As a general remark, the EBF supports the addition of the Annex to address specific issues related to NPO customers.
NPOs are providers of valuable services to those in need. However, this necessarily involves that at times they have to act in jurisdictions and situations that might expose them to higher ML/TF risks. Moreover, compared to corporate customers and financial institutions, NPOs often are less aware of the need to manage those risks and of how to do it. For this reason, we support the efforts pursued by EBA to maintain NPO customers’ access to services through this annex, which clarifies the steps that can be taken by financial institutions to manage those ML/TF risks related to NPO customers.
We support the idea of considering NPOs separately as opposed to addressing all customer groups together. Nonetheless, although we acknowledge that the proposed definition of NPOs is aligned with FATF’s one, the fact that it is rather open may entail certain risks if it covers an overly broad range of customers.
Customers that are NPOs (Guidelines 9 and 10)
The guidelines for NPOs appear to be directed towards established (international) organisations (e.g. Red Cross, Doctors Without Borders). These guidelines provide little guidance on how to assess the risk profile of newly established and small NPOs. In those cases there may not be an opportunity to assess the reputation, demonstration of the management capability or disclosed annual reports/financial statements. Therefore, these risk indicators may be less relevant for newly established or smaller NPOs. Therefore, we request to add further clarification on how to assess the identified risk factors in guideline 9 and 10 in those circumstances.
In support of a stronger risk-based approach, we suggest making the following adjustments to the text of guideline 9 (page 13) and guideline 10 (pages 13 -15).
We believe that a stronger focus on the risk-based approach is needed in the wording of Guideline 9. Not all information and documentation listed therein needs to be obtained in all cases. Therefore, we suggest changing the wording “should refer” mentioned throughout the guideline (let. “a” to “f”) to “may refer”.
Similarly, we maintain that not all risk factors listed in Guideline 10 necessarily need to be considered in all cases. Therefore, we propose changing the sentence: “When identifying the risk associated with clients that are NPOs, firms should consider at least the following risk factors:” into: “The following risk factors may be relevant to consider when identifying the risk associated with clients that are NPOs.”
These changes will reduce unnecessary administrative burden for NPOs, where the information, documentation or risk factors are not relevant from a risk perspective.
Another issue relates to Guideline 10h which covers risks related to NPO’s funding, such as crypto or crowdfunding. In our view, it remains unclear to what extent this is different to other customers’ risk profiles receiving funds from similar sources. We believe further clarification will be needed in this regards.
Competent authority outreach to NPOs
We see an important role for competent authorities, and in time potentially the EU’s new Anti-Money Laundering Authority (AMLA), in promoting an understanding among NPOs of the importance of identifying and managing ML/TF risks in their operations and of techniques for doing so. We note that this is one of the practices recommended in the FATF’s June 2015 Best Practices on Combating the Abuse of Non-Profit Organisations that includes case studies from several EU countries. In addition, the EBF believes that the establishment of a dialogue among the relevant stakeholders would be beneficial in order to provide clarification and support the mutual application of appropriate procedures to mitigate ML/TF risks.
The FATF report also provides useful examples of areas to cover in such outreach, including factors that can help to enhance and demonstrate the NPO’s organisational integrity, and the particular issues related to the use of cash. We suggest that it might be helpful to further refine the definition of NPOs. Therefore, we recommend that EBA adds an extra section to the Annex addressed to NCAs referring to communication with NPOs.
Risk mitigants for NPOs operating in higher-risk jurisdictions
We welcome that the Annex recognises that not all NPOs operate in high-risk jurisdictions. However, for NPOs that operate in those jurisdictions we note that the guidelines do not provide details on the possibility for them to put in place controls to reduce or manage the inherent risk. This in turn may reduce their ML/TF risk profile. This is a separate issue from the question of humanitarian operations in countries subject to sanctions, which is already addressed.
Based on the above, we recommend that EBA introduces a section explicitly referring to the possibility for NPOs that operate in high-risk jurisdictions to put in place the aforementioned controls in order to reduce the inherent risk of their operations. We also suggest drawing on the FATF report mentioned above to provide indicative examples. For instance, it would be helpful to provide more information about what kind of evidence a bank might be able to obtain, and how, to obtain assurance that an NPO was operating within the scope of an applicable exemption from the sanctions regime, as discussed in paragraph 12.
Operations in jurisdictions associated with higher ML/TF risks and high-risk third countries (Guidelines 11-13)
With regards to the section on NPO customers and the operations in jurisdictions associated with higher ML/TF risks and high-risk third countries, there are several issues we would like to address.
First, according to Guideline 11e (page 15), funding from governments, supranational or international organisations should be considered as a risk reducing factor. However, NPOs often receive funds from both public and private parties. We recognise that the guidelines do not provide detailed guidance on how to consider funding from a combination of public and private parties. Therefore, we suggest a stronger risk-based approach for assessing the ratio of public and private funding. Additionally, it should be recognised that funding received from governments from high-risk third countries should not be considered as a risk reducing factor.
Moreover, in Guideline 11f (page 15) the use of the word “it” is confusing. We assume that “it” refers to the NPO. It is therefore suggested to replace “it” by “NPO”. The sentence will then read as follows: “The NPO does not have any links with high-risk third countries, or if the NPO has, the NPO can demonstrate that it has taken appropriate steps to mitigate the ML/TF risks…”. In our view, Guideline 11f serves as an example of how these guidelines are more beneficial to larger than smaller NPOs. For instance, requiring written AML procedures may not be proportionate for a small NPO with a restricted objective and limited money flows (e.g. volunteers building a school in a high-risk third country).
The EBF would also like to highlight an operational risk related to Guideline 12. In particular, we refer to the “evidence that provide reasonable assurance that the NPO conducts its activities in these jurisdiction in line with the exemption provided….”. We note that it would be useful to have a more detailed indication as regards the means by which this requirement may be fulfilled.
Moreover, the provisions of Guideline 13 on obtaining information in order to establish a good understanding of the NPO’s governance, how it is funded, its activities, where it operates and who are its beneficiaries, are too extensive and detailed. This may also impede the risk-based approach.
We ask for clarification in relation to the definition of jurisdictions associated with higher ML/TF risk. The two categories mentioned in this definition appear to be well distinguished in the EBA Guidelines: it is therefore important to clarify whether – in assessing the NPO’s risk profile, the “mitigation measures” that banks should adopt are the same for both categories or not.
Furthermore, in the Guidelines, we would explicitly highlight that they apply just to the so called “de-risking phenomenon” (termination/refusal of business relationship due to the high risk posed by a category of clients or an individual client). Consequently, it would be welcome to recall in the text that these guidelines do not affect the obligation of banks to refuse the client (or terminate the relationship) when the execution of CDD obligations is impossible, according to the Directive in force.
We also believe that it the Guidelines should not affect cases where banks, for ethical reasons, decide not to offer their services to a specific category of players.
With regards to the general requirements, we welcome the introduction of a distinction between the risk profile of a category of customers and the risk profile of an individual customer within that category. Credit and financial institutions should indeed differentiate between the risks associated with a particular category of customers and the risks associated with individual customers that belong to this category. Moreover, we also support the clarifications provided regarding to payment accounts with basic features.
However, with regards to the definition of “de-risking”, we believe that EBA should acknowledge that Financial institutions may have legitimate reasons for exiting/refusing individual customers or transactions to manage higher ML/TF risk following a case-by-case analysis. FATF’s 2021 Stocktake of unintended consequences recognised that “the loss of access to financial services represents de-risking if it is not based on a case-by-case assessment of risk and ability to mitigate that risk”. AML/CFT legislation includes the legal obligation to refuse and terminate relationships with individual clients when AML/CFT requirements cannot be fulfilled (Article 14(4) of the AMLD4. There are also other legitimate reasons other than those related to ML/TF risks for which financial institutions refuse or decide terminate business relationships with clients, for instance, non-responsive clients or for reasons based on the ESG framework. They can also be linked to the customer conduct or risk management and compliance with legal obligations (sanctions risks) or strategic commercial decisions. We maintain that de-risking is only harmful and unwarranted when categories of clients are excluded.
Guideline 10 “Credit and financial institutions should ensure that the implementation of these policies, procedures and controls should not result in the blanket refusal, or termination, of business relationships with entire categories of customers that they have assessed as presenting higher ML/TF risk.”
Since not every financial service or product is a prerequisite for participation in society, the reference to “access to financial services” seems to be too broad. More specifically, payment accounts are a prerequisite for participation and we suggest to use “access to a basic payment account” with the provision that the involved client does not already hold a payment account with an institution. This would be aligned with the limited access as described in the PAD.
Furthermore, we suggest clarifying the definition of a client as envisaged here (e.g. the PAD definition: any natural person who is acting for purposes which are outside his trade, business, craft or profession are addressed in the EBA Guidelines).
The EBF also calls for a clarification of the following sentence: “As part of this, institutions should put in place appropriate and risk-sensitive policies and procedures to ensure that their approach to applying customer due diligence (CDD) measures does not result in unduly denying customers’ legitimate access to financial services”. This sentence should be coordinated with the banks’ right to decide the level and intensity of the CCD requirements (also in terms of information required) based on the risk of the client.
Guideline 11 “Credit and financial institutions should set out in their policies, procedures and controls all options for mitigating higher ML/TF risk that they will consider applying before deciding to reject a customer on ML/TF risk grounds”.
We consider that Guideline 11 (page 21) should accommodate decisions not to onboard a client when the institution cannot determine beforehand if ML/TF risks can adequately and efficiently be mitigated. This may also occur in situations where new risks emerge.
Guideline 12 “Before taking a decision to reject or to terminate a business relationship, credit and financial institutions should satisfy themselves that they have considered, and rejected, all possible mitigating measures that could reasonably be applied in the particular case,…”
We consider that financial institutions should be able to terminate relationships in case of criminal conduct or possibly criminal customer conduct without considering all possible mitigating measures. Additionally, in reference to Guideline 19 of the same section, the EBF considers that such guidance should be issued by regulators.
Guideline 13 “For the purposes of reporting obligations under Article 14(4) of Directive (EU) 2015/849, institutions should set out in their procedures the reasonable grounds on which they would suspect that ML/TF is taking place or is being attempted”.
Guideline 13 (page 22) requests banks to state in their procedures reasonable grounds on which they would suspect that ML/TF is taking place or has been attempted. With reference to FATCA and risk indicia (as well as the related statements made on page 32-33 regarding the interaction of FATCA and PAD), the question arises whether a missing Tax Identification Number (TIN) or the refusal to provide a TIN by a client could be considered an indicator for tax evasion. If so, we recommend adding this indicator to the guidelines.
Guideline 14 “Credit and financial institutions should document any decision to refuse or terminate a business relationship and the reason for doing so…”.
According to Guideline 14 (page 22), financial institutions should document any decision to refuse or terminate a business relationship and the reason for doing so. A clarification is needed that refusals and terminations of client relationships resulting from AML/CFT reasons should be documented. If a client relationship is refused or terminated for other reasons (e.g. ESG framework, client non-responsiveness) documenting the decision could be in breach of the data minimisation and/or proportionality principles under the GDPR. On the other hand, documenting refusals or terminations of client relationships for AML/CFT reasons can be considered as necessary processing of personal data to adhere to AML/CFT obligations likely to be considered in line with GDPR requirements.
Moreover, we suggest adding a statement on data retention to Guideline 14. Referring to the GDPR once more, it states in Article 5.1(e) that “…personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”.
Guideline 15 ”…credit institutions obliged to offer such basic accounts should set out in their account opening policies and procedures how they can adjust their customer due diligence requirements to account for the fact that the limited functionalities of a basic payment account go towards mitigating the risk that the customer could abuse these products and services for financial crime purposes”.
With regards to Guideline 15, we are concerned with the statement whereby financial institutions “…should set out in their account opening policies and procedures how they can adjust their CDD requirements to account for the fact that the limited functionalities of a basic payment account go towards mitigating the risk that the client could abuse these products and services for financial crime purposes”. This may imply that CDD requirements for basic payments accounts should be less strict than regular CDD requirements. We maintain that this should not be the case.
Furthermore, we suggest including in the guideline the requirements and supervisory expectations with regard to basic payment accounts. Due to the risk mitigating nature of the characteristics of a basic payment account, controls can be defined in accordance with the specific risk profile. Elements to consider could include, e.g. no new products, intensity of monitoring measures, review type and frequency, etc.
Guideline 16 “…credit institutions should make sure that where digital onboarding solutions are in place, those also comply with the afore mentioned Directive and with these guidelines and that the digital solutions do not produce automated rejections, which would conflict with that Directive and these guidelines”.
Regarding guideline 16 and non-discriminatory access, we welcome specific guidance on the types of acceptable digital onboarding tools. As non-face to face may represent additional risks, we suggest that financial institutions retain the mandate within the risk-based approach to settle on measures commensurate to the risks associated with their customers.
The EBF welcomes the inclusion of guidelines in relation to handling cases in which an individual has legitimate reasons for being unable to provide traditional identity documents. Likewise, we believe that apart from the case of refugees and homeless persons, it would be very useful to have clarifications and examples in relation to letter c), persons who do not have an EU residence permit but whose exclusion is impossible.
Additionally, in reference to Guideline 18, and in particular to the term “destination of transactions”, we suggest that it would be helpful to have clarification of whether it should be interpreted as the purpose of the relationship or, instead, as the geographical destination of the transaction. We believe that it should refer to the use of funds/rationale of the business relationship.
Guideline 19 “Credit and financial institutions’ policies and procedures should contain guidance on handling applications from individuals that may have credible and legitimate reasons to be unable to provide traditional forms of identity documentation”.
In our view, there seems to be some inconsistency in the wording of Guideline 19 (page 23) where it is stated that “…guidance should at least set out..” and in the following a), b) and c) stating “…where permitted by national law”. We believe that the reference to national law should be maintained in order to cater for the differences in the laws of Member States.
Moreover, we believe that several elements in this guideline need further clarification:
• Guideline 19a states that information on full name and date of birth is sufficient. We seek clarification whether this would also be applicable to the situations and forms of identification mentioned in points 19b and 19c.
• We also ask for a definition of a robust enough/sufficiently reliable document for identification and verification.
The EBF would like to note that the overall approach in the Guidelines to apply restrictions to services and products and transactions to/from high-risk countries is welcome and provides good guidance.
Targeted and proportionate limitation of access to products or services (Guideline 20)
In relation to targeted and proportionate limitation of access to products or services, the EBF would like to emphasise the importance of maintaining the condition that the prescribed activity should be put in place only if permitted under national law, currently provided by the draft Guidelines in Guideline 20.
As an example to illustrate the importance of the aforementioned condition, the banking legislation of some Member States do not explicitly provide for the differentiation of products based on AML parameters. Therefore, a question arises as to whether such a provision in the EBA guidelines is sufficient to be compliant also with national law. The risk profile, moreover, may be susceptible to changes throughout the relationship, thus making the management of the customer relationship very complex.
In addition, we recognise the benefits of the adaptations laid down in this paragraph and EBA’s recognition that this will only be possible “where permitted by national law”. Such clarification is helpful given the reasons presented above.
Moreover, in view of the EBF, the proposal to impose targeted restrictions such as the amount or the number of person-to-person transfers of the amount of transactions to and from third countries is in contradiction with the Article 17(4) of the AMLD4 which provides that “Member States shall ensure that a payment account with basic features allows consumers to execute an unlimited number of operations in relation to the services referred to in paragraph 1.”
First, we believe that the following statement in Guideline 21c (page 24) needs clarification: “…limits on the amount and/or number of person-to-person transfers (further or larger transfers are possible on a case-by-case basis)…”. If the intention is to restrict transactions to other private individuals, the execution thereof is highly dependent on the technical possibility to establish whether the counterparty account holder is a private individual or legal entity.
Second, in Guideline 21e (page 25) the mitigating action reads as follows: “…limits on the size of deposits and transfers from unidentified third parties, in particular where this is unexpected…” and requires further explanation. When does a party qualify as “unidentified” and when does such a deposit or transfer qualify as “unexpected’? It is difficult to envisage situations where a deposit or transfer from an unidentified third party is to be expected and in general will be unexpected.
We understand that this measure is aimed at protecting customers who are in a situation of vulnerability due to lack of knowledge and/or experience in banking services, such as consumers, who today benefit from a system of protection reinforced by the legislator through Community consumer law, which expands the obligations on transparency and information of the obligated parties to prevent consumers from not being able to exercise their rights due to lack of knowledge.
With regard to other customers, we understand that the main objective of these guidelines is to improve their access to banking services. However, non-consumer customers would not suffer vulnerability due to lack of knowledge about where to address a complaint, but for other reasons, so the imposition of this communication to obliged parties would not represent a significant improvement in the access to banking services by non-consumer customers.
Likewise, and taking into account that specific processes already exist to protect the most vulnerable customers due to lack of knowledge about the banking system, the inclusion of this obligation would mean an additional workload for obliged entities that we do not consider necessary, taking into account the already existing protection for consumers in the European regulation.
We hence fear that the proposed measure does not respect the principle of proportionality since, on the one hand, it would implement a burdensome measure for the obliged entities, which does not truly contribute to reinforcing the protection that consumers (the only group of clients that really needs this protection) already receive by the legislation that already protects them.
This is the reason why we consider that the best approach would be to follow the current regulation and, therefore, to delete Guideline 22.
If this is not feasible, as an alternative we suggest to elaborate on the scope of this guideline. We suggest to clearly state that the scope is limited to refusals and terminations of client relationships for ML/TF risks. Other reasons for refusing or terminating client relationships should be out of scope.