Response to consultation on draft Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on customer due diligence and ML/TF risk factors
Question 1: Do you have any comments with the proposed changes to the Definitions section of the Guidelines?
NA
Question 2: Do you have any comments on the proposed amendments to Guideline 1 on risk assessment?
As available local guidances have differences the added guidance on business-wide risk assessments will be likely helpful in harmonising the practices and achieving a good dialogue with the different supervisors.
1.16-1.17 regarding proportionality and implementation of a business-wide risk assessment and 1.18 “Firms should use the findings from their business-wide risk assessment to inform their AML/CFT policies and procedures”.
Comment: It would be helpful if the guidance could further specify the expectations on the firm to appropriately act upon the update of a business-wide risk assessment.
It may be interpreted as all measures, at all levels, which the firm takes to mitigate risk should be justified by one document. As the statement is rather wide by nature, clarity on the types of “procedures” which, at a minimum, merit an update/review following the business-wide risk assessment would be very helpful. (Similar to the new guidelines 1.12-1.14 which specify the sources of information firms should use to inform their business-wide risk assessment.) Providing clarity on the procedures a firm should update will have a direct impact on the firm’s ability to appropriately act upon the results of its business-wide risk assessment. For example, the guidance does not mention the link between the business-wide risk assessment and the efficient allocation of resources.
In addition, similar to the FATF guidance on Risk Assessment (Feb 2013) section 1.4, the guidance could expand to cover who is the user of the ML/TF risk assessment. “The form, scope and nature of ML/TF risk assessments should ultimately meet the needs of its users/…/”. The business-wide risk assessments should primarily meet the needs of e.g. senior management and the firm’s regulators. The primary users of the business-wide risk assessment are not operational staff, however they will benefit from the results via, for example, the firm’s awareness and/or targeted training.
1.4 is new and states that firms need to record and document their business-wide risk assessments as well as any changes made to the risk assessment in a way that makes it possible for the firm and for competent authorities to understand how it was conducted and why it was conducted in a particular way.
Comment: It would be helpful to provide further guidance on minimum record keeping requirements as we foresee this to be an issue with different regulators.
2.11c states that firms should consider “the quality of the jurisdiction’s AML/CFT controls, including information about the quality and effectiveness of regulatory enforcement and oversight”, meaning the effectiveness of the AML/CFT measures and not the prudential side, from our understanding. If we consider the different listed examples of “credible and reliable sources”, in most cases there will only be one report available about the measures, not several, for the following reasons:
A country will only be assessed by the FATF or an FSRB (not both),
The IMF do not, on an ongoing basis, undertake country specific reports, besides the FSAP assessment (or DAR, which is published as an FATF report). The FSAP assessment does not consider the AML-CFT area, as this is assessed by the International Standard setter of the AML-CFT area (as recognized globally at both country level and by a number of independent organs (e.g. G20 and the UN)) = the FATF.
Comment: We seek clarification on the sources to consider when assessing country-specific risks. In our view, either the para should be revised to mention “one or more credible and reliable source” or other examples should be added to the subparagraph.
Question 3: Do you have any comments on the proposed amendments to Guideline 2 on identifying ML/TF risk factors?
2.9(c) has been amended to specify that, when identifying the risks associated with countries and geographical areas, firms should also consider the risk related to which the customer or the beneficial owner has ‘financial or legal interest’;
Comment: The addition of 2.9c may be unhelpful if added in the way it is currently phrased. It is important that it can be made clear what is meant by “personal and business links, or financial and legal interests” and how these are thought to impact risk. Additionally, the guidelines should allow flexibility on how to take these risks into account. This is important to avoid the expectation that they become another standard item of CDD information to be collected, and to avoid customer risk assessment methodologies producing some unhelpful outcomes. For example, domestic customers with family members that were born in high risk countries being rated higher risk.
2.5a Adverse media reports
Comment: Adverse media is a key risk factor that should be considered as part of CDD activities and we welcome the guidelines on this. However, the EBA should be aware that there are jurisdictions, e.g. Finland, that do not allow this today.
2.21(a)(i), “considered whether there is a risk that the customer may have sought to avoid face-to-face contact deliberately for reasons other than convenience or incapacity”
Comment: It would be helpful here to clarify that this guideline only applies where a face to face channel was available to the customer, and where the specific circumstances of the customer make it potentially unusual or suspicious that they have declined a face to face meeting. In today’s digital world, an increasing number of customer meetings are taking place in other channels than physical meetings (face-to-face) and there must not be a tick-the-box requirement to always consider this as suspicious.
Question 4: Do you have any comments on the proposed amendments and additions in Guideline 4 on CDD measures to be applied by all firms?
4.7 firms are supposed to clearly define at what point a series of one-off transactions amount to a business relationship.
Comment: From our perspective it would be beneficial if the competent authorities have the same rules, so we do not have different rules in different jurisdictions. E.g. in Sweden the SFSA has stated that 12 transactions during a 12-month period will normally constitute a business relationship, while the Danish FSA does not have similar guidelines.
4.9 “Firms should carefully balance the need for financial inclusion with the need to mitigate ML/TF risk”.
Comment: This is a difficult balance that banks today are doing their best to manage. It would be more helpful to get clearer guidance of where to draw the line between inclusion and financial crime prevention, if authorities today think that banks have a too narrow (or too wide) definition of what to allow for. 4.9 should either be removed or further specified.
4.10 regarding that “firms should put in place appropriate and risk-sensitive policies and procedures to ensure that their approach to applying CDD measures does not result in unduly denying legitimate customers access to financial services. Where a customer has legitimate and credible reasons for being unable to provide traditional forms of identity documentation, firms should consider mitigating ML/TF risk in other ways”.
Comment: In the Nordic countries, private individuals do as a rule have means of secure identification. There may be temporary exceptional cases (theft, accident) where this is not possible.
The difficulties come with immigration of individuals who come from jurisdictions where ID systems are not so secure or where the individual did not manage to bring its ID into the country. It is already a difficult balance for banks to know when to allow these customers in, while securing that society is not put at risk by financial crime or terrorist financing.
To ensure financial inclusion, we would ask for additional clarification and guidance by local authorities of which types of ID should be acceptable for which level of service.
Comments on use of innovative technology/ non face-to face (4.32-4.37):
It is important that use of digital technologies and innovative technology is not prevented by too tight rules on face-to-face identification. The rules should be for cases where a customer - for no legitimate and credible reason – does not want to present himself. This is also the way we read the EBA guidelines, hence they are fine as now formulated.
4.38 and 4.39 set out the measures firms should take to establish the nature and the purpose of the business relationship.
Comment: It would be helpful if the guidelines could clarify that the measures / steps taken by firms to understand these points can be achieved by other methods than just collecting this from the customer as part of CDD. For example in some circumstances it may be possible for a firm to define the acceptable purpose and nature of its relationships within its own terms & conditions and fair usage policies, agreed with its customers.
4.55 states that measures in accordance with article 18 a (1) shall always be applied where a business relationship or transaction involves a high risk third country. The definition of a business relationship or transaction always involves a high risk third country is the following: a) if the funds were generated in a high risk third country; b) the funds are received from a high risk third country; c) the destination of funds is a high risk third country; d) the firm is dealing with a natural person or legal entity resident or established in a high risk third country; or e) the firm is dealing with a trustee established in a high risk third country or with a trust governed under the law of a high risk third country.
Comment: Guidelines regarding high-risk third countries are helpfully clarifying the AMLD5 requirements. We welcome this guidance.
4.74 a) states that “…Firms should ensure that transactions associated with higher ML/TF risk are monitored in real time wherever possible, in particular where the risk associated with the business relationship is already increased;”
Comment: Regarding proposals to include real-time monitoring as a tool for higher-risk transactions, this is in practice not realistic today and the guidelines should be changed to be more aspirational than mandatory. Real time monitoring occurs in Fraud and in Sanctions Transactions screening and for AML purposes, only for certain types of customer transactions. Transaction Monitoring for AML purposes monitors a number of customer behaviours and their transactions over varying time periods normally daily, weekly and monthly. Therefore it is not always possible to determine potentially suspicious activity from a single transaction as it is dependent on the specific circumstance or scenario that has generated the alert. Larger banks processes and monitors approximately 2bn transactions annually with approximately 250000 thousand alerts generated from the automated transaction monitoring system. These alerts are handled, investigated, discounted or ultimately filed as Suspicious Activity Reports.
When considering the potential volumes involved, the design and implementation of appropriate technical solutions for automated real time monitoring for AML purposes will be a significant undertaking for any financial institution. There is an aspiration in the industry to have sophisticated real-time, intelligent monitoring systems that could detect and stop payments with high precision but today, an automatic system that would halt transactions if indicators show potential suspicion, could either cause harmful disruption in payment flows (if the net is too tight) or be of no use (if the net is too loose). Finance Denmark is happy to support the development of EBA and industry thinking in this space.
(see also 8:25: “… Real-time monitoring of transactions is one of the EDD measures banks should consider in situations where the ML/TF is particularly increased...”)
Question 5: Do you have any comments on the amendments to Guideline 5 on record keeping?
NA
Question 6: Do you have any comments on Guideline 6 on training?
NA
Question 7: Do you have any comments on the amendments to Guideline 7 on reviewing effectiveness?
NA
Question 8: Do you have any comments on the proposed amendments to Guideline 8 for correspondent banks?
8.25 c) states that “…Firms should ensure that transactions associated with higher ML/TF risk are monitored in real time wherever possible, in particular where the risk associated with the business relationship is already increased;”
See comment on 4.74 above.
Question 9: Do you have any comments on the proposed amendments to Guideline 9 for retail banks?
NA
Question 10: Do you have any comments on the proposed amendments to Guideline 10 for electronic money issuers?
NA
Question 11: Do you have any comments on the proposed amendments to Guideline 11 for money remitters?
NA
Question 12: Do you have any comments on the proposed amendments to Guideline 12 for wealth management?
NA
Question 13: Do you have any comments on the proposed amendments to Guideline 13 for trade finance providers?
13:20 “…banks should consider whether performing more thorough due diligence checks on the transaction itself and on other parties to the transaction (including non-customers) would be appropriate.”
13:21 “Checks on other parties to the transaction…”
Comment: Collecting the proposed information about the other parties in the transaction, which could be the customer’s customers, would be challenging and in many cases impossible. Trade Finance is typically a paper-based operation in which the bank receives documents regarding the export/import transaction (bills of lading, invoices, packing lists etc.) and checks whether they comply with the agreed terms and international standards. Collecting information regarding also the other parties in the transaction, besides the customer of the bank, would increase the complexity.
13:22 “Checks on transactions…”
Comment: The draft guidelines propose that checks on transactions may include using professional judgement to consider whether the pricing of goods makes commercial sense and checking that the weights and volumes of goods being shipped are consistent with the shipping method. In our view, it would in practice not be realistic to do these checks in the daily Trade Finance operations. It would also require a significantly different skill-set and build-up of competences and expertise in Trade Finance officers.
Question 14: Do you have any comments on the proposed amendments to Guideline 14 for life insurance undertakings?
NA
Question 15: Do you have any comments on the proposed amendments to Guideline 15 for investment firms?
NA
Question 16: Do you have any comments on the proposed amendments to Guideline 16 for providers of investment funds and the definition of customer in this Guideline?
NA
Question 17: Do you have any comments on the additional sector-specific Guideline 17 on crowdfunding platforms?
NA
Question 18: Do you have any comments on the additional sector-specific Guideline 18 on account information and payment initiation service providers?
Comment: As stated in the draft guideline (18:2), the inherent ML/TF risk is limited. Taking this into account, and the risk-based approach, the proposed measures seem too demanding. The starting point for the requirements should be the institution that has the customer relationship and/or is executing the transactions.
In general we do not see a purpose for the AIS to have any of these requirements since AIS is only providing information on the payment accounts, balances and transactions on the payment accounts that the customer has in another bank. Terminating or closing the AIS agreement does not prevent any transactions and the AIS service provider might not have full information on the customer available to assess if customer is acting suspiciously.
PIS service is also problematic since the PISP does not establish a customer relationship with the payer, but is only initiating a single payment via another bank. The PISP’s task is only to provide payment initiation information to another bank and another bank executes the payment.
We also think that the factors mentioned in clause 18.4 should already be taken into account by the PSPs who are actually executing the payment transactions. Hence there is no need to monitor these factors in connection with PIS or AIS services, where there is no involvement in any fund transfers by PIS or AIS providers.
Question 19: Do you have any comments on the additional sector-specific Guideline 19 on currency exchanges?
NA
Question 20: Do you have any comments on the additional sector-specific Guideline 20 on corporate finance?
Section 20.7.b (Assessments of the integrity of directors, shareholders, and other parties with significant involvement in the customer’s business and the corporate finance transaction).
Comment: the requirement should be clarified and/or re-worded to only cover adverse media screening.
Section 20.7.c (Verification of the identity of other owners or controllers of a corporate entity)
Comment: The requirement should be clarified as it is unclear what is meant by ‘other owners’
Section 20.7.e (Establishing the financial situation of the corporate client)
Comment: This requirement should be clarified, what is meant by it?
Section 20.7.i (When taking part in securities’ issuance, the firm should seek to protect its own reputation by confirming that third-parties participating in selling securitisation instruments or transactions to investors have sufficient customer due diligence arrangements of their own in place)
Comment: ‘confirming’ should be replaced by ‘assessing’