Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates


Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Requirement for place of birth for all customers

Recital 14 - Minimum requirements for the ID of natural persons in low-risk situations

Article 5 – Documents for the verification of the identity

Article 18 - Minimum requirement for the customer identification in situations of lower risk

Findings 

Recital 14 states the minimum requirements for the identification of natural persons in low-risk situations should mirror the type of information which is usually included in a passport or identity document.

Article 5 “Documents for the verification of the identity” paragraph 1 then refers to the requirement for place of birth to be included as a mandatory field in identity verification checks.

Article 5(2) then refers to situations where the customer cannot provide a document that meets the requirements in Article 5(1) for a legitimate reason: a document shall be considered equivalent to an identity document or passport if it is issued by a state or public authority and it contains a number of data points including place of birth.

The requirement for place of birth is repeated in Article 18 “Minimum requirement for the customer identification in situations of lower risk”.

Proposal

For Nordic countries, place of birth is not included on state or public authority issued Identity Cards commonly used for identification verification purposes. The AMLR and RTS requirements would mean that passports are the only acceptable form of identification for Nordic customers, placing overly burdensome requirements on banks and potential difficulties for large numbers of customers to provide the required documentation. It should be noted that passports also do not state country of birth as required by RTS Article 3.

Article 5 paragraphs 1 and 2 should therefore remove any reference to the requirement for place of birth as a mandatory identification field. Paragraph 2 should also provide examples of acceptable documentation such as National ID Cards and Driver's Licenses.

Article 18 should align with Recital 14 by referring to the type of information usually included in a passport or identity document that would not necessarily include place of birth. 

Recital 16 – re-identification and verification should not be needed, unless there are reasons to do so.

Findings

There is a requirement for customer information to remain up to date including customer identification updates for all customers on a risk-sensitive basis. The requirement refers to AMLR Article 26(2) update periods of 1 year for higher-risk customers and 5 years for all other customers.

Proposal 

Re-identification of customers, customer representatives, BOs etc. should not have to be performed within the ongoing due diligence, unless there is the occurrence of a trigger event or signs of change in relevant circumstances that would motivate such a check. Compulsory re-identification creates a disproportionate burden/customer disturbance without clear value from a risk perspective. 

Article 4 – Specification on nationalities

Findings 

Obliged entities must obtain the nationalities of customers who are natural persons and of the beneficial owners, respectively under Article 22 (1) (a) and Article 62 (1) (a). It can be difficult to identify whether a customer or a beneficial owner has several nationalities.

Further clarification would be welcomed regarding “necessary information”, and what efforts an institution needs to take to comply with this provision. The identification of several identities will to a high degree rely on customer declarations, in the absence of central registers with nationalities/citizenships, and customers might choose to disclose only one nationality. The bank cannot be held liable when a customer has not disclosed other nationality information.

Proposal

Considering the difficulty to comply with the requirement of identifying whether a customer or a beneficial owner has two or more nationalities, it should be specified that this requirement only applies if the bank has any readily available indications of multiple nationalities (to the best of their knowledge). 

In addition, due to local differences in terms of the concept of “nationality” and in order to achieve a harmonized understanding of the provision, there needs to be clarification of the definition of “nationality” as obliged entities and customers will otherwise have different interpretations. It would be less subjective if “nationality” was replaced with “citizenship”. Finally there is a concern that future risk requirements will be based on this customer measure, which may lead to unnecessary monitoring of customers and baseless discrimination against customer groups. 

Article 11 – Understanding the ownership and control structure of the customer in case of complex structures

Findings 

RTS defines an ownership and control structure as complex where there are two or more layers between the customer and the beneficial owner and in addition, one of the conditions listed in a to d, for example b) which refers to “the customer and any legal entities present at any of these layers are registered in different jurisdictions”.

Proposal

A structure with two layers between the customer and beneficial owner is common, as is for example having layers registered in different jurisdictions. Therefore rather than Article 11 paragraph 1 providing a strict definition of what is a complex structure, the list of criteria provided in a) to d) should be considered using a risk based approach to determine whether a complex ownership and control structure exists.

In addition it would be helpful for a definition of “legal arrangement” (paragraph 1a) to be provided.

Article 12 – Information on senior managing officials

Findings

Recital 10 of the RTS

“The identification of SMOs is allowed by Regulation (EU) 2024/1624 only in cases where the obliged entity has been unable to identify beneficial owners having “exhausted all possible means of identification” or where “there are doubts that the persons identified are the beneficial owners”. Finding it difficult to identify the beneficial owner, for example in cases of complex structures, does not amount to such ‘doubts’ and therefore will not provide a sufficient basis for the obliged entity to identify the SMOs instead”

Proposal

  • For the purposes of harmonized application of this provision, further guidance or examples of what could constitute “sufficient basis” would be welcomed.
  • Further guidance is needed in terms of how obliged entities are expected to act in case reasonable grounds to suspect that funds or activities are the proceeds of criminal activity, or related to terrorist financing or criminal activity, appear during the customer due diligence process. As an example, in case there are doubts whether the persons identified are the beneficial owners due to circumstances pertaining to the customer, e.g. incorrect information provided, or the customer is uncooperative, it seems counterintuitive to proceed with the customer due diligence by identifying the SMOs instead. Intuitively, the customer due diligence process should be discontinued, and all circumstances be reported to the FIU, instead of proceeding with identifying the SMOs. The same lack of clarity exists in terms of applying Article 22(2), section 3, of the AMLR and indirectly Article 12 of the RTS.

Findings 

AMLR article 22(2) second paragraph refers to where no natural persons are identified as beneficial owners, or where there are doubts that the persons identified are the beneficial owners, obliged entities shall record that no beneficial owner was identified and identify all the natural persons holding the positions of senior managing officials in the legal entity and shall verify their identity.

Proposal

We however note that there is a definition of “senior managing officials” under article 63(4) of the AMLR, but that seems to be related only to that specific paragraph. Hence consider if a general definition should be added in the AMLR, or clarify that the same definition applies also for article 22(2) of the AMLR as well as Article 12 of the RTS.

Article 13 – Identification and verification of beneficiaries of trusts and similar legal entities or arrangements

Findings 

Neither the related AMLR article 22(4) nor the RTS provides examples of “similar legal entities or arrangements”. We note that Article 58(4) of the AMLR requires Member States to notify to the Commission by 10 October 2027 a list of types of legal arrangements similar to express trusts which are governed under their law. Until this list of legal arrangements is made available to obliged entities there is a risk of different interpretations of what is a “similar legal entity or arrangement”.

Proposal

RTS to provide country specific examples of what types of entities or arrangements would be in scope. E.g. Denmark/Sweden Foreninger/Föreningar, Finland Yhdistys. 

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 15 – Identification of the purpose and intended nature of the business relationship or the occasional transactions

Findings 

RTS Article 15 refers to AMLR CDD Article 20(1)(c) – “assessing and, as appropriate, obtaining information on and understanding the purpose and intended nature of the business relationship or the occasional transactions”.

RTS Article 15(a) refers to “why the customer has chosen the obliged entities’ products and services”.

RTS Article 15(d) states that where the ML/TF risk is higher, to determine the source of wealth.

This requirement is contrary to the AMLR that states in Article 34(4) that in cases of higher risk referred to in 34(1), obliged entities shall apply enhanced due diligence measures, proportionate to the higher risks identified, which may include the following measures… c) source of funds and source of wealth.

Proposal

Article 25 of AMLR intends to supplement Article 20(1)(c) of AMLR in terms of what measures need to be taken to identify and assess “purpose and nature”. Hence article 15 of the RTS seems superfluous, and further requirements with regard to how to identify and assess purpose and nature should rather be gathered into the current article 16 of the RTS. The connection between article 15 and 16 of the RTS is currently not clear, and adds confusion rather than clarity.

In case both article 15 and 16 will be kept:

RTS Article 15(a) – Clarification is requested on whether the reference to “why the customer chose the obliged entities’ product or service” is different to “purpose and intended nature”. Further information or exemplifications are needed to better understand this provision in order to achieve a harmonized application. 

RTS Article 15(d) – Wording should be changed to align with Article 34(4) requirement that CDD measures for higher risk customers “may include” the source of wealth. 

Article 16 – Understanding the purpose and intended nature of the business relationship or the occasional transactions

Findings 

RTS Article 16 refers to AMLR Article 25, “Identification of the purpose and intended nature of a business relationship or occasional transaction”.

RTS Article 16 (a) – Refers to information on “why” the customer has chosen the obliged entities’ products or services which is difficult to understand if the meaning is different from purpose and nature.

RTS Article 16 (c) – A very long list of potential sources of funds is provided and it is unclear whether the customer needs to answer to each potential source listed. 

RTS Article 16 (d) – Requirement for information on destination of funds and types of recipient, but unclear as to whether this only refers to corporate customers or personal customers also.

RTS Article 16 (e) – Very detailed requirements are listed regarding “the business activity or the occupation of the customer” i.e. customer sector, industry, operations etc. It is however unclear for personal customers whether such information is required, or whether for personal customers there is only a requirement to gather employment status whether employed, unemployed, self-employed or retired.

Proposal 

It should be clarified whether taking risk based measures, in the introductory part of the provision, implies that the obliged entity may choose to obtain information on only some of the data points set out in (a)-(e), as types of customers may differ (such as corporates vs. individual) and not all information seems relevant or adapted to all types of customers. Having such choice would be aligned with the language of the underlying Article 25 of the RTS which specifies that the obliged entity shall obtain the data points (listed under (a) to (c) of that Article) ‘where necessary’, which means that the obliged entity shall not be always obliged to obtain all of them. Otherwise it should be clarified which information is expected for each customer type.

  • Section (a) - clarification required on meaning of wording “why”.
  • Section (c) - the customer should be allowed to provide a list of source of funds, without having to confirm yes or no to every type of potential source listed. This should be made clear in the RTS.
  • Section (d) – Clarity is required as to whether RTS is directed towards corporate or personal customers. Types of recipients for personal customers, for example, seem unnecessary.
  • Section (e) – Clarity is required as to whether RTS is directed towards corporate or personal customers. Detailed occupation types for personal customers (doctor, fireman, banker etc) seem unnecessary and a waste of resource.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 17 – Identification of Politically Exposed Persons

Findings 

Paragraph 2 refers to the requirement for automated screening tools and measures for PEP and RCAs.

Screening for RCAs is currently considered very difficult, especially considering the new requirements regarding siblings of certain PEP positions.

Proposal 

Member states to coordinate centralised lists of PEPs / RCAs so banks can apply a uniform approach to scanning requirements.

 

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 22 – Customer identification data updates in low-risk situations

Findings 

The RTS Article 22 refers to AML Article 33(1)(b) and reducing the frequency of customer identification updates in lower risk simplified due diligence situations. The RTS refers to the requirement for customer information to be up to date “within 5 years after the application date of this Regulation”. 

The 5 year limit is also aligned with AMLR Article 26(2) that refers to the period between updates of customer information not exceeding 1 year for higher risk customers and 5 years for all other customers.

Proposal 

The update of customer information has an external dependency on customers who in many situations are not quick in responding to information requests. It is therefore proposed that the RTS should refer to obliged entities requesting the required information from customers within the relevant time frames of 1 year for higher risk customers and 5 years for all other customers. 

Failure to clarify this timeline would lead to overburdensome requirements especially for higher risk customers where updates would have to commence potentially after every 9 months. There is also a risk that strict customer blocking or exit measures would be required impacting vulnerable customers and not aligned to the risk based approach. 

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 24 – Additional information on the customer and the beneficial owners

Findings 

The RTS Article 24 refers to AML Article 34(4)(a) enhanced due diligence measures in cases of higher risk, “obtaining additional information on the customer and the beneficial owners”.

The RTS 24(d) refers to - in case the obliged entity has reasonable grounds to suspect criminal activity, enable the obliged entity to obtain a more holistic view on ML/TF risks by obtaining information on family members, persons known to be a close associate or any other close business partners or associates of the customer or the beneficial owner.

Proposal 

In the circumstance that the obliged entity has reasonable grounds to suspect criminal activity, the resultant action would usually be the exit of the customer rather than additional investigations towards family members or close associates that could very likely tip off the customer. 

The proposal is therefore to remove this requirement or potentially replace with a reference to reporting the customer to the relevant FIUs where there are reasonable grounds to suspect criminal activity.

Article 26 - Additional information on the source of funds, and source of wealth of the customer and of the beneficial owners   

Findings

The provision sets out that additional information should be obtained regarding source of funds, and source of wealth of the customer and of the beneficial owners. 

Proposal

Further clarification would be welcomed in terms of the term “source of wealth” and whether that requires the obliged entity to assess the customer’s total wealth (also such assets that are not assessed to be relevant for the customer relationship), or if there is a discretion for the obliged entity to obtain information on certain parts of the customer’s wealth that is assessed to potentially impact the risk connected with the customer relationship. There might be situations where an assessment of the beneficial owner’s source of wealth seems disproportionate and too intrusive from an integrity perspective. Hence a more risk-based approach should be considered in terms of obtaining information on source of wealth of the beneficial owner.

Furthermore it should be clarified that obtaining “additional” information relates primarily to source of funds, as information on source of wealth is not required under the customer due diligence requirements of simplified due diligence measures.

General Observation of AMLR / RTS, authorised representatives and legal representatives

  • In regards to customer representatives, guardians, PoAs and similar, there is no guidance on measures obliged entities should take to understand and verify the powers granted to these authorised representatives. This is considered to be a gap in guidance for an important financial crime risk factor.
  • The term and scope of “persons purporting to act on behalf of the customer” is unclear and needs clarification. Suggestion to clarify that the scope is “persons purporting to act on behalf of the customer in connection with establishing and amending a customer relationship” as opposed to all persons employed by a customer that might be in contact with an obliged entity (e.g. a credit/financial institution) on a daily basis, which could amount to a very large number of persons.
  • The term and scope of “person on whose behalf a transaction or activity is being conducted” and “person for the benefit of whom a transaction or activity is being conducted” needs to be clarified in order to avoid divergent interpretations and application.
  • Article 22(1)(b) refers to the “names of the legal representatives” of the legal entity however no definition is provided as to who would constitute a legal representative.

 

Name of the organization

Nordea