With regard to delivery channel risk factors, a new risk factor has been added to Guideline 2.21(a)(i) in relation to a customer who is not physically present: "(…) whether the customer is physically present for identification purposes. If they are not, whether the firm considered whether there is a risk that the customer may have sought to avoid face-to-face contact deliberately for reasons other than convenience or incapacity". According to the rationale of the Guidelines, this is meant to underline the risk linked with a customer who deliberately avoids face-to-face contact. The term "customer" suggests that this provision mainly addresses situations in a business relationship with natural persons (and could therefore be moved to GL 9 for retail banks). In business relationships with legal persons/corporate entities, it may be more common that the persons entitled to act in the name of a corporate entity have no face-to-face contact with the obliged entity. Furthermore, this provision seems to contradict the contents of GL 4.29 to 4.31, which define the CDD expectations in non-face-to-face situations. In particular, GL 4.31 clarifies that the use of electronic means of identification does not in itself lead to an increased ML/TF risk, especially if these electronic means offer a high level of security within the meaning of Regulation (EU) 910/2014 (eIDAS).
A new risk factor has also been added to Guideline 2.21(f) in relation to firms using an outsourced service provider for aspects of their AML/CFT obligations. In this context, the GL state that "[w]hen assessing the risk associated with the way in which the customer obtains the products or services, firms should consider a number of factors including: (f) [t]o the extent permitted by national legislation, when the firm uses an outsourced service provider for aspects of its AML/CFT obligations, whether it has considered whether the outsourced service provider is an obliged entity, and whether it has addressed the risks set out in the EBA's Guidelines on outsourcing (EBA/GL/2019/02), where those Guidelines are applicable." Several questions arise in view of this new risk factor. For example, which aspects of AML/CFT obligations are covered by this provision, which is systematically linked to the delivery channel risk factors? (Execution of CDD measures by third parties? Updating of CDD information?) EBA should deliver concrete examples. Besides this, it is also questionable whether an outsourced service provider can be considered an obliged entity if it is not regulated by EU money laundering law but by the money laundering law of a third country. In the context of evaluating obliged entities domiciled in third countries, FATF results could serve as a basis. Furthermore, an outsourced service provider that is an obliged entity in a third country is itself not regulated by EBA's Guidelines on outsourcing (EBA/GL/2019/02). EBA should clarify whether this automatically leads to a higher risk. In the final Guidelines, EBA should also clarify how GL 2.21(f) is interconnected with GL 4.34.
According to GL 4.20(a), firms should resort to identifying the customer's senior managing officials as beneficial owners only if they have exhausted all possible means of identifying the natural person who ultimately owns or controls the customer. In order to give obliged entities flexibility and a basis for a risk-based application of this provision, lit. (a) should be amended as follows: "they have exhausted all reasonable and risk-based means of identifying the natural person who ultimately owns or controls the customer".
According to GL 4.74(a) sentence 1, firms should in any case determine which transactions they will monitor in real time and which transactions they will monitor ex post. Sentence 3 additionally states that firms should ensure that transactions associated with higher ML/TF risk are monitored in real time wherever possible. In order to align the wording of sentence 3 with the wording of Guideline 4.73, sentence 3 should be amended as follows: "Firms should ensure that transactions associated with higher ML/TF risk are monitored in real time wherever appropriate and effective, in particular where the risk associated with the business relationship is already increased." In addition, the EBA should take into account that real-time monitoring cannot be regarded as more effective than ex-post monitoring. By ascribing such significance to real-time monitoring, certain disadvantages of real-time monitoring might be disregarded. For example, treating real-time monitoring as an effective means of identifying suspicious activity implies that the obliged entity could identify all relevant factors from one single transaction. In reality, this is rarely the case. Instead, obliged entities should be encouraged to search for recurrent behaviours in transactions over time, i.e. for patterns. Patterns of activity, combined with other alerts and sources, may lead to a more complete picture of the activity and facilitate a better understanding of risk and suspicious activity. Especially in the correspondent banking business, transaction monitoring scenarios are designed to identify patterns that arise from repeated payments. This, however, requires ex-post analysis, because the obliged entity needs a transaction history.
GL 8.5(a) lists, among the factors that may contribute to reducing risk in a correspondent banking relationship, that such a "relationship" is limited to a SWIFT Risk Management Application (RMA) capability. In this context, the Guidelines define such a relationship, in which no payment account relationship exists, as a so-called "SWIFT RMA relationship". Notwithstanding the definition of correspondent banking according to Art. 3 no. 8 of Directive (EU) 2015/849, there is a widely shared interpretation in the market that the mere existence of a (perhaps many years old) SWIFT RMA agreement between two banks that is not accompanied by any account relationship cannot be qualified as a correspondent banking relationship, far less as a business relationship. In view of the application of CDD measures, it is clear that not all contractual relations of an obliged entity trigger the legal obligations of customer due diligence. The focus is on contractual relationships that – in view of the business model of the obliged entity – are related to possible ML/TF risks. In an RMA-only relationship, it is nearly impossible to initiate a transaction. The RMA only enables a bank to send an encrypted message directly to a dedicated post box. Therefore, we advocate the deletion of lit. (a) in GL 8.5.