With regard to question a) of the consultative document, in our view the draft guidelines reflect the re-vised standards of the Financial Action Task Force (FATF) as well as the Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist fi-nancing (4 AMLD) and contains guidelines on risk factors that consider to some extent the practices prevalent in the banking industry. However, we retain certain concerns regarding the impact of the Di-rective, and its risk assessment guidelines regarding the risk based approach of firms, on proportional-ity and the practical efficiency of AML/CFT measures.
It has been our understanding that the Directive aims to provide a proportionate risk based regime and aims to provide suitable due diligence for all types of transactions. This is welcomed, however, by its nature the risk based approach espoused by the Directive, and as the approach is elaborated upon within these draft guidelines, provides little comfort for obliged entities of a certain scale that ordinarily systemise their obligations and which now appear to require an individual subjective analysis of many otherwise “ordinary” transactions. Through the public hearing held at the EBA on the 15 December, we understand that the supervisory authorities do not envisage any kind of “tick-box” exercise, such as currently the exercise that is often used by smaller obliged entities, as suitable under the new regime. Larger, better resourced institutions will be far better placed to absorb the increased regulatory cost than will smaller obliged entities. The impact of that cost will be borne by one of two parties, the cost will be absorbed by the ordinary customer or by the obliged entity. Larger, better resourced obliged
entities, that also carry a greater risk of AML/TF, have a better capacity to absorb that cost. As such, it is our view that this may have a disproportionate effect on smaller, less systemic obliged entities and may have an impact on market place competition. Without explicitly allowing for some kind of system approach for smaller obliged entities, with what could be described as a homogenous type of ordinary business, it remains likely that obliged entities, whose business involves large numbers of smaller, lower risk transactions will need to bear a burdensome disproportionate cost, or need to pass that cost on to the customer. Practically speaking, this may result in them choosing to implement a systematic approach and seek to later justify their systematic approach to their own national supervisor when asked.
More generally to the above point regarding scale and proportionality, the Directive will require an up-scaling of relevant compliance department sections within obliged entities and, as risks are being more individualised, it is unclear whether this approach will actually improve the monitoring of money laundering activity. We fear that the practical effect may be that the current rate of attempted money laundering will continue, but the new regime will have shifted the responsibility to mitigate against in-cidences of money laundering almost entirely to the obliged entity. Whether this is advisable, when facing commercial pressures and very real problems considering the assumptions of “positive knowledge” regarding particular customers, a lack of sufficient public information on equivalent coun-tries, and issues regarding the detail that will be available on public registers for beneficial ownership, is questionable. In light of this, we believe that the Directive, and its risk assessment guidelines, could have provided more legal certainty.
Finally, the general approach of using risk factors which are of an indicative and non-exhaustive nature inevitably fosters a risk of regulatory fragmentation and thus potentially a distortion of competition across the EU. It is likely that different obliged entities and supervisory authorities will develop different understandings of the impact of certain specific risk factors. The outcome of an assessment of several interacting risk factors will be even less predictable. We appreciate and accept that using risk factors this way is part of the new balanced risk-based approach, however, we also hold the view that the su-pervisory authorities at the European level should keep an eye on this in the interest of maintaining a level playing field across the EU single market, in the interest of both companies and their clients.
The structure by business type is clear, however, we retain a concern that certain national authorities and regulators may be inclined to replicate these guidelines as “hard” indicators of risk, and not use them in the fluid manner foreseen by the ESAs. We would hope that the ESAs could include a clear provision or statement to clarify that, if possible.
Further Comments on Title III
Specifically as regards Title III, in Chapter 2 paragraph 98 and paragraph 99, Leaseurope/ Eurofinas believe slight alterations should be possible to clarify the text:
1. Paragraph No. 98, First Bullet: Considering the eIDAS and policy moves towards a digital sin-gle market, we think this paragraph should also acknowledge non face-to-face transactions as outside this idea of “anonymity”, where there exist certain safeguards, such as the digital sig-nature or other technological possibilities such as the use of video identification (we understand it is already permitted in Germany) and in general all other upcoming technical solutions in the field of remote identification (e. g. biometrics). The first bullet point (“the product’s features might favour anonymity”) could be interpreted to include non face-to-face transactions that use other security measure such as the digital signature. The Directive has recognized this at Annex III,2 c) however, for consistency, we think non face to face transactions should be referenced in this paragraph also, together with the express exclusion of those non face-to-face transactions that use additional safety measures such as the digital signature, in paragraph 98. Such as it is present as the first bullet point in Annex III to the Directive (directly before point 2 c)).
2. Paragraph No. 98, Third Bullet: We feel that, while obliged entities should naturally consider extra territorial customers in a more comprehensive manner within their risk assessment pro-cess (as would be usual), this provision in paragraph 98, describing cross border transactions as an explicit indication of a higher risk, is against the drive to unify the single European market and should be removed.
3. Paragraph No. 99, First Bullet No. iii: We feel that this point can be split into two points. Firstly, “A low value loan facility, such as a low value consumer credit facility”, and secondly “A facility where the legal and beneficial title to the asset is not transferred to the customer until the con-tractual relationship is terminated” should be detailed as separate and distinct indicators of lower risk.
4. Paragraph No. 99, First Bullet No. iii: Additional to point 3, the proposed new point “legal and beneficial title to the asset is not transferred to the customer until the contractual relationship is terminated” should be extended to include a situation involving a facility where the legal and
beneficial title is never passed at all. It is accepted that this may be implicit, but an explicit recognition would be helpful.
5. Paragraph No. 99, Third Bullet: We specifically welcome the inclusion of this provision, explic-itly recognising as an accepted indicator of lower risk, transactions that are carried out through an account held in the customer’s name at a credit or financial institution that is already the subject to AML/CTF requirements equivalent to those required by the Directive. This provision is helpful in that it will assist obliged entities when dealing with customers that have already been the subject of, and continue to be subjected to AML/CTF checks, by a regulated obliged entity.
6. Paragraph No. 106, First Bullet: We like to point out that avoiding multiple customer due dili-gence requirements of the same kind is an important issue. The potential requirement of verify-ing the customer’s identity on the basis of more than one reliable and independent source seems to be unhelpful. If there is a need for a second source to identify the customer, the first form of identification is therefore considered unreliable, which should not be the case.