Response to consultation on effective management of ML/TF risks when providing access to financial services

1. Do you have any comments on the annex that covers NPO customers?

SUMMARY OF RECOMMENDATIONS
- We recommend that the Annex is updated to reflect the full spectrum of money laundering/terrorist financing (“ML/TF”) risk posed by different NPOs. This will empower FIs to apply a true risk-based approach (“RBA”) to NPOs and not be required to treat the sector as homogenous.
- The Annex could also be updated to address specifically the causes of undue de-risking identified by the EBA and FATF.
- We encourage Competent Authorities to implement an RBA designed to protect NPOs from terrorist financing abuse in line with FATF’s Recommendation 8.
- The EBA should clarify that the list of due diligence measures in the Annex is illustrative and neither mandatory nor comprehensive; instead, an FI can apply such measures as required to manage the risk posed by an NPO effectively, based on the FI’s customer risk assessment where higher-risk NPOs are involved.
- It would be optimal for the Supranational Risk Assessment (“SNRA”) to be updated to reflect Member State risk assessments, thereby supporting the application of simplified due diligence when NPOs pose a low risk of ML/TF.
- We welcome the examples of effective multi-stakeholder dialogue between competent authorities, FIs and NPOs highlighted in the EBA’s 2022 Opinion and encourage further engagement at the national level.
- We encourage the European Commission and Member States to undertake further assessment of the scale and causes of limiting financial access for NPOs to maximise effectiveness of corrective measures whilst minimising unintended consequences. Further assessment will also inform efforts to measure the effectiveness of measures taken to address undue de-risking of NPOs.

RECOMMENDATIONS:
A. SCALE OF DE-RISKING OF NPOs
The EBA’s 2022 Opinion (EBA/Op/2022/01) states “The scale of de-risking cannot be quantified, as no comprehensive statistics are currently available” [Footnote 1].

We encourage the European Commission and Member States to undertake further assessment of de-risking so that any proposed measures are informed by actual causes of undue de-risking to maximise effectiveness while minimising unintended consequences, and so that their impact can be measured against defined success criteria.

B. CAUSES OF DE-RISKING
The EBA Opinion identifies the following reasons for institutions’ decisions to de-risk customers [Footnote 2]. These causes are reflected in FATF’s 2021 Stocktake and other assessments, such as Germany’s 2020 assessment of terrorist financing risk in the NPO sector [Footnote 3]:

1. ML/TF RISKS EXCEED INSTITUTIONS' LEGAL AND REPUTATIONAL RISK APPETITE. FATF’s Stocktake identifies “fear of supervisory actions” and reputational concerns as relevant factors. Any automatic presumption that all NPOs are high risk, rather than permit an RBA, will exacerbate this tendency.

2. LACK OF EXPERTISE BY INSTITUTIONS IN SPECIFIC CUSTOMERS’ BUSINESS MODELS. Again, a relevant factor is the fear of supervisory action when an FI feels it cannot complete due diligence satisfactorily to meet legal and supervisory standards. As highlighted in the EBA’s Opinion [Footnote 4] this is likely true when Financial Institutions (“FIs”) deal with NPOs that have complex set-ups and/or operate across multiple jurisdictions.

3. COST OF COMPLIANCE. The EBA’s 2022 Opinion describes this cause as “where the real or expected cost of compliance exceeds profits” [Footnote 5]. FATF’s 2021 Stocktake identified that “Rules-based requirements increase inclusion barriers as FIs and DNFBPs are not willing to take on or mitigate the ML/TF risks”. Rules-based obligations can significantly increase the cost of compliance with little anti-money laundering and countering the financing of terrorism (“AML/CFT”) impact. For example, the requirement to apply mandatory enhanced due diligence measures on all customers with relevant links to high risk third countries, regardless of the level of risk posed [Footnote 6].

We stress the importance of retaining a distinction between undue de-risking and the prudent commercial decisions made by FIs balancing the cost of compliance with the AML/CFT legal and regulatory framework and residual risk against the reasonably expected value of the business when determining the viability of a relationship or product offering.

We believe that the Annex does not address these causes of undue de-risking sufficiently, for the following reasons:
- The Annex does not acknowledge the rights of an FI to set its own risk appetite consistent with the reasonable judgment of its board (cause #1).
- Although clarifying regulatory expectations by “supporting credit and financial institutions in their understanding of the specificities of prospective or existing customers who are NPOs” can help FIs better understand NPOs’ business models (cause #2), we are concerned that the Guidelines will further increase the cost of compliance due to it being insufficiently risk-based (cause #3). The Annex risks exacerbating the issue that the guidelines are seeking to remedy.
- In its Interpretive note to Recommendation 8 (“R.8”), FATF states that “A risk-based approach applying focused measures in dealing with identified threats of terrorist financing abuse to NPOs is essential given the diversity within individual national sectors”. Although the importance of the RBA is recognised by the Annex [Footnote 7], paragraph #9 states that FIs should conduct due diligence to understand bullets a-f regardless of the type of NPO or its activities, albeit with varying degrees of intensity depending on the level of risk. This can be achieved by clarifying that the list of due diligence measures in the Annex is illustrative and neither mandatory nor comprehensive; instead, an FI can apply such measures as required to manage the risk posed by an NPO effectively, based on the FI’s customer risk assessment where higher-risk NPOs are involved.

C. THE RISK-BASED APPROACH TO NPOs
FATF’s 2021 Stocktake suggests that “AML/CFT improvements can be part of the solution, along with a proper implementation of the risk-based approach”. FIs can effectively manage the risk posed by a significant proportion of NPOs within appetite without adopting all the additional (and, for the customer, invasive) measures proposed in the Annex. The adoption of an RBA, informed by a nuanced ML/TF risk assessment of the NPO sector, will improve FIs’ decision making, ensure that enhanced measures are only applied where there is high risk, and thereby minimise adverse consequences on NPOs. Likewise, a focus on identifying lower risk factors and promotion of simplified due diligence would strengthen the RBA and further financial inclusion.
We therefore encourage the EBA to consider carefully whether its draft is appropriate for the entire NPO sector or only a small percentage, as applying rules-based requirements to all NPOs will likely have an adverse effect on the Annex’s aim.

D. ASSESSING THE ML/TF RISK OF NPOS
To support both effective as well as risk-based measures to manage ML/TF risk and financial inclusion, we encourage the EBA and the Commission to produce a comprehensive and nuanced ML/TF risk assessment of the NPO sector, informed by FIUs (and, where established, public-private partnerships) as a key source of threat typologies. This assessment must be reviewed regularly considering evolving threats.
Nuanced ML/TF risk assessments are essential enablers of the RBA. We encourage the EBA and the Commission to consider FATF’s approach to the NPO sector as an example of sound practice. R.8 directs countries to apply the RBA to NPOs by moving away from a sector-wide generalisation to a more detailed assessment of the risks.
When identifying ML/TF risk, FIs are required to refer to the SNRA. Although the SNRA acknowledges there are different categories of NPOs (‘expressive’ and ‘service’), it does not provide a view of the different ML/TF risks of those categories. Instead, the SNRA assesses the risk as ‘medium’ for NPOs, except for those that receive institutional funding. This generalisation undermines the usefulness of the lower risk factors contained in the Annex. For example, although the Annex includes “the NPO’s activities and beneficiaries do not expose it to higher ML/TF risks”, neither it nor the SNRA provides information on what those lower or higher ML/TF risks may be. Although the SNRA recognises threats (complicit and exploited NPOs, infiltration, funding by external countries, funding internally for internal use, funding internally for external use, including HRTCs, countries subject to sanctions), the Annex does not address these issues.

We recommend that the EBA leverages national risk assessments to rearticulate the Annex in a way that targets the known risks. Good examples of a practical TF risk assessment are Germany’s 2020 assessment of TF risk in the NPO sector and France’s 2019 national risk assessment [Footnote 8].

E. LOW-RISK NPO ACTIVITY
As per these national risk assessments, NPOs often present lower risk; especially those that are purely domestic and engaged in limited transactional activity. It would be optimal for the lower risk posed by these NPOs to be reflected in the Guidelines and the Annex.

In its Stocktake, FATF identified that “it may be that national authorities and the private sector have been deterred by the optional status of simplified measures”. Where supervisors focus on high-risk situations, FIs may lack the confidence to assess situations as truly low risk. Perceptions of supervisory expectation can therefore dissuade FIs from applying simplified measures to NPOs. Additionally, the requirement to complete a thorough risk assessment to justify applying, and continuing to apply, simplified due diligence (especially where the SNRA assesses NPOs as other than low risk) erodes any potential operational and cost benefit of applying simplified due diligence.
We recommend that this barrier to applying simplified due diligence be addressed through clear articulation of what NPO activity is considered lower (and higher) risk and when competent authorities expect FIs to apply simplified due diligence on NPOs. This will have a direct impact on both the commercial and risk tolerance-based decision-making.

F. HIGHER RISK NPO ACTIVITY
Germany’s 2020 assessment aligns with the EBA’s 2022 Opinion of threats in the NPO sector, for example, entities posing as a legitimate NPO being used in a targeted way for purposes of terrorist financing and legitimate NPOs operating in conflict zones / zones that pose a terrorist financing risk [Footnote 9].
We recommend that the Annex is amended to require FIs to undertake reasonable measures to identify and mitigate these higher risks when they are present.

G. THE ROLE OF COMPETENT AUTHORITIES
Critically, the Annex must be part of a wider, transformative, programme of partnership between competent authorities, NPOs, and FIs that addresses all three identified causes of undue de-risking. In line with FATF R.8, authorities need to take risk-based measures “protecting NPOs from terrorist financing abuse”. As noted above, this is relevant because FIs operate and assess risk within the wider context of the level of compliance of NPOs.
The EBA’s Opinion [Footnote 10] identifies that de-risking of certain sectors is often caused by the lack of trust in the quality of AML/CFT systems and controls implemented by firms in that sector. This is true of some NPOs, as highlighted by Germany’s 2020 assessment [Footnote 11]. This concern can be reflected in FIs’ risk appetites; the level of understanding shown by an NPO about the risks that it faces, and the controls that it has implemented are important factors when FIs assess the risk exposure and commercial viability of relationships with NPOs.
We welcome the reference in the Annex to the sanctions liability FIs face when supporting the small proportion of NPOs active in sanctioned countries and regions [Footnote 12]. However, we believe that the emphasis on the FI having to “establish whether the NPO benefits from any provisions related to humanitarian aid and derogations in EU/UN financial sanctions regimes, such as humanitarian exemptions or derogations” is not as helpful as it could be; FIs can only support such activity safely when NPOs are aware of their own obligations, have an effective compliance regime and proactively and openly engage with FIs on the operational and risk management aspects of their activities.

We therefore encourage the EBA to implement an RBA designed to protect NPOs from terrorist financing abuse in line with R.8. This starts with a nuanced risk assessment which underpins competent authorities taking risk-based measures, such as capability building through training and awareness and increased monitoring of higher risk NPOs.

FOOTNOTES
[Footnote 1] EBA Opinion para #58

[Footnote 2] EBA Opinion para #51

[Footnote 3] Sectoral Risk Assessment: Terrorist financing through (abuse of) non-profit organisations in Germany: “The main (and certainly understandable) reasons for taking de-risking measures include cost-benefit considerations, risks to reputation, liability risks, the level of fines imposed by supervisory and law enforcement authorities and higher compliance costs”. [https://www.bmi.bund.de/SharedDocs/downloads/EN/publikationen/2020/sectoral-risk-assessment.pdf?__blob=publicationFile&v=5]

[Footnote 4] EBA Opinion #47

[Footnote 5] EBA Opinion para #10

[Footnote 6] Article 18a of Directive (EU) 2015/849, as amended

[Footnote 7] EBA Opinion para #9: “Not all NPOs are exposed in a similar way to ML/TF risk and firms should take risk-sensitive measures”.

[Footnote 8] “Overall, NPOs were found to be involved in terrorist financing only in a few isolated cases”. [Germany]
“There are hardly any cases of a legitimate NPO being abused to finance terrorism”. [Germany]
“Risk Rating BC/FT leads to a low level of risk for the majority of associations, but with a few areas of risk identified as high for some associations operating in sensitive sectors and geographies.” [France]

[Footnote 9] Other relevant risks include “Legitimate NPOs having to pay bribes to terrorist organisations in regions they control in order to be permitted to provide humanitarian aid”, “Use of cash makes the funding cycle of an NPO less transparent”, “Small organisations have often been involved in aid convoys in crisis regions, for instance. In connection with the aid convoys, there is a high risk that the transport of goods and persons can be used to support terrorist organisations.”, “They are reliant on local partner organisations to implement humanitarian aid projects and do not select such organisations according to strict criteria.”

[Footnote 10] Opinion para #71

[Footnote 11] “Smaller organisations tend to be less professional and have fewer permanent staff. Organisations with large numbers of short-term voluntary workers may struggle to maintain robust compliance structures. Such structures are key in reducing vulnerability.”

[Footnote 12] Annex Para #12. We also note the European Commission’s proposal for a directive containing minimum rules concerning the definition of criminal offences and penalties for the violation of EU restrictive measures.

2. Do you have any comments on the section ‘Subject matter, scope and definitions’? If you do not agree, please set out why you do not agree and if possible, provide evidence of the adverse impact provisions in this section would have.

SUMMARY OF RECOMMENDATIONS
- We recommend the EBA adopts FATF’s definition of de-risking to align with international standards and to avoid unintended consequences: “financial institutions terminating or restricting business relationships with clients or categories of clients to avoid, rather than manage, risk in line with the FATF’s risk-based approach.”

RECOMMENDATIONS
FATF’s Stocktake recognises that “The loss of access to financial services represents de-risking if it is not based on a case-by-case assessment of risk and ability to mitigate that risk”. However, the EBA’s proposed definition of ‘de-risking’ (i.e. a decision “to refuse to enter into, or to terminate, business relationships with individual customers or categories of customers associated with higher money laundering and terrorist financing (ML/TF) risk”) can cause unintended outcomes by not taking account of the reasonable grounds FIs have for exiting/declining customers or transactions to manage risk following a case-by-case assessment. Examples include:
- CUSTOMERS’ CONDUCT: Including, inter alia, customers acting willingly as money mules or defrauding the FI.
- RISK MANAGEMENT OR COMPLIANCE WITH LEGAL OBLIGATIONS: Examples include transactions that may breach relevant sanctions obligations, instances where customer due diligence cannot be completed or where there are reasonable grounds to suspect ML/TF e.g. where wire transfers do not contain all required payer/payee information. Similarly, unclear or divergent legal obligations across the jurisdictions can present FIs with regulatory risk which may fall outside of their risk appetite.
- PRUDENT COMMERCIAL DECISIONS: There is a distinction between undue de-risking and the prudent commercial decisions made by FIs balancing the cost of compliance with the AML/CFT legal and regulatory framework and the residual risk against the reasonably expected value of the business relationship/transaction. It is an appropriate and prudent business practice to consider the cost of effective risk management when determining the viability of a relationship or product offering; only in exceptional cases (e.g. vulnerable groups) should refusal be restricted by law.

3. Do you have any comments on the section titled ‘General requirements’?

SUMMARY OF RECOMMENDATIONS
- We recommend that the General Guidance acknowledges the following:
a. The principle of FIs having legitimate risk management reasons for exiting/declining individual customers on a case-by-case basis.
b. That it is appropriate and prudent business practice to consider the cost of effective risk management when determining the viability of a product offering.

- In these circumstances, it should not be necessary for FIs to consider all possible mitigating measures.

- The following measures will support FIs applying simplified due diligence on payment accounts with basic features within the meaning of Art. 16 of Directive 2014/92/EU, thereby facilitating access to banking:
a. A regulatory low-risk presumption for these payment accounts with basic features.
b. To be truly effective, this presumption could be supported by clear articulation by Member State competent authorities to FIs and supervisory authorities on access to banking being a policy priority balanced against financial crime risk.
c. Once determined, these measures could be issued by the dedicated Anti-money laundering Authority (“AMLA”) due to be established in the EU.

- Member States/supervisors could set out which forms of identification are considered independent and reliable, while permitting regulated firms to apply flexibility to maximise access to banking.

RECOMMENDATIONS PER PARAGRAPH
Please note that curly brackets {} indicate text to be stricken; text in angle brackets <> is to be added. (See attached file for tracked changes text)

PARAGRAPH #8.
In order to clarify that the list of due diligence measures in the annex is illustrative (and neither mandatory nor comprehensive) and that FIs can apply such measures as required to manage the NPO’s risk effectively, we recommend that paragraph #8 is amended as follows: “Where the customer is a not for-profit organisation (NPO), {the firms} <obliged entities may use as guidance> {should apply} the criteria set out in the annex <when performing their assessment and in accordance with the risk posed by the NPO (i.e. higher risk NPOs (only).>”

PARAGRAPH #9.
We recommend that paragraph #9 is amended as follows: “<Where the customer is an NPO, credit and financial institutions may use these criteria when they have determined that the risk posed by the NPO is high.> When assessing the risk profile of a customer or prospective customer who is an NPO for the first time, firms should ensure that they obtain a good understanding of the NPO’s governance…”

PARAGRAPH #10.
It is entirely reasonable for an FI to not provide products or services to sectors that it has taken a commercial decision not to service because the FI will not have the processes or controls to manage the risk posed by that sector. Only in exceptional cases (e.g. vulnerable groups) should refusal be restricted by law (e.g. payment accounts with basic features). We therefore recommend that paragraph #10 is amended as follows: “Credit and financial institutions should ensure that the implementation of these policies, procedures and controls should not result in the <undue/inappropriate> blanket refusal, or termination, of business relationships with entire categories of customers that they have assessed as presenting higher ML/TF risk”.

PARAGRAPH #10.
As an alternative to mandating further procedures, which does not resolve the issue, we recommend this is redrafted as follows: “As part of this, institutions should {put in place appropriate risk-sensitive policies and procedures to} ensure that their {approach to applying} customer due diligence (CDD) measures <as applied> do not result in unduly denying customers’ legitimate access to financial services”.
In the context of our comments above, we recommend that the EBA clarify that this guidance applies to payment accounts with basic features within the meaning of Art. 16 of Directive 2014/92/EU.

PARAGRAPH #11.
We recommend that paragraph #11 is amended as follows: “Credit and financial institutions should set out in their policies, procedures and controls {all} <appropriate measures/>options for mitigating higher ML/TF risk that they will consider applying before deciding to reject a customer on ML/TF risk grounds.”

PARAGRAPH #12.
With reference to our comments to Question 2 above, we have significant concerns that the General Requirements do not consider unacceptable customer conduct (e.g. money mules).
- We stress that, where an FI does not believe that it can manage the financial crime risks associated with an individual business relationship effectively – either with respect to mitigating the risk to within its risk tolerance or to manage the risk in a commercially viable manner - it would not enter or maintain that business relationship, in line with legal obligations and international standards [Footnote 1].
- In addition to ML/TF risk management, it is important to acknowledge that FIs may exit or decline individual customers due to reputational considerations that are separate and apart from legal or commercial considerations. Similarly, unclear or divergent legal obligations across the jurisdictions can present FIs with regulatory risk which may fall outside of their risk appetite.
- We therefore recommend that the General Requirements incorporate the principle of FIs having legitimate risk management reasons for exiting/declining customers on a case-by-case basis. In these circumstances, it should not be necessary for FIs to consider all possible risk-mitigating measures.

PARAGRAPH #13.
FIs already have suspicious activity reporting obligations. We stress that suspicion is situational and informed by appropriate training and awareness provided by FIs to their employees; it is not optimal for FIs to provide definitive lists of suspicious circumstances to cover subjective suspicion.
We recommend that this paragraph is amended to focus on ensuring suspicious activity-related training and awareness to address Article 14(4).

PARAGRAPH #14.
As additional guidance, we recommend that the General Requirements reference the risk of recording this information on customer records that can then be accessed by the customer; this would be inconsistent with suspicious activity reporting confidentiality requirements and prohibitions on tipping off.
In case of refusal, the person is NOT a customer to the FI and other data privacy rules apply in terms of processing/recording and deletion of personal data that potentially clash with this requirement. We recommend that this is considered further by the EBA.

PARAGRAPH #15.
Please refer to our comments on Question 1 above on the barriers to applying simplified due diligence to low risk NPOs.
To help overcome these barriers, we welcome a formal REGULATORY LOW RISK PRESUMPTION for these payment accounts with basic features [Footnote 2].

PARAGRAPH #19.
- We note that FATF’s first principle on Identification for Sustainable Development requires “countries to fulfil their obligations to provide legal identification to all residents… particularly when these are a pre-requisite for accessing basic public and private sector services, such as banking.” [Footnote 3]. FIs require legal certainty when applying exceptions relating to verifying identity, while consumers will benefit from standardisation and consistent adoption by regulated firms.
- Member States/supervisors could set out which forms of identification are considered independent and reliable when verifying the identity of residents that have credible and legitimate reasons to be unable to provide traditional forms of identity documentation while permitting regulated firms to apply flexibility to maximise access to banking.

FOOTNOTES
[Footnote 1] For example, FATF Recommendation 10: “Where the financial institution is unable to comply with the applicable requirements… (subject to appropriate modification of the extent of the measures on a risk-based approach), it should be required not to open the account, commence business relations or perform the transaction; or should be required to terminate the business relationship;” [https://www.fatf-gafi.org/content/dam/recommandations/pdf/FATF%20Recommendations%202012.pdf.coredownload.inline.pdf] Basel Committee: “The bank’s customer acceptance policy should also define circumstances under which the bank would not accept a new business relationship or would terminate an existing one” (Sound Management of Risks Relating to Money laundering and Terrorist Financing, para 33). [https://www.bis.org/bcbs/publ/d405.pdf].

[Footnote 2] See FATF’s Guidance on AML/CTF Measures and Financial Inclusion: Para #68 “Jurisdictions may consider establishing a simplified CDD regime, for specifically defined lower risk customers and products”. [https://www.fatf-gafi.org/en/publications/fatfgeneral/documents/financial-inclusion-cdd-2017.html]
[Footnote 3] Annex C [https://www.fatf-gafi.org/content/fatf-gafi/en/publications/Financialinclusionandnpoissues/Digital-identity-guidance.html]

4. Do you have any comments on the section titled ‘adjusting monitoring’?

The reference to adjusting intensity of monitoring measures aligns with current industry practice. We believe that to drive an effective AML/CFT framework, it is optimal for FIs to operate in a supervisory regime that encourages de-prioritisation of transaction monitoring (“TM”) measures that have been shown to be ineffective and do not add value for law enforcement. To be truly effective, TM must focus on threat priorities identified by law enforcement agencies and competent authorities (with risk input from the private sector). We believe such priorities would be most useful if they are sufficiently specific to pinpoint risk but remain agile enough to reflect the rapidly evolving threat landscape. Resources currently dedicated to demonstrably lower-impact TM systems can be redirected to higher-value activities, ultimately providing highly useful information to law enforcement authorities and helping to protect society and the internal market.

RECOMMENDATIONS PER PARAGRAPH

PARAGRAPH #18A.
Noting industry practice, we recommend that the EBA updates paragraph #18a to recognise that FIs commonly meet this requirement by monitoring against information provided by the customer and against expected transactional activity across groups of customers with common characteristics.

PARAGRAPH #18B.
We are concerned that this sentence does not reflect current industry practice or Article 13 of the ML Directive [Footnote 1]. We recommend that it is amended to read: “Ensuring that the <firm carries out risk-based monitoring of the transaction or business relationship> {customer’s account is reviewed regularly} to <identify> {understand whether} changes to the customer’s risk profile {are justified}”.

PARAGRAPH #19.
We are unclear why this section is under the heading of ‘Adjusting the Intensity of Monitoring Measures’; we believe it should be under ‘General Requirements’.

PARAGRAPH #19B. We recommend that paragraph #19b is amended as follows because the added criteria of working on behalf of official authorities is unduly restrictive and misaligned with local law in several Member States: “…This documentation may include expired identity documents and, where permitted under national law, documentation provided by an official authority such as social services or a well-established Not-for-Profit Organisation {working on behalf of official authorities} (e.g. Red Cross or else), which also provides assistance to this customer.”

PARAGRAPH #19D. “In cases where support for these vulnerable customers is disbursed in the form of prepaid cards and where the conditions related to simplified due diligence are met as set out in Guidelines 4.41, 9.15, 10.18 of the EBA’s ML/TF Risk Factors Guidelines, the indication that credit and financial institutions may postpone the application of initial customer due diligence measures to a later date”.
- To ensure consistency, we recommend that clarity is provided on how long the postponement of the initial customer due diligence can reasonably be.
- We believe that such postponement is only appropriate in situations where conduct of the account is satisfactory.

PARAGRAPH #19E. “In cases where such customers apply for an access to a payment account and are considered as presenting low ML/TF risks, which alternative forms of ID the institution may accept and the options for postponing the application of full CDD until after the establishment of the business relationship.”
- We welcome the EBA’s recommendation [Footnote 2] that steps are taken to clarify the interaction between AML/CFT requirements and the right to open and use a payment account with basic features.
- As mentioned in our response to Question 3, FIs require legal certainty when applying exceptions relating to verifying identity, whilst consumers will benefit from standardisation and consistent adoption by regulated firms. We therefore recommend that Member States/supervisors set out which forms of identification are considered independent and reliable, whilst permitting regulated firms to apply flexibility to maximise access to banking.
- Please also refer to our comments on applying simplified due diligence in our response to Q1, which are also relevant here.

PARAGRAPH #21.
To ensure this flexibility is not abused, we recommend amending as follows: “…In relation to ML/TF risks associated with customers who are particularly vulnerable such as refugees and homeless individuals, <that may have credible and legitimate reasons to be> unable to provide traditional forms of identity documentation, credit and financial institutions should ensure that their controls and procedures specify that possible limitations of products and service set out in paragraph 20 (b) are applied taking into consideration the personal situation of the individuals, …”

[Footnote 1] “conducting ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the obliged entity's knowledge of the customer, the business and risk profile, including where necessary the source of funds and ensuring that the documents, data or information held are kept up-to-date.”

[Footnote 2] EBA 2022 Opinion paragraph #21

5. Do you have any comments on the section titled ‘applying restrictions to services or products’?

SUMMARY OF RECOMMENDATIONS
We recommend that the EBA revisits this guidance to ensure it does not result in tension with Article 17 of the Directive 2014/92/EU and does not result in unintended consequences.

RECOMMENDATIONS
A. The suggestion that FIs impose targeted restrictions on financial products and services limits creates tension with Article 17 of the Directive 2014/92/EU:
- According to Article 17 para 1, “the services listed in points (a) to (d) of the first subparagraph shall be offered by credit institutions to the extent that they already offer them to consumers holding payment accounts other than a payment account with basic features”.
- Article 17 para 4 requires Member States to “ensure that a payment account with basic features allows consumers to execute an unlimited number of operations in relation to the services referred to in paragraph 1”.
- Similar prohibitions are transposed into national law in the EU countries. For example, Germany’s Payment Accounts Law (Zahlungskontengesetz – ZKG, section 38, para 4) prohibits the limitation of payment services associated with consumer accounts with basic functionalities.

B. We recommend that the EBA considers the following practical considerations:
- Targeted restrictions may impact customers adversely, creating unintended consequences such as: a. Displacement of financial activity to the informal economy, thereby making it harder for law enforcement authorities to trace; b. Exacerbating the problems facing NPOs, which the EBA is addressing through the proposed Annex.
- Within the constraints of current payment infrastructure there are practical difficulties in identifying and restricting transactions such as ‘payments to third countries’. For example, given increasing levels of payment disintermediation, the FI may not know that a payment is person-to-person or to a third country if the account is used to move funds to a non-bank PSP.
- It may not be possible, contractually, for FIs to impose targeted restrictions.
- We note that transactional restrictions can be circumvented by criminals opening accounts with multiple FIs, depriving any one FI of a full picture of the customer’s activities. This ultimately makes it harder for law enforcement to follow the money.

6. Do you have any comments on the section titled ‘Complaint mechanisms’?

No comments

Name of the organization

The Wolfsberg Group (TR ID744386148303-66) and Institute of International Finance