Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates


Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

An initial general reflection is that although the RTS prescribes which data points should be included in the risk assessment of operators, it is left to the respective national supervisory authority to decide how this information should be collected. Finance Sweden understands that national supervisory authorities have the possibility to collect additional information. This means that there will not be harmonised reporting in the EU, and thus one of the major benefits of the AML package – harmonised reporting – will be lost for cross-border institutions.

How is AMLA going to ensure that all national information collection in support of the risk assessment is equivalent and harmonised? The proposed RTS has not taken into account the need for data minimisation and avoidance of double reporting. 

Finance Sweden sees a need for obliged entities to provide additional information when submitting information in accordance with the annex, especially regarding information on internal controls (governance structure). However, the RTS does not leave any room for such communication.

An alternative to the suggested data collection is that the information included in the activity report in the EBA Guidelines (EBA/GL/2022/05) should form the basis for the upcoming new periodic reporting. This information should be accessible to most operators and should also adequately reflect the relevant risks.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

Article 2, paragraph 5, states that with high risk you have an inherent risk score between 3.25 and 4.

Article 3, paragraph 6, states that with a very good control environment you are awarded a score between 1 and 1.75.

Article 4, paragraph 2, states that the residual risk score shall be the average score of the inherent risk score added to the control environment score (unless the control environment score is higher than the inherent risk score, in which case the residual risk score is the same as the inherent risk score).

This means, according to Article 4, paragraph 3, that it is mathematically impossible to reduce a high inherent risk to a low residual risk regardless of how good the control environment is. It is also impossible to reduce a substantial inherent risk to a low residual risk. See example below.

Example 1: If you have a high inherent risk that gives 4 points but at the same time have a completely satisfactory control environment that gives 1 point, you will land on 2.5 residual risk points. This means that you will still land on the next highest residual risk. (In practice, there are certainly few supervised entities that will land on an inherent risk of 4 points, but the control environment will certainly not in practice render 1 point either).

Example 2: Even if you land in the lower range of high risk and get 3.25 points for inherent risk but still have an outstanding control environment that gives 1 point, you will still land on 2.125 residual risk points, which therefore gives a medium residual risk.

Example 3: In the case where you still manage to avoid being assessed as having a high inherent risk, and instead land in the lower range of the second highest risk level and receive 2.5 points in inherent risk, while having an outstanding control environment that gives 1 point, the residual risk will only be able to be reduced to medium. This is because the object will land at 1.75 residual risk points.

This will be a disadvantage for larger banks.

 

Art 4 - Problem Statement for the RTS – Residual Risk Quantification Method under 4.2

Residual risk is defined in ISO 31000 as “risk remaining after risk treatment”. Residual risk is also defined in the FATF guidance as:

“Residual risks are ML/TF risks that remain after AML/CFT systems and controls are applied to address inherent risks.”

Thus, residual risk according to the ISO 31000 and the FATF guidance:

  • Residual risk score - Inherent risk score x Control effectiveness

Which can be expressed mathematically as:

  • Residual risk score = Inherent risk score x  Control effectiveness

 

Which can be simplified mathematically as:

  • Residual risk score = Inherent risk score x (1 - Control effectiveness)

    R = I x (1 - C)

Where

  • Inherent risk increases with increasing score (i.e. from 0 to 4 or 1-4 depending on the interpretation as the RTS proposed)
  • Control effectiveness increases with increasing score (Control effectiveness can be scaled as from 0 to 1 with two decimals which represents %-scale from 0% to 100%)
  • And residual risk increases with increasing inherent risk and decreasing control effectiveness (i.e. from 0 to 4 as the RTS proposed)

 

For example, according to the literal residual risk definition above, if I: 4 and C: 75%, then:

R = I x (1 - C)

R = 4 x (1 - 0.75) = 1

However, the proposed residual risk quantification in the RTS is as below:

  • If Control quality score > Inherent risk score, then
  • Residual risk score = Inherent risk score
  • R = I

  • If Control quality score ≤ Inherent risk score, then
  • Residual risk score = (Inherent risk score + Control quality score) / 2
  • R = (I + C) / 2

where

  • Inherent risk increases with increasing score
  • and Control effectiveness increases with decreasing score (i.e. from 4 to 0 with decimals)

For example, according to the RTS residual risk proposal above, if I: 4 and C: 1, then

  • R = (I + C) / 2
  • R = (4 + 1) / 2 = 2.5

The size of the residual risk result in the example above (2.5) corresponds to 62.5% of the inherent risk score (2.5 divided by 4). However, the Control effectiveness score in the example above (C: 1) is in the 75th percentile in the 4-0 scale.

The proposed Residual risk in the RTS is some kind of average of “Inherent risk score” and “Control score” rather than representing how much risk is remaining after the applied controls. 

The proposed residual risk quantification in the RTS contradicts the literal meaning of “residual/remaining risk”.

The RTS residual risk proposal is difficult to interpret from a prioritization and risk-based approach perspective for supervisory authorities, the boards of financial institutions and the responsible business unit which is supposed to prioritize the mitigating measures.

Conclusion

From a risk-based approach standpoint, the percentage-effectiveness formula (Residual = Inherent x (1 - C)) is the only one that satisfies all mathematical and conceptual requirements for measuring residual/remaining risk compared to the RTS proposal. The RTS rule is a useful heuristic when firms or supervisors lack mature metrics, but it:

  • blurs the link between control quality and residual exposure,

  • impedes like-for-like comparison across entities and time.

If the policy goal is to allocate supervisory attention and industry investment exactly where the unmitigated risk still sits, regulators should converge on the percentage-based model, with robust guidance on how to quantify control effectiveness.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

A factor that will drive costs is if the data points in the reporting keep changing from year to year. That will be an obstacle to building an efficient structure for reporting.

Also, some of the points will need a better definition, so it's clear exactly what is meant.

Section A

Customers/Number of PEPs related to business relationships (including family members and close associates) by country – It needs to be clarified what the “country scope” is for this question. Is it the number of PEP relationships per country in which the obliged entity operates, or does “country” indicate the homeland of the PEP?

Customers/Numbers of customers with at least one transaction in the previous year – Does “transaction” refer only to transactions initiated by the customer?

Customer/Number of walk-in customers – Please define “walk-in customer”.

Customer/Number of customers with requests from FIU whose matter or nature of the request is linked with AML/CFT – Why is the question limited to requests from the FIU? Law enforcement authorities make requests as well; why are those not of interest? And why is it of no interest how many customers the obliged entity has reported to the FIU?

ProductsServicesTransactions/Payment Account – Please define “payment account”.

ProductsServicesTransactions/Lending – The section is very concise and doesn't take into account services such as leasing and factoring. Also, it doesn't distinguish between private and corporate lending.

ProductsServicesTransactions/Lending – Please define “repayment”.

ProductsServicesTransactions/InvestServicesActivites/-reception and transmission of orders/Number of retail clients – Please define “client”. Is this something other than “customer”? If not, the same terminology should be used throughout.

ProductsServicesTransactions/InvestServicesActivites/-reception and transmission of orders – Are funds included in the scope?

ProductsServicesTransactions/InvestServicesActivites/-reception and transmission of orders/Number of professional clients – Please define “professional”.

ProductsServicesTransactions/CorrespondentServices – The definition and interpretation of “respondent” need to be set uniformly. Also, these data points will be hard to retrieve.

Section B

AML/CFTGovernanceStructure/1EAML/CFTTraining/average number of hours of AML training in the last year attended by – Why is the average hours of training significant? It is a data point that is very hard to measure, since AML/CFT training can be integrated with training regarding other topics.

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

Finance Sweden observes that the same flaw in the methodology that is described above regarding art 4 in the draft RTS under art. 40(2) is incorporated here.

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

General remarks

Finance Sweden is grateful for the opportunity to contribute to a robust, risk-based and efficient AML/CFT legislation through the consultation on the draft Regulatory Technical Standards (RTS) under the new AML package.

We appreciate the intention to create a harmonised legal landscape and a “Single Rule Book”. However, we believe that several provisions in the draft RTS lack sufficient proportionality and risk-based nuance. Requirements such as collecting detailed data on intermediate entities in a structure for parties with whom there is no business relationship, extensive documentation obligations in non-face-to-face onboarding, or exact information on addresses and country of birth, without regard to the risks, impose a significant burden on the obliged entities. Far worse, it will also have negative consequences for the customers in the form of slower processes, higher costs and financial exclusion.

If adopted as currently drafted, the lack of flexibility will lead to disproportionate compliance costs, unnecessary customer outreach, and delays in onboarding, with limited corresponding risk-mitigating effect. 

We therefore recommend incorporating clearer references to the risk-based approach, allowing obliged entities to tailor measures to actual risk exposure, particularly in instances where the current RTS wording appears to go above and beyond the Level 1 text. Without such clarification, implementation will involve disproportionate costs and operational challenges with limited added value for AML/CFT effectiveness. 

When the AML/CFT regulation turns to a more rule-based than risk-based approach, EBA needs to provide guidance on how to act in situations where all compulsory data points in the KYC process can't be obtained.

Rec 7 - The wording “legitimate customer” raises the question of what a “legitimate customer” is, and whether there are also “illegitimate customers”. What EBA seems to want to express is that there may be legitimate reasons for a person to lack ID documents. We suggest that the word “legitimate” be deleted, to avoid confusion.

EBA should also clarify who can be considered to have legitimate reasons for lacking ID documents. We assume that refugees are in scope. Could it be groups other than refugees? If the intent is that the obliged entity should make its own risk-based assessment, this should be clearly stated.

Rec 16 - Regarding the requirement for “customer identification updates”, there is no need to formally re-identify an already identified customer/beneficial owner/representative once again, i.e. check the person’s ID documents, unless there are indications that the person is not who she/he claims to be or has used forged or stolen ID documents. When a customer changes identity (this is rare but happens!) a re-identification is necessary.

But regularly carrying out a specific re-identification activity on each customer is merely a resource-intensive “check-box compliance activity” that does not lead to better risk management. It is simply not risk-based and proportionate to re-identify all customers in order to find those who use false identities. It should be noted that in order for a bank to be able to allow a person to carry out an activity or transaction, either as a customer or as a representative of a customer, it needs to identify the person for civil law reasons to ensure that the customer is who they claim to be and so that the bank pays with acquittal effect, regardless of whether the contact with the bank takes place in a physical meeting or remotely. In practice, the customer or representative is re-identified at every contact with the bank.

A formal re-identification activity would have negative consequences for customers who will have difficulties in this respect, typically old persons suffering from conditions like dementia that prevent them from acquiring new identity documents when their old ones are out of date. The RTS doesn't state a remote identification procedure that will work for this customer group. If the requirement stands, it will lead to the off-boarding of a number of customers, without achieving better risk management.

Art 1 - AMLR art. 22(1) states that obliged entities shall obtain specific information to identify “the customer, any person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted”. Art. 1(1) of the draft RTS cites AMLR art. 22(1) but then only speaks of “the customer”, without mentioning the other persons. Is this a mistake or is this how EBA intends the RTS to be applied?

Art 2 - AMLR art 22 (1) (iv) states that the information to be collected is “the usual place of residence or, if there is no fixed residential address with legitimate residence in the Union, the postal address at which the natural person can be reached”. The draft RTS has narrowed this down to include only “street name”, and Finance Sweden questions whether EBA really has the mandate to limit AMLR art 22 in that way. Such a limitation entails the financial exclusion of all persons who do not have a street address. Box addresses are quite common in Sweden, especially in rural areas, without this necessarily indicating any higher risk. Homeless persons are referred to box addresses, c/o addresses or poste restante addresses. Persons with protected identities have a box address at the Swedish Tax Agency. It cannot be the EBA's intention to jeopardise these customer groups’ access to a bank account.

If the requirement to obtain street address information remains, the requirement should be applied on a risk-based basis. For a customer who does not have a street address, for example for the reasons stated above, it should therefore be acceptable to provide a PO Box address when the bank assesses that the address information is reasonable and the overall customer knowledge is otherwise sufficient to manage the risk of money laundering and terrorist financing and to monitor the customer's activities and transactions. 

The draft RTS doesn't deal with the emerging trend of digital addresses and digital mailboxes.

Art 3 - The draft RTS states that the concept of “place of birth” in AMLR art 22 (1) (a) p (ii) shall consist of both information about the city of birth and the country of birth. This is an extension of the requirement in AMLR, and Finance Sweden questions whether it is truly covered by EBA’s mandate. By prescribing more far-reaching requirements than AMLR, EBA is driving financial exclusion.

City of birth and country of birth are not information that appears on Swedish ID documents: the passport contains “homeplace of birth” (which is the place where the person's mother was living when the person was born – which is not necessarily the same place as the place where the person was born), but not country of birth. National ID cards and driving licenses do not contain any of the information. Hence there can be no expectation from supervisory authorities that this information is verified.

Art 4 - The concept of "nationality" is already a subject of discussion and the understanding of what is meant differs. The obvious interpretation is that it is information about citizenship that is required, and this should be clarified in the RTS; otherwise, there will be no harmonisation in this area.

If a person has citizenship in more than one country, this is not stated in her/his identity documents. The only way to obtain information about other citizenships is to ask the customer. If the customer chooses not to disclose that the customer has multiple citizenships, the information cannot be found through other sources. There are no national or global registers of citizenship. Nor are so-called adverse media searches of any great help. Finance Sweden therefore questions the purpose of Article 4. The wording "obtain the necessary information to satisfy themselves that they know of any other nationalities" suggests an expectation of more measures than simply relying on information from the customer. However, no such measures exist. Instead, there is a risk that the article drives financial exclusion and discrimination in cases where the customer has, for example, a name, an accent or an appearance that could indicate that the person has such contacts with another country that could constitute citizenship.

It would also be of help if EBA could elaborate on what risk information about nationality is supposed to mitigate.

Art 5 and rec 14 - The recital states that the minimum requirements for identifying persons in a low-risk situation should reflect the information that is usually found in passports or other ID documents. Article 5 specifies what a document must contain to be considered equivalent to a passport or an ID document. It is noted that the list in Article 5(1) requires that the document must contain more information than Swedish passports and ID documents do. This will drive financial exclusion, since many of those who lack ID documents also do not have documents that meet the requirements to be equivalent documents, not even documents that meet the requirements in Article 5(2). With today's regulations, it may be possible, based on risk, to open an account for such a person anyway, if the person can present sufficient information and documentation to ensure a sufficiently secure identification can be made according to the bank's own risk-based assessment, something that will not be possible in the future if the proposal for RTS remains.

It must also be pointed out that many of the persons who lack proper ID documents are not associated with low risk. With this proposed RTS, they will be excluded from financial services.

Art 5(1)g – Finance Sweden questions the requirement for biometric data. Is it intended solely as a security function or are obliged entities expected to do something with this data? Do all ID documents worldwide contain biometric data?

Swedish ID documents contain biometric data (fingerprints) that obliged entities are not allowed to use.

Do the words “where available” make allowances for ID documents that lack biometric data? That would be contradicted by the fact that it's stated above in the article that all requirements stated must be met.

Art 5(4) – It's neither risk-based nor proportionate to require that all documents that are written in a foreign language should be translated by means of a certified translation. It must be considered that for some documents it is possible to achieve sufficient translation using digital translation tools. It should also be considered that the obliged entity may have staff with language skills that can be used for translation.

If all foreign documents are supposed to be translated by a certified translator, the CDD-processes will be delayed and it will place an unnecessary burden on consumers, who will have to pay for the translation. Thus, this requirement will drive financial exclusion.

Art 6 – The article states how customers are to be identified remotely. The methods specified are electronic identification or a “remote solution” according to 6(2) which probably refers to video identification, something that is likely to be unusual in Sweden. 

However, there are no other possibilities for remote identification, similar to the one found in the current Swedish money laundering regulations (FFFS 2017:11, Chapter 3, Section 5). The possibility of remote identification enables the identification of persons who lack an ID document, for example because the person’s ID documents are no longer valid and cannot be renewed. This applies, for example, to persons whose health condition doesn't allow them to obtain new ID documents. This concerns very old people, people with dementia, serious illnesses, etc., who need banking services but who will be excluded if remote identification is limited to electronic identification and video identification. Another customer group that will face adverse consequences is persons who by choice or by necessity live in digital exclusion.

Art 6(2) – The article seems to require the use of video remote identification. However, at the public hearing EBA arranged regarding the draft RTSs, it was expressly stated that it was not the intention of EBA to force the implementation of this specific tool. The wording in the article therefore needs to be changed to state that such a solution can, but does not have to, be used. Such an identification method also does not solve the problem described above for people who can't be subject to video identification.

Art 6(3) – Finance Sweden questions why the customer's consent is required for remote identification. If the customer refuses, the consequence is that the customer can't be identified and the obliged entity must then refuse the customer. If the customer wants to have access to the obliged entity's services, she/he must give consent, which means that the consent becomes meaningless. The requirement for consent drives the risk of financial exclusion.

Art 10(1)b – The requirements are too extensive and go beyond what is required in AMLR art. 62.1(d), in particular about intermediaries with whom there is no business relationship. The draft RTS needs to be aligned with the scope of the AMLR and provide clarification on how institutions can obtain this information effectively.

Art 10(1)(c) - The term “extent of the listing” is unclear, and we suggest changing it to “the number or proportion of outstanding shares listed” to reflect the transparency requirements under market regulations.

Art 11 – The definition of “complex ownership structure” is too broad and will be applicable to far too many companies which are part of structures that are neither particularly complex nor non-transparent. In Sweden, it is very easy to start a limited liability company and there are perfectly legal and understandable incentives to place different parts of the business activity in separate legal persons rather than conducting all activities in the same legal person. Structures with holding companies, subsidiaries and sub-subsidiaries are therefore common. There are also perfectly legal reasons to conduct business in other EU countries by forming subsidiaries in the other country, rather than having a branch. Setting the threshold as low as two levels between the customer and the beneficial owner will cover too many corporate customers and it should therefore be raised to at least five levels.

The term “organigram” should be clarified. We interpret it as the ownership/control path between the customer and its beneficial owner - not the entire structure. Where reliable sources exist, operators should not be required to obtain organigrams from the customer.

Art 12 – AMLR art 22(2) states that senior managing officials shall be identified in cases where there is no beneficial owner or where there are doubts about those who have been identified as beneficial owners. However, these senior managing officials are not beneficial owners. EBA states that the same information shall be collected about senior managing officials as for beneficial owners and even if EBA doesn't state this, it must be information according to AMLR art 62 that is referred to. If the intention had been that senior managing officials would be treated exactly like beneficial owners, this would have been clear from AMLR art 22 (2). Instead, it only states that senior managing officials shall be identified.

Finance Sweden believes that EBA, through the requirement in art 12(a), exceeds its mandate in a way that is not intended in the AMLR. It must also be questioned what collecting the information is intended to achieve; since the persons are not de facto beneficial owners, they cannot act as beneficial owners and the information according to AMLR art 62 then becomes meaningless. It has already been established that it will be difficult to obtain all the information that AMLR requires from all beneficial owners, which may have negative consequences for customers. The EBA extending the requirement also to senior managing officials will increase these problems, without it leading to any better risk management.

To achieve a harmonised application of AMLR art 22(2), the EBA should provide more detailed guidance on what is meant by the expression “sufficient basis”.

Art 13 – Neither AMLR art 22(4) nor the draft RTS art 13 exemplify what is meant by the expression “similar legal entities or arrangements”. According to AMLR art 58(4), Member States must notify the Commission of these by 10 October 2027. Until these lists are made available to obliged entities, there will be different interpretations within the EU of what is covered.

 

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

Art 6 – The article states how customers are to be identified remotely. The methods specified are electronic identification or a “remote solution” according to 6(2) which probably refers to video identification, something that is likely to be unusual in Sweden. 

However, there are no other possibilities for remote identification, similar to the one found in the current Swedish money laundering regulations (FFFS 2017:11, Chapter 3, Section 5). The possibility of remote identification enables the identification of persons who lack an ID document, for example because the person’s ID documents are no longer valid and cannot be renewed. This applies, for example, to persons whose health condition doesn't allow them to obtain new ID documents. This concerns very old people, people with dementia, serious illnesses, etc., who need banking services but who will be excluded if remote identification is limited to electronic identification and video identification. Another customer group that will face adverse consequences is persons who by choice or by necessity live in digital exclusion.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Art 15 – The article is basically redundant, given that AMLR art 25 already supplements AMLR art 20(1) c regarding what measures should be taken to determine “purpose and nature”. 

 

The connection between art 15 and 15 is also unclear and they appear to deal with the same thing but with different wording.

 

 

When purpose and nature are obvious from the service or product in question, there can be no risk-based reason to obtain further information. An example is a credit intended to finance the purchase of a car with registration number AAA-111. What further information of purpose and nature is there to obtain in that situation?

 

Art 15(a) – Does the requirement to find out why the customer has chosen certain services and products refer to something other than investigating the purpose and intended nature? The words “value and benefits expected” can be interpreted as meaning something broader and rather suggest that the obliged entity should assess the customer’s need for the services and products chosen and whether they are of benefit to the customer. This can hardly be the purpose, since it would entail a great risk of financial exclusion. 

 

Art 15(c) – EBA should clarify the concept of “wider group”. 

 

Art 15(d) – Here it's stated that when the risk is higher, the origin of the customer’s wealth should be investigated (source of wealth). This conflicts with AMLR art 34(4), which states that in cases involving higher risk, enhanced measures shall be applied in proportion to the higher risk identified “which may include the following measures…c) source of funds and source of wealth”. Investigating the origin of wealth is not necessary in all high-risk situations under the AMLR and the RTS should not unnecessarily tighten the requirements.

 

Art 16 – It needs to be clarified whether the reference to take risk-sensitive measures, in the introductory part of the provision, means that the obliged entity can choose to apply only some of the data points specified in (a)-(e). As currently worded, it appears that all information is always mandatory to collect on all customers, which does not take into account that customer types differ (corporate vs. individual, retail vs. private banking customer etc.) and that not all information is relevant for all types of customers. It should be made clear that information specified in points (a)-(e) should be collected where relevant.

Also, the EBA has not considered that purpose and nature can be obvious from the service or product in question and that there are therefore no risk-based reasons to obtain further information.

Art 16(a) – How does the “why” in this point differ from the “why” in art 15(a)? 

Art 16(d) – Does this point target both natural and legal persons? It cannot be relevant that customers who are natural persons should have to specify types of recipients for payments/transfers.

Art 16(e) – It needs to be clarified which requirements are aimed at natural and at legal persons. It is reasonable that it is the last part of the point that is relevant for natural persons and that they then provide information about whether they are employees, pensioners, etc. Obtaining information about the customer’s actual profession cannot be relevant for all customers. The concept of “key stakeholders” should also be clarified.

 

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Art 17(2) – It is noted that the wording in the article enables the obliged entity to rely on the PEP screening and not have to ask the customer about PEP status. However, it is strange that requirements are set for automated screening without specifying what to screen against. This assumes that there are commercial PEP lists of sufficient quality to screen against, since there are no public lists. What happens if such lists cease to exist, something that could be a result of legal intervention from National Data Protection Authorities?

It should also be noted that screening to find family members and known associates of PEPs (RCA) is already problematic today because the commercial PEP lists are not specific enough. The screening therefore gives rise to a large number of false positives. This problem increases with the new PEP definition, which includes siblings of certain PEPs. 

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Art 20 - is intended to allow simplified measures in low-risk situations for pooled accounts. The problem is that the requirements are rarely met for those customers who want pooled accounts, such as lawyers and real estate agents. Although these are covered by the money laundering regulations and are under supervision, they are rarely associated with low risk and also do not provide CDD information and documentation at the bank's request. The article will therefore rarely be used and largely make the provision of pooled accounts impossible. 

If it is the wish of EBA and the Commission that banks should be able to provide client funds accounts to, for example, lawyers and real estate agents, then the conditions must be changed. The requirements that the customer should be a low-risk customer, and that the customer should provide CDD information and documentation about their own customers must be removed.

Art 21 - The Swedish Financial Supervisory Authority (SFSA) has made Finance Sweden aware that the SFSA is of the opinion that AMLR art. 20(1)(h) includes the situation, very common in Sweden, where the shareholder of the fund has transferred the management of the shares to a bank - förvaltarregistrering. Finance Sweden doesn't agree with that interpretation. The interpretation can't be deduced from the wording in the AMLR art. 20(1)(h) and draft RTS art 21. The interpretation will have severe negative consequences for the Swedish funds-market. It will also not lead to more transparency and a better management of AML/CFT-risks.

Finance Sweden would like EBA to make it clear in the wording of the proposed art 21 that the specific phenomenon where the shareholder of the fund has transferred the management of the shares to a bank – förvaltarregistrering – is not in scope of art 21.

A fund company must keep, or arrange to be kept, a register of all holders of shares in the fund. If the Swedish Central Securities Depositories and Financial Instruments (Accounts) Act (1998:1479) is applicable to shares in the fund, the register is kept by a Swedish central securities depository (Chapter 4 (11) of the Swedish UCITS Act (2004:46) [LVF]).

If a shareholder of the fund (the consumer) has transferred management of the shares to an organisation which has been authorised as a manager of units or shares (the bank), that manager of units or shares (the bank) may appear in the register instead of the shareholder. It must be explicitly stated in the register that the share in the fund is being managed on someone else's behalf (Chapter 4 (12) first paragraph of the LVF).

The Swedish fund market is a very well-functioning market with a large participation among retail customers. Förvaltarregistrering of fund units has contributed to this by making it easier for various fund platforms to emerge and offer a wide range of funds and for fund companies to offer their funds in many different channels. The positive consequences of this are that Swedish consumers have easy access to a wide selection of funds through their bank and that the fees are kept very low.

If the draft art. 21 is to be applied to this form of fund distribution, it will not be possible to continue this practice. The result will be poor access to funds for consumers, higher fees – and no better management of AML/CFT-risks.

The Swedish Investment Fund Association has described this problem in more detail in their reply to the consultation.

Art 22 – The article refers to AMLR art 33(1)(b) and reduces the frequency of updating CDD information in situations associated with lower risk. The draft RTS refers to the requirement that CDD information shall be updated “within 5 years of the date of application of this Regulation”. As has been pointed out earlier, there can be no risk-based motive for re-identifying an already identified customer, if there is no indication that the customer's identity is different from that stated.

 

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Art 24 - Finance Sweden suggests that the wording “shall, at least” in the beginning of Article 24 is replaced by “may”. This wording corresponds better with the risk-based approach set out in Article 34(4) point (a) of the AMLR setting out that enhanced due diligence measures that are proportionate to the higher risks identified shall be applied, which may include the measures set out in (a)-(g). Also, the current use of “shall, at least” does not correspond with the last part of (c); “and/or”.

Art 24(d) – If the obliged entity has reasonable grounds to suspect criminal activity, the relevant measures are to report the suspicions in accordance with article 69(1)(a) of the AMLR and then manage the risk, in the end by terminating the business relationship if the risks posed by the customer cannot be justified. To apply a holistic view is the job of the FIU and law enforcement authorities – not private companies. The aim of the proposed art 24 is to find indications of criminality, and obliged entities can't be expected to handle such information without a very firm legal basis. Finance Sweden therefore suggests that the requirement is removed or possibly replaced with a reference to reporting the customer to the relevant FIU where there are reasonable grounds to suspect criminal activity.

In case the provision will not be removed, Finance Sweden underlines the importance that it must be clear from the AMLR and the RTS that such investigations will not violate any tipping-off rules or GDPR, meaning that the provision needs to provide a sufficiently clear legal basis for processing this type of data, including data set out in article 10 of the GDPR, which in Sweden includes not only “data related to criminal convictions and offenses” but also suspicions of criminal activities. 

Art. 25 - Finance Sweden suggests that the wording “shall, at least” in the beginning of Article 25 is replaced by “may”. This wording corresponds better with the risk-based approach set out in Article 25 of the AMLR setting out that obliged entities shall obtain, “where necessary”, information on (a)-(e). Also, the current use of “shall, at least” does not correspond with the last part of (b); “and/or”.

Art 26 – In order to achieve harmonisation further clarification is needed on the concept of "source of wealth" and whether it means that the total wealth of the customer (including assets that are not considered relevant to the customer relationship) should be covered or whether there is a risk-based possibility for the obliged entity to concentrate the investigation on those parts of the customer wealth that pose a risk. There may be situations where an assessment of the entire source of wealth of the beneficial owner becomes disproportionate and too intrusive from an integrity perspective. Therefore, a more risk-based approach should be considered. 

Furthermore, it should be clarified that the collection of "additional" information primarily concerns the source of funding, as information on the source of wealth is not required under the customer due diligence requirements.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Art 28 – It should be clarified what is meant by the word “control” in this article, since “control” in the context of sanctions has other connotations than “control” in an AML/CFT-context.

 

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Art 32 – This article appears to tie in with the discussion in Recital 16 regarding the risk-based updating of customer due diligence for existing customers. While the recital could be read as requiring a risk-based update of customer due diligence for all existing customers, the Article implies that the five-year period applies only to simplified due diligence as carried out in the referenced Article 23. It is unclear why reference is made to 23(1), as the article contains only one un-numbered paragraph. It is proposed that updating customer due diligence for all existing customers should be permitted on a risk-based basis over the five-year period under Article 32, i.e. that it be clarified that the risk-based approach is not limited only to the low-risk situations in Article 23.

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

Art 7(2) – An investigation leading up to a sanctions-process can go on for a long period of time – over two years is not unheard of in Sweden – and can include comprehensive material. The statement of findings can also be a very long document, which can refer to material not included in the statement. It is important that obliged entities are given sufficient time to prepare a written statement. To ensure a legally secure process, it must be possible for obliged entities to ask for, and be granted, an extended response period.

Art 10 - The wording of the article isn't completely clear; what does the “limitation period for the collection of periodic penalty payments” refer to?

 

Name of the organization

Finance Sweden