Response to consultation on Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures
Question 1: Do you agree with the proposed provisions? If you do not agree, please explain how you think these provisions should be amended, and set out why they should be amended. Please provide evidence of the impact these provisions would have if they were maintained as drafted?
The EACB supports EBA's effort to establish general principles for internal arrangements that European financial institutions should adopt to comply with European and domestic restrictive measures. The draft Guidelines aim to promote a shared understanding of applicable standards across Member States, which is welcome.
However, the two draft Guidelines give rise to specific concerns that we discuss in the general comments section and in the corresponding sections below.
First, while the rationale for these guidelines is clear, the legal basis outlined in both drafts is questionable:
- The first set of guidelines refers to high-level provisions laid down in three sectoral acts (i.e. Article 74(1) CRD, Article 11(4) PSD and Article 3(1) EMD). These provisions require obliged financial institutions to have robust governance arrangements that promote sound and effective risk management. In the absence of a clearly defined general legislative mandate conferred on the EBA for the implementation of restrictive measures, none of these provisions (including further guidelines adopted under them) can in our view reasonably be construed as enabling the Authority to adopt guidelines on governance arrangements in this particular legislative domain.
- Moreover, these texts apply only to credit institutions, payment service providers and electronic money issuers. They therefore cannot constitute a sufficient ground to justify the application of the guidelines to other financial institutions required to implement restrictive measures (even though such institutions would fall within the EBA's scope of intervention under its founding regulation for certain topics, i.e. AML/FT).
- The second set of guidelines, which focuses on screening systems for transfers of funds and crypto-assets, refers to Article 23 of Regulation (EU) 2023/1113, whose scope covers only payment service providers and crypto-asset service providers. Given this narrow scope, that provision by itself is not sufficient to support a harmonised implementation of sanctions screening standards across the EU, and relying on it would not be efficient in practice. This would not only be inconsistent with the cross-sectoral dimension of restrictive measure requirements (sanctions screening may concern institutions other than PSPs and CASPs, as it is not used only when performing transfers of funds or crypto-assets) but could also distort the requirements applicable within the financial sector.
We also note that the forthcoming regulation establishing the Anti-Money Laundering Authority (AMLA) will provide a clearer and more comprehensive legal basis empowering AMLA to adopt guidelines on internal arrangements and controls for sanctions. It would therefore be advisable to wait for the transfer of competences to AMLA before initiating work on comprehensive guidelines covering the entire governance and risk management arrangements.
Last, these guidelines seem to introduce a supplementary compliance/preventive regime that does not exist, or exists only in part, in many Member States' sanctions frameworks. Indeed, in some countries, sanctions rules consist only of criminal provisions penalising intentional failure or negligence to apply the restrictive measures in force.
Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures
General provisions
Preliminary comment: As stated above, the first set of guidelines introduces internal governance rules for the implementation of restrictive measures, whereas we could not identify a requirement to implement such internal compliance arrangements in EU financial legislation (the references to the CRD, PSD and EMD being insufficient in our view). This exceeds the usual purpose of guidelines, which is to clarify and explain existing legislative frameworks. The lack of a legal basis may create uncertainty about the framework for implementation and could weaken the binding nature of the guidelines, as some financial institutions might consider that they do not have to apply them.
In addition, in our view, internal governance rules should be set out at a later stage, once substantive rules already exist, so as to ensure awareness of those rules among the key and responsible people within financial institutions. As regards the implementation of restrictive measures, the EBA is still building up a consistent and firm approach covering all relevant issues (i.e. one distinct from the European Commission's body of guidance). It would therefore be advisable to delay the adoption of this set of guidelines in order to increase their reliability and practicability for financial institutions.
Paragraph 1: We wish to highlight that the existing legal framework for restrictive measures contains no mandatory requirement for financial institutions to implement a risk-based approach and to assess the vulnerability of business areas. It would therefore be more appropriate to use a term other than "should" in this paragraph, since "should" implies an obligation.
4.1 Governance framework and the role of the management body
4.1.1 The role of the management body in its supervisory function
Paragraph 9.a.: This paragraph creates a new reporting requirement that is not substantiated by a relevant legal basis. Nor does this requirement appear to be related to existing expectations of the European Commission.
This paragraph therefore creates uncertainty for obliged entities as regards the binding force and the content of this new obligation.
4.1.2 The role of the management body in its management function
4.1.3 The role of the senior staff member in charge of compliance with restrictive measures
Paragraph 13: The draft guidelines introduce the new concept of "senior staff member" without a clear definition. As drafted, we understand that anyone who is senior could be considered a senior staff member and exercise the functions and tasks mentioned in these guidelines. We therefore believe it would be useful to define this notion precisely.
4.2 Conducting a restrictive measures exposure assessment
Paragraph 22: Same comment as for Paragraph 9.a.
In addition, this paragraph does not seem to take sufficient account of the diverse nature of restrictive measures (freezing of assets on the one hand, other sanctions such as sectoral restrictions on the other), notably as regards the actual capability of banks to prevent breaches compared with other parties/stakeholders. Banks are at the forefront of implementing asset freezes and enforcing the prohibition on making assets available to designated persons.
However, they often do not play a major part in implementing sectoral restrictions/prohibitions. For instance, in the course of their trade finance and account servicing activities, banks generally do not have sufficient information on the type of trade or commodity involved to conduct a thorough analysis and properly assess the compliance of their clients' transactions.
We therefore anticipate that this obligation may create excessive expectations of banks in detecting and preventing attempts to circumvent certain restrictive measures, which would not be in line with the European Commission's position.
Paragraph 23: In light of our comments on Paragraph 22 above, we believe that a clear definition of the term "exposure", together with clarified criteria for carrying out the assessment, would be beneficial and would enhance certainty for financial institutions.
Paragraph 25: This paragraph requires financial institutions to carry out a "retroactive screening" of their customer database and past transaction records, but does not define the criterion on which this retroactive screening is to be based. Is the trigger the entry into force of the restrictive measure? If so, we believe that the example given in the second sentence is not suitable: financial institutions cannot reasonably suspect that their previous screening system was inadequate or ineffective when the person concerned was not sanctioned at that time.
Paragraph 29: It seems difficult at this stage to require a common methodology for restrictive measures exposure assessments, because such assessments are new and banks were not previously required to document them separately from their overall financial security risk assessment. Given the lack of past experience, we think that a common methodology is premature.
Additionally, requiring the parent entities of groups to impose a common methodology on the entire group may not be practicable in decentralised cooperative groups, especially where organisational principles provide that operational compliance matters are addressed at local or sub-consolidated level.
4.3 Effective restrictive measures policies and procedures
4.4 Training
Paragraph 32: It would be appropriate to distinguish the nature and the scope of the restrictive measures (See our comment under paragraph 22 above).
Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures under Regulation (EU) 2023/1113
4.1 Restrictive measures screening
4.1.1 Choice of screening system
As a general comment on this section, we think that screening systems are not the only tool available to banks to comply with applicable restrictive measures. It could be useful to specify that other due diligence measures, which banks deem appropriate to ensure compliance with restrictive measures, should also be implemented.
4.1.3 Defining the set of data to be screened
Paragraph 13: The screening solution may have been built in such a way that a white-list entry automatically stops applying if the white-listed person is designated or if the customer information has changed. In that case the suggested review would be unnecessary. We suggest that the wording of the paragraph be modified and replaced by the following:
"Once a new restrictive measure is published, a restrictive measures-related list is amended, or if the customer information has changed, PSPs and CASPs should immediately ensure that persons on the ‘white list’ are not designated."
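The mechanism referred to above, a white list that lapses on its own when the underlying data changes, as an added illustration that is not part of the EACB response or of the EBA draft guidelines. Each suppression is bound to a digest of the customer's identifying data and of the list entry it was approved against, so it no longer applies when either record changes or when the same name appears under a new designation. The record layout, identifiers and names are constructed for illustration and are not real designations.

```python
"""Self-invalidating false-positive suppression ('white list') for screening alerts.

Added example, not part of the EACB response or of the EBA draft guidelines.
Record fields, identifiers and names are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass


def fingerprint(record: dict) -> str:
    """Stable digest of a record: key order and whitespace must not matter."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Suppression:
    customer_id: str
    customer_fp: str     # digest of the customer's identifying data at approval time
    list_entry_id: str   # identifier of the list entry the alert was raised against
    list_entry_fp: str   # digest of that list entry's content at approval time
    approved_by: str


class WhiteList:
    """Suppressions are keyed by (customer, list entry) and checked by fingerprint."""

    def __init__(self) -> None:
        self._entries: dict[tuple[str, str], Suppression] = {}

    def approve(self, customer: dict, list_entry: dict, approved_by: str) -> Suppression:
        """Record that an analyst confirmed this customer is not this listed person."""
        s = Suppression(customer["id"], fingerprint(customer),
                        list_entry["id"], fingerprint(list_entry), approved_by)
        self._entries[(s.customer_id, s.list_entry_id)] = s
        return s

    def is_suppressed(self, customer: dict, list_entry: dict) -> bool:
        """True only while both records are exactly what the analyst approved."""
        s = self._entries.get((customer["id"], list_entry["id"]))
        if s is None:
            return False  # never approved, or a new list entry for the same name
        return (s.customer_fp == fingerprint(customer)
                and s.list_entry_fp == fingerprint(list_entry))

    def stale(self, customers: dict, list_entries: dict) -> list:
        """Suppressions that no longer apply because a record changed or disappeared."""
        out = []
        for (cid, lid), s in self._entries.items():
            c, e = customers.get(cid), list_entries.get(lid)
            if c is None or e is None or not self.is_suppressed(c, e):
                out.append(s)
        return out


if __name__ == "__main__":
    # Constructed sample records (hypothetical customer and list entry).
    customer = {"id": "C-1001", "name": "Ivan Petrov", "dob": "1970-01-01"}
    entry = {"id": "L-0001", "name": "Ivan Petrov", "aliases": []}
    wl = WhiteList()
    wl.approve(customer, entry, approved_by="analyst-7")
    print(wl.is_suppressed(customer, entry))                                # True
    print(wl.is_suppressed({**customer, "dob": "1971-01-01"}, entry))       # False: customer data changed
    print(wl.is_suppressed(customer, {**entry, "aliases": ["I. Petrov"]}))  # False: list entry amended
```

Because the check recomputes both digests at screening time, an amended list entry, a changed customer record or a fresh designation under a new identifier all cause the alert to be raised again without any scheduled review of the white list; `stale()` only serves to report entries that have lapsed.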
4.1.5 Screening of transfers of funds and crypto-assets
Paragraph 21: PSPs and CASPs should screen all parties to transfers of funds or crypto-assets against the restrictive measures-related lists. Intermediary PSPs and CASPs should pay special attention in their restrictive measures exposure assessment to the soundness and reliability of the restrictive measures policies and procedures put in place by PSPs and CASPs they are doing business with to ensure compliance with restrictive measures.
Paragraph 22: Regarding point a. (the identifying data of the payer/originator and the payee/beneficiary stipulated in Articles 4 and 14 of Regulation (EU) 2023/1113), we wish to highlight that this should take account of the forthcoming proposal for a Regulation amending Regulations (EU) No 260/2012 and (EU) 2021/1230 as regards instant credit transfers in euro, which sets a requirement not to screen the payer/payee.
Paragraph 22.b: Among the details to be screened, the EBA guidelines include the purpose of the transfer of funds or crypto-assets. However, this information is not always present in payment messages. It would be appropriate to specify that this information should be screened only when it is provided.
4.1.6 Calibration
Paragraph 25: We think it would be helpful to define the term "alert quality" more precisely in this paragraph, as it can be understood in different ways and it is therefore unclear how it should be measured.
Paragraph 25: We also think it would be helpful to define the term "true positive" more precisely. If "true positive" refers to a case that investigators have examined and found to be a true match, then checking the percentage of true positive results at different matching percentages (thresholds) is not a feasible expectation in practice.
Indeed, the likelihood of observing a true match is typically very small, and the different thresholds must be tested before they are implemented to ensure that the change does not cause designated persons, entities and bodies to go undetected. For a candidate threshold above the currently used threshold, the true positive percentage can be calculated from real alert data, since every alert the higher threshold would raise has already been raised and investigated under the current one.
However, calculating the true positive percentage for a threshold below the currently used threshold is very difficult, because no real alert data is available for matches that the current threshold never surfaced.
The suggested obligation to use the true positive percentage as the guiding measure for determining the correct threshold would mean that, in order to obtain a reliable and representative sample of true matches while testing thresholds, PSPs and CASPs would need to manually investigate a very large number of alerts. This is very laborious and would not yield the best results, as tuning the screening on real alert data could lead to a system that is "overfitted" to the PSP's or CASP's own data. There are more feasible ways of determining the best matching threshold. Instead of using the percentage of true positives, one could test how the system captures a large population of exact names and deliberately manipulated versions of those names, and set the thresholds based on those results, which should maximise the percentage of true positives.
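The alternative calibration approach described above, as an added worked example that is not part of the EACB response or of the EBA draft guidelines: a set of listed names is expanded into deliberately manipulated variants (reordered tokens, a dropped, transposed or doubled character, added diacritics, removed spaces) and a set of look-alike decoy names, and every candidate threshold is scored on how many variants it still catches and how many decoys it wrongly alerts on. The matcher (a token-sorted, diacritic-stripped `difflib.SequenceMatcher` ratio), the threshold grid and all names are constructed for illustration; they are not real designations and do not represent any vendor's algorithm.

```python
"""Threshold calibration for a fuzzy name matcher on a constructed test set.

Added example, not part of the EACB response or of the EBA draft guidelines.
The matcher and all names below are constructed for illustration only.
"""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample: listed names and non-listed names that resemble them.
LISTED = ["Ivan Petrov", "Acme Trading Holdings", "Maria Fernanda Lopez"]
DECOYS = ["Iva Petersen", "Acme Travel Ltd", "Mario Lopez Garcia", "Jan Novak"]
THRESHOLDS = [round(0.60 + 0.05 * k, 2) for k in range(8)]   # 0.60 .. 0.95


def normalise(name: str) -> str:
    """Strip diacritics, casefold, keep alphanumerics, sort tokens (order-insensitive)."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(sorted(re.findall(r"[a-z0-9]+", plain.casefold())))


def score(candidate: str, listed: str) -> float:
    """Similarity in [0, 1]; 1.0 means identical after normalisation."""
    return SequenceMatcher(None, normalise(candidate), normalise(listed)).ratio()


def manipulate(name: str) -> list:
    """Deterministic variants mimicking data-entry errors and simple evasion."""
    tokens = name.split()
    t = max(tokens, key=len)          # mutate the longest token (all are >= 4 chars here)
    i = len(t) // 2

    def sub(new: str) -> str:
        return " ".join(new if tok == t else tok for tok in tokens)

    return [
        name,                                        # exact
        " ".join(reversed(tokens)),                  # token order changed
        sub(t[:i] + t[i + 1:]),                      # one character dropped
        sub(t[:i] + t[i + 1] + t[i] + t[i + 2:]),    # adjacent characters transposed
        sub(t[:i] + t[i] + t[i:]),                   # one character doubled
        sub(t.replace("e", "é").replace("o", "ö")),  # diacritics added
        name.replace(" ", ""),                       # spaces removed
    ]


def evaluate(threshold: float, listed=LISTED, decoys=DECOYS) -> dict:
    """Recall over manipulated listed names and alert rate over decoys at one threshold."""
    variants = [(v, name) for name in listed for v in manipulate(name)]
    caught = sum(score(v, name) >= threshold for v, name in variants)
    alerted = sum(max(score(d, name) for name in listed) >= threshold for d in decoys)
    return {"threshold": threshold,
            "variant_recall": caught / len(variants),
            "decoy_alert_rate": alerted / len(decoys)}


def sweep(thresholds=THRESHOLDS) -> list:
    """Score every candidate threshold on the same synthetic population."""
    return [evaluate(t) for t in thresholds]


def choose_threshold(results: list, target_recall: float = 0.9):
    """Highest threshold that still catches the required share of variants, or None."""
    ok = [r for r in results if r["variant_recall"] >= target_recall]
    return max(ok, key=lambda r: r["threshold"]) if ok else None


if __name__ == "__main__":
    results = sweep()
    for r in results:
        print(f"{r['threshold']:.2f}  recall={r['variant_recall']:.2f}  "
              f"decoy_alerts={r['decoy_alert_rate']:.2f}")
    print("chosen:", choose_threshold(results))
```

Because the population of variants is generated rather than drawn from production alerts, it exercises thresholds both above and below the one currently in use, and no analyst has to adjudicate a single alert to obtain the recall figure; the decoy set is what keeps the chosen threshold from being driven to a value that alerts on everything.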
4.2.2 Due diligence measures for alert analysis
Paragraph 35: The wording leaves uncertainty as to whom ("to person") one should refrain from providing financial services. In customer screening the meaning is clear (the person who is the target of the alert), but in transaction alerts more than one person is involved.
4.3 Freezing and reporting measures
4.3.1 Suspending the execution of transfers of funds or crypto-assets and freezing funds or crypto-assets
Paragraph 47: We think it would be helpful to define the word "freeze" more precisely in this paragraph and to clarify whether it is also covered by the definition of "restrictive measures".