Response to consultation on draft amending Guidelines on risk-based AML/CFT supervision
Go back
Given that competent authorities (CAs) need to adjust their supervision to reflect the outcomes of their ML/TF risks assessments (in terms of intensity and frequency), a common understanding of the risk-based approach across the EU is crucial not only for a consistent supervision, but also for the everyday practice of obliged entities, as it brings about legal certainty, enabling them thereby to seamlessly serve their customers and contribute to the fight against ML/TF.
BIPAR is in favour of introducing risks associated with the “sector/subsector” in the definition of “risk profile”. It is important that the risk assessments take into account the risk associated to the particular sector of activities and consequently to place the main attention on sectors considered to present significant ML/TF risks, without of course neglecting the less risky sector. It should be noted that according to the March 2021 EBA Opinion on “ML/TF risks affecting then European Union’s financial sector”, CAs considered the sector of life insurance intermediaries (LIIs) as presenting less significant exposure to ML/TF inherent risks.
BIPAR has a concern about the definition of “threat” referring to the criminals “past, present and future ML or TF activities”. Maybe a clarification would be necessary to specify that this refers only to published and publicly accessible reports and information, at least for the obliged entities.
BIPAR can understand the perspective of Guideline 4.1, paragraph 15 whereby “small credit institutions or financial institutions that are not systemically important can nevertheless pose a high ML/TF risk”. However, this should not be considered as the standard case for SME obliged entities. As a result, it is important that the supervisory actions of the competent authorities also take into account the size and nature and scale of operations of the firm in question.
Double work should also be avoided and the possibility to distribute AML work between parties in the same chain (such as a life insurance intermediary and life insurance company should continue and be possible).
Furthermore, BIPAR supports the fact the no changes were made in paragraph 28 whereby “the extent and type of information sought by competent authorities to identify risk factors and mitigating factors should be proportionate to the nature and size, where known, of the subjects’ of assessment business activities”. BIPAR also supports paragraphs 40 and 41 which explain what type of information should be obtained by competent authorities in order to identify risk factors associated with sectors and sub-sectors.
BIPAR has no objections with regards to the new sources of information listed, such as the EBA’s risk assessment, AML/CFT colleges and colleges of prudential supervisors, tax authorities, prudential supervisors as well as “publicly available information from reputable sources”. We are wondering, however, what is meant by point (c) in paragraph 31 “industry bodies, such as typologies and information on emerging risks”. We believe that further clarification is needed on what type of information may be required by industry bodies.
Regarding paragraph 32 of Guideline 4.2, BIPAR is not convinced that the removal of “financial” activities (from the phase “to identify the ML/TF risk factors associated with the domestic activities of subjects of assessment and within sectors”) is justified. The example given in the EBA consultation paper, namely trading in virtual currencies, seems to be also part of the financial activities. BIPAR believes that is it important to clearly delineate the scope of the activities to be investigated for AML purposes. Removing “financial” may bring about unwanted uncertainty.
Finally, as far as it concerns the information to be collected for risks associated with the subject of assessment (paragraph 46), BIPAR would like to stress out that for small or sole entities the obligation to provide information to competent authorities should be seen together with the principle of proportionality. In practice, many of these entities outsource the compliance function to third-parties or are not able to afford a compliance officer.
BIPAR also agrees with the approach to weigh the risk factors in relation to sectors and subjects of assessment identified under Step 1 of the risk-based supervision model, in accordance with “their relative importance” (paragraph 63 of Guideline 4.3).
The guideline, which now requires competent authorities to consider the use of the risk categories seem to be appropriate (paragraphs 69 and 70 of Guideline 4.3). The prescribed risk categories – less significant risk, moderately significant risk, significant risk and very significant risk classifying subjects of assessment, sectors and sub-sectors are in line with the EBA’s ML/TF risk assessment processes and particularly the biannual EBA Opinion on ML/TF risk. Furthermore, the consideration and categorisation of the residual risk associated with subjects of assessment, sectors or sub-sectors can be also very useful and help understand the actual risk that reflects the reality.
BIPAR further agrees that the supervisory action should be linked to a clear supervisory strategy laying down objectives and measures to be taken and that, in turn, the supervisory plan should be linked to the strategy which it intends to implement (paragraph 78). BIPAR welcomes the clarification that “competent authorities should note that it may not be appropriate to draw conclusions, for AML/CFT supervisory purposes, from the level of prudential or conduct risk” (paragraph 82).
Supervisory tools should also follow the same principles and should be commensurate to the level of exposure to ML/TF risks. Moreover, when developing the supervisory manual, competent authorities should pay attention to proportionality principle and the differences between the various subjects of assessment, such as the number and type of products and services and the number and type of customers and transactions (paragraphs 100 and 101). Please see also our answer to the Q3 above regarding outsourcing of compliance function to third-parties, in the case of small or sole entities.
BIPAR endorses, in principle, the objective that the new paragraphs 122-132 wish to achieve by requiring competent authorities to develop a communication strategy with the sector under their supervision. For an effective supervision and efficient implementation of the AML rules, it is essential that the competent authorities communicate to the subjects of assessment in a transparent way the outcomes of their risk assessment (including that of the sector). This will enable entities to enhance their understanding of risks as well as of the competent authorities’ approach. Furthermore, providing non-binding guidance to the obliged entities with concise, precise and clear provisions on what they expect them to do to comply with their AML/CFT obligations, would be welcome. In addition, competent authorities should be available for a constructive dialogue with the obliged entities and their representation bodies, and they should consult them before developing official supervisory guidelines in a publicly available way.
Q1. Do you have any comments with the proposed changes to the ‘Subject matter, scope and definitions’?
BIPAR welcomes the opportunity to comment on this EBA consultation and supports the objective to provide further guidance on the implementation of the risk-based approach to ensure effective AML/CFT supervision. BIPAR also welcomes the fact that the revised guidelines take into account the FATF Guidelines on Risk-based Supervision.Given that competent authorities (CAs) need to adjust their supervision to reflect the outcomes of their ML/TF risks assessments (in terms of intensity and frequency), a common understanding of the risk-based approach across the EU is crucial not only for a consistent supervision, but also for the everyday practice of obliged entities, as it brings about legal certainty, enabling them thereby to seamlessly serve their customers and contribute to the fight against ML/TF.
BIPAR is in favour of introducing risks associated with the “sector/subsector” in the definition of “risk profile”. It is important that the risk assessments take into account the risk associated to the particular sector of activities and consequently to place the main attention on sectors considered to present significant ML/TF risks, without of course neglecting the less risky sector. It should be noted that according to the March 2021 EBA Opinion on “ML/TF risks affecting then European Union’s financial sector”, CAs considered the sector of life insurance intermediaries (LIIs) as presenting less significant exposure to ML/TF inherent risks.
BIPAR has a concern about the definition of “threat” referring to the criminals “past, present and future ML or TF activities”. Maybe a clarification would be necessary to specify that this refers only to published and publicly accessible reports and information, at least for the obliged entities.
Q2. Do you have any comments with the proposed changes to the Guideline 4.1 ‘Implementing the RBS model’?
BIPAR is not in favour of the removal “nature and size of the subject of assessment” from the Guideline 4.1, paragraph 14 on proportionality. “Proportionality” is a core principle of EU legislation as stipulated in Art. 5.1 of the Treaty of the EU. It is an over-arching principle that requires to be applied in every single EU legislative action, including also quasi legislation such as technical standards and guidelines from supervisors. This means that the objective of considering proportionality is to ensure that any rules and actions are not too burdensome for SME’s by taking account of the nature, scale and complexity of the business at issue. The need to take into account the size, nature and complexity of the activities in question, in accordance with the proportionality principle, is explicitly endorsed throughout the EU legislation, in particular the insurance service legislation. In the context of the AML fight, which follows a risk-based approach, the factors of size, nature and complexity of the entity in question continue to be relevant. In fact, the inherent ML/TF risk is also related to the size and activity of the entity, and it should be assessed accordingly.BIPAR can understand the perspective of Guideline 4.1, paragraph 15 whereby “small credit institutions or financial institutions that are not systemically important can nevertheless pose a high ML/TF risk”. However, this should not be considered as the standard case for SME obliged entities. As a result, it is important that the supervisory actions of the competent authorities also take into account the size and nature and scale of operations of the firm in question.
Q3. Do you have any comments on the proposed changes to the Guideline 4.2 ‘Step 1- Identification of risk and mitigating factors’?
BIPAR agrees with the statement in the consultation paper that to identify the ML/TF risks, competent authorities need to refer to the EBA’s AML/CFT Risk Factors Guidelines. BIPAR also agrees that a “one-size-fit-all” approach is not sufficient to identify the risks in the various obliged entities. For instance, insurance services sector is distinct from the investment and banking services sector.Double work should also be avoided and the possibility to distribute AML work between parties in the same chain (such as a life insurance intermediary and life insurance company should continue and be possible).
Furthermore, BIPAR supports the fact the no changes were made in paragraph 28 whereby “the extent and type of information sought by competent authorities to identify risk factors and mitigating factors should be proportionate to the nature and size, where known, of the subjects’ of assessment business activities”. BIPAR also supports paragraphs 40 and 41 which explain what type of information should be obtained by competent authorities in order to identify risk factors associated with sectors and sub-sectors.
BIPAR has no objections with regards to the new sources of information listed, such as the EBA’s risk assessment, AML/CFT colleges and colleges of prudential supervisors, tax authorities, prudential supervisors as well as “publicly available information from reputable sources”. We are wondering, however, what is meant by point (c) in paragraph 31 “industry bodies, such as typologies and information on emerging risks”. We believe that further clarification is needed on what type of information may be required by industry bodies.
Regarding paragraph 32 of Guideline 4.2, BIPAR is not convinced that the removal of “financial” activities (from the phase “to identify the ML/TF risk factors associated with the domestic activities of subjects of assessment and within sectors”) is justified. The example given in the EBA consultation paper, namely trading in virtual currencies, seems to be also part of the financial activities. BIPAR believes that is it important to clearly delineate the scope of the activities to be investigated for AML purposes. Removing “financial” may bring about unwanted uncertainty.
Finally, as far as it concerns the information to be collected for risks associated with the subject of assessment (paragraph 46), BIPAR would like to stress out that for small or sole entities the obligation to provide information to competent authorities should be seen together with the principle of proportionality. In practice, many of these entities outsource the compliance function to third-parties or are not able to afford a compliance officer.
Q4. Do you have any comments on the proposed changes to the Guideline 4.3 ‘Step 2 – Risk assessment’?
BIPAR supports the EBA statement that “competent authorities’ risk assessment forms basis for competent authorities’ risk-based approach”. In this context, a good understanding of ML/TF risks associated with the sector is also important (paragraphs 49, 50 and 51 of Guideline 4.3). Please see our answer under Q3 regarding sector/sub-sectoral risk assessment.BIPAR also agrees with the approach to weigh the risk factors in relation to sectors and subjects of assessment identified under Step 1 of the risk-based supervision model, in accordance with “their relative importance” (paragraph 63 of Guideline 4.3).
The guideline, which now requires competent authorities to consider the use of the risk categories seem to be appropriate (paragraphs 69 and 70 of Guideline 4.3). The prescribed risk categories – less significant risk, moderately significant risk, significant risk and very significant risk classifying subjects of assessment, sectors and sub-sectors are in line with the EBA’s ML/TF risk assessment processes and particularly the biannual EBA Opinion on ML/TF risk. Furthermore, the consideration and categorisation of the residual risk associated with subjects of assessment, sectors or sub-sectors can be also very useful and help understand the actual risk that reflects the reality.
Q5. Do you have any comments with the proposed changes to the Guideline 4.4 ‘Step 3 - Supervision’?
BIPAR supports the EBA approach that, in line with the FATF guidance, a risk-based approach to supervision involves tailoring the supervisory actions and response to address the specific risks within the sector or subjects of assessment. The risk-based approach and the proportionality principle are also endorsed in paragraph 75 of Guideline 4.4 whereby “competent authorities should ensure that subjects of assessment exposed to more significant ML/TF risks are subject to more frequent and intrusive supervision”. This should be translated that, where the exposure to ML/TF risks is low, the nature, focus, intensity, and frequency of the AML supervision should be lowered accordingly. Also, some financial activities/transactions are examined for compliance more than once at different stages of the process. The option to distribute/divide the AML activities between the various operators in a chain should be maintained (or even encouraged).BIPAR further agrees that the supervisory action should be linked to a clear supervisory strategy laying down objectives and measures to be taken and that, in turn, the supervisory plan should be linked to the strategy which it intends to implement (paragraph 78). BIPAR welcomes the clarification that “competent authorities should note that it may not be appropriate to draw conclusions, for AML/CFT supervisory purposes, from the level of prudential or conduct risk” (paragraph 82).
Supervisory tools should also follow the same principles and should be commensurate to the level of exposure to ML/TF risks. Moreover, when developing the supervisory manual, competent authorities should pay attention to proportionality principle and the differences between the various subjects of assessment, such as the number and type of products and services and the number and type of customers and transactions (paragraphs 100 and 101). Please see also our answer to the Q3 above regarding outsourcing of compliance function to third-parties, in the case of small or sole entities.
BIPAR endorses, in principle, the objective that the new paragraphs 122-132 wish to achieve by requiring competent authorities to develop a communication strategy with the sector under their supervision. For an effective supervision and efficient implementation of the AML rules, it is essential that the competent authorities communicate to the subjects of assessment in a transparent way the outcomes of their risk assessment (including that of the sector). This will enable entities to enhance their understanding of risks as well as of the competent authorities’ approach. Furthermore, providing non-binding guidance to the obliged entities with concise, precise and clear provisions on what they expect them to do to comply with their AML/CFT obligations, would be welcome. In addition, competent authorities should be available for a constructive dialogue with the obliged entities and their representation bodies, and they should consult them before developing official supervisory guidelines in a publicly available way.