Response to consultation on Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures
Question 1: Do you agree with the proposed provisions? If you do not agree, please explain how you think these provisions should be amended, and set out why they should be amended. Please provide evidence of the impact these provisions would have if they were maintained as drafted?
Dear Sir/Madam,
Thank you for the opportunity to comment on the EBA’s consultation on Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national sanctions. The European Savings and Retail Banking Group (ESBG) would like to provide you with the comments below, which we hope will be considered by the EBA.
As the standards, expectations, practices and enforcement actions of national competent authorities diverge widely within the EU, and as there is no uniform opinion among supervisory authorities in the different member states, we generally support this initiative to introduce harmonised standards for financial institutions and competent authorities on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures.
However, there are already numerous legal and sub-legal regulations in the sanctions field on how sanctions regulations are to be applied in practice, and financial institutions already have to deal with a large number of regulatory authorities. We fear that these additional guidelines will create a straitjacket for banks that stands in the way of effective sanctions compliance. In particular, the mixing of the separate regulations and responsibilities for the prevention of money laundering (AML) and terrorist financing (CFT) with those for financial sanctions causes great difficulties for banks. Further guidelines also cannot remove practical challenges in the implementation of financial sanctions, such as the following: sanctions regulations sometimes leave too much room for interpretation, or cannot be implemented by banks because they do not (or cannot) have the necessary information.
Although the background and rationale of this initiative are fully comprehensible, a large part of the proposed measures go (from our point of view) beyond the necessary level of harmonisation and introduce a new level of standards, the implementation of which places high demands and challenges on banks (such as a high impact on resources, personnel and IT investment).
Even where only minor changes are necessary, implementing many minor changes can also be very challenging, time-consuming and resource-intensive.
Mixing AML/CFT processes and responsibilities on the one hand with sanctions processes and responsibilities on the other hand
These guidelines are based on Article 23 of Regulation (EU) 2023/1113, which sits within the EU legal and institutional framework to combat money laundering and terrorist financing (AML/CFT) and specifically concerns the information accompanying transfers of funds and certain crypto-assets. The EBA supplements these with its own guidelines, in accordance with Article 74 of Directive 2013/36/EU, Article 11(4) of Directive (EU) 2015/2366 and Article 3(1) of Directive 2009/110/EC, to address broader issues of internal controls and risk management. These clarify how restrictive measures and the related procedures interact with the broader governance and risk management framework of financial institutions, in order to avoid operational and legal risks for financial institutions and to ensure the effective implementation of restrictive measures.
However, AML/CFT and financial sanctions are different legal regimes, both in terms of legal and procedural requirements and in terms of the processes that target the underlying structure of financial crime risk. AML and CFT require ex-post monitoring, each covers clandestine criminal activity across a variety of criminal sectors, and both include a prohibition on disclosing information; financial sanctions ("restrictive measures"), by contrast, are imposed through targeted, published legal acts that serve policy purposes (notably world peace and respect for human rights) and require ex-ante scrutiny of transactions.
Therefore, the legal regimes, processes and responsibilities for regulation differ significantly between AML/CFT and financial sanctions. While all regulatory requirements on financial institutions entail operational and financial risks, it is crucial for the effective and efficient implementation of such requirements that they are clear (and not contradictory) and administered by the same competent authority, so as to provide clear guidance in the interest of legal certainty and thus effective implementation.
The requirements should contribute to the effectiveness of sanctions compliance
Banks are already subject to very high legal requirements when it comes to sanctions compliance. In addition to the sanctions regulations, there are the EU Commission's interpretative guidance, the Council's best practices and numerous guidelines and interpretative guidance on the implementation of sanctions from the national supervisory authorities, which banks must already take into account today.
Uniform EU implementation of the sanctions regulations would be more likely to be ensured if some sanctions regulations were formulated more clearly, leaving member states less room for interpretation. As mentioned at the beginning, the concrete implementation of sanctions regulations can also be made more difficult by the fact that they require information that is not available to the banks.
These problems will not be solved by further guidance. In particular, the problem of differing interpretations by the supervisory authorities is not necessarily solved by the guidance of a further authority, which incidentally does not have greater interpretative powers.
Furthermore, the EBA's guidance should not contain any requirements that contradict or go beyond the legal requirements. However, this is the case at several points in the document, e.g. when it comes to determining the "beneficial owner", "negative news screening" for sanctions or the processing of pure payment transactions.
Additionally, we have the following comments and questions concerning specific sections of these guidelines:
Guideline 2, section 4.1.5 “Screening of transfers of funds and crypto-assets”
In connection with SEPA payments, we consider that the EBA should further clarify supervisory expectations. As far as we know, not all EU national supervisors require these payments to be screened against sanctions lists on a transaction basis; in their opinion, it is sufficient to screen the client at onboarding and at regular intervals thereafter.
The requested clarification should also cover instant payments, for which laws and recommendations seem to anticipate that no screening on a transaction basis is necessary.
Guideline 1, Section 4.2 (Conducting a restrictive measures exposure assessment), margin number 23 b. – d.
We would kindly ask for more information and guidance on whether the mentioned likelihood and impact are expected to be calculated and, if so, how they (the likelihood of non-implementation of restrictive measures, the likelihood of circumvention of restrictive measures and the impact of any breaches of restrictive measures) should be calculated, and which indicators and mitigating measures might be taken into consideration in calculating these probabilities and impacts.
Guideline 1, Section 4.2 (Conducting a restrictive measures exposure assessment), margin number 23 e. b) iii.
May we kindly ask you to provide more information on what kind of potential indicators may be used in connection with this customer risk?
Guideline 1, Section 4.2 (Conducting a restrictive measures exposure assessment), margin number 26
Could you please clarify whether this paragraph refers to an update of the risk assessment module/methodology or the performance of an ad hoc re-assessment?
Guideline 2, Section 4.1.4 (Screening the customer base), margin number 17 a. and b.
It is stated that for natural persons “the first name and surname, in the original and transliteration of such data” should be screened and for legal persons “the legal name, in original and/or transliteration of such data”. Is this to be seen as an obligation always to have both the original and the transliteration of the names of natural persons stored in the customer database? Or is it sufficient (as with legal persons) to screen the name as held in the database, irrespective of whether it is the original or the transliteration?
Based on the above, we would recommend amending the wording in paragraph 17 a. as follows: “the first name and surname, in the original and/or transliteration of such data; and”
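As an added illustration (not part of the ESBG response or of the EBA guidelines), the following Python sketch shows why the distinction between "original" and "transliterated" matters for screening: if the screening engine derives the transliterated form itself and compares every form of the customer name against every form of the list entry, holding a single form in the customer database is enough to match a list entry recorded in the other script. The transliteration table and the list entries are constructed for this example; a production engine would use a complete transliteration standard and fuzzy matching rather than the exact comparison shown here.

```python
import unicodedata

# Constructed, illustrative transliteration table for a subset of Cyrillic letters.
# A production screening engine would use a full standard (e.g. ICAO Doc 9303 or ISO 9)
# rather than this hand-written subset.
CYRILLIC_TO_LATIN = {
    "а": "a", "б": "b", "в": "v", "г": "g", "д": "d", "е": "e", "ё": "e", "ж": "zh",
    "з": "z", "и": "i", "й": "i", "к": "k", "л": "l", "м": "m", "н": "n", "о": "o",
    "п": "p", "р": "r", "с": "s", "т": "t", "у": "u", "ф": "f", "х": "kh", "ц": "ts",
    "ч": "ch", "ш": "sh", "щ": "shch", "ъ": "", "ы": "y", "ь": "", "э": "e", "ю": "yu",
    "я": "ya",
}


def normalise(name: str) -> str:
    """Case-fold, strip diacritics and collapse punctuation/whitespace, so that
    'Müller-Schmidt' and 'MULLER SCHMIDT' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name.casefold())
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    tokens = "".join(ch if ch.isalnum() else " " for ch in stripped).split()
    return " ".join(tokens)


def transliterate(name: str) -> str:
    """Map Cyrillic letters to Latin with the constructed table; other characters pass through."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in name.casefold())


def name_variants(name: str) -> set[str]:
    """Every normalised form under which a name is compared: as stored, and transliterated."""
    return {normalise(name), normalise(transliterate(name))}


# Constructed sanctions-list entries (hypothetical ids). Each entry carries a primary name
# and optional aliases, mirroring the common pattern of an original-script name plus a
# Latin transliteration; two entries deliberately carry only one script.
SANCTIONS_LIST = [
    {"id": "EX-0001", "names": ["Иван Петров", "Ivan Petrov"]},
    {"id": "EX-0002", "names": ["Aleksandr Kuznetsov"]},   # Latin form only
    {"id": "EX-0003", "names": ["Ольга Смирнова"]},        # Cyrillic form only
]


def screen(customer_name: str, sanctions_list=SANCTIONS_LIST) -> list[str]:
    """Return the ids of list entries for which any name variant equals any variant of
    the customer name. Because both sides are expanded, a customer stored only in Latin
    script still hits an entry listed only in Cyrillic, and vice versa."""
    customer_forms = name_variants(customer_name)
    hits = []
    for entry in sanctions_list:
        entry_forms: set[str] = set()
        for listed_name in entry["names"]:
            entry_forms |= name_variants(listed_name)
        if customer_forms & entry_forms:
            hits.append(entry["id"])
    return hits


if __name__ == "__main__":
    for candidate in ["Ivan Petrov", "Olga Smirnova", "Александр Кузнецов", "Ivan Petrova"]:
        print(f"{candidate!r}: {screen(candidate)}")
```

Note that "Olga Smirnova" (Latin only in the customer record) matches EX-0003 (Cyrillic only on the list) because the list side is transliterated at screening time, while the near-miss "Ivan Petrova" returns no hit under exact comparison; real engines add fuzzy matching on top of this normalisation, which is where the false-positive volume discussed later in this response comes from.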
Guideline 2, Section 4.1.4 (Screening the customer base), margin number 18
Regarding the wording “persons authorised to act on behalf of the customer”, is our understanding correct, that this only includes persons authorised to act on behalf of the customer towards the financial institution?
Could you please provide more information on the meaning of “to the extent that this information is available”? Is our understanding correct that this refers to the KYC information we are obliged to gather based on applicable AML laws and regulations or are financial institutions obliged to gather the information in 18.b. and 18.c. for all customers (although there is currently no legal obligation to do so), if this information is currently not in their customer database?
If this is to be seen as an obligation to gather further information, we would like to point out that it is currently not market standard to gather and screen the data of all “persons authorised to act on behalf of a customer” (only the persons authorised to act on behalf of a customer towards the financial institution) and of all "persons connected to the customer, such as natural and legal persons within the management or ownership structure, who may be controlling/exercising a dominant influence on the entity as defined in Article 1 of Council Regulation (EC) No 2580/2001". Under some national laws (e.g. Austrian law), it is currently also not required from an AML perspective to comprehensively gather and screen this information. Therefore, an adaptation of the respective laws would be preferable to ensure a uniform approach within the EU. We would also like to point out that obtaining the requested data is very time-consuming and that full implementation by the end of 2024 would be very difficult to achieve.
Guideline 2, Section 4.2.1 (Policies and procedures for the management and analysis of alerts), margin number 32 d)
It is stated that policies and procedures should include “different levels of review to be carried out, for example the discard of false positives approved by at least two people”. Is this to be seen as an obligation that the discard of false positives must be approved by at least two people, or is it for the financial institution to decide (based on its restrictive measures exposure assessment) whether such a four-eyes principle should be implemented for false positives and, if so, under which circumstances?
If this is a general obligation for all false positives, we would like to point out that it would have a major impact (resources and especially personnel) on banks and in our opinion, this additional effort is not proportionate to the potential risk.
Additionally, we would appreciate it if further information on the term “false positives” could be provided. Are all kinds of false positives included or only strong (complex) false positives?
Based on the above, we would recommend amending the wording as follows: “different levels of review to be carried out, for example the discard of complex false positives approved by at least two people.”
Guideline 2, Section 4.2.4 (Controls and due diligence measures to comply with sectoral restrictive measures), margin number 40
May we kindly ask you to elaborate on this paragraph? Are the mentioned requirements to be regarded as a screening obligation or is it for the financial institution to decide, how to manage the risk associated with sectoral restrictive measures and whether a screening of “place of birth” or “nationality” should be implemented?
In our view, there are other potential measures (without screening “place of birth” or “nationality”) that are more appropriate and target-oriented, for example taking “place of birth” and “nationality” into consideration when assessing compliance alerts.
Guideline 2, Section 4.2.4 (Controls and due diligence measures to comply with sectoral restrictive measures), margin number 42
We would like to know if our understanding is correct, that these are only examples of controls financial institutions may put in place, but there is no obligation to have all these examples implemented.