Primary tabs

European FinTech Association a.s.b.l.

The European FinTech Association (in the following also referred to as EFA) has no comments on the proposed changes to the definitions section of the Guidelines.
The EFA has no comments on the proposed amendments to Guideline 1.
We think that there should be further explanation in terms of the impact of tech/data has on the identification of ML/TF risk. A key factor in the identification of ML/TF has become the effective utilization of tech advancements, this needs to be considered and become a core tenet of an effective structure against ML/TF.

In addition there is a lack of focus on actually review and practical application of patterns/typologies and investigative methods. The guideline may be too basic to actually identify sophisticated financial crime.
Our recommendation is to also add further granularity and explanation on the extended data points that exist such as IP-Address, Geolocation and Device ID. In addition, there should be further clarification of what constitutes high risk activity and high risk industries in context of CDD/EDD. The focus is still too large on country-based risk, which has been not the most prevalent indicator of potential financial crime activity.

It should be clarified in the No. 4.29 et seq. that digital identifications should not per se be seen as less safe or trigger enhanced measures of due diligence. In our experience it is not correct to generally establish a preference for face-to-face identification - as is implied in No. 4.29 et seq. Giving preference to face-to-face identification leads to a discrimination of digital service providers as they do not offer face-to-face identification, i.e. they do not provide a level-playing-field. National regulators use this provision to establish stricter measures of customer due diligence for digital business models than for established service providers. We believe that there are benefits in providing services digitally - it gives people access to services remotely that they would otherwise not have had, can be easily supervised as the flow is fully transparent and online and advances cross-border services within the EU - which is in line with the priorities of the European integration. The EBA should consider at least allowing certain highly safeguarded and at the same time digitally workable identification methods such as the identification via reference transaction as not triggering enhanced measures of due diligence.
The EFA has no comments on the proposed amendments to Guideline 5.
The EFA’s recommendation is also to add unusual/suspicious behavior as this also covers internal fraud as well as all possible activity in affected firms.
Regarding the Guideline 7 EFA recommends that any effectiveness review should at best be part of the risk assessment of a firm. Independent risk assessments and effectiveness reviews do not foster a coherent and sustainable risk-based approach.

Moreover, an independent review of the effectiveness of a risk assessment approach should lie with the statutory auditor. If there is tangible evidence for a lack of effectiveness, a statutory auditor MUST identify it. The EBA should refrain from recommending independent reviews by third parties which are not statutory auditors thus weakening responsibilities of the latter.

Based on the recent Wolfsberg Paper and the overall importance of this subject this guideline should be expanded to better highlight for affected parties how effectiveness is measured. All the guidelines prior should be brought together in this one. Being effective as a firm means in our opinion to deploy the right technical foundation with the required expertise in the trained staff acting in a regulatory environment that is focusing on effective measures to prevent financial crime, which can include measures such as concrete suspicious activity reporting guidelines.

The relation of effectiveness versus regulatory obligations in these guidelines do not reflect the actual challenges of firms.
The EFA has no specific comments on the proposed amendments to Guideline 8.
Apart from the other points mentioned above, our proposed amendments here are focused on the increased risk of non-face-to-face relationships. Due to the utilization of technology in verification the ability to detect fraudulent behaviour is much higher than with traditional face-to-face identification. The key in our opinion is to highlight the necessary steps to ensure high quality non-face-to-face identification, which has to include the utilization of the digital ID and compilation of internal as well as external data points. The proposed provisions discriminate digital business models and give preference to incumbents with large networks of local branches. They are neither modern nor based on a thorough analysis of facts. Digital identifications have many benefits for the consumer, the service provider, but also for the regulator. They are fully auditable and objective, whereas a face-to-face identification is always only as safe as the person performing the identification.

In addition the biggest area of concern for financial institutions are the rise of money mules created from social engineered, stolen, faked identities. This concern is not reflected in the guideline and should be considered to be added in detail to the guideline, as this is an industry-wide effort to solve.

Further, we do not see that reliance on a third party as indicated in No. 9.1 should contribute to risk. To the contrary third party reliance is actually a measure to double the efforts in fighting money laundering. The exchange of information should be encouraged, not discouraged. At the same time third party reliance is an important measure in case of B2B cooperations between Fintechs, but also between Fintechs and banks. In particular in cross-border situations reliance plays an important role to enable business relationship as e.g. a Portuguese bank may rely on a Dutch bank for the identification of a customer. Applying local AML identification rules in these cases oftentimes does not work as people are used to their local types of identification methods.

No. 9.6 lit. a) vi) should be amended to exclude EU citizens. This provisions discriminates against the cross-border provision of services, i.e. offering of a simple bank account from a bank in one EU state to a customer in another EU state. It hinders the cross-border provision of services and therefore truly European business models. It is also not appropriate. Why should the opening of a bank account with a digital service provider in another EU member state should be considered a risk factor in a digital single market?
The EFA has no specific comments on the proposed amendments to Guideline 10.
The EFA has no specific comments on the proposed amendments to Guideline 11.
The EFA has no specific comments on the proposed amendments to Guideline 12.
The EFA has no specific comments on the proposed amendments to Guideline 13.
The EFA has no specific comments on the proposed amendments to Guideline 14.
The EFA has no specific comments on the proposed amendments to Guideline 15.
The EFA has no specific comments on Guideline 16.
The EFA has no specific comments on the proposed amendments to Guideline 17.
The EFA has no specific comments on Guideline 19.
The EFA has no specific comments on Guideline 20.
Others
European FinTech Association a.s.b.l.