In relation to Article 3, we note that the definition of ‘Ineffective application’ is broad, and will likely to lead to high levels of reporting by some competent authorities. Whilst we recognise the benefit in collecting information, this may reduce the ability of the EBA and NCAs to identify the firms/areas of greatest AML/CTF risk. It may also be applied in an inconsistent manner by NCAs across the EEA, thus undermining the EBA’s objective of applying a targeted approach to identify the most egregious AML/CFT breaches and/or those of a persistent and serious nature in terms of impact and materiality of the weaknesses.
EMA members are also concerned about the potential disproportionate impact on firms that operate on a cross-border basis. For example a firm’s home CA may take a “tick-box” approach, applying frequent low value fines for minor breaches. However this could then trigger visits and inspections from host CA authorities, despite the fact that the ‘ineffective application’ report triggering the action would normally be considered minor by another CA, and/or may have already been rectified by the firm immediately after being identified.
We suggest therefore that the term ‘Ineffective Application’ is defined more clearly, in order to support a consistent approach amongst NCAs, so that the same threshold would trigger a disclosure form the competent authority in all EU MS. In doing this the EBA is more likely to meet the objective of being able to identify matters which should be of concern from an AML and CFT perspective.
We also suggest that where a firm rectifies the ‘ineffective application’ of an AML/CTF requirement, the report submitted by the NCA is then removed. This will ensure the database remains accurate and up to date.
The descriptions of AML/CFT risk profile that a competent authority must make as mandated in the draft RTS in Article 6 under Annex 3 are defined differently by different CAs. For these to be clearly understood, we suggest the EBA consider providing further guidance on how to quantify inherent risk, ranging from low, moderate and high, to ensure the assessment process is interpreted consistently by all CAs.
In a similar vein the EBA may consider providing guidance around the control effectiveness score, and any related mitigation.
Otherwise there may be significant discrepancies between different competent authorities in the scoring of these important AML/CFT risk factors. Inconsistencies would result in some firms being incorrectly risk scored and selected for a visit, whilst others that should receive greater oversight are ignored.
Under article 8 the EMA has no comment on the RTS draft but is concerned in general terms that the collection of data on measures taken by competent authorities and the likelihood of its use by the EBA in assessing the effectiveness of supervisory actions may have a disproportionate impact on firms offering cross-border services. For example a firm’s home CA may take a “tick-box” approach, applying frequent low value fines for minor breaches. However this could then trigger visits and inspections from host CA authorities, despite the fact that this report triggering such action would normally be considered minor by another CA, and/or may have already been rectified by the firm immediately after being identified.