Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

Article 1 fails to define the concept of "risk."

Though Article 1 defines "inherent risk" and "residual risk," it does not define "risk" itself. This is problematic for two reasons:

  1. It undermines the clarity and value of the proposed methodology.
  2. Public authorities have a long history of, and continue to exhibit, confusion about the meaning of "risk" in anti-money laundering (AML).

Ferwerda and Reuter (2022), two of the world’s leading scholars on AML, highlight the problem in their review of eight National Risk Assessments (NRAs) on money laundering. The authors find widespread confusion among public authorities regarding the meaning of "risk." Citing Ferwerda and Reuter (2022):

"(...) the NRA of the Netherlands starts with stating that risks are a function of threats, vulnerabilities, and consequences, just as in the FATF methodology, but later, the top 10 threats are called “risks” without consideration of the vulnerability and consequence level of those threats. The Swiss NRA contains a table (on p. 45) in which “threat” is on both the horizontal and vertical axes under different rubrics, rendering the cell entries meaningless."

Confusion about the meaning of "risk" is a key driver behind Ferwerda and Reuter’s depressing insight that NRAs in general:

"(...) show very different conceptualizations, analytic approaches, and products. Each raises serious issues regarding the risk-assessment methodology."

A robust risk-assessment methodology requires a clear definition of "risk." Without it, terms like "inherent risk" and "residual risk" may become meaningless. Furthermore, AML regulation may become subject to arbitrary enforcement.

The broader risk assessment literature (see, e.g., Rausand, 2013) offers a clear definition:

risk = probability of hazard x consequence.

Following Ferwerda and Reuter (2022), we propose a simplification, assuming the consequences of money laundering scale linearly with the amount of money laundered:

risk = probability (or frequency) of money laundering events x amount of money laundered per event.

To have a clear definition of "risk," in line with the broader risk assessment literature, we propose the following addition to Article 1:

"‘Risk’ means the probability (or frequency) of money laundering events multiplied by the amount of money laundered per event."

The definition allows a precise understanding of risk. Probability is measured as a percentage; consequences are measured in a monetary unit (e.g., Euros). Thus, risk is a monetary value. Though this may not fit with everyday usage of the term "risk," it allows clear operationalizations and measurements.

To cite Ferwerda and Reuter (2022), the definition allows authorities to "(...) at least be clear about what is to be analysed and what could be relevant risk factors."

The definition also clarifies that the risk of money laundering is distinct from the risk that a regulated entity is non-compliant with AML regulations.

Additionally, we recommend that the EBA clarify that the conversion rules and risk levels defined in Articles 2(5) and 4(3) represent an ordinal ranking of the amount of money laundering, in monetary terms, an institution is expected to facilitate.

This allows a basic consistency-check and test of the methodology employed by supervisors. Indeed, institutions with a low residual risk must be expected to facilitate less money laundering, in monetary terms, than institutions with a medium, substantial or high residual risk. Otherwise, there is clearly something wrong with the supervisor’s risk-assessment methodology.

Recall the risk levels and conversion rules of Articles 2(5) and 4(3):

  1. Low risk (scores < 1.75)
  2. Medium risk (1.75 <= scores < 2.5)
  3. Substantial risk (2.5 <= scores < 3.25)
  4. High risk (3.25 < scores)

We propose the following to be added as Article 4(4):

"The risk levels resulting from the conversion rules in Article 4(3) imply an ordinal ranking of the amount of money laundering, in monetary terms, an institution is expected to facilitate. For example, an institution with a low residual risk must be expected to facilitate less money laundering, in monetary terms, than an institution with a medium, substantial, or high residual risk. If this is not the case, the supervisor’s risk-assessment methodology may be flawed. The supervisor should then reassess their scoring weights or assigned risk scores."

The addition allows for a consistency-check and test of the risk-assessment methodology. This is of vital importance; without checks and tests, any methodology will always lack validity.

We realize it may be very difficult to quantify the amount of money laundering, in monetary terms, an institution is expected to facilitate. However, that is no reason to discourage consistency-checks and tests of a supervisor's risk-assessments.

References:

Ferwerda, J. & Reuter, P. (2022). National assessments of money laundering risks: Learning from eight advanced countries’ NRAs. Equitable Growth, Finance & Institutions Insight.

Rausand, M. (2013). Risk assessment: Theory, methods, and applications (Vol. 115). John Wiley & Sons.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

We note that the proposed relationship between inherent and residual risk is compatible with our definition of risk, laid out in our answer to Question 1:

  • Inherent risk is the amount of money laundering an institution is expected to facilitate, in monetary terms, absent any controls or mitigating measures.
  • Residual risk is the amount of money laundering an institution is expected to facilitate, in monetary terms, given controls and mitigating measures.

As such, we agree with the proposed relationship between inherent and residual risk.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

N/A.

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

N/A.

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

N/A.

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

N/A.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

N/A.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

N/A.

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

N/A.

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

N/A.

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

N/A.

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

N/A.

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

N/A.

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

N/A.

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

N/A.

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

N/A.

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

N/A.

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

N/A.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

N/A.

Question 3: Do you have any comments regarding Article 8 on virtual IBANs? If so, please explain your reasoning.

N/A.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

N/A.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

N/A.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

N/A.

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.

N/A.

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

N/A.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

N/A.

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

N/A.

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

N/A.

Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.

N/A.

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.

N/A.

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

N/A.

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

N/A.

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

N/A.

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

N/A.

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

N/A.

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

N/A.

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

N/A.

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

N/A.

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

N/A.

Name of the organization

Rasmus Ingemann Tuffveson Jensen, PhD, Independent Researcher; Kalle Johannes Rose, PhD, Copenhagen Business School