The following is to be viewed as a preliminary comment focusing on Chapter 2 of the proposed guidelines as well as the ‘Executive Summary’ and ‘Background and Rationale’ sections of the Consultation Paper.
We note that whilst the proposed guidelines are designed to address remote customer onboarding solutions under article 13(1) of Directive EU 2015/849 (“AMLD”), we see no reference to the proposal for a regulation on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing (the “AMLR proposal”) of 20 July 2021 and only the briefest mention of the proposal to amend Regulation EU 910/2014 as regards establishing a framework for a European digital identity released on June 3rd 2021 (the “eIDAS 2.0 proposal”).
We recognize that these two initiatives have not completed their legislative processes and are therefore, as of today, not part of EU law, but nevertheless find them of fundamental relevance in that they precisely aim to address some of the shortcomings mentioned in the proposed guidelines, notably that: “customer due diligence (CDD) rules in Directive (EU) 2015/849 do not provide sufficient clarity and convergence about what is, and what is not, allowed in a remote and digital context. As a result, supervisory expectations and what financial sector operators do to comply differs across Member States” (Executive summary – page 2). In particular, we fail to understand the absence of any mention of the AMLR proposal, which not only deals precisely with article 13(1) AMLD but also contains provisions on outsourcing and third-party reliance arrangements that are key for CDD processes implemented by FSOs.
It is commonly recognised that the fragmentation of CDD processes within the EU is embedded in – some would even say ‘encouraged by’ – the wording of article 13(1) of AMLD providing a blanket recognition of any “secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities” without any further requirement regarding trustworthiness or level of assurance. That all national rules are validated in this key area without further quality requirements is an anomaly in a norm-setting European text and is what makes article 13(1) uniquely defective. Indeed, this loose wording fosters regulatory arbitrage for cross-border financial services offered with European banking/financial services passports by unduly favouring service providers with lower CDD standards.
That situation was identified by several Commission studies since 2018, leading to calls for radical reform, a point well received by the European Council instructing the Commission to ‘focus its work […] on achieving a uniform and high standard of customer due diligence, especially with regard to the identification of the customer and the customer’s identity […]’ (5 November 2020 meeting - conclusion 18). As the EBA is no doubt aware, this led to the AML package including the proposal of an AML regulation rewriting key provisions of AMLD, including notably article 13(1) – see Chapter III Customer Due Diligence.
The other critical aspect is the eIDAS 2.0 proposal introducing European Digital Identity wallets meeting high level of assurance requirements, required to be accepted for onboarding purposes by banking and financial service providers and complying with strong customer authentication requirements for banking and financial services (article 12b of the eIDAS 2.0 proposal).
We see very little of this reflected in the proposed guidelines, which implicitly assume that article 13(1) AMLD is “here to stay” in its current form. Hence the following two questions:
- Why is there no mention of the linkage between article 13(1) AMLD and the fragmentation of CDD processes within the EU nor of the AMLR proposal dealing with, inter alia, the very problem the proposed guidelines are aiming to address (and, incidentally, also originating from DG FISMA, the author of the ‘Digital Finance Strategy’ document to which the proposed guidelines are answering)?
- If there are indeed reasonable prospects that the AMLR and eIDAS 2.0 initiatives will become law within a medium-term horizon, has the EBA considered a transition process reflecting the changes initiated by them or at least considering them?