Some requirements laid out in the Annex on customers that are NPOs are unworkable and excessively costly. The proposed guidelines could, consequently, exacerbate de-risking instead of containing it. This dilemma affects, in particular, the requirements to obtain a “detailed list of staff and beneficiaries for each of its activities” (p.13, paragraph 9, point e) and a “reasonable assurance” that the NPO conducts its activities in line with the exemptions provided in the EU/UN financial sanctions regime or that it benefits from a derogation granted by a relevant competent authority (p.15, paragraph 12). Sketching out the transactions that an NPO will likely request based on detailed staff and beneficiaries lists across activities, for instance, would be particularly challenging for multinational and crowdsourced (open call) NPOs whose staff are widely spread and operations frequently ad hoc. In this scenario, the difficulty in obtaining sufficient information, in terms of their potentially poor quality and high costs in the face of low profitability, would encourage rather than remedy de-risking. Ultimately, NPOs could be hindered in their operations, and, especially small NPOs might have to revert to less transparent means to send and receive payments.
The EACB thus suggests that the EBA makes the requirements that the Annex on NPO customers covers more workable and risk-appropriate. In this context, questions arise about whether firms may pass on these requirements to clients and whether only an initial assessment or the continuous maintenance of this information is necessary for clients that are an NPO for the first time.
The EACB regrets that the present guidelines address only obliged entities as defined in Articles 3(1) and 3(2) of Directive 2015/849/EC (AMLD4). More specifically, because they ultimately refer to Annex I of Directive 2007/64/EC, the guidelines cover an outdated array of payment services. By exempting, for example, account information services (AIS) and payment initiation services (PIS), the present guidelines could upset the playing field. Even following the public hearing on January 10, 2023, it remains unclear to the EACB how the EBA intends to solve this issue with the review of Directive 2015/2366/EU (PSD2), as the proposed AMLD6 does not, at this point, include a similar mandate for guidelines.
While the EACB appreciates that the present draft guidelines intend to ensure vulnerable customers’ access to financial services (paragraphs 9 and 10), we would like to highlight that they contradict rather than complement the currently practised approach to managing ML/TF risks. In essence, the draft guidelines are too prescriptive, resulting in a general obligation for credit and financial institutions to conduct contracts with natural and legal persons that they would otherwise not pursue under the established methods for identifying and dealing with ML/TF risks. The guidelines would thereby, firstly, push banks to thwart Financial Intelligence Units’ advice, which regularly issue warnings against certain groups. These messages and banks following them do not violate Article 21 of the Charter of Fundamental Rights (CFR) on non-discrimination. Subsequently, they do not necessitate the protection that the present guidelines seek. They, however, secondly, limit banks’ freedom to conduct business as enshrined in Article 16 of the CFR. The benefit from these guidelines for the few customers who are wrongfully denied access to financial services is, therefore and thirdly, outweighed by the burden that the EACB expects them to impose upon the banking sector.
Within the general requirements section, the EACB would further like to draw your attention to paragraphs 11 and 12, which equally contradict current practices. Banks can no longer take general risk-minimising measures, wherefore these cannot be outlined in their policies, procedures and controls. Such an obligation under the current guidelines would contradict the independent decision-making duty of the board of directors. It would also restrict the management’s discretion in business policy decisions and therefore infringe upon the freedom to provide services.
The section on applying restrictions to services or products could lead to an undue burden for monitoring systems by creating new categories of business relationships across various products and services.
Additionally, the above-mentioned FIU warnings show that the fraud potential of particular groups should be considered by the addressees when restricting access to (online) products or services.
The requirements laid out in the “Complaint mechanisms” section disproportionately grow the volume of documentation, which may be traced back to, especially, the EU General Data Protection Regulation.
Additionally, handing over the respective report to each rejected customer could create a large volume of legal actions, cumbersome bureaucracy for Member State’s legal systems, overburdening them, and liability issues for the responsible bank employees.