We would welcome an additional definition and/or clarification on the difference between NPOs and NGOs in the Guidelines, as these are often mixed up. Furthermore, ML/TF risk is defined as the likelihood and impact of ML/TF taking place. We recommend deleting the ‘impact’ criterion from the definition since the impact is always severe when it comes to TF and therefore the risk might be assessed as higher than it actually is. This would contradict the aim of the new rules to avoid de-risking activities. The assessment would not be nuanced for entities at risk (for example because they are in a conflict zone) and the new rules would fail in their aim if everything were considered high risk based on the impact criterion. Therefore, we believe it would be better to avoid the ‘impact’ criterion in the definition of ML/TF risk or at least ask for clear guidance on what weight should be given to impact compared to likelihood when assessing the risk.
Despite the explanation of the exemption for payment institutions (PIs) and electronic money institutions (EMIs), we highly recommend including PIs and EMIs as subjects which need to act in line with the Guidelines. This is relevant, as PIs and EMIs generally have several NPO clients due to their practical experience. It is therefore necessary that PIs and EMIs have the same de-risking and risk mitigation standards as credit institutions and financial institutions. Otherwise there is a risk that NPOs to which the due diligence rules have not been applied correctly (i.e. in compliance with the EBA Guidelines) might enter the financial system indirectly (as merchants, i.e. clients of PIs and EMIs). Moreover, we would welcome clear rules and/or definitions on what proof is needed to identify a person as a ‘refugee’ or ‘homeless individual’ so that the alternative identification documents can be deemed sufficient. For example, would it be sufficient to show the paper of an asylum request? If no exhaustive list is provided, credit and financial institutions run the risk of applying the less stringent identification regime to criminals who pretend to be ‘refugees’ or ‘homeless individuals’. Therefore, and in order to provide legal certainty, we strongly recommend listing (exhaustively) the proof needed to accept alternative ways of identification as laid down in the rules.
The Guidelines do not sufficiently describe the situation where a client has been reported for suspicion of ML/TF. If the credit institution decides to terminate a business relationship with such a client (or applies the process for this “category of clients”), it does not constitute de-risking, but is an adequate response to a suspected crime.
If the Guidelines conflict with a provision of the national rules, the provision of the national rule shall prevail to the extent of the conflict.
As an example, section 19.b of the Guidelines states that: ‘Credit and financial institutions’ policies and procedures should contain guidance on handling applications from individuals that may have credible and legitimate reasons to be unable to provide traditional forms of identity documentation. These should set out at least:
b. The steps to take where the customer is vulnerable and cannot provide traditional forms of identification or does not have a fixed address, for example because they are homeless. Institutions’ policies and procedures should specify which alternative, independent documentation it can rely upon. This documentation may include expired identity documents…’
Under article 6(4) of the Spanish AML Royal Decree 304/2014, expired identity documents are neither acceptable for business relationships nor for occasional transactions.
We would appreciate some clarification on whether the supervised entity would be compliant with section 22 of the Guidelines by only providing the customer with the weblink of the EBA’s suggestions on the submission of complaints to national bodies.