Response to consultation on draft Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on customer due diligence and ML/TF risk factors
Amendments to title I: ‘Subject matter, scope and definitions’
12. The draft Guidelines propose to amend the definitions section of the original Guidelines as follows:
We would like to comment on the definition of non-face to face relationships or transactions which states that ‘Non-face to face relationships or transactions’ means any transaction or relationship where the customer is not physically present, that is, in the same physical location as the firm or a person acting on the firm’s behalf. This includes situations where the customer’s identity is being verified via video-link or similar technological means.’
We believe that situations where the customer’s identity is verified via a video-link or similar technological means should not be identified as non-face to face relationships or transactions. For instance, in Germany video identification is recognised as a face-to-face means of identification by the German Ministry of Finance and the Federal Financial Supervisory Authority (BaFin).
Categorising these forms of identification as non-face-to-face is likely to counteract the risk-based approach taken by many market participants, especially in relation to performing EDD requirements when the customer’s location does not allow for a physical identification.
To this end, we would also like to emphasise that in line with the FATF guidance on digital identity ‘using reliable, independent digital ID systems with appropriate risk mitigation measures in place, may present a standard level of risk, and may even be lower-risk.’ This is also in line with the Guideline 4.31 of the EBA’s guidance stating that ‘(…) the use of electronic means of identification does not of itself give rise to increased ML/TF risk (…).’
Therefore, we ask the EBA to not explicitly call out verifying a customer’s identity via video-links or similar technological means in the context of the definition of non-face to face relationships and transactions as these are safe means of verification that pose low ML/TF risk when properly used.
- Guideline 1.4 is new and clarifies that firms should record their risk assessments in a way that makes it possible for the firm and its supervisor to understand how it was conducted.
Guideline 1.4 refers to record keeping.
We note that banks are subject to supervision from more than one national supervisor. This effectively means that different supervisors may have different views on how recording of risk assessments should be made.
We would like to ask the EBA to provide more guidance regarding the recording requirement so that firms can comply with one set of rules. This will effectively allow for more harmonisation.
In addition, we note that the text in the previous Guidance used the following wording: ‘Firms must keep their risk assessment up to date and under review’.
We think this wording is sufficiently precise and means that banks have an obligation to keep an audit trail and document the process.
It would be helpful to get further guidance on minimum record keeping requirements (e.g. when a group-wide risk assessment should be considered sufficiently granular).
- Guidelines 1.6-1.9 are based on paragraph 10 and 65-69 in the original Risk Factors Guidelines. Paragraph 10 was expanded to provide guidance on the systems and controls firms should put in place to ensure their risk assessments remain up to date and relevant.
Guideline 1.9 b) i. b. refers to having processes in place to ensure that relevant information is regularly reviewed. This particular Guideline refers to individual risk assessments and making use of b. ‘media reports that are relevant to the sectors or jurisdictions in which the firm is active’.
We would like to encourage the EBA to make it clear that media reports should only be used in this context when they are relevant and credible. Otherwise, it is difficult for firms to solely rely on media reports that may be biased and based on presumptions.
- Guidelines 1.16-1.17 are new and provide guidance on the use of business-wide risk assessments in the design of AML/CFT policies and procedures, and the individual risk assessment methodology.
Guideline 1.17 a) states that ‘firms should make their business-wide risk assessment available to competent authorities’.
We note that the available local guidance on business-wide risk assessments differs across member states and harmonising practices across member states would be very helpful in this respect. It would further enhance a dialogue between firms and different competent authorities.
- Guidelines 1.18-1.20 are based on paragraph 10 in the original Risk Factors Guidelines. They establish the link between business-wide and individual risk assessments and clarify that individual risk assessments are no substitute for a business-wide risk assessment.
Guideline 1.18 refers to firms using the findings from their business-wide risk assessment to inform their AML/CFT policies and procedures.
The business wide risk assessment impacts the group risk appetite, which in turn impacts the individual risk assessment. This means that the business wide risk assessment only indirectly impacts the individual risk assessment.
Can the EBA provide more clarification on how the business wide risk assessment should feed directly into the individual risk assessment?
Guideline 1.19 states that ‘to comply with paragraph 1.18 and also having regard to paragraphs 1.21 and 1.22, firms should use the business-wide risk assessment to inform the level of initial customer due diligence that they will apply in specific situations, and to particular types of customers, products, services and delivery channels.’
We note that the business wide assessment can be used to complete/update the list of sensitive products or sectors and may be used to identify new delivery channels. As such it can have an impact on CDD, but we do not see how it can inform CDD on customers.
Considering the above and our comment to the Guideline 1.18, could the EBA clarify how the business wide risk assessment should inform the initial level of CDD?
- Guidelines 1.26-1.27 are based on paragraph 17 in the original Risk Factors Guidelines. They clarify that firms should identify relevant risk factors to obtain a holistic view of the risk both at the beginning and throughout the life of the business relationship, or before carrying out an occasional transaction.
Guideline 1.26 refers to firms applying additional CDD measures, and assessing risk factors to obtain a holistic view of the risk associated with a particular business relationship or occasional transaction.
Our understanding of the holistic view in this context is that one risk factor should not be considered in isolation. Could the EBA confirm?
- With regard to customers risk factors, a new Guideline 2.7 has been added so as to help firms to better identify the risk factors associated with the nature and behavior of a customer or a beneficial owner’s nature that could point to increased terrorist financing risks;
Guideline 2.7 a. reads ‘Is the customer or the beneficial owner a person included in the lists of persons, groups and entities involved in terrorist acts and subject to restrictive measures, or are they known to have close personal or professional links to persons registered on such lists (for example, because they are in a relationship or otherwise live with such a person)?’
This guideline is very broad as it refers to close personal and professional links to certain persons.
Current practice is that firms may seek to identify professional and personal links with certain countries but only on an exceptional basis.
In order to narrow down the scope of the Guideline, we propose to add the following wording [underlined]:
‘Is the customer or the beneficial owner a person included in the lists of persons, groups and entities involved in terrorist acts and subject to restrictive measures, or the financial institution knows that he/she has close personal or professional links to persons registered on such lists (for example, because they are in a relationship or otherwise live with such a person)?’
Guideline 2.7 b. refers to customers or beneficial owners who are ‘publicly known to be under investigation for terrorist activity or has been convicted for terrorist activity, or are they known to have close personal or professional links to such a person (for example, because they are in a relationship or otherwise live with such a person)?’
We note that any information with regard to terrorist activities is very sensitive and rarely in the public domain.
Therefore, we think that the wording in the Guideline 2.7 b. should be changed as follows:
“Is the customer or the beneficial owner a person who is publicly known to be under investigation for terrorist activity or has been convicted for terrorist activity (…)”
We would also like to stress that it is rarely possible for banks to assess whether an individual in question is ‘in a relationship or otherwise live(s) with such a person.’ This Guideline should only apply when, for some reason, a firm actually possesses such information.
Therefore, we propose to change the wording in the Guideline 2.7 b to:
‘(…) (for example, because firms know that they are in a relationship or otherwise live with such a person)?’
Guideline 2.7 d. i. refers to ‘activities or leadership (…) publicly known to be associated with extremism or terrorist sympathies’.
If the EBA decides to redraft Guideline 2.7 b. as we suggest above, then the Guideline 2.7 d. i. will also have to be redrafted.
We suggest it should be clear that firms should pay particular attention to those risk factors when, in fact, they are aware of them.
- With regard to countries and geographical areas, Guideline 2.9(c) has been amended to specify that, when identifying the risks associated with countries and geographical areas, firms should also consider the risk related to which the customer or the beneficial owner has ‘financial or legal interest’;
Guideline 2.9 c) has been amended to specify that, when identifying the risks associated with countries and geographical areas, firms should also consider the risk related to which the customer or the beneficial owner has ‘relevant personal or business links, or financial or legal interest’.
We would like to ask for more clarification around the meaning of personal and business links, or financial and legal interests and how these are thought to impact the risk.
In our view, the Guideline 2.9 c) in its current form could be read as if domestic customers with family members who were born in high risk countries could be rated as high risk.
We think it is important that the expectation set in the Guideline 2.9 c) does not become another standard item of CDD information to collect. In order to avoid this, we request that the Guideline 2.9 c) allows for more flexibility on how to evaluate these risks, which in turn will help to avoid customer risk assessment methodologies producing some unhelpful outcomes.
- With regard to CDD measures, Guideline 4.7 clarifies what is expected in this regard in the firms’ policies and procedures;
Guideline 4.7 a) refers to policies and procedures for identifying customers and, where applicable beneficial owners for each type of customer and category of products and services.
We would like to note that in practice, setting out who the customer and beneficial owner is for each type of customer/product/service will depend on the specific context at hand. In addition, CDD requirements under the EU AML Directive mainly refer to the customer and generally not products and services that a customer uses.
Therefore, the requirement under the Guideline 4.7 a) can be fulfilled for specific customer groups (e.g. funds), however laying this out for all the customer groups is difficult and from our point of view disproportionate.
Hence, we propose to broaden the wording in the Guideline 4.7 a) as follows:
‘Firms should set out clearly, in their policies and procedures, who the customer and, where applicable, beneficial owner is for different customer types/products and services each type of customer and category of products and services, and whose identity has to be verified for CDD purposes. (…)’
Guideline 4.7 b): We would welcome more guidance on defining when a series of one-off transactions amounts to a business relationship, rather than an occasional transaction.
We note that this definition varies across jurisdictions. For instance, the Swedish Financial Supervisory Authority (SFSA) has stated that 12 transactions during a 12-month period will normally constitute a business relationship.
We would also like to draw your attention to the Joint Guidelines under Article 25 of Regulation (EU) 2015/847 on the measures payment service providers should take to detect missing or incomplete information on the payer or the payee, and the procedures they should put in place to manage a transfer of funds lacking the required information published by the Joint Committee of the European Supervisory Authorities.
More specifically we encourage the EBA to consider the excerpt that relates to Articles 5, 6 and 7 of the Wire Transfer Regulation (EU) 2015/847 and reads:
‘In order to apply rules in Articles 5, 6 and 7 of Regulation (EU) 2015/847 related to transfers of funds that do not exceed EUR 1 000, [Payment Service Providers] PSPs and [Intermediary Payment Service Providers] IPSPs should have in place policies and procedures to detect transfers of funds that appear to be linked. PSPs and IPSPs should treat transfers of funds as linked if these fund transfers are being sent:
a) from the same payment account to the same payment account, or, where the transfer is not made to or from a payment account, from the same payer to the same payee; and
b) within a reasonable, short timeframe, which should be set by the PSP in a way that is commensurate with the ML/TF risk to which their business is exposed.
PSPs and IPSPs should determine whether other scenarios might also give rise to linked transactions, and if so, reflect these in their policies and procedures.’
In light of the above, we request the EBA to clarify when a series of one-off transactions amounts to a business relationship, rather than an occasional transaction.
Guideline 4.9 refers to firms carefully balancing the need for financial inclusion with the need to mitigate ML/TF risks.
We note that this is already a part of banks’ daily routine.
In this regard, we would welcome clearer guidance on where to draw the line between inclusion and financial crime prevention.
Guideline 4.10 refers to customers who do not provide traditional forms of identity documentation.
We believe that this should only be applicable to private individuals and only in exceptional cases.
To this end, we note that corporates should always be obliged to provide valid documentation.
- Guidelines 4.12 to 4.25 clarify the CDD expectations regarding the beneficial owners, in particular the use of beneficial ownership registers, new developments on how to identify the customer’s senior managing officials or the beneficial owner of a public administration or a state-owned enterprise;
Guideline 4.12 a) refers to an obligation for firms to understand the customer’s ownership and control structure by, for instance, asking customers who their beneficial owners are.
Pursuant to the existing legal framework, firms may determine who the beneficial owners are by other means. In fact, there is no requirement to determine the customer’s beneficial ownership and control structure by asking the customer.
Therefore, we would like to propose to add the following wording in the Guideline 4.12 a) [our wording underlined]:
‘Firms should ask the customer who their beneficial owners are; or ascertain the beneficial owner(s) by other means, such as external sources that could, for instance, include annual reports, third party vendors database, extract from corporate registries, self-sourced constitutional documents.’
Guideline 4.13 refers to firms using beneficial ownership registers.
We would welcome it if the EBA could encourage the development of an EU wide company register that provides verified data that can be relied upon.
This would be very helpful given that banks have to comply with many different registers that may sometimes give divergent results that have to be additionally checked. This considerably lengthens the entire process of checking beneficial owners and proves to be burdensome for the industry.
We also believe that asking the private sector to verify data entered into registers appears to be inconsistent with the FATF Recommendations 24 and 25 where, in fact, ‘countries should ensure that there is adequate, accurate and timely information’ available in the registers.
Guideline 4.15 b) refers to firms’ understanding of opaque and complex ownership and control structures.
We note that firms cannot exhaustively assess if customers’ complex/opaque ownership and control structures have a legitimate legal or economic reason.
We suggest deleting this sentence as it seems to be disproportionate.
Guideline 4.17 refers to paying particular attention to persons who may exercise ‘control through other means’.
Firstly, we ask the EBA to clarify that control through other means will only be relevant if control through ‘ownership’ or ‘control’ of shareholdings cannot be established.
Secondly, we note that these references imply that firms should exercise higher standards of due diligence, which is in contradiction with the derogations of SDD where a firm may adjust the extent, type and timing of measures applied. In our view, firms should react to risk factors identified as part of CDD measures and ask additional questions on a risk-based basis.
We propose to add the following wording in the Guideline [our wording underlined]:
‘Firms should pay particular attention to persons who may exercise ‘control through other means’ where identified, or where such information is made available to the firm as part of CDD (…).’
Guideline 4.20 refers to circumstances under which the customer’s senior managing officials should be identified as beneficial owners.
4.20 a) ‘They have exhausted all possible means for identifying the natural person who ultimately owns or controls the customer;’
Would the EBA be able to provide more guidance on what is meant by exhausted all possible means in line with the CDD measures that firms are required to comply with as per 4.20 a)?
4.20 c) ‘They are satisfied that the reason given by the customer as to why the natural person who ultimately owns or controls the customer cannot be identified is plausible.’
We believe that the reasons do not necessarily have to be given by the customer, therefore we suggest amending Guideline 4.20 c) as follows:
“They are satisfied that the reason(s) given by the customer as to why the natural person who ultimately owns or controls the customer cannot be identified is plausible”.
Please also refer to our comment to the Guideline 4.12 in this regard.
Guideline 4.21 refers to senior managing officials who should be considered as having either ultimate or overall responsibilities for the customer.
Could the EBA please clarify whether this Guideline refers to the so-called fictitious beneficial owners?
If so, we would like to note that the European supervisory authorities have issued different interpretations on whether all members of senior management must be identified as fictitious beneficial owners, or it is sufficient to identify one. More harmonisation in this space would be welcome.
Guidelines 4.19 and 4.22 refer to identifying the beneficial owner and customer’s senior managing officials.
The draft guidelines assume that there will always be a natural person to identify as a beneficial owner (whether a true UBO through ownership/control or a senior official in their absence).
AFME members continue to find this approach problematic as in many cases private companies do not have a beneficial owner through shareholding or control and their constitutional documents contradict the notion of designating the most senior official due to responsibilities over decision making being vested with the board of directors.
In addition, we would find it helpful if a clear definition of senior managing officials could be spelled out in the EBA’s guidelines (preferably in the definitions section of the Guidelines).
This could further be accompanied by a more granular detail on the type of ownership structures. For example, we would like to understand how to proceed in a situation where the most senior official may be a PEP. Please also consider that sometimes PEPs can exert very little power within the organisation, or senior managing officials will not contribute to sources of wealth or sources of funds.
We suggest revising the guidelines 4.23 and 4.25 to exempt certain customer types from the requirement to identify the senior managing official as a beneficial owner when there is no reasonable expectation to identify a beneficial owner, for example, in the case of supranational organisations, wholly state-owned entities, certain multilateral financial institutions, government agencies and sovereign wealth funds.
Guideline 4.24: We would like to make two comments in respect of Guideline 4.24. They relate to different parts of the guideline as quoted below.
1) ‘In those cases, and in particular where the risk associated with the relationship is increased, for example because the state-owned enterprise is from a country associated with high levels of corruption (…)’.
We note that corruption is embedded in the ML risk and there is no specific list of countries with high levels of corruption.
We suggest that the EBA refers to high level of ML risks rather than high levels of corruption.
2) ‘(…) firms should take risk-sensitive steps to establish that the person they have identified as the beneficial owner is properly authorised by the customer to act on the customer’s behalf.’
We would like to note that, usually, a beneficial owner has no authority to act on a customer’s behalf. Therefore, we do not understand why the beneficial owner must be properly ‘authorised by the customer to act on the customer’s behalf’.
The EBA is asked to provide more clarity on the expectations in this regard. In fact, we suggest deleting this reference as we do not see how it could be exercised in practice.
Additionally, we would suggest following a risk based approach in determining the BOs of public administrations. For low risk countries, determining the BOs of public administrations may add little value.
Guideline 4.25 refers to applying EDD measures to a senior managing official of a state owned entity who may be a PEP.
State owned entities can be low risk clients. Therefore, we believe that the impact of the proposed addendum is disproportionate to the risk that a senior managing official may pose and would add very little benefit to preventing ML risk.
It would be helpful to clarify that EDD does not need to be applied if the senior managing official is a PEP only because he/she is the senior managing official of public administrations or state owned entities. In fact, just because the customer is a PEP does not mean that they should automatically be considered as high risk and this should be determined on a risk based basis. As a reference, please refer to the Financial Conduct Authority’s (FCA) guidance on PEPs.
We think that the mandatory EDD measures should only be applied when the senior management official of public administrations and state owned enterprises is a PEP in their own right and he/she is opening accounts as a private person OR he/she is a senior managing official, UBO or a legal owner of a private legal entity.
- Guidelines 4.29 to 4.31 define the CDD expectations in non-face-to-face situations;
In relation to situations where transactions are performed in non-face-to-face situations, we would like the EBA to refer to our comment made at the beginning of our response under the section dealing with definitions. Once again, we would like to stress that video-identification should be recognised as a face-to-face means of identification and, therefore, it should not trigger the performance of EDD measures.
Can the EBA reconsider the wording under the Guideline 4.30?
- Guidelines 4.32 to 4.37 deal with the use of innovative technological means to verify identity so as to promote convergence among the firms; and
Guidelines 4.32 to 4.37 refer to the use of innovative technologies.
We note that it is important that firms may choose to use electronic or documentary means to evidence their customers’ identity.
Therefore, we welcome the guidelines 4.32 to 4.37.
- Guidelines 4.38 and 4.39 set out the measures firms should take to establish the nature and the purpose of the business relationship.
Guidelines 4.38 and 4.39 set out the measures that firms should take to establish the nature and purpose of the business relationship.
We would like to note that in some circumstances it may be possible for a firm to define the acceptable purpose and nature of the business relationships from the terms and conditions and fair usage policies (as agreed with the customers).
Therefore, it would be helpful to clarify that the measures that firms should take to establish the nature and the purpose of the business relationship can also be established by other methods than just collecting this information from the customer as part of CDD.
In addition, we ask the EBA to clarify that the measures identified in the Guideline 4.38 should only be applied on a risk-based approach. For instance, firms will be able to identify low risk cases from the nature of the product e.g. mortgage payments.
We also think that the Guideline 4.38 c) ‘The value and sources of funds that will be flowing through the account’ goes beyond what is expected by regulators and the 4th and 5th AMLD (e.g. this is required for all customers regardless of risk rating) and its implementation will likely give rise to data protection issues.
We also note that understanding sources of funds is an example of EDD requirement set out in the EBA’s Guideline 10.16.
Therefore, we propose to reword the Guideline 4.38 c) as follows:
‘The anticipated value of funds used for the business relationship’.
Guideline 4.38 e) states that firms should take steps to understand e) ‘Whether the customer has other business relationships with other parts of the firm or its wider group, and the extent to which this affects the firm’s understanding of the customer’.
We note that in line with Directive (EU) 2015/849 and where an obliged entity is part of a group, AML/CFT policies and procedures should be implemented effectively and consistently at a group level.
Therefore, we believe that the requirement set out in the Guideline 4.38 e) should only be executed when information sharing is allowed by law and group wide policies. In addition, it should also only concern higher risk situations and international complex structures.
We note that this is also the approach taken by the Joint Money Laundering Steering Group (JMLSG) in the UK. Section 5.3.23 of the JMLSG Guidance reads (with our underlining) ‘A firm must understand the purpose and intended nature of the business relationship or transaction to assess whether the proposed business relationship is in line with the firm’s expectation and to provide the firm with a meaningful basis for ongoing monitoring. In some instances this will be self-evident, but in many cases the firm may have to obtain information in this regard. Whether, and to what extent, the customer has contact or business relationships with other parts of the firm, its business or wider group can also be relevant, especially for higher risk customers.’
Can the EBA comment?
Guideline 4.38 f) reads that firms should take steps to understand ‘What constitutes ‘normal’ behaviour for this customer or category of customers’.
The EBA is asked to clarify what ‘normal’ in this context means. Some examples would be helpful.
- Guidelines 4.46 (c) and 4.47 (b) have been amended to be in line with the AMLD5 provisions related to high-risk third countries.
Guideline 4.46 delineates a few cases that firms must always treat as high risk.
For instance, it seems that in line with the Guideline 4.46 c) all business relationships or transactions involving high risk third countries should undergo enhanced customer due diligence screening.
This prescriptive requirement set in the Enhanced Due Diligence section of the EBA’s guidance will likely create a significant increase in international firms’ high risk client base across the EU, targeting firms’ resources in a way which may not necessarily be risk-based.
In order to avoid this, this requirement should, in our view, be targeted at ‘occasional transactions’.
Hence, we request that the EBA changes the wording in paragraph 4.46 (c) to [with our underlining]:
‘where a firm maintains a business relationship or carries out an occasional transaction involving high-risk third countries’.
This will clarify firms’ obligations to apply EDD requirements on a risk-based approach.
The EBA is asked to make the relevant changes throughout the entire guidelines.
- Guideline 4.48 provides a reference to the list of prominent public functions pursuant to Article 20a(3) of Directive (EU) 2015/849.
Guideline 4.48 talks about risk-sensitive policies and procedures to identify PEPs and having regard to the list of prominent public functions.
Can the EBA provide more clarification on how to adjust the list of functions in Article 3(9) of 4AMLD with regards to prominent public functions from third countries which may materially have different governmental and political structures in place e.g. level of prominence afforded to a ‘Member of Parliament’ in Europe is materially different to other countries?
- With regard to PEPs, Guidelines 4.49 provide guidance to firms that use commercially available PEPs lists.
Guideline 4.49 reads that ‘Firms that use commercially available PEP lists should ensure that information on these lists is up to date and that they understand the limitations of those lists. Firms should take additional measures where necessary, for example in situations where the screening results are inconclusive or not in line with the firm’s expectations’.
It is unclear as to when or under what conditions screening results are to be classified as ‘inconclusive’ or what is specifically meant by the prerequisite ‘not in line with the firm’s expectations’.
We ask the EBA to either clarify the Guideline 4.49, or delete it completely as we do not understand how it can be executed in practice.
- With regard to high-risk third countries and other high risk situations, the paragraphs of the original Risk Factors Guidelines on ‘high risk third countries and other high risk situations’ (paragraphs 58 to 61) have been split into two different sub-sections; one dedicated to ‘high-risk third countries’ and the other one to ‘other high-risk situations’ so as to clarify the respecting obligations.
o Guidelines 4.53 to 4.57 set out how firms should comply with the specific EDD measures specified by the AMLD5 concerning high-risk third countries.
General comment on the high risk third countries’ section
Extra-territoriality:
We would like the EBA to align its Guidance with the 4th AMLD article 18(1) which deals with EDD measures and high risk third countries.
The Article 18(1) stresses that EDD would not automatically be invoked with respect to branches or majority-owned subsidiaries of obliged entities established in the Union and located in high-risk third countries. This is in respect of situations where branches or majority-owned subsidiaries fully comply with the group-wide policies and procedures.
Can the EBA comment?
Specific comments on the high risk third countries’ section
Guideline 4.53 refers to EDD requirements and business relationships or transactions involving high risk third countries.
We request that the EBA is more precise and states that the EDD requirements in this context apply to transactions linked to clients/business relationships domiciled in high risk third countries.
Guideline 4.55 provides a list of factors that would indicate that a business relationship or transaction involves a high risk third country.
‘A business relationship or transaction always involves a high risk third country if
a) the funds were generated in a high risk third country;
b) the funds are received from a high risk third country;
c) the destination of funds is a high risk third country;
d) the firm is dealing with a natural person or legal entity resident or established in a high risk third country; or
e) the firm is dealing with a trustee established in a high risk third country or with a trust governed under the law of a high risk third country.’
This Guideline appears to be a rules based requirement, contradicting the risk-based approach.
In our understanding any payment made directly/indirectly inbound/outbound involving a high risk third country would require treating the customer as high risk and require EDD. This will likely create a significant increase in international firms’ high risk client base across the EU, targeting firms’ resources in a way which may not necessarily be risk-based.
For this reason, we suggest changing the word ‘transaction’ to ‘occasional transaction’ to ensure that this requirement is triggered on a risk-based approach.
In addition, we would like to make another comment in respect of the Guideline 4.55 a) which reads that ‘a business relationship or transaction always involves a high risk third country if the funds were generated in a high risk third country.’
We note that financial institutions cannot always identify where funds were generated. There are situations in which financial institutions are involved in transactions between a client and a counterparty both domiciled in the EU and for which funds are generated in a high risk third country.
We suggest deleting the Guideline 4.55 a) altogether, since implementing this provision in practice is almost impossible.
We would also like to suggest rephrasing the Guidelines 4.55 d) and e) to make them more targeted and commensurate to the risk (our wording underlined).
d) the firm is dealing with a natural person or legal entity as its customer resident or established in a high risk third country; or
e) the firm is dealing with a trustee as its customer established in a high risk third country or with a trust governed under the law of a high risk third country
Guideline 4.56 relates to performing EDD measures when ‘a) the transaction passes through a high risk third country, for example because of where the intermediary payment services provider is based; or b) a customer’s beneficial owner is established in a high risk third country.’
We would like to point out that 4th MLD Article 18 (1) clearly calls out that EDD is required in situations when dealing with natural persons or legal entities established in the third countries identified by the European Commission as high-risk third countries.
When considering the duty to apply EDD under certain circumstances involving high risk third countries, we encourage the EBA to clearly set out in the Guidance what a ‘relevant transaction’ and being ‘established in’ a high risk third country means.
To this end, we encourage the EBA to take a similar approach as set out in the UK ML Regulation 33 (c)(3):
‘(b) a “relevant transaction” means a transaction in relation to which the relevant person is required to apply customer due diligence measures under regulation 27;
(c) being “established in” a country means— (i) in the case of a legal person, being incorporated in or having its principal place of business in that country, or, in the case of a financial institution or a credit institution, having its principal regulatory authority in that country; and (ii) in the case of an individual, being resident in that country, but not merely having been born in that country.”;’
Guideline 4.57 talks about maintaining close personal or professional links with a high risk third country.
We note that this information can only be obtained by ‘accident’, as it is rather impossible to obtain it via different routes.
We also do not consider that professional or personal links to high risk third countries should, in themselves, trigger EDD. We also consider that there is a clear risk that requiring firms to identify such links as part of standard CDD measures could lead to discriminatory treatment on the basis of ethnicity or nationality (including mistaken perceptions of ethnicity or nationality).
Can the EBA reconsider the ask in the Guideline 4.57?
We note that Guideline 4.58 must be updated to align with the Guideline 8.14 of the EBA’s guidelines on ML/TF risks.
We recommend using the following wording (our wording underlined):
‘Firms must take specific EDD measures where they have a cross-border correspondent relationship which involves the execution of payments with a respondent who is based in a third country’.
o Guideline 4.64(b)(ii) clarifies, as for other high-risk situations, that firms should have regard to the fact that funds from legitimate business activity may still constitute ML/TF as set out in paragraph (3) to (5) of Article 1 of Directive (EU) 2015/849.
From our point of view, Guideline 4.64 is not in line with data protection rules.
For example, Guideline 4.64 (a) requires considering information about family members and close business partners. Having regard to data protection requirements, we suggest that the guidelines stress that such information is only relevant if the family member/close business partner is a PEP. It remains unclear to what extent past business activities of the customer and/or the beneficial owner are relevant in this context (Guideline 4.64 (b)).
We would also welcome more clarity on the EBA’s expectations set out in the Guideline 4.64(b)(ii).
- With regard to monitoring, a standalone section has been created as monitoring is an essential part of effective customer due diligence measures. Notwithstanding, the 2019 Joint Opinion on ML/TF risks in the EU’s financial sector highlights that competent authorities across the EU remain concerned by the quality of firms’ ongoing monitoring of business relationships, including transaction monitoring. For this reason, Guidelines 4.69 to 4.74 set expectations of the systems and controls firms should have in place to monitor their business relationships.
o Guidelines 4.72-4.74 are new and specify the points firms should consider to ensure that their transaction monitoring system is effective.
Guideline 4.74 refers to real-time transaction monitoring for higher-risk transactions.
We note that transaction monitoring for AML purposes monitors a number of customer behaviours and their transactions over varying time periods, normally daily, weekly and monthly. Therefore, it is not always possible to determine potentially suspicious activity from a single transaction, as it is dependent on the specific circumstance or scenario that has generated the alert.
When considering the potential volumes involved, the design and implementation of appropriate technical solutions for automated real time monitoring for AML purposes will be a significant undertaking for any financial institution.
There is an aspiration in the industry to have sophisticated real-time, intelligent monitoring systems that could detect and stop payments with high precision.
However, at the moment an automatic system that would halt transactions if indicators show potential suspicion could either cause harmful disruption in payment flows (if the net is too tight) or be of no use (if the net is too loose).
For this reason, the EBA is asked to consider recalibrating the expectations set in the Guideline 4.74. For instance, the Guideline could be rephrased as follows: ‘Firms may apply real time monitoring to transactions associated with higher ML/TF risks, wherever possible’.
We encourage the EBA to provide examples/clarification on the intent for performing ex-post sampling review of transactions ‘to identify trends that could inform their risk assessments’. Trends analysis, by its nature, must involve analysis of linked/series of related transactions to identify trends instead of random selections of transactions.
Guideline 1.4 refers to record keeping.
We note that banks are subject to supervision from more than one national supervisor. This effectively means that different supervisors may have different views on how recording of risk assessments should be made.
We would like to ask the EBA to provide more guidance regarding the recording requirement so that firms can comply with one set of rules. This will effectively allow for more harmonisation.
In addition, we note that the text in the previous Guidance used the following wording: ‘Firms must keep their risk assessment up to date and under review’.
We think this wording is sufficiently precise and means that banks have an obligation to keep an audit trail and document the process.
It would be helpful to get further guidance on minimum record keeping requirements (e.g. when a group-wide risk assessment should be considered sufficiently granular).
We note that most companies implement the training obligation through an online based training module.
To this end, we would like to ask for more clarity around tailoring training to staff and their specific roles.
It would be helpful to clarify what is meant by ‘independent review’ in the context of this Guideline.
21. The CP proposes to amend the sectoral Guideline 8 for correspondent banks as follows:
- The measures in Guideline 8.14 have been amended in line with article 19 of AMLD5;
- The measure in Guideline 8.17 about correspondents being required to take risk-sensitive measures has been clarified to require correspondents to ask respondents about their customers if necessary (a), to obtain senior management approval also where new risks emerge (d), to conclude an agreement setting out specific content (e); and
Guideline 8.17 e. i. – e. iv. provides guidelines on documenting the responsibilities of each institution when dealing with respondents based in non-EEA countries.
We think that it should be clarified that these requirements are required for new business relationships only.
Moreover, we think that the provided conditions may lead to frequent, and unnecessary, updating of the ‘terms and conditions’ used in correspondent banking relationships. We suggest that the Guideline 8.17 e. i. – e. iv. should read as follows:
Guidelines 8.17 e.i – e. iv are non-exhaustive examples of what can be documented in the written agreement as responsibilities of each institution.
Furthermore, we would like to understand the requirements under the Guideline 8.17 e. iii and iv. better. Do they relate to the request for information process in relation to missing payer/payee information required in the Funds Transfer Regulations and request for information required to address alerts from transaction monitoring/screening? Can the EBA comment?
- The measures in Guidelines 8.20 to 8.25 are new and set out the measures that need to be applied to respondents established in high-risk third countries and correspondent relationships involving high-risk third countries.
Guideline 8.17 c. talks about requiring correspondents to take risk-sensitive measures such as ‘on-site visits and/or sample testing to be satisfied that the respondent’s AML policies and procedures are implemented effectively.’
We believe that on-site visits and/or sample testing in this context can have implications for competition and business secrecy rules. That is why we do not think that these rules should be part of the standard CDD measures.
Guideline 8.21 refers to respondents established in high-risk third countries, and correspondent relationships involving high risk third countries. It reads that ‘correspondents should also, as part of their standard CDD measures, determine the likelihood of the respondent initiating transactions involving high-risk third countries, including because a significant proportion of the respondent’s own customers maintain relevant professional or personal links to high-risk third countries.’
We believe that determining the likelihood of the respondent initiating transactions involving high-risk third countries because a significant proportion of the respondent’s own customers maintain relevant professional or personal links with high-risk third countries would essentially lead to conducting Know Your Customer’s Customer (KYCC).
We do not consider that professional and personal links to high-risk third countries should, in themselves, trigger EDD. And we do support a risk-based approach to EDD on correspondent banking relationships that should focus on the respondent’s general risk exposure and mitigating control framework (as required by the 4th & 5th AMLD).
Therefore, we suggest that the requirement set out in the Guideline 8.21 should not be part of the standard CDD measures.
Guideline 8.23 reads ‘unless the correspondent has assessed ML/TF risk arising from the relationship with the respondent as particularly high correspondents should be able to comply with the requirements in Article 18a(1) by applying Article 13 and 19 of Directive (EU) 2015/849.’
We understand that the EBA’s view is that the specific EDD requirements for high risk third countries should apply in parallel with the specific EDD requirements for correspondent relationships. If our understanding is correct, then we do not think this is the right approach.
We believe that further guidance is required on how firms can support financial inclusion through a proportionate and risk-based approach to EDD measures for correspondent banking in relation to high risk third countries.
We consider that firms may still choose to establish a correspondent banking relationship with a respondent situated in a high risk third country by mitigating this risk through their EDD correspondent banking measures and/or through supplementary risk-based EDD measures.
Guideline 8.24 reads ‘to discharge their obligation under Article 18a (1)(c) of Directive (EU)2015/849, correspondents should apply guideline 8.17(c) c) and take care to assess the adequacy of the respondent’s policies and procedures to establish their customers’ source of funds and source of wealth and carrying out onsite visits or sample-checks, or asking the respondent to provide evidence of the legitimate origin of a particular customer’s source of wealth or source of funds, as required.’
We note that the determination of source of wealth and source of funds is only required for high risk clients, which make up a small percentage of the respondent’s customers. Furthermore, non-EEA respondents are not subject to the same high risk third country measures as EU correspondents (except when FATF calls for counter measures to such jurisdiction).
We believe that focusing on source of wealth and source of funds standards in this Guideline will not be commensurate to the risk. We ask the EBA to reconsider it.
Additional comment on correspondent banking:
The EU ML Directive’s definition goes further than just correspondent banking.
Could the scope of the guidance cover other correspondent relationships, in and amongst financial institutions, and, for the purposes of securities transactions (as per the 4MLD definition below in Article 3)? We would welcome guidance (similar to that of the UK JMLSG) on correspondent trading relationships and correspondent securities relationships. The guidance should also make clear that, as per FATF standards outlining the risk-based approach, there is no expectation or requirement for KYCC.
Article 3(8)(a) of Directive (EU) 2015/849 ‘correspondent relationship’ means:
(a) the provision of banking services by one bank as the correspondent to another bank as the respondent, including providing a current or other liability account and related services, such as cash management, international funds transfers, cheque clearing, payable-through accounts and foreign exchange services;
(b) the relationships between and among credit institutions and financial institutions including where similar services are provided by a correspondent institution to a respondent institution, and including relationships established for securities transactions or funds transfers;
1. We are not sure why the sector guidance for Virtual Currencies is included in the sectoral guidance for retail. We think that this section should be incorporated into the EBA’s guidelines in a separate section.
2. We recommend the EBA to provide a definition of virtual currencies in order to clarify whether this intends to capture the entire scope of crypto-assets, or a smaller subset of crypto-assets that are used for payment and that are currently widely unregulated. We recommend the EBA to consider the definitions in our proposed approach to classification of crypto-assets, which can be found in Annex A of the GFMA response to the BCBS Discussion Paper on Designing a Prudential Treatment for Crypto-assets.
3. We ask the EBA to comment as to whether virtual currencies should be aligned with the funds transfer regulations, i.e. they should include the required payee/payer information in asset transfers or when converting fiat to virtual currency or virtual currency to fiat.
Specific comments:
Regarding Guideline 9.22, we request clarification as to what would be considered as a virtual currency in the context of a “virtual currency trading platform”, “custodian wallet services”, or “arranging, advising or benefiting from ‘initial coin offerings’ (ICOs)”.
We believe this should at a minimum include those crypto-assets that currently fall outside of the regulatory perimeter. For more detail on our views on AML/CFT regulation of crypto-assets, please see the FCA Policy Statement Guidance on Crypto-assets PS19/22 and AFME response to JMLSG proposed guidance on Part II Sector 22 – cryptoasset exchange providers and custodian wallet providers published on 18 May.
Guideline 9.23 reads that ‘to ensure that the level of ML/TF risk associated with such customers is mitigated, banks should not apply simplified due diligence measures. At a minimum as part of their CDD measures, firms should
(b) In addition to verifying the identity of the customer’s beneficial owners, carry out due diligence on senior management to the extent that they are different, including consideration of any adverse information.’
We note that adverse information screening is currently performed as part of EDD measures. We suggest following the same rules in relation to virtual currencies.
Furthermore, we believe that this assessment should be done on a risk based approach. Adverse information screening may be considered necessary for some clients but not others, e.g. if a client is listed on a regulated market and/or regulated in an equivalent jurisdiction, then we do not see value in performing such screening.
‘(e) Finding out whether businesses using ICOs in the form of virtual currencies to raise money are legitimate and, where applicable, regulated.’
We would like to understand how it can be assessed whether a business is legitimate in the context of the Guideline 9.23 e.
‘c) the transaction is cash-based or funded with anonymous electronic money, including electronic money benefiting from the exemption under Article 12 of Directive (EU) 2015/849;’
We suggest adding virtual currencies in this section.
We do not understand why difficulties in ascertaining whether a customer has legitimate title to a collateral is a risk increasing factor from AML perspective. Can the EBA comment?
The following comment relates to Guideline 12.4 g.
Banks are obliged to ascertain group wide and unified AML/CFT standards. Due to this, we do not understand why depositing or managing assets in another group entity is a risk increasing factor in the context of wealth management.
In the context of Guideline 12.8 a., we would like to understand what is meant by ‘obtaining and verifying more information about clients than in standard risk situations’. What are banks’ expectations in this regard?
We would also like to point out that banks are not in a position to determine over and under insurance in line with the Guideline 13.10 g).
It would be helpful to know that these expectations are not targeted at banks.
‘c) The customer’s business, for example the customer’s funds are derived from business in sectors that are associated with a higher risk of financial crime, such as construction, pharmaceuticals and healthcare, the arms trade and defence, the extractive industries or public procurement.’
In our experience these industries are mainly exposed to ABC risk and will only impact risk assessment with regards to PEPs.
We also do not think that industries, such as construction, pharmaceuticals and healthcare, are associated with a higher risk of financial crime particularly in the context of Investment Management Services. Can the EBA comment?
We note that the Guideline 8.14 was updated to align with article 19 of 5AMLD which only requires EDD ‘where the correspondent relationships involves in the execution of payments’.
In the context of investment management services, Guideline 16.17 should, in our opinion, be clear that EDD is only required when it involves execution of payments, such as securities transacted on a “delivery versus payment” basis.
With regard to Guideline 16.20, we note that FATF guidance on the securities sector was very clear that when the customer is the intermediary, ‘there is no expectation, intention or requirement for the correspondent institution to conduct customer due diligence on its respondent institution’s customers.’ Can the EBA comment?
c) where there is no evidence the customer has received a mandate or a sufficiently senior management approval to conclude the contract;
We note that this is a legal risk and not financial crime risk, therefore we propose to delete it.
Guideline 20.7 refers to EDD requirements in the context of corporate finance.
The Guideline reads ‘where the risk associated with a business relationship or an occasional transaction is increased, firms should apply EDD measures such as beneficial ownership, and in particular any links the customer might have with politically exposed persons, and the extent to which these links affect the ML/TF risk associated with the business relationship;
b) Assessments of the integrity of directors, shareholders, and other parties with significant involvement in the customer’s business and the corporate finance transaction;
We note that this information is not obtained as part of onboarding or customer review, therefore it will be impossible to make this assessment. Our suggestion is to delete it.
c) Verification of the identity of other owners or controllers of a corporate entity
Can the EBA clarify what is meant by ‘other owners’?
e) Establishing the financial situation of the corporate client;
Can the EBA clarify what is meant by ‘financial situation of the corporate client’? It is not clear how this requirement would help to mitigate financial crime risk.
g) Risk-sensitive customer due diligence checks on other parties to a financial arrangement to gain sufficient background knowledge to understand the nature of the transaction (…)’.
We agree that risk-sensitive checks on other parties to a financial arrangement to gain sufficient background knowledge to understand the nature of the transaction should be performed.
However, we suggest that the EBA should make it clear that this only involves getting an understanding of who these parties are and their role, as well as subjecting these parties to sanctions screening.
h) Firms offering corporate finance services should apply enhanced ongoing monitoring. In that regard, firms that use automated transaction monitoring should combine it with the knowledge and expertise of staff engaged in the activity. This enhanced monitoring should result in a clear understanding of why a customer undertakes a particular transaction or activity; for this purpose, firms should ensure that their staff use their knowledge of the customer, and what would be normal in the given set of circumstances, to be able to spot the unusual or potentially suspicious.
Corporate Finance is typically relationship based rather than transaction based.
This practice is delineated in JMLSG’s sectoral guidance Part II section 14.38 which reads ‘Monitoring of corporate finance activity will generally, due to the relationship-based, rather than transaction-based (in the wholesale markets sense), nature of corporate finance, be undertaken by the staff engaged in the activity, rather than through the use of electronic systems.’
Therefore, we note that EDD monitoring for Corporate Finance is typically undertaken manually by the staff engaged in the activity as part of the deal management process and not via the use of automated transaction monitoring systems.
h) i) When taking part in securities’ issuance, the firm should seek to protect its own reputation by confirming that third-parties participating in selling securitisation instruments or transactions to investors have sufficient customer due diligence arrangements of their own in place.
In our view reputational risk is not related to financial crime risk and should be managed by individual firms.
Question 1: Do you have any comments with the proposed changes to the Definitions section of the Guidelines?
For high level summary of AFME draft response, please see the attached PDF file.
Amendments to title I: ‘Subject matter, scope and definitions’
12. The draft Guidelines propose to amend the definitions section of the original Guidelines as follows:
We would like to comment on the definition of non-face to face relationships or transactions which states that ‘Non-face to face relationships or transactions’ means any transaction or relationship where the customer is not physically present, that is, in the same physical location as the firm or a person acting on the firm’s behalf. This includes situations where the customer’s identity is being verified via video-link or similar technological means.’
We believe that identifying situations where the customer’s identity is verified via a video-link or similar technological means should not be identified as non-face to face relationships or transactions. For instance, in Germany video identification is recognised as face-to-face means of identification by the German Ministry of Finance and Federal Financial Supervisory Authority (BaFin).
Categorising these forms of identification as non-face-to-face is likely to counteract the risk-based approach taken by many market participants especially in relation to performing EDD requirements when the customer’s location does not allow for a physical identification.
To this end, we would also like to emphasise that in line with the FATF guidance on digital identity ‘using reliable, independent digital ID systems with appropriate risk mitigation measures in place, may present a standard level of risk, and may even be lower-risk.’ This is also in line with the Guideline 4.31 of the EBA’s guidance stating that ‘(…) the use of electronic means of identification does not of itself give rise to increased ML/TF risk (…)’.
Therefore, we ask the EBA to not explicitly call out verifying customer’s identity via video-links or similar technological means in the context of the definition of non-face to face relationships and transactions as these are safe means of verification that pose low ML/TF risk when properly used.
Question 2: Do you have any comments on the proposed amendments to Guideline 1 on risk assessment?
Amendments to title II: ‘Assessing and managing risk: general’
- Guideline 1.4 is new and clarifies that firms should record their risk assessments in a way that makes it possible for the firm and its supervisor to understand how it was conducted.
Guideline 1.4 refers to record keeping.
We note that banks are subject to supervision from more than one national supervisor. This effectively means that different supervisors may have different views on how recording of risk assessments should be made.
We would like to ask the EBA to provide more guidance regarding the recording requirement so that firms can comply with one set of rules. This will effectively allow for more harmonisation.
In addition, we note that the text in the previous Guidance used the following wording: ‘Firms must keep their risk assessment up to date and under review’.
We think this wording is sufficiently precise and means that banks have an obligation to keep an audit trail and document the process.
It would be helpful to get further guidance on minimum record keeping requirements (e.g. when a group-wide risk assessment should be considered sufficiently granular).
- Guidelines 1.6-1.9 are based on paragraph 10 and 65-69 in the original Risk Factors Guidelines. Paragraph 10 was expanded to provide guidance on the systems and controls firms should put in place to ensure their risk assessments remain up to date and relevant.
Guideline 1.9 b) i. b. refers to having processes in place to ensure that relevant information is regularly reviewed. This particular Guideline refers to individual risk assessments and making use of b. ‘media reports that are relevant to the sectors or jurisdictions in which the firm is active’.
We would like to encourage the EBA to make it clear that media reports should only be used in this context when they are relevant and credible. Otherwise, it is difficult for firms to solely rely on media reports that may be biased and based on presumptions.
- Guidelines 1.16-1.17 are new and provide guidance on the use of business-wide risk assessments in the design of AML/CFT policies and procedures, and the individual risk assessment methodology.
Guideline 1.17 a) states that ‘firms should make their business-wide risk assessment available to competent authorities’.
We note that the available local guidance on business-wide risk assessments differs across member states and harmonising practices across member states would be very helpful in this respect. It would further enhance a dialogue between firms and different competent authorities.
- Guidelines 1.18-1.20 are based on paragraph 10 in the original Risk Factors Guidelines. They establish the link between business-wide and individual risk assessments and clarify that individual risk assessments are no substitute for a business-wide risk assessment.
Guideline 1.18 refers to firms using the findings from their business-wide risk assessment to inform their AML/CFT policies and procedures.
The business wide risk assessment impacts the group risk appetite, which in turn impacts the individual risk assessment. This means that the business wide risk assessment only indirectly impacts the individual risk assessment.
Can the EBA provide more clarification on how the business wide risk assessment should feed directly into the individual risk assessment?
Guideline 1.19 states that ‘to comply with paragraph 1.18 and also having regard to paragraphs 1.21 and 1.22, firms should use the business-wide risk assessment to inform the level of initial customer due diligence that they will apply in specific situations, and to particular types of customers, products, services and delivery channels.’
We note that the business wide assessment can be used to complete/update the list of sensitive products or sectors and may be used to identify new delivery channels. As such it can have an impact on CDD, but we do not see how it can inform CDD on customers.
Considering the above and our comment to the Guideline 1.18, could the EBA clarify how the business wide risk assessment should inform the initial level of CDD?
- Guidelines 1.26-1.27 are based on paragraph 17 in the original Risk Factors Guidelines. They clarify that firms should identify relevant risk factors to obtain a holistic view of the risk both at the beginning and throughout the life of the business relationship, or before carrying out an occasional transaction.
Guideline 1.26 refers to firms applying additional CDD measures, and assessing risk factors to obtain a holistic view of the risk associated with a particular business relationship or occasional transaction.
Our understanding of the holistic view in this context is that one risk factor should not be considered in isolation. Could the EBA confirm?
Question 3: Do you have any comments on the proposed amendments to Guideline 2 on identifying ML/TF risk factors?
16. The CP proposes to amend the original general guidance on risk factors and to add new guidance in Guideline 2 on identifying ML/TF risk factors as follows:
- With regard to customers risk factors, a new Guideline 2.7 has been added so as to help firms to better identify the risk factors associated with the nature and behavior of a customer or a beneficial owner’s nature that could point to increased terrorist financing risks;
Guideline 2.7 a. reads ‘Is the customer or the beneficial owner a person included in the lists of persons, groups and entities involved in terrorist acts and subject to restrictive measures, or are they known to have close personal or professional links to persons registered on such lists (for example, because they are in a relationship or otherwise live with such a person)?’
This guideline is very broad as it refers to close personal and professional links to certain persons.
Current practice is that firms may seek to identify professional and personal links with certain countries but only on an exceptional basis.
In order to narrow down the scope of the Guideline, we propose to add the following wording [underlined]:
‘Is the customer or the beneficial owner a person included in the lists of persons, groups and entities involved in terrorist acts and subject to restrictive measures, or the financial institution knows that he/she has close personal or professional links to persons registered on such lists (for example, because they are in a relationship or otherwise live with such a person)?’
Guideline 2.7 b. refers to customers or beneficial owners who are ‘publicly known to be under investigation for terrorist activity or has been convicted for terrorist activity, or are they known to have close personal or professional links to such a person (for example, because they are in a relationship or otherwise live with such a person)?’
We note that any information with regard to terrorist activities is very sensitive and rarely in the public domain.
Therefore, we think that the wording in the Guideline 2.7 b. should be changed as follows:
“Is the customer or the beneficial owner a person who is publicly known to be under investigation for terrorist activity or has been convicted for terrorist activity (…)”
We would also like to stress that it is rarely possible for banks to assess whether an individual in question is ‘in a relationship or otherwise live(s) with such a person.’ This Guideline should only apply when, for some reason, a firm actually possesses such information.
Therefore, we propose to change the wording in the Guideline 2.7 b to:
‘(…) (for example, because firms know that they are in a relationship or otherwise live with such a person)?’
Guideline 2.7 d. i. refers to ‘activities or leadership (…) publicly known to be associated with extremism or terrorist sympathies’.
If the EBA decides to redraft Guideline 2.7 b. as we suggest above, then the Guideline 2.7 d. i. will also have to be redrafted.
We suggest it should be clear that firms should pay particular attention to those risk factors when, in fact, they are aware of them.
- With regard to countries and geographical areas, Guideline 2.9(c) has been amended to specify that, when identifying the risks associated with countries and geographical areas, firms should also consider the risk related to which the customer or the beneficial owner has ‘financial or legal interest’;
Guideline 2.9 c) has been amended to specify that, when identifying the risks associated with countries and geographical areas, firms should also consider the risk related to which the customer or the beneficial owner has ‘relevant personal or business links, or financial or legal interest’.
We would like to ask for more clarification around the meaning of personal and business links, or financial and legal interests and how these are thought to impact the risk.
In our view, the Guideline 2.9 c) in its current form could be read as if domestic customers with family members who were born in high risk countries could be rated as high risk.
We think it is important that the expectation set in the Guideline 2.9 c) does not become another standard item of CDD information to collect. In order to avoid this, we request that the Guideline 2.9 c) allows for more flexibility on how to evaluate these risks, which in turn will help to avoid customer risk assessment methodologies producing some unhelpful outcomes.
Question 4: Do you have any comments on the proposed amendments and additions in Guideline 4 on CDD measures to be applied by all firms?
17. The CP proposes to amend the original general guidance on risk management and to add new guidance in Guideline 4 on CDD measures as follows:
- With regard to CDD measures, Guideline 4.7 clarifies what is expected in this regard in the firms’ policies and procedures;
Guideline 4.7 a) refers to policies and procedures for identifying customers and, where applicable beneficial owners for each type of customer and category of products and services.
We would like to note that in practice, setting out who the customer and beneficial owner is for each type of customer/product/service will depend on the specific context at hand. In addition, CDD requirements under the EU AML Directive mainly refer to the customer and generally not products and services that a customer uses.
Therefore, the requirement under the Guideline 4.7 a) can be fulfilled for specific customer groups (e.g. funds), however laying this out for all the customer groups is difficult and from our point of view disproportionate.
Hence, we propose to broaden the wording in the Guideline 4.7 a) as follows:
‘Firms should set out clearly, in their policies and procedures, who the customer and, where applicable, beneficial owner is for different customer types/products and services each type of customer and category of products and services, and whose identity has to be verified for CDD purposes. (…)’
Guideline 4.7 b): We would welcome more guidance on defining when a series of one-off transactions amount to a business relationship, rather than an occasional transaction.
We note that this definition varies across jurisdictions. For instance, the Swedish Financial Supervisory Authority (SFSA) has stated that 12 transactions during a 12-month period will normally constitute a business relationship.
We would also like to draw your attention to the Joint Guidelines under Article 25 of Regulation (EU) 2015/847 on the measures payment service providers should take to detect missing or incomplete information on the payer or the payee, and the procedures they should put in place to manage a transfer of funds lacking the required information published by the Joint Committee of the European Supervisory Authorities.
More specifically we encourage the EBA to consider the excerpt that relates to Articles 5, 6 and 7 of the Wire Transfer Regulation (EU) 2015/847 and reads:
‘In order to apply rules in Articles 5, 6 and 7 of Regulation (EU) 2015/847 related to transfers of funds that do not exceed EUR 1 000, [Payment Service Providers] PSPs and [Intermediary Payment Service Providers] IPSPs should have in place policies and procedures to detect transfers of funds that appear to be linked. PSPs and IPSPs should treat transfers of funds as linked if these fund transfers are being sent:
a) from the same payment account to the same payment account, or, where the transfer is not made to or from a payment account, from the same payer to the same payee; and
b) within a reasonable, short timeframe, which should be set by the PSP in a way that is commensurate with the ML/TF risk to which their business is exposed.
PSPs and IPSPs should determine whether other scenarios might also give rise to linked transactions, and if so, reflect these in their policies and procedures.’
In light of the above, we request the EBA to clarify when a series of one-off transactions amount to a business relationship, rather than an occasional transaction.
Guideline 4.9 refers to firms carefully balancing the need for financial inclusion with the need to mitigate ML/TF risks.
We note that this is already a part of banks’ daily routine.
In this regard, we would welcome clearer guidance on where to draw the line between inclusion and financial crime prevention.
Guideline 4.10 refers to customers who do not provide traditional forms of identity documentation.
We believe that this should only be applicable to private individuals and only in exceptional cases.
To this end, we note that corporates should always be obliged to provide valid documentation.
- Guidelines 4.12 to 4.25 clarify the CDD expectations regarding the beneficial owners, in particular the use of beneficial ownership registers, new developments on how to identify the customer’s senior managing officials or the beneficial owner of a public administration or a state-owned enterprise;
Guideline 4.12 a) refers to an obligation for firms to understand the customer’s ownership and control structure by, for instance, asking customers who their beneficial owners are.
Pursuant to the existing legal framework, firms may determine who the beneficial owners are by other means. In fact, there is no requirement to determine the customer’s beneficial ownership and control structure by asking the customer.
Therefore, we would like to propose to add the following wording in the Guideline 4.12 a) [our wording underlined]:
‘Firms should ask the customer who their beneficial owners are; or ascertain the beneficial owner(s) by other means, such as external sources that could, for instance, include annual reports, third party vendors database, extract from corporate registries, self-sourced constitutional documents.’
Guideline 4.13 refers to firms using beneficial ownership registers.
We would welcome it if the EBA could encourage the development of an EU wide company register that provides verified data that can be relied upon.
This would be very helpful given that banks have to comply with many different registers that may sometimes give divergent results that have to be additionally checked. This considerably lengthens the entire process of checking beneficial owners and proves to be burdensome for the industry.
We also believe that asking the private sector to verify data entered into registers appears to be inconsistent with the FATF Recommendations 24 and 25 where, in fact, ‘countries should ensure that there is adequate, accurate and timely information’ available in the registers.
Guideline 4.15 b) refers to firms’ understanding of opaque and complex ownership and control structures.
We note that firms cannot exhaustively assess if customers’ complex/opaque ownership and control structures have a legitimate legal or economic reason.
We suggest deleting this sentence as it seems to be disproportionate.
Guideline 4.17 refers to paying particular attention to persons who may exercise ‘control through other means’.
Firstly, we ask the EBA to clarify that control through other means will only be relevant if control through ‘ownership’ or ‘control’ of shareholdings cannot be established.
Secondly, we note that these references imply that firms should exercise higher standards of due diligence, which is in contradiction with the derogations of SDD where a firm may adjust the extent, type and timing of measures applied. In our view, firms should react to risk factors identified as part of CDD measures and ask additional questions on a risk-based basis.
We propose to add the following wording in the Guideline [our wording underlined]:
‘Firms should pay particular attention to persons who may exercise ‘control through other means’ where identified, or where such information is made available to the firm as part of CDD (…).’
Guideline 4.20 refers to circumstances under which the customer’s senior managing officials should be identified as beneficial owners.
4.20 a) ‘They have exhausted all possible means for identifying the natural person who ultimately owns or controls the customer;’
Would the EBA be able to provide more guidance on what is meant by ‘exhausted all possible means’ in line with the CDD measures that firms are required to comply with as per 4.20 a)?
4.20 c) ‘They are satisfied that the reason given by the customer as to why the natural person who ultimately owns or controls the customer cannot be identified is plausible.’
We believe that the reasons do not necessarily have to be given by the customer, therefore we suggest amending Guideline 4.20 c) as follows:
“They are satisfied that the reason(s) given by the customer as to why the natural person who ultimately owns or controls the customer cannot be identified is plausible”.
Please also refer to our comment to the Guideline 4.12 in this regard.
Guideline 4.21 refers to senior managing officials who should be considered as having either ultimate or overall responsibilities for the customer.
Could the EBA please clarify whether this Guideline refers to the so-called fictitious beneficial owners?
If so, we would like to note that the European supervisory authorities have issued different interpretations on whether all members of senior management must be identified as fictitious beneficial owners, or it is sufficient to identify one. More harmonisation in this space would be welcome.
Guidelines 4.19 and 4.22 refer to identifying the beneficial owner and customer’s senior managing officials.
The draft guidelines assume that there will always be a natural person to identify as a beneficial owner (whether a true UBO through ownership/control or a senior official in their absence).
AFME members continue to find this approach problematic as in many cases private companies do not have a beneficial owner through shareholding or control and their constitutional documents contradict the notion of designating the most senior official due to responsibilities over decision making being vested with the board of directors.
In addition, we would find it helpful if a clear definition of senior managing officials could be spelled out in the EBA’s guidelines (preferably in the definitions section of the Guidelines).
This could further be accompanied by more granular detail on the type of ownership structures. For example, we would like to understand how to proceed in a situation where the most senior official may be a PEP. Please also consider that sometimes PEPs can exert very little power within the organisation, or senior managing officials will not contribute to sources of wealth or sources of funds.
We suggest revising the guidelines 4.23 and 4.25 to exempt certain customer types from the requirement to identify the senior managing official as a beneficial owner when there is no reasonable expectation to identify a beneficial owner, for example, in the case of supranational organisations, wholly state-owned entities, certain multilateral financial institutions, government agencies and sovereign wealth funds.
Guideline 4.24: We would like to make two comments in respect of Guideline 4.24. They relate to different parts of the guideline as quoted below.
1) ‘In those cases, and in particular where the risk associated with the relationship is increased, for example because the state-owned enterprise is from a country associated with high levels of corruption (…)’.
We note that corruption is embedded in the ML risk and there is no specific list of countries with high levels of corruption.
We suggest that the EBA refers to high level of ML risks rather than high levels of corruption.
2) ‘(…) firms should take risk-sensitive steps to establish that the person they have identified as the beneficial owner is properly authorised by the customer to act on the customer’s behalf.’
We would like to note that, usually, a beneficial owner has no authority to act on a customer’s behalf. Therefore, we do not understand why the beneficial owner must be properly ‘authorised by the customer to act on the customer’s behalf’.
The EBA is asked to provide more clarity on the expectations in this regard. In fact, we suggest deleting this reference as we do not see how it could be exercised in practice.
Additionally, we would suggest following a risk based approach in determining the BOs of public administrations. For low risk countries, determining the BOs of public administrations may add little value.
Guideline 4.25 refers to applying EDD measures to a senior managing official of a state owned entity who may be a PEP.
State owned entities can be low risk clients. Therefore, we believe that the impact of the proposed addendum is disproportionate to the risk that a senior managing official may pose and would add very little benefit to preventing ML risk.
It would be helpful to clarify that EDD does not need to be applied if the senior managing official is a PEP only because he/she is the senior managing official of public administrations or state owned entities. In fact, just because the customer is a PEP does not mean that they should automatically be considered as high risk and this should be determined on a risk based basis. As a reference, please refer to the Financial Conduct Authority’s (FCA) guidance on PEPs.
We think that the mandatory EDD measures should only be applied when the senior management official of public administrations and state owned enterprises is a PEP in their own right and he/she is opening accounts as a private person OR he/she is a senior managing official, UBO or a legal owner of a private legal entity.
- Guidelines 4.29 to 4.31 define the CDD expectations in non-face-to-face situations;
In relation to situations where transactions are performed in non-face-to-face situations, we would like the EBA to refer to our comment made at the beginning of our response under the section dealing with definitions. Once again, we would like to stress that video-identification should be recognised as face-to-face means of identification and, therefore, it should not trigger the performance of EDD measures.
Can the EBA reconsider the wording under the Guideline 4.30?
- Guidelines 4.32 to 4.37 deal with the use of innovative technological means to verify identity so as to promote convergence among the firms; and
Guidelines 4.32 to 4.37 refer to the use of innovative technologies.
We note that it is important that firms may choose to use electronic or documentary means to evidence their customers’ identity.
Therefore, we welcome the guidelines 4.32 to 4.37.
- Guidelines 4.38 and 4.39 set out the measures firms should take to establish the nature and the purpose of the business relationship.
Guidelines 4.38 and 4.39 set out the measures that firms should take to establish the nature and purpose of the business relationship.
We would like to note that in some circumstances it may be possible for a firm to define the acceptable purpose and nature of the business relationships from the terms and conditions and fair usage policies (as agreed with the customers).
Therefore, it would be helpful to clarify that the measures that firms should take to establish the nature and the purpose of the business relationship can also be established by other methods than just collecting this information from the customer as part of CDD.
In addition, we ask the EBA to clarify that the measures identified in the Guideline 4.38 should only be applied on a risk-based approach. For instance, firms will be able to identify low risk cases from the nature of the product e.g. mortgage payments.
We also think that the Guideline 4.38 c) ‘The value and sources of funds that will be flowing through the account’ goes beyond what is expected by regulators and the 4th and 5th AMLD (e.g. this is required for all customers regardless of risk rating) and its implementation will likely give rise to data protection issues.
We also note that understanding sources of funds is an example of EDD requirement set out in the EBA’s Guideline 10.16.
Therefore, we propose to reword the Guideline 4.38 c) as follows:
‘The anticipated value of funds used for the business relationship’.
Guideline 4.38 e) states that firms should take steps to understand ‘Whether the customer has other business relationships with other parts of the firm or its wider group, and the extent to which this affects the firm’s understanding of the customer’.
We note that in line with Directive (EU) 2015/849 and where an obliged entity is part of a group, AML/CFT policies and procedures should be implemented effectively and consistently at a group level.
Therefore, we believe that the requirement set out in the Guideline 4.38 e) should only be executed when information sharing is allowed by law and group wide policies. In addition, it should also only concern higher risk situations and international complex structures.
We note that this is also the approach taken by the Joint Money Laundering Steering Group (JMLSG) in the UK. Section 5.3.23 of the JMLSG Guidance reads (with our underlining) ‘A firm must understand the purpose and intended nature of the business relationship or transaction to assess whether the proposed business relationship is in line with the firm’s expectation and to provide the firm with a meaningful basis for ongoing monitoring. In some instances this will be self-evident, but in many cases the firm may have to obtain information in this regard. Whether, and to what extent, the customer has contact or business relationships with other parts of the firm, its business or wider group can also be relevant, especially for higher risk customers.’
Can the EBA comment?
Guideline 4.38 f) reads that firms should take steps to understand ‘What constitutes ‘normal’ behaviour for this customer or category of customers’.
The EBA is asked to clarify what ‘normal’ in this context means. Some examples would be helpful.
- Guidelines 4.46 (c) and 4.47 (b) have been amended to be in line with the AMLD5 provisions related to high-risk third countries.
Guideline 4.46 delineates a few cases that firms must always treat as high risk.
For instance, it seems that in line with the Guideline 4.46 c) all business relationships or transactions involving high risk third countries should undergo enhanced customer due diligence screening.
This prescriptive requirement set in the Enhanced Due Diligence section of the EBA’s guidance will likely create a significant increase in international firms’ high risk client base across the EU, targeting firms’ resources in a way which may not necessarily be risk-based.
In order to avoid this, this requirement should, in our view, be targeted at ‘occasional transactions’.
Hence, we request that the EBA changes the wording in paragraph 4.46 (c) to [with our underlining].
‘where a firm maintains a business relationship or carries out an occasional transaction involving high-risk third countries’.
This will clarify firms’ obligations to apply EDD requirements on a risk-based approach.
The EBA is asked to make the relevant changes throughout the entire guidelines.
- Guideline 4.48 provides a reference to the list of prominent public functions pursuant to Article 20a(3) of Directive (EU) 2015/849.
Guideline 4.48 talks about risk-sensitive policies and procedures to identify PEPs and having regard to the list of prominent public functions.
Can the EBA provide more clarification on how to adjust the list of functions in Article 3(9) of 4AMLD with regards to prominent public functions from third countries which may materially have different governmental and political structures in place e.g. level of prominence afforded to a ‘Member of Parliament’ in Europe is materially different to other countries?
- With regard to PEPs, Guideline 4.49 provides guidance to firms that use commercially available PEPs lists.
Guideline 4.49 reads that ‘Firms that use commercially available PEP lists should ensure that information on these lists is up to date and that they understand the limitations of those lists. Firms should take additional measures where necessary, for example in situations where the screening results are inconclusive or not in line with the firm’s expectations’.
It is unclear when or under what conditions screening results are to be classified as ‘inconclusive’ or what is specifically meant by the prerequisite ‘not in line with the firm’s expectations’.
We ask the EBA to either clarify the Guideline 4.49, or delete it completely as we do not understand how it can be executed in practice.
- With regard to high-risk third countries and other high risk situations, the paragraphs of the original Risk Factors Guidelines on ‘high risk third countries and other high risk situations’ (paragraphs 58 to 61) have been split into two different sub-sections; one dedicated to ‘high-risk third countries’ and the other one to ‘other high-risk situations’ so as to clarify the respecting obligations.
o Guidelines 4.53 to 4.57 set out how firms should comply with the specific EDD measures specified by the AMLD5 concerning high-risk third countries.
General comment on the high risk third countries’ section
Extra-territoriality:
We would like the EBA to align its Guidance with the 4th AMLD article 18(1) which deals with EDD measures and high risk third countries.
Article 18(1) stresses that EDD would not automatically be invoked with respect to branches or majority-owned subsidiaries of obliged entities established in the Union and located in high-risk third countries. This is in respect of situations where branches or majority-owned subsidiaries fully comply with the group-wide policies and procedures.
Can the EBA comment?
Specific comments on the high risk third countries’ section
Guideline 4.53 refers to EDD requirements and business relationships or transactions involving high risk third countries.
We request that the EBA is more precise and states that the EDD requirements in this context apply to transactions linked to clients/business relationships domiciled in high risk third countries.
Guideline 4.55 provides a list of factors that would indicate that a business relationship or transaction involves a high risk third country.
‘A business relationship or transaction always involves a high risk third country if
a) the funds were generated in a high risk third country;
b) the funds are received from a high risk third country;
c) the destination of funds is a high risk third country;
d) the firm is dealing with a natural person or legal entity resident or established in a high risk third country; or
e) the firm is dealing with a trustee established in a high risk third country or with a trust governed under the law of a high risk third country.’
This Guideline appears to be a rules based requirement, contradicting the risk-based approach.
In our understanding, any payment made directly/indirectly inbound/outbound involving a high risk third country would require treating the customer as high risk and require EDD. This will likely create a significant increase in international firms’ high risk client base across the EU, targeting firms’ resources in a way which may not necessarily be risk-based.
For this reason, we suggest changing the word ‘transaction’ to ‘occasional transaction’ to ensure that this requirement is triggered on a risk-based approach.
In addition, we would like to make another comment in respect of the Guideline 4.55 a) which reads that ‘a business relationship or transaction always involves a high risk third country if the funds were generated in a high risk third country.’
We note that financial institutions cannot always identify where funds were generated. There are situations in which financial institutions are involved in transactions between a client and a counterparty both domiciled in the EU and for which funds are generated in a high risk third country.
We suggest deleting the Guideline 4.55 a) altogether, since implementing this provision in practice is almost impossible.
We would also like to suggest rephrasing the Guidelines 4.55 d) and e) to make them more targeted and commensurate to the risk (our wording underlined).
d) the firm is dealing with a natural person or legal entity as its customer resident or established in a high risk third country; or
e) the firm is dealing with a trustee as its customer established in a high risk third country or with a trust governed under the law of a high risk third country
Guideline 4.56 relates to performing EDD measures when ‘a) the transaction passes through a high risk third country, for example because of where the intermediary payment services provider is based; or b) a customer’s beneficial owner is established in a high risk third country.’
We would like to point out that 4th MLD Article 18 (1) clearly calls out that EDD is required in situations when dealing with natural persons or legal entities established in the third countries identified by the European Commission as high-risk third countries.
When considering the duty to apply EDD under certain circumstances involving high risk third countries, we encourage the EBA to clearly set out in the Guidance what a ‘relevant transaction’ and being ‘established in’ a high risk third country means.
To this end, we encourage the EBA to take a similar approach as set out in the UK ML Regulation 33 (c)(3):
‘(b) a “relevant transaction” means a transaction in relation to which the relevant person is required to apply customer due diligence measures under regulation 27;
(c) being “established in” a country means— (i) in the case of a legal person, being incorporated in or having its principal place of business in that country, or, in the case of a financial institution or a credit institution, having its principal regulatory authority in that country; and (ii) in the case of an individual, being resident in that country, but not merely having been born in that country.”;’
Guideline 4.57 talks about maintaining close personal or professional links with a high risk third country.
We note that this information can only be obtained by ‘accident’, as it is rather impossible to obtain it via different routes.
We also do not consider that professional or personal links to high risk third countries should, in themselves, trigger EDD. We also consider that there is a clear risk that requiring firms to identify such links as part of standard CDD measures could lead to discriminatory treatment on the basis of ethnicity or nationality (including mistaken perceptions of ethnicity or nationality).
Can the EBA reconsider the ask in the Guideline 4.57?
We note that Guideline 4.58 must be updated to align with the Guideline 8.14 of the EBA’s guidelines on ML/TF risks.
We recommend using the following wording (our wording underlined):
‘Firms must take specific EDD measures where they have a cross-border correspondent relationship which involves the execution of payments with a respondent who is based in a third country’.
o Guideline 4.64(b)(ii) clarifies, as for other high-risk situations, that firms should have regard to the fact that funds from legitimate business activity may still constitute ML/TF as set out in paragraphs (3) to (5) of Article 1 of Directive (EU) 2015/849.
From our point of view, Guideline 4.64 is not in line with data protection rules.
For example, Guideline 4.64 (a) requires considering information about family members and close business partners. Having regard to data protection requirements, we suggest the guidelines to stress that such information is only relevant if the family member/close business partner is a PEP. It remains unclear to what extent past business activities of the customer and/or the beneficial owner are relevant in this context (Guideline 4.64 (b)).
We would also welcome more clarity on the EBA’s expectations set out in the Guideline 4.64(b)(ii).
- With regard to monitoring, a standalone section has been created as monitoring is an essential part of effective customer due diligence measures. Notwithstanding, the 2019 Joint Opinion on ML/TF risks in the EU’s financial sector highlights that competent authorities across the EU remain concerned by the quality of firms’ ongoing monitoring of business relationships, including transaction monitoring. For this reason, Guidelines 4.69 to 4.74 set expectations of the systems and controls firms should have in place to monitor their business relationships.
o Guidelines 4.72-4.74 are new and specify the points firms should consider to ensure that their transaction monitoring system is effective.
Guideline 4.74 refers to real-time transaction monitoring for higher-risk transactions.
We note that transaction monitoring for AML purposes monitors a number of customer behaviours and their transactions over varying time periods, normally daily, weekly and monthly. Therefore, it is not always possible to determine potentially suspicious activity from a single transaction, as this depends on the specific circumstance or scenario that has generated the alert.
When considering the potential volumes involved, the design and implementation of appropriate technical solutions for automated real time monitoring for AML purposes will be a significant undertaking for any financial institution.
There is an aspiration in the industry to have sophisticated real-time, intelligent monitoring systems that could detect and stop payments with high precision.
However, at the moment an automatic system that would halt transactions if indicators show potential suspicion could either cause harmful disruption in payment flows (if the net is too tight) or be of no use (if the net is too loose).
For this reason, the EBA is asked to consider recalibrating the expectations set in the Guideline 4.74. For instance, the Guideline could be rephrased as follows: ‘Firms may apply real time monitoring to transactions associated with higher ML/TF risks, wherever possible’.
We encourage the EBA to provide examples/clarification on the intent for performing ex-post sampling review of transactions ‘to identify trends that could inform their risk assessments’. Trends analysis, by its nature, must involve analysis of linked/series of related transactions to identify trends instead of random selections of transactions.
Question 5: Do you have any comments on the amendments to Guideline 5 on record keeping?
Please refer to our comment on record-keeping under Guideline 1.4. For ease of reference, we repeat it here.
Guideline 1.4 refers to record keeping.
We note that banks are subject to supervision from more than one national supervisor. This effectively means that different supervisors may have different views on how recording of risk assessments should be made.
We would like to ask the EBA to provide more guidance regarding the recording requirement so that firms can comply with one set of rules. This will effectively allow for more harmonisation.
In addition, we note that the text in the previous Guidance used the following wording: ‘Firms must keep their risk assessment up to date and under review’.
We think this wording is sufficiently precise and means that banks have an obligation to keep an audit trail and document the process.
It would be helpful to get further guidance on minimum record keeping requirements (e.g. when a group-wide risk assessment should be considered sufficiently granular).
Question 6: Do you have any comments on Guideline 6 on training?
According to the Guideline 6.3, firms should ensure that AML/CTF training is ‘tailored to staff and their specific roles’.
We note that most companies implement the training obligation through an online based training module.
To this end, we would like to ask for more clarity around tailoring training to staff and their specific roles.
Question 7: Do you have any comments on the amendments to Guideline 7 on reviewing effectiveness?
Guideline 7.20 reads that ‘firms should consider whether an independent review of their approach may be warranted or required’.
It would be helpful to clarify what is meant by ‘independent review’ in the context of this Guideline.
Question 8: Do you have any comments on the proposed amendments to Guideline 8 for correspondent banks?
Amendments to title III: ‘Sector specific guidelines’
21. The CP proposes to amend the sectoral Guideline 8 for correspondent banks as follows:
- The measures in Guideline 8.14 have been amended in line with article 19 of AMLD5;
- The measure in Guideline 8.17 about correspondents being required to take risk-sensitive measures has been clarified to require correspondents to ask respondents about their customers if necessary (a), to obtain senior management approval also where new risks emerge (d), to conclude an agreement setting out specific content (e); and
Guideline 8.17 e. i. – e. iv. provides guidelines on documenting the responsibilities of each institution when dealing with respondents based in non-EEA countries.
We think that it should be clarified that these requirements apply to new business relationships only.
Moreover, we think that the provided conditions may lead to frequent and unnecessary updating of the ‘terms and conditions’ used in correspondent banking relationships. We suggest that the Guideline 8.17 e. i. – e. iv. should read as follows:
Guidelines 8.17 e. i. – e. iv. are non-exhaustive examples of what can be documented in the written agreement as responsibilities of each institution.
Furthermore, we would like to understand the requirements under the Guideline 8.17 e. iii and iv. better. Do they relate to the request for information process in relation to missing payer/payee information required in the Funds Transfer Regulations and request for information required to address alerts from transaction monitoring/screening? Can the EBA comment?
- The measures in Guidelines 8.20 to 8.25 are new and set out the measures that need to be applied to respondents established in high-risk third countries and correspondent relationships involving high-risk third countries.
Guideline 8.17 c. talks about requiring correspondents to take risk-sensitive measures such as ‘on-site visits and/or sample testing to be satisfied that the respondent’s AML policies and procedures are implemented effectively.’
We believe that on-site visits and/or sample testing in this context can have implications for competition and business secrecy rules. That is why we do not think that these rules should be part of the standard CDD measures.
Guideline 8.21 refers to respondents established in high-risk third countries, and correspondent relationships involving high risk third countries. It reads that ‘correspondents should also, as part of their standard CDD measures, determine the likelihood of the respondent initiating transactions involving high-risk third countries, including because a significant proportion of the respondent’s own customers maintain relevant professional or personal links to high-risk third countries.’
We believe that determining the likelihood of the respondent initiating transactions involving high-risk third countries because a significant proportion of the respondent’s own customers maintain relevant professional or personal links with high-risk third countries would essentially lead to conducting Know Your Customer’s Customer (KYCC).
We do not consider that professional and personal links to high-risk third countries should, in themselves, trigger EDD. And we do support a risk-based approach to EDD on correspondent banking relationships that should focus on the respondent’s general risk exposure and mitigating control framework (as required by the 4th & 5th AMLD).
Therefore, we suggest that the requirement set out in the Guideline 8.21 should not be part of the standard CDD measures.
Guideline 8.23 reads ‘unless the correspondent has assessed ML/TF risk arising from the relationship with the respondent as particularly high correspondents should be able to comply with the requirements in Article 18a(1) by applying Article 13 and 19 of Directive (EU) 2015/849.’
We understand that the EBA’s view is that the specific EDD requirements for high risk third countries should apply in parallel with the specific EDD requirements for correspondent relationships. If our understanding is correct, then we do not think this is the right approach.
We believe that further guidance is required on how firms can support financial inclusion through a proportionate and risk-based approach to EDD measures for correspondent banking in relation to high risk third countries.
We consider that firms may still choose to establish a correspondent banking relationship with a respondent situated in a high risk third country by mitigating this risk through their EDD correspondent banking measures and/or through supplementary risk-based EDD measures.
Guideline 8.24 reads ‘to discharge their obligation under Article 18a (1)(c) of Directive (EU)2015/849, correspondents should apply guideline 8.17(c) c) and take care to assess the adequacy of the respondent’s policies and procedures to establish their customers’ source of funds and source of wealth and carrying out onsite visits or sample-checks, or asking the respondent to provide evidence of the legitimate origin of a particular customer’s source of wealth or source of funds, as required.’
We note that the determination of source of wealth and source of funds is only required for high risk clients, which make up a small percentage of respondent’s customers. Furthermore, non-EEA respondents are not subject to the same high risk third country measures as EU correspondents (except when FATF calls for counter measures to such jurisdiction).
We believe that focusing on source of wealth and source of funds standards in this Guideline will not be commensurate with the risk. We ask the EBA to reconsider it.
Additional comment on correspondent banking:
The EU ML Directive’s definition goes further than just correspondent banking.
Could the scope of the guidance cover other correspondent relationships, in and amongst financial institutions, and for the purposes of securities transactions (as per the 4MLD definition below in Article 3)? We would welcome guidance (similar to that of the UK JMLSG) on correspondent trading relationships and correspondent securities relationships. The guidance should also make clear that, as per FATF standards outlining the risk-based approach, there is no expectation or requirement for KYCC.
Article 3(8)(a) of Directive (EU) 2015/849 ‘correspondent relationship’ means:
(a) the provision of banking services by one bank as the correspondent to another bank as the respondent, including providing a current or other liability account and related services, such as cash management, international funds transfers, cheque clearing, payable-through accounts and foreign exchange services;
(b) the relationships between and among credit institutions and financial institutions including where similar services are provided by a correspondent institution to a respondent institution, and including relationships established for securities transactions or funds transfers;
Question 9: Do you have any comments on the proposed amendments to Guideline 9 for retail banks?
General comment:
1. We are not sure why the sector guidance for Virtual Currencies is included in the sectoral guidance for retail. We think that this section should be incorporated into the EBA’s guidelines in a separate section.
2. We recommend the EBA to provide a definition of virtual currencies in order to clarify whether this intends to capture the entire scope of crypto-assets, or a smaller subset of crypto-assets that are used for payment and that are currently widely unregulated. We recommend the EBA to consider the definitions in our proposed approach to classification of crypto-assets, which can be found in Annex A of the GFMA response to the BCBS Discussion Paper on Designing a Prudential Treatment for Crypto-assets.
3. We ask the EBA to comment as to whether virtual currencies should be aligned with the funds transfer regulations, i.e. they should include the required payee/payer information in asset transfers or when converting fiat to virtual currency or virtual currency to fiat.
Specific comments:
Regarding Guideline 9.22, we request clarification as to what would be considered as a virtual currency in the context of a “virtual currency trading platform”, “custodian wallet services”, or “arranging, advising or benefiting from ‘initial coin offerings’ (ICOs)”.
We believe this should at a minimum include those crypto-assets that currently fall outside of the regulatory perimeter. For more detail on our views on AML/CFT regulation of crypto-assets, please see the FCA Policy Statement Guidance on Crypto-assets PS19/22 and AFME response to JMLSG proposed guidance on Part II Sector 22 – cryptoasset exchange providers and custodian wallet providers published on 18 May.
Guideline 9.23 reads that ‘to ensure that the level of ML/TF risk associated with such customers is mitigated, banks should not apply simplified due diligence measures. At a minimum as part of their CDD measures, firms should
(b) In addition to verifying the identity of the customer’s beneficial owners, carry out due diligence on senior management to the extent that they are different, including consideration of any adverse information.’
We note that adverse information screening is currently performed as part of EDD measures. We suggest following the same rules in relation to virtual currencies.
Furthermore, we believe that this assessment should be done on a risk-based approach. Adverse information screening may be considered necessary for some clients but not others, e.g. if a client is listed on a regulated market and/or regulated in an equivalent jurisdiction, then we do not see value in performing such screening.
‘(e) Finding out whether businesses using ICOs in the form of virtual currencies to raise money are legitimate and, where applicable, regulated.’
We would like to understand how it can be assessed whether a business is legitimate in the context of the Guideline 9.23 e.
Question 11: Do you have any comments on the proposed amendments to Guideline 11 for money remitters?
Guideline 11.5 refers to money remitters and the factors that can contribute to increasing risk, such as:
‘c) the transaction is cash-based or funded with anonymous electronic money, including electronic money benefiting from the exemption under Article 12 of Directive (EU) 2015/849;’
We suggest adding virtual currencies in this section.
Question 12: Do you have any comments on the proposed amendments to Guideline 12 for wealth management?
We request clarification as to what is meant by ‘very high-value transactions’ under Guideline 12.4 b.
We do not understand why difficulties in ascertaining whether a customer has legitimate title to a collateral is a risk increasing factor from AML perspective. Can the EBA comment?
The following comment relates to Guideline 12.4 g.
Banks are obliged to ascertain group wide and unified AML/CFT standards. Due to this, we do not understand why depositing or managing assets in another group entity is a risk increasing factor in the context of wealth management.
In the context of Guideline 12.8 a., we would like to understand what is meant by ‘obtaining and verifying more information about clients than in standard risk situations’. What are banks’ expectations in this regard?
Question 13: Do you have any comments on the proposed amendments to Guideline 13 for trade finance providers?
Guideline 13.10 d) and g) talk about checking quality and quantity of goods, and the agreed value of goods. We would like to point out that banks do not inspect the actual goods.
We would also like to point out that banks are not in a position to determine over and under insurance in line with the Guideline 13.10 g).
It would be helpful to know that these expectations are not targeted at banks.
Question 15: Do you have any comments on the proposed amendments to Guideline 15 for investment firms?
Guideline 15.5 c) states that ‘the following factors may contribute to increasing risk’ in the context of providing or executing investment services.
‘c) The customer’s business, for example the customer’s funds are derived from business in sectors that are associated with a higher risk of financial crime, such as construction, pharmaceuticals and healthcare, the arms trade and defence, the extractive industries or public procurement.’
In our experience these industries are mainly exposed to ABC risk and will only impact risk assessment with regards to PEPs.
We also do not think that industries, such as construction, pharmaceuticals and healthcare, are associated with a higher risk of financial crime particularly in the context of Investment Management Services. Can the EBA comment?
Question 16: Do you have any comments on the proposed amendments to Guideline 16 for providers of investment funds and the definition of customer in this Guideline?
Guideline 16.17 reads ‘where a financial intermediary is based in a third country and has established a relationship similar to correspondent banking with the fund or the fund’s manager, the measures described in guidelines 16.20 and 16.21 are not applicable. In such cases, to discharge their obligations under Article 19 of the Directive (EU) 2015/849, firms should apply toward the intermediary the enhanced due diligence measures listed in Sectoral Guideline 8.14 to 8.17.’
We note that the Guideline 8.14 was updated to align with article 19 of 5AMLD which only requires EDD ‘where the correspondent relationships involves in the execution of payments’.
In the context of investment management services, Guideline 16.17 should, in our opinion, be clear that EDD is only required when it involves execution of payments, such as securities transacted on a “delivery versus payment” basis.
With regard to Guideline 16.20, we note that FATF guidance on the securities sector was very clear that when the customer is the intermediary, ‘there is no expectation, intention or requirement for the correspondent institution to conduct customer due diligence on its respondent institution’s customers.’ Can the EBA comment?
Question 20: Do you have any comments on the additional sector-specific Guideline 20 on corporate finance?
Guideline 20.3 refers to offering corporate finance services and ‘taking into account the following risk factors as potentially contributing to increased risk.’
c) where there is no evidence the customer has received a mandate or a sufficiently senior management approval to conclude the contract;
We note that this is a legal risk and not financial crime risk, therefore we propose to delete it.
Guideline 20.7 refers to EDD requirements in the context of corporate finance.
The Guideline reads ‘where the risk associated with a business relationship or an occasional transaction is increased, firms should apply EDD measures such as beneficial ownership, and in particular any links the customer might have with politically exposed persons, and the extent to which these links affect the ML/TF risk associated with the business relationship;
b) Assessments of the integrity of directors, shareholders, and other parties with significant involvement in the customer’s business and the corporate finance transaction;
We note that this information is not obtained as part of onboarding or customer review, therefore it will be impossible to make this assessment. Our suggestion is to delete it.
c) Verification of the identity of other owners or controllers of a corporate entity
Can the EBA clarify what is meant by ‘other owners’?
e) Establishing the financial situation of the corporate client;
Can the EBA clarify what is meant by ‘financial situation of the corporate client’? It is not clear how this requirement would help to mitigate financial crime risk.
g) Risk-sensitive customer due diligence checks on other parties to a financial arrangement to gain sufficient background knowledge to understand the nature of the transaction (…)’.
We agree that risk-sensitive checks on other parties to a financial arrangement to gain sufficient background knowledge to understand the nature of the transaction should be performed.
However, we suggest that the EBA should make it clear that this only involves getting an understanding of who these parties are and their role, as well as subjecting these parties to sanctions screening.
h) Firms offering corporate finance services should apply enhanced ongoing monitoring. In that regard, firms that use automated transaction monitoring should combine it with the knowledge and expertise of staff engaged in the activity. This enhanced monitoring should result in a clear understanding of why a customer undertakes a particular transaction or activity; for this purpose, firms should ensure that their staff use their knowledge of the customer, and what would be normal in the given set of circumstances, to be able to spot the unusual or potentially suspicious.
Corporate Finance is typically relationship based rather than transaction based.
This practice is delineated in JMLSG’s sectoral guidance Part II section 14.38 which reads ‘Monitoring of corporate finance activity will generally, due to the relationship-based, rather than transaction-based (in the wholesale markets sense), nature of corporate finance, be undertaken by the staff engaged in the activity, rather than through the use of electronic systems.’
Therefore, we note that EDD monitoring for Corporate Finance is typically undertaken manually by the staff engaged in the activity as part of the deal management process and not via the use of automated transaction monitoring systems.
h) i) When taking part in securities’ issuance, the firm should seek to protect its own reputation by confirming that third-parties participating in selling securitisation instruments or transactions to investors have sufficient customer due diligence arrangements of their own in place.
In our view reputational risk is not related to financial crime risk and should be managed by individual firms.