competent authority has identified through AML/CFT returns or other supervisory activities an emerging ML/TF risk” is redundant and could be misinterpreted. Ultimately, the aforementioned part of the paragraph should be removed.
According to the new par. 88, “competent authorities should also be flexible to carry out ad hoc inspections where necessary, which do not form part of their supervisory strategy and plan. Such inspections may be triggered by a specific event…”. We agree that competent authorities should exercise flexibility in order to carry out ad hoc inspections, even if they do not form part of their supervisory strategy or plan. Nonetheless, we believe that the reference to “specific event” should be specified, in order to establish when an ad hoc inspections should be carried out. For example, new products or services delivered by the subject of assessment – such as new delivery channels of the services or products, different type of customers or new geographic areas where the services or products are delivered – should be considered as a “specific event” that requires an ad hoc inspection. In accordance with the above considerations, the paragraph should be amended as follows “… such inspections may be triggered by a specific event, such as new products or services, new delivery channels of the services or products, different type of customers or new geographic areas where the services or products are delivered...”.
Par. 89 states that “competent authorities should recognise that each subject of assessment, sector and sub-sector is exposed to different levels of ML/TF risk, which should determine the type and frequency of supervisory tools used”. We agree that competent authorities should determine the type and frequency of supervisory tools used, according to the different levels of ML/TF risk. However, we believe that competent authorities should determine not only the type and frequency of the supervisory tools used, but also the intensity and intrusiveness of these tools. To that end, the paragraph should be reviewed as follows “Competent authorities should recognise that each subject of assessment, sector or sub-sector is exposed to different levels of ML/TF risk, which should determine the type, frequency, intensity and intrusiveness of the supervisory tools used”.
Par. 91 requires that “where the implementation of AML/CFT systems and controls by subjects of assessment is not the competent authority’s key objective, competent authorities should consider the use of off-site reviews”. We agree with the aforementioned use of off-site reviews. Nevertheless, we believe that the reference to “When the implementation of AML/CFT systems and controls by subjects of assessment is not the competent authority’s key objective” could be misinterpreted, because the current paragraph do not provide a definition of “competent authority’s key objective”. To that end, the incipit of the paragraph should be re-elaborated as follows “When a full scope on-site inspection is not required, according to par. 90, competent authorities should consider the use of off-site reviews”.
In accordance with par. 93(b), “when deciding whether to carry out a full-scope on-site inspection or use other type of supervisory tool, competent authorities should consider … what type of information is needed and how to obtain it effectively”. We agree that the decision whether to carry out a full-scope on-site inspection or other type of supervisory tools should be determined by the type of information needed. However, in our opinion, this new paragraph should also include a reference to the intensity and intrusiveness of the information required. To that end, par. 93(b) should be modified as follows “…what type of information and which intensity and intrusiveness is needed and how to obtain it effectively”.
Par. 118 states that “competent authorities should ensure that breaches and weaknesses identified as a result of its supervisory tools are sufficiently remediated by the subject of assessment. Competent authorities should request a written remediation plan where the subject of assessment ha set out its proposal to address the identified breaches and weaknesses. The remediation plan should set out a clear timeline for when the remediation plan will be complete, which should be challenged by the competent authority where the timeline is unrealistic”. We agree that competent authorities should be able to challenge the remediation plan adopted by the subject of assessment. However, we believe that the remediation plan should be challenged not only where the timeline – for when the remediation will be complete – is unrealistic, but also where the remediations that have been set out are not suitable or enough to adjust the weaknesses. In accordance with the above considerations, this part of the paragraph should be amended as follows “the remediation plan should set out a clear timeline for when the remediation will be complete, which should be challenged by the competent authority where the timeline is unrealistic or the remediations are not appropriate to the specific weakness”.
Q1. Do you have any comments with the proposed changes to the ‘Subject matter, scope and definitions’?
We agree with the non-substantive changes to paragraphs 1 to 4 of the Original Guidelines. In particular, we highlight the importance of the new definition of “Cluster”, as “two or more credit institutions or financial institutions in a sector having similar characteristics and exposure to the same levels of ML/TF risk”. In our opinion, the current definition is of the utmost importance, in order to ensure an overall perspective of the ML/TF risk within a sector.Q2. Do you have any comments with the proposed changes to the Guideline 4.1 ‘Implementing the RBS model’?
Par. 14 states that “competent authorities should be proportionate in their supervision of subjects of assessment for AML/CTF purposes”. We agree that the extent of the information sought, and the frequency and intensity of the supervisory engagement and dialogue with a subject of assessment should be commensurate with the ML/TF risk identified. Nonetheless, we believe that the nature and the size of the subject of assessment are factors that should be taken into account for the identification of the ML/TF risk; in fact, in multiple occasions, there is a link between a high ML/TF risk and certain type of nature or size of the subject of assessment. Ultimately, the analysis of the nature and the size of the subject of assessment guarantees a more proportionate approach in the supervision of subjects of assessment for AML/CTF purposes.According to par. 19, different products or services delivered by the credit or financial institutions have been identified as factors that must be taken into account when associating the subject of assessment in a cluster with a different level of ML/TF risk. In addition to the above considerations, we believe that other factors that should reveal significant changes in the “products or services delivered” are different delivery channels, new type of customers and different geographic areas where the services or products are delivered. To that end, the last period of the paragraph should be re-elaborated, according to the following reviews “… or because the credit institution or financial institution has changed significantly its products or services, also in combination with different delivery channels, new type of customers or different geographic areas where the services or products are delivered”.
Par. 20 states that “competent authorities should cooperate and exchange all relevant information with each other and with other stakeholders, including prudential supervisors, Financial Intelligence Units, tax authorities, law enforcement agencies and AML/CFT supervisors of third countries to ensure the effective AML/CFT supervision of subjects of assessment”. We agree with the aforementioned examples of potential stakeholders that competent authorities should consider cooperating with. However, we believe that judicial authorities, professional orders and social security institutions should be also included among these “potential stakeholders”. In fact, judicial authorities, social security institutions and, above all, professional orders – which represent different categories of subjects of assessment and consequently have a more direct relationship with them – could provide competent authorities with other essential information, in order to ensure a “proportional” RBS model.
Q3. Do you have any comments on the proposed changes to the Guideline 4.2 ‘Step 1- Identification of risk and mitigating factors’?
Par. 33 requires that, in order to have adequate knowledge, awareness and understanding of the ML/TF risks, competent authorities should understand – among other things – “the type, typologies and scale of money laundering linked to predicate offences, including tax offences, committed domestically”. We agree that tax offences are factors that should be taken into account by the competent authorities, in order to identify the domestic risk associated with a subject of assessment. Nonetheless, we believe that other typologies of offences should be considered when referring to the connection between predicate offences and money laundering. Among those offences, at least the crimes against the public administration should be considered and added to the paragraph 33(a). Part of the proceeds and price of such crimes (e.g. corruption, indictment to bribery etc.) could, in fact, be part of the ML/TF process.In accordance with the new par. 44(e), “in order to develop a good understanding of the inherent risk factors applicable to subjects of assessment, competent authorities should gather information from various sources that includes … the types of customers serviced by the subject of assessment and the level of risk associated with those customers, including customers that are PEPs”. We agree with the aforementioned reference to PEPs customers and with the new types of information required to identify risk factors that are strictly connected with the subject of assessment’s customers. However, we suggest to include a reference to the subjects who have recently ceased to be qualified as PEPs (e.g. subjects who have been qualified as PEPs in the last year but who are no longer considered so) and subjects who are strictly connected to PEPs (e.g. PEPs family members). Furthermore, we believe that the current paragraph should also include a reference to customers that are not strictly qualified as “PEPs”, but that have a relevant political role (e.g.: mayors of cities with more than 15.000 habitants). To that end, paragraph 44(e) should be re-elaborated, according to the following reviews “the types of customers serviced by the subject of assessment and the level of risk associated with those customers, including customers that are PEPs or have been PEPs in the previous year or their family members, or customers that have a relevant political role, and those assessed as presenting ML/TF risk according to the subject of assessment”.
Par. 47 states that “competent authorities should ensure that the type of information requested is determined by the relevant domestic, foreign and sector-wide risk factors”. We believe that this paragraph should include an explicit reference to the “proportionality” of the request of data to individual subjects of assessment. In this way – according to the related statement on pages 17-18 of the EBA Consultation Paper and to the new paragraph 48 – it should be easier to prevent wrong practices, where banks are overburdened with data requests from supervisors. Therefore, paragraph 47 should be re-elaborated as follows “…competent authorities should ensure that the amount and the type of information requested are proportional and determined by...”.
Q4. Do you have any comments on the proposed changes to the Guideline 4.3 ‘Step 2 – Risk assessment’?
According to the new par. 60, competent authorities “should develop a holistic view of ML/TF risks to which subjects of assessment which are part of a group are exposed”. We agree that the assessment of ML/TF risk at a group level should include risks arising from subjects’ of assessment operations in other countries through their branches and subsidiaries. Nevertheless, in our opinion, the risks arising from the subject’s of assessment exposure to countries are not limited to the factors analysed in paragraph 60(a)-(e). The current list of foreign risk factors should also include a reference to “countries or territories that have been subject to sanctions, embargo or similar measures adopted by national or international competent authorities”.Par. 63 imposes an obligation on competent authorities to weight risk factors in respect of sectors and subjects of assessment. We agree that, when competent authorities weight risk factors, they should do so based on a good understanding why they use certain risk factors to assess ML/TF risk, in order to ensure that weighting of these risk factors is well assessed. However, in our opinion, the additional explanation “When weighting risk factors, competent authorities should ensure to avoid that one risk factor does not sway the balance of the overall weighting to a disproportionate and unreasonable assessment” could be misinterpreted. Competent authorities could underestimate individual factors that are more significant than others. To that end, the paragraph should be re-elaborated as follows “When weighting risk factors, competent authorities should ensure to avoid that one risk factor does not sway automatically the balance of the overall weighting to a disproportionate and unreasonable assessment, when the risk factor does not imply a higher ML/TF risk”.
According to the new par. 67, “when competent authorities have only limited information about the mitigants within the subject of assessment or sector or sub-sector, they should categorise these subjects of assessment, sectors and sub-sectors on a basis of their inherent risk”. In our opinion, this new paragraph could lead to significant delays in determining the residual risk score. According to the importance of the “residual risk” – they should assign the residual risk score as soon as the relevant information becomes available. In particular, we propose the deadline to be 30 working days since when the relevant information becomes available. Ultimately, the paragraph should be reviewed as follows “When competent authorities have only limited information about the mitigants within the subject of assessment or sector and sub-sector, they should categorise the subjects of assessment, sectors and sub-sectors on a basis of their inherent risk profile and assign the residual risk score within 30 working days since when the relevant information becomes available”.
Q5. Do you have any comments with the proposed changes to the Guideline 4.4 ‘Step 3 - Supervision’?
Par. 78(b) states that “in the strategy, competent authorities should set clear objectives for their approach to AML/CFT supervision and set out how these objectives will be achieved. As part of this, a supervisory strategy should … explain how they will ensure that adequate supervisory coverage and monitoring commensurate to the ML/TF risk is applied to all sectors and sub-sectors, including those associates with lower ML/TF risks”. We believe that supervisory coverage and monitoring commensurate to the ML/TF risk has to be applied to all sectors and sub-sectors, regardless of the risk level. To that end, the reference to “including those associated with lower ML/TF risk” is redundant and should be removed.Par. 87 states that “competent authorities should exercise flexibility and adapt their use of supervisory tools in response to a new or emerging ML/TF risk identified within the subject of assessment, sector or sub-sector”. We agree that, in order to carry out the AML/CFT supervision effectively, competent authorities should adjust the frequency, intensity and intrusiveness of AML/CFT supervision on a risk-sensitive basis. However, we believe that the “flexibility” in the choice of the specific supervisory tool to be used should be always pursued, regardless of how the emerging ML/TF risk has been identified. To that end, the reference to “such situation may arise where the competent authority has identified through AML/CFT returns or other supervisory activities an emerging ML/TF risk” is redundant and could be misinterpreted. Ultimately, the aforementioned part of the paragraph should be removed.
According to the new par. 88, “competent authorities should also be flexible to carry out ad hoc inspections where necessary, which do not form part of their supervisory strategy and plan. Such inspections may be triggered by a specific event…”. We agree that competent authorities should exercise flexibility in order to carry out ad hoc inspections, even if they do not form part of their supervisory strategy or plan. Nonetheless, we believe that the reference to “specific event” should be specified, in order to establish when an ad hoc inspections should be carried out. For example, new products or services delivered by the subject of assessment – such as new delivery channels of the services or products, different type of customers or new geographic areas where the services or products are delivered – should be considered as a “specific event” that requires an ad hoc inspection. In accordance with the above considerations, the paragraph should be amended as follows “… such inspections may be triggered by a specific event, such as new products or services, new delivery channels of the services or products, different type of customers or new geographic areas where the services or products are delivered...”.
Par. 89 states that “competent authorities should recognise that each subject of assessment, sector and sub-sector is exposed to different levels of ML/TF risk, which should determine the type and frequency of supervisory tools used”. We agree that competent authorities should determine the type and frequency of supervisory tools used, according to the different levels of ML/TF risk. However, we believe that competent authorities should determine not only the type and frequency of the supervisory tools used, but also the intensity and intrusiveness of these tools. To that end, the paragraph should be reviewed as follows “Competent authorities should recognise that each subject of assessment, sector or sub-sector is exposed to different levels of ML/TF risk, which should determine the type, frequency, intensity and intrusiveness of the supervisory tools used”.
Par. 91 requires that “where the implementation of AML/CFT systems and controls by subjects of assessment is not the competent authority’s key objective, competent authorities should consider the use of off-site reviews”. We agree with the aforementioned use of off-site reviews. Nevertheless, we believe that the reference to “When the implementation of AML/CFT systems and controls by subjects of assessment is not the competent authority’s key objective” could be misinterpreted, because the current paragraph do not provide a definition of “competent authority’s key objective”. To that end, the incipit of the paragraph should be re-elaborated as follows “When a full scope on-site inspection is not required, according to par. 90, competent authorities should consider the use of off-site reviews”.
In accordance with par. 93(b), “when deciding whether to carry out a full-scope on-site inspection or use other type of supervisory tool, competent authorities should consider … what type of information is needed and how to obtain it effectively”. We agree that the decision whether to carry out a full-scope on-site inspection or other type of supervisory tools should be determined by the type of information needed. However, in our opinion, this new paragraph should also include a reference to the intensity and intrusiveness of the information required. To that end, par. 93(b) should be modified as follows “…what type of information and which intensity and intrusiveness is needed and how to obtain it effectively”.
Par. 118 states that “competent authorities should ensure that breaches and weaknesses identified as a result of its supervisory tools are sufficiently remediated by the subject of assessment. Competent authorities should request a written remediation plan where the subject of assessment ha set out its proposal to address the identified breaches and weaknesses. The remediation plan should set out a clear timeline for when the remediation plan will be complete, which should be challenged by the competent authority where the timeline is unrealistic”. We agree that competent authorities should be able to challenge the remediation plan adopted by the subject of assessment. However, we believe that the remediation plan should be challenged not only where the timeline – for when the remediation will be complete – is unrealistic, but also where the remediations that have been set out are not suitable or enough to adjust the weaknesses. In accordance with the above considerations, this part of the paragraph should be amended as follows “the remediation plan should set out a clear timeline for when the remediation will be complete, which should be challenged by the competent authority where the timeline is unrealistic or the remediations are not appropriate to the specific weakness”.