In the sections below, as requested, we provide detailed input per section. We would like to use the opportunity to make a couple of general remarks:
First, we would like to underline the importance of consistency in policy guidance, also in an international context. We fully support the ESAs' attempt to further supervisory convergence within the EU by updating their Guidelines on ML/TF risk factors. There are ample examples of requirements and policies being applied differently across EU jurisdictions. A notable example is the treatment of AISPs and PISPs (see below for further detail). In general, open wording leads to significant differences in interpretation and application across Member States. This makes it virtually impossible for pan-EU operating banks to apply EU-wide, let alone global, KYC policies and operating standards.
Second, as also pointed out in Question #5, it is of paramount importance that the conflict between the GDPR and the AML-D requirements is resolved. The GDPR (or national interpretations of it by Data Protection Authorities) restricts obliged entities in collecting, analysing, storing and sharing personal data, while the processing of those data is required for, among other things, conducting CDD, monitoring, investigating and reporting unusual and suspicious transactions, and identifying ultimate beneficial owners under the AML-D. The ESA Guidelines should explicitly state that the processing of such data for the purposes of the AML-D is allowed. Naturally, strict safeguards should be in place in accordance with the GDPR.
Third, based on these revised Guidelines, all EU regulators should harmonise the obligations for AISPs and PISPs. The newly added guideline #18 states that the inherent ML/TF risk associated with payment initiation service providers (PISPs) and account information service providers (AISPs) is very limited, even though those entities are obliged entities under the AML Directive (EU 2015/849). Regulators across Europe, however, differ in their views on what an AISP or PISP should do to comply with the law. Some have even excluded these service providers from the obligation to conduct CDD. One can observe concentrations of TPPs registering in certain Member States where regulatory requirements are low. A level playing field within the EU is important. The Guidelines should ensure that the obligations that apply to AISPs and PISPs are applied in exactly the same way in all EU jurisdictions. In our comments on guideline 18 below, we have added more specific input.
Fourth, a new Guideline (10.15) was added to reflect the new Article 18a of the AML-D. Enhanced due diligence is required on clients "associated with/involved in" high-risk countries. We believe, as we also pointed out in our consultation response to AML-D5, that the term "associated with" does not provide a proper basis for conducting enhanced due diligence. There may be many clients with some kind of association with high-risk countries without bearing a higher risk per se. In our view, the Guidelines should specify what "associated with" means. Clearly, clients that are established in, or have their residence or statutory seat in, a high-risk country do qualify for EDD.
On the definitions section:
Definition of Risk appetite.
The risk appetite could also include the willingness of a firm to accept certain types of risk, as some entities may be more risk-averse than others. In addition, the risk appetite can be seen from the perspective of which types of risk will not be accepted, not only which will. Therefore, we suggest rephrasing as follows: "Level of risk a firm is prepared and willing to accept or not."
A yearly business-wide update may not be very practical for global banks. An updated business-wide assessment should not be tied directly to a fixed time frame. A risk assessment can be valid for up to 3 years. The entity can, however, update the assessment of certain risk factors more frequently to capture any change of circumstances. This will of course affect the business-wide risk, but there should be no expectation to redo the entire assessment. Therefore, we suggest rephrasing as follows:
"Setting a date on which the next business-wide risk assessment update will take place, which should not be more than 3 years after the last update, and setting a date on a risk-sensitive basis for the individual risk assessments to ensure new or emerging risks are included."
In respect of business-wide risk assessments,
c) Processes to capture and review information on risks relating to new products, new services and new compliance systems and controls.
Please add the following: "including, if applicable, new distribution channels."
A general comment on this section relates to definitions:
• FATF and the EU Directive mention risk factors related to: customers, countries or geographic areas, products and services, transactions or delivery channels. These risk factors are mandatory and drive the risk assessments. However, firms may include other risk factors if they wish and consider it appropriate.
• At the same time, Annexes I and II of the EU Directive set out a non-exhaustive list of "factors", not "risk factors". These factors are more like variables that could be taken into account in order to assess each of the risk factors.
Therefore, we suggest ensuring better alignment, so as not to create the expectation that firms must assess every single factor as a risk factor, and to leave institutions some freedom in how they perform their risk assessment.
We suggest rephrasing as follows:
"Firms should consider the following risk factors as the basis for their risk assessment:
Customers, countries or geographic areas, products and services, transactions or delivery channels. Firms may include others if relevant.
Those risk factors may be assessed using the non-exhaustive list of factors set out in Annexes I and II of the Directive. Such factors are not exhaustive, nor is there an expectation that firms will consider all factors in all cases."
An important element of customer risk is the customer's structure.
We therefore suggest adding: "d) The ownership and/or control structure of the customer (only applicable to legal entities)"
We suggest deleting the word "Risk" to preserve the distinction between a risk factor and a factor. The questions that follow are variables/factors to take into account when assessing the customer risk factor.
Delete: "include bearer shares, fiduciary deposits, offshore vehicles and certain trusts, and legal entities such as foundations that can be structured in such a way as to take advantage of anonymity and allow dealings with shell companies or companies with nominee shareholders."
The deleted examples relate more to the complexity of the customer's legal structure than to financial products or services. Therefore, we suggest moving these examples to section 2.6.
In this paragraph (2.17), examples could include: accounts that allow the customer to be identified by an alias or a number, or certain prepaid cards that allow anonymity.
FATF and the Directive mandate that the minimum risk factors are: customers, countries or geographic areas, products and services, transactions or delivery channels. This sentence gives the impression that firms can choose which risk factors to include.
Therefore, we suggest rephrasing as follows: "Firms should use the risk factors to assess the overall level of ML/TF risk. Firms may include additional risk factors, and may use any of the factors to support the assessment, or include any other relevant one."
Please insert the word "risk" between "weigh" and "factor".
Please delete "business lines".
A business line should not carry a perceived level of ML/TF risk, as this can lead to de-risking by suggesting that some business lines are inherently riskier than others. A business line should be a factor to take into consideration, but should not necessarily be assigned an ML/TF risk level per se.
We suggest changing the words "customer's ownership and control" to "transactional activity or behaviour".
Otherwise the text suggests that only the ownership and control structure can give rise to suspicion, or that a complex structure is suspicious per se, which is misleading.
“They are satisfied that the reason given by the customer as to why the natural person who ultimately owns or controls the customer cannot be identified is plausible.”
Please delete this, as it is not included in the Directive and sets an additional requirement.
This introduces an additional requirement to perform a risk assessment. The quality of the evidence can be a factor, but should not be phrased as mandatory. In addition, the independence and reliability of sources may vary without necessarily having a negative impact on the customer risk. For example, for customers with very simple products or under SDD, a less reliable source as evidence of certain elements should not necessarily lower the risk rating of that customer.
We suggest rephrasing as follows:
"Firms could assess the risks associated with each type of evidence provided and the method of identification and verification used, to ensure that the method and type chosen are commensurate with the ML/TF risk associated with the customer."
Simplified due diligence 4.41
We would add: "threshold settings depending on the bank's risk appetite statement. When thresholds are applied, it needs to be documented which thresholds apply per customer segment and why those thresholds were chosen."
We suggest deleting this point, as the Directive does not specify that these situations are to be considered high risk, and it is repetitive with point 4.47. The Directive only mandates the application of enhanced CDD measures: AML-D Article 18(1) requires obliged entities "to apply enhanced customer due diligence measures to manage and mitigate those risks appropriately", and Article 18(3) refers to "the factors of potentially higher-risk situations".
Treating all these situations as automatically high risk will not allow firms to correctly identify risks, nor to apply measures to manage them. These situations can be potentially higher-risk, but once the enhanced measures are applied the risk can be reduced, as the potential is mitigated.
As these PEP lists are sometimes provided by independent entities, firms cannot "ensure" they are up to date; they can only request a more accurate and updated product from those entities. Therefore, we suggest rephrasing as follows:
"Firms that use commercially available PEP lists should fully trust them if they can be sure that these lists are up to date. Firms should take additional measures where necessary, for example in situations where the screening results are inconclusive or not in line with the firm's expectations."
Enhanced due diligence 4.64
"This may include establishing the destination of funds or ascertaining the reason for certain transactions." -> The rationale for transactions needs to be ascertained even for low-risk customers, not only for customers subject to enhanced due diligence.
Other considerations 4.67
We suggest adding: "even when the transaction(s) has/have not been processed/carried out".
Customer due diligence 4.7
It is not clear what is meant by compensated by "enhanced monitoring".
Transaction monitoring 4.72
Firms should ensure that their approach to transaction monitoring is effective and appropriate, by having a written process in place to test the effectiveness of the transaction monitoring system.
Transaction monitoring 4.73
What is meant by "without undue delay"? Does the period start after detection by the tool, or after the transaction took place? We encounter many differences per country. This should be harmonised within the EU.
Transaction monitoring 4.74
"In addition to real time and ex-post monitoring of individual transactions, and irrespective of the level of automation used, firms should regularly perform ex-post reviews on a random sample taken from all processed transactions to identify trends that could inform their risk assessments, and to test the reliability and appropriateness of their transaction monitoring system." In our view, it should be added that obliged entities need to take samples to check whether any transactions were missed, not only to improve the transaction monitoring system but also to take action in case a transaction was overlooked.
Considering the data protection laws and what is established in recital 14 of the AML-D, we suggest including a paragraph stating:
"5.3. In accordance with the AML-D, the collection, analysis, storage and sharing of data should be permitted, while fully respecting fundamental rights, for the activities required under the AMLD, such as, but not limited to, carrying out customer due diligence, ongoing monitoring, investigation and reporting of unusual and suspicious transactions, identification of the beneficial owner of a legal person or legal arrangement, identification of a politically exposed person, sharing of information by competent authorities, and sharing of information by credit institutions, financial institutions and other obliged entities."
Assessing effectiveness can be very subjective. This section does not give enough guidance on what constitutes an effective AML/CFT preventive system in order to assess it. The AMLD does not mandate an effectiveness assessment, and FATF only speaks of monitoring or testing the system.
Therefore, we suggest rephrasing this section as:
Guideline 7: Reviewing or Testing.
7.1. Firms should regularly review or test their AML/CFT internal policies, procedures and controls, and determine the frequency and intensity of such reviews, to ensure that the approach is consistent with and reflects the nature and size of their business and the level of ML/TF risk to which they are exposed.
Respondents based in non-EEA countries 8.17
We believe transaction monitoring controls need to be in place to monitor the FEC risks associated with correspondent banking activities, not merely "for example". Paragraph 8.10 also states that post-transaction monitoring is mandatory for correspondent banks, so making this mandatory here would be consistent.
Customer risk factors 8.6
The following factors may contribute to increasing risk: the respondent's failure to provide the information requested by the correspondent for CDD and EDD purposes (we suggest adding "and TM purposes"), and information on the payer or the payee that is required under Regulation (EU) 2015/847.
Enhanced due diligence 9.13
"Increasing the frequency of transaction monitoring." -> or the intensity, for example by setting a lower threshold.
We suggest rephrasing to: "Financial arrangements involving jurisdictions associated with higher ML/TF risk, or countries that have a culture of banking secrecy or that do not comply with international tax transparency standards (tax havens)". Not all tax havens are regarded as high ML/TF risk countries, and vice versa.
For tax carousel fraud this is not correct: excluding the EU/EEA will limit the alerts generated for this kind of offence.
Specifically for this new part of the requirements applicable to AIS/PIS, a level playing field within Europe is of the utmost importance. It should be clear that within the EU Member States, AIS and PIS are in scope of the AMLD requirements.
Delete the last part of the sentence ("or to someone with known links to those jurisdictions"), or specify what kind of links are meant, because the current text is not sufficiently specific. For instance, every transaction from any large international corporate selling retail goods all over the world would carry an increased risk on this factor, because such corporates have branches located in high-risk jurisdictions.
In 18.4 the EBA obliges PISPs and AISPs to monitor the transactions of their customers. In principle, an AISP has more information about the client than a single bank, because it receives account information from different banks. However, monitoring this information is a challenge for the following reasons:
1. Account information is not the same as payment transaction data; fields necessary for effective monitoring are missing or combined into one field.
2. Not all ASPSPs structure (the content of) data fields in their APIs in the same way.
3. Not all ASPSPs send the same amount of data: some share 3 months of data, some 9 months and others a year.
Without more harmonisation and standardisation of the API data, the obligation to monitor account information is less effective and therefore less useful in the fight against financial economic crime.
In 18.4 under c. it is mentioned: "customer receives funds from, or sends funds to, jurisdictions associated with higher ML/TF risk or to someone with known links to those jurisdictions."
The last part of this sentence could lead to discussion, because the term "known links" is so vague that every large company with activities in high-risk countries would have to be flagged.