With regard to question a) of the consultative document, in the view of EBIC the draft guidelines appear to reflect the revised standards of the Financial Action Task Force (FATF) as well as the Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (4. AMLD) and contains guidelines on risk factors that consider to some extent the practices prevalent in the banking industry. Although EBIC commends the efforts of the ESAs to provide supervisory guidelines on good practices we have some concerns regarding the draft’s impact on the risk based approach of firms, on proportionality and the efficiency of AML/CFT measures.
Some aspects of the said draft guidelines go beyond the scope of the requirements laid down in the 4. AMLD and in some cases obliged entities could not be able in practice to conduct the activities requested. For example many provisions pre-suppose that firms/obliged entities have positive knowledge on issues like customers reputation, adverse media reports, links of customers with high risk, abuse office for private gain etc. Although financial institutions may incidentally have knowledge on these issues resulting from their monitoring and research it should not be expected by supervisors from the outset. Specific points where the text goes beyond level I legal requirements are listed further below.
Moreover, several provisions appear in contradiction with certain public authorities’ expectations regarding recent developments in Europe. In particular EBIC sees a lack of clarity in the draft Guidelines on the expected risk prevention measures and demands to offer basic customer services associated in light of the current migration crisis (see comments on paragraphs 59 and 99 further below).
Furthermore, EBIC finds that the text does not take due consideration of the principle of proportionality by proposing requirements that would pose serious and – to some extent - indomitable challenges for the European banking industry as a whole and especially for small and medium sized banks (see for example comments on paragraph 20 below)
In terms of efficiency, EBIC finds that the draft does not sufficiently take into consideration the importance for obliged entities to have access to public information on risk factors such as registers of beneficial owners as required by the 4. AMLD and information on equivalent countries often mentioned in the Directive (see comments below on paragraph 23). The Guidelines should lay more stress on the public domain and sources of information to provide informational and legal certainty to firms/obliged entities. In this context we would welcome a paragraph that emphasizes that the processing of personal data for the purposes of the 4. AMLD is a matter of public interest as stated in Article 43 of the 4. AMLD and that under the conditions laid out in the Directive these provisions override data protection concerns (e.g. concerning the collection of data on the customer’s reputation) as was also stated by the ESAs during the public hearing. Otherwise, the effective implementation of the guidelines could be hampered.
Predictability and Reliability
In the public hearing on the draft Guidelines on 15 December 2015 the ESAs stressed that the Guidelines shall give input for an effective mitigation of AML/CFT risks and that they should not lead to a “box-ticking-exercise”. While the general line of this argument is to be welcomed financial institutions have to be able to have a high level of certainty that by complying with the guidelines they largely fulfill expectations of supervisory authorities as well as auditors which usually use such standards for their assessments. The risk indicators mentioned in the Guidelines represent a basis for the firms’ system of preventative measures. Firms should be able to trust in this basis. Of course, risk indicators may develop and change over time and firms should take this into account. Further, they should be allowed to follow also other indicators if their business model rules out other indicators. However, if an obliged entity follows the risk indicators in the Guidelines as they stand, this should be an important indication for a sound risk based preventative system. If new risk indicators appear, they should be evaluated and – if proven valid – been integrated into the Guidelines. Such a more flexible and adjustable form of Guidelines could improve the interaction between rules and implementation significantly and could help a lot to improve the overall translation of the risk based approach.
We would also like to insist on the need for the ESAs / national supervisory authorities to regularly update industry representatives on the state of play of the interpretation/implementation issues experienced by individual obliged entities of the guidelines in order to allow for a representative banking industry feedback. This is essential for a good engagement and dialogue between the industry as a whole and the supervisors as mentioned in paragraph 64 of the draft guidelines.
The drafts list a very high amount of possible risk factors presented as questions. From past experience one can say that the risk with such “examples” of risk factors is that they are often translated by national authorities and auditors as “hard risk indicators” which are then to be checked with each customer. In the public hearing the ESAs have clearly stated that these guidelines were not just guidance but clear supervisory standards and expectations that firms and obliged entities have to meet.
Therefore, it is crucial that the Guidelines contain a clear statement that implementation is a presumption for compliant behavior. This does not exclude implementation of other risk factors if addressees of the Guidelines believe this is appropriate.
The proposed structure by types of business is clear enough, especially for a text that is not supposed to introduce new legal requirements (Level I). A legally driven classification would not necessarily provide more clarity. However, in addition to our comments under question b) we would like to insist on the fact that it should be more clearly stated along the text that firms/obliged entities may within a Risk Based Approach decide not to use all the risk factors provided in the Guidelines but individual sub-sets thereof specifically suited to their business models and risk profiles so that they do not fall into a “compliance risk gap”.
Finally, we would like to stress that following the recent terrorist attacks in Paris the EU has insisted on a rapid transposition of the 4. AMLD. In those Member States where the Directive is transposed before the formal deadline, 26 June 2017, firms/obliged entities should be able to have at their disposal the final set of the ESA’s risk factor guidelines. We therefore urge the ESAs to quickly adopt a final text. However, wherever the guidelines goes beyond the provisions in the Directive it should be clearly stated that national authorities leave obliged entities enough time (at least two years) for implementation.
We would very much appreciate if the ESAs could consider our comments while finalizing the Risk Factors Guidelines. Should you require further information concerning the issues stated above please do not hesitate to contact us.