Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates


Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

Yes, EPIF would welcome clarifications on the following points:

  • Clarifications on whether obliged entities should also implement the same risk categories within their CRA and MLRA (as defined above) as well as ensure - as much as possible - an overall alignment with the risk assessment methodology proposed by the EBA.
  • EPIF would also welcome an additional focus on the relationship between Competent Authorities and AMLA on this topic, including a clear definition of supervisory responsibility and the impact of reporting obligations on payment institutions.
  • According to Recital 7, “Some sectors have specificities that affect the level of ML/TF risks to which the obliged entities operating in these sectors are exposed. These specificities should be reflected in the methodology by adjusting the list of applicable indicators and the weights given to these indicators, depending on the sector(s) to which the assessed obliged entities belong.” These “adjustments” are based on the “assessment … conducted by the Commission pursuant to Article 7 of Directive (EU) 2024/1640 …”. In this regard it is essential to take into account the observations put forward by EPIF with regard to the SNRA and the necessity to ensure proper granularity also within the same industry/sector (please see the link below).
  • https://paymentinstitutions.eu/wp-content/uploads/2025/05/EPIF-Letter-on-SNRA-to-Alexandra-Jour-Schroeder-070225-070325.pdf
  • On Annex 1, “Section A – Inherent Risk”, Category “Products, services and transactions”: further clarifications would be welcomed on the definition of “payment accounts” for the purposes of reporting, as, for instance, certain products are not covered by the sub-categories proposed by the EBA in the draft RTS (e.g., “credit/debit/purchase cards” are not explicitly mentioned as sub-categories within “Products”). Clear definitions or regulatory references for the sub-categories would avoid any misunderstanding of the applicability criteria when completing the questionnaire.
  • Clarifications are also welcome on the “Number of PEPs related business relationships (including family members and close associates) by country” datapoint, i.e. whether “country” is to be understood as the country where the PEPs are located (residential address) or as their country of nationality.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

Yes. EPIF is aligned with the understanding that residual risk cannot be higher than inherent risk.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

Existing systems of record are very likely to already hold the required data elements, also taking into account the partial overlap with the data elements required under the EBA GLs on Compliance Officer Annual Activity Reports. However, the data points may be spread across multiple systems of record, so it can be anticipated that relevant costs will be incurred to enable timely and coherent extraction.

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

More qualitative data elements such as “Number of legal entities with complex structure”, “Number of customers with high-risk activities”, all points in section B, category 1A, “% of outsourced AML/CFT tasks ….” under section B, category 1C, all points in section B, category 4D.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

We would agree with Option 4c provided in the accompanying document of the RTS under Article 40(2) on the frequency of the assessment, as per above; thus we do not change methodology significantly.

We question whether an entity can automatically be subject to a reduced frequency simply because it is “very small” in terms of size/FTEs, as these entities could still have high risks and be subject to yearly reviews.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

Cross-border transactions across EEA jurisdictions should be considered inherently as risky as domestic ones. This is based on the assumption that AML/CFT requirements are as robust as those required by Regulation (EU) 2024/1624.

Moreover, EPIF would welcome a consistent pan-European treatment of digital onboarding and CDD, and streamlined reporting for digital-first institutions operating in multiple Member States.

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

Could be considered. The overall impact would be that more credit or financial institutions could fall under the “direct supervision eligibility criteria”.

EPIF would welcome the harmonization of reporting requirements across jurisdictions, and a clear framework for cross-border information sharing. 

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

Number of customers is variable. Consumers and corporate clients differ notably in the data points required for collection and verification. Additionally, in some instances corporate clients could present more complex structures. Overall, the definition would depend on the rationale for the calculation, but if it is not linked with the potential link profiles of the different customers, then customers (retail and institutional) should be considered cumulatively.

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

Yes, as long as the inherent risk indicators and the control framework indicators are based on the same data points mentioned in Annex I, and competent authorities apply the same scores to indicators as those foreseen in the RTS under AMLD Article 40(2).

The criteria for determining which entities fall within scope of direct supervision should be made more concrete and quantifiable. The current draft creates significant uncertainty for regulated entities trying to understand their obligations. We recommend establishing clear, objective parameters for assessment with detailed guidance on practical application. This should include ensuring consistent interpretation across member states and specific thresholds and risk factors that determine supervision scope.

Furthermore, it is important to maintain proper granularity in risk assessment methodologies, including within specific sectors. A one-size-fits-all approach may not adequately capture varying risk profiles within the same industry or across different business models.

The methodology should allow for differentiation based on actual operational models and consider demonstrated risk levels and transaction patterns. This would enable proportionate application of requirements based on risk while maintaining effective AML/CFT controls. The current approach may not sufficiently account for operational realities and varying risk profiles within sectors.

More specifically, it appears that the two methodologies are not fully aligned on the following points:

  • According to Recital 7 of the RTS under Article 40(2), adjustments to the weighting may be based on the SNRA, while there is no such provision for the RTS under Article 12(7). Suggestion to align.
  • According to Article 2(4) of the RTS under Article 40(2), adjustments to the IRS may be made and duly justified based on “national specificities or other circumstances identified by supervisors”, while there is no such provision for the RTS under Article 12(7).
  • Group-wide risk assessment foreseen in Article 5 - 1. The AMLA, in collaboration with financial supervisors, shall calculate the group-wide risk profile of a group of credit or financial institutions, but this method is not considered for application by national competent authorities. In this context, certain data points may not be used by national competent authorities (e.g., “Group oversight” section within Section B – AML/CFT Controls).

Suggestion to align as much as possible to ensure that harmonized, consistent criteria and methodology are applied both by national competent authorities and AMLA.

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

Overall, EPIF is aligned with the methodology; however, we would suggest also considering practical, risk-based group-wide information sharing protocols.

EPIF’s key questions are the following:

  • If Alpha is a parameter to enhance the contribution of just the riskier entities, why is it reported as a constant value in the formula (i.e. not varying per “i” entity)?
  • How is the value of the Alpha parameter defined?
  • Would it be possible to add a use case of the formula application as an example?

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

EPIF would welcome clarifications on the “Group” perimeter, specifically on the possibility to link this term with Article 16 of Regulation (EU) 2024/1624.

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

EPIF would welcome a clear definition of "group of payment and financial institutions". This term should be clarified in detail for the purpose of determining the perimeter of entities to carry out the group-wide control effectiveness assessment. For example, the definition may be the one of the AMLR, Article 16, for the sake of consistency.

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

As mentioned in the main document, under Article 3, not all IDs issued by Member States contain the place of birth. Where it is not stated in the ID document, what document should be requested for verification of the place of birth? In addition, every additional verification software or vendor entails compliance costs.

General observation: It may be necessary to provide instruction on harmonized transliteration approaches from/to data originally in alphabets other than the Latin one.

  • Article 2 – It may prove beneficial to address cases in which the country has not yet been included in ISO 3166 while being recognized by certain jurisdictions (e.g., Kosovo).
  • Article 4 – In case of multiple nationalities it may be possible that the customer does not hold any identification document or equivalent of some of the nationalities. It could be therefore specified that in case of multiple nationalities, where no ID or equivalent is available, the obliged entity may rely exclusively on the customer self-declaration.
  • Article 5 – In order to verify addresses as per Article 2, it may be necessary to define the approach that could be used by the obliged entities (e.g., when the ID document or equivalent does not provide the address).
  • Article 7 – In order to simplify the reliability and independence criteria check while using third-party sources, it is suggested to include a non-exhaustive list of official repositories that can be considered reliable and independent.
  • Article 9, point a – Same comment as per Article 7.
  • Article 10, point a – Clarification required on the concept of “reference”. Suggestion to include explicitly “the registered name, and the commercial name where it differs from the registered name” as per Article 1.

Moreover, the proposed fixed 60-day verification period lacks proper calibration and proportionality. It risks creating unnecessary friction for customers with low transaction volumes without demonstrably improving AML/CFT control effectiveness.

EPIF members are in favour of risk-based verification timelines based on transaction volumes for low-risk customers. This approach should preserve simplified due diligence options for demonstrably lower-risk scenarios while ensuring requirements are calibrated to actual risk levels.

Simplified due diligence options should be maintained and heightened for demonstrably lower-risk scenarios. The current proposal risks undermining the risk-based approach by applying overly stringent requirements to low-risk customers. We urge regulators to ensure that any new requirements preserve the ability of obliged entities to apply proportionate measures based on demonstrated risk levels.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

In order to ensure a level playing field and a consistent protection level across the Member States, it is considered of the utmost importance to require the usage of e-IDAS-compliant solutions. At the same time, taking into account the development and implementation timelines of such solutions, including their diffusion among customers, a temporary allowance for alternative remote solutions is agreeable.

e-IDAS needs harmonization, since not all e-IDs contain the same data; until then, remote solutions are and will be in place. Non-F2F onboarding should not be seen as higher risk at any point. In line with the risk-based approach, the method of onboarding (face-to-face vs. non-face-to-face) should not automatically determine risk level. Instead, the overall risk profile of the customer and the robustness of the verification measures should be the primary factors in assessing risk. It is important to note that the requirement for explicit consent needs further clarification: should the consent be retained in the client file (since “recorded” is mentioned in the Article), or should it be retained by the remote solution vendor and, if so, what about historical consent and the retention period?

Also, within the criteria for remote solutions, are there no provisions or requirements that refer to the usage of AI and the creation of fake IDs?

In addition to eIDAS, as a temporary approach until eIDAS-compliant solutions are fully developed and implemented from a regulatory perspective, EPIF suggests also taking into account (i) API-based, real-time verification and KYC solutions, (ii) automated, auditable decision-making and record-keeping, and (iii) clear risk-based distinctions between high- and low-risk clients.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

When it comes to EMIs or PSPs, the purpose and intended nature of the business relationship is irrelevant for occasional transactions; for regular business relationships the same should remain.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Note: Instant SEPA Regulation should be considered.

EPIF is, overall, aligned with Section 6 of the draft RTS. We would suggest taking into account the Instant SEPA Regulation in this context.

Moreover, we would suggest the following:

  • On Article 28, it is suggested to clarify that “intermediate entities” that lead to the owning/controlling entity as per Article 10 should also be screened when already captured to understand the ownership structure. This also takes into account that, as per the “EBA Guidelines on Internal policies, procedures and controls to ensure the implementation of Union and National Restrictive Measures”, PSPs should, to the extent that this information is available, screen Beneficial Owners through ownership interest and control and any person purporting or being authorised to act on behalf of the customer. Clarifications may ensure that a consistent approach is applied by PSPs, in line with the EBA’s regulatory framework.
  • On Article 29, it is suggested to include addresses in order to capture locations in countries subject to comprehensive restrictive measures.

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

The exemption for low-value electronic money instruments under Article 19(7) AMLR is based on a clear, risk-based framework, including a EUR 150 storage limit, exclusive use for purchasing goods and services, and transaction monitoring. These risk-mitigating conditions were intentionally defined by the Level 1 legislator. Any further guidance to supervisors should reinforce these principles without introducing de facto additional conditions.

While we acknowledge that the 11 criteria listed in the draft RTS are intended as factors for supervisors to take into account - rather than as binding requirements - their very specific nature and wording risk creating practical barriers to the application of the exemption. Several of the proposed factors are overly narrow or lack a clear link to ML/TF risk, and their cumulative effect could significantly limit the availability of the exemption in practice. We therefore caution against an overly prescriptive interpretation and instead advocate for a broader, risk-proportionate supervisory approach - focused on the effectiveness of the AML controls in place and aligned with the intention of the Level 1 text.

That said, we do not support Article 30(b), which would effectively require identification of the purchaser of low-value, low-risk e-money products. This would contradict the spirit of the Level 1 text, which was designed to also cover e-money products acquired in exchange for cash. This approach is consistent with the legislator’s intent that e-money serve as an electronic substitute for coins and banknotes (Directive 2009/110/EC, Recital 13).

In addition, the term “issued at a nominal” in Article 30(c) lacks clarity. By definition, e-money should always be issued at par value upon receipt of funds, and we would welcome clarification of this point. EPIF also shares the EBA’s view that exclusive usability of e-money for purchasing goods and services should be a relevant factor in assessing low risk. However, we believe that the selection of goods and services should not be restricted to a very limited range, as this would exclude many legitimate e-money products from benefiting from simplified due diligence. Such a restrictive interpretation could undermine the intent of Article 19(7) of Regulation (EU) 2024/1624.

Similarly, we question Article 30(d), which refers to instruments usable only for a “very limited range” of goods or services. This introduces legal uncertainty, as products limited in this way fall outside the definitions in Directive 2009/110/EC and Directive (EU) 2015/2366 and are therefore not considered e-money. Applying this criterion to determine eligibility for simplified due diligence would paradoxically mean that the exemption would only apply to products that are not considered e-money at all. We believe this contradicts the legislative intent of Article 19(7) of Regulation (EU) 2024/1624.

We also question the relevance of certain other criteria proposed for assessing AML/CTF risk and suggest more practical, risk-based alternatives. For instance, we do not see the rationale for requiring a payment instrument to have a specific or limited duration (Article 30(g)). E-money products are subject to extended redemption rights by law, and issuers already apply continuous transaction monitoring throughout the product’s lifecycle. Imposing a time limit does not reduce risk and could even hinder the detection of unusual activity over time. Issuers typically have a sound understanding of expected usage patterns and can identify suspicious behavior through deviations from these patterns.

In addition, we propose deleting the criterion under Article 30(i), which gives weight to distribution via obliged entities. In our view, this does not significantly reduce risk and does not reflect actual market practice, where distribution via such channels is often limited. Moreover, Regulation (EU) 2024/1624 permits waivers of certain due diligence obligations—even for obliged entities—under specific conditions. Therefore, whether distribution is carried out by obliged or non-obliged parties, the residual risk is comparable if due diligence is not applied.

Instead of relying on narrow or impractical criteria, we recommend recognizing risk-based and operationally effective safeguards that issuers already implement to mitigate ML/TF risk in the e-money space. These include:

Distribution monitoring

The issuer should have systems in place to monitor distribution channels in real time to detect suspicious activity. This includes oversight of third-party distributors, agents, and program managers, with a focus on identifying unusual volumes, geographic risks, and behavioral anomalies. Alerts should trigger investigations and feed back into monitoring rules and oversight procedures.

Merchant monitoring

Effective merchant monitoring involves tracking payment flows to and through merchants to identify irregular patterns or activities inconsistent with a merchant’s risk profile. This is particularly important where merchants operate in high-risk sectors or are onboarded by third parties. Monitoring could include transaction spikes and risk scoring to support timely intervention.

Behavioral profiling and instrument disabling

Issuers should apply behavioral profiling to detect suspicious patterns of use and automatically disable the payment instrument if concerns arise. Re-activation should only be possible through direct issuer action, ensuring appropriate controls before continued use of the product.

Technological safeguards

Issuers should also be able to rely on modern technological tools - such as transaction velocity checks and, where appropriate, device fingerprinting and IP address tracking - to strengthen detection of suspicious behavior and prevent misuse. Please note, however, that the available technical standards may differ, and items like geo-fencing are not available in all cases and may also cause privacy concerns.

These measures are more proportionate, effective, and aligned with real-world practices than many of the narrowly defined criteria in Article 30 and better support the low-risk designation intended under AMLR Article 19(7).

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

EPIF is aligned with the proposal.

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

It would be highly appreciated if the action plan with respective deadlines for remediation is included in the steps prior to imposing any penalties and fines. This can be incorporated in between issuing of the report and the hearing of the subject person so the respective committee will be aware of the intentions of the subject person to remediate and to improve their internal processes in relation to identified misdemeanours / findings.

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

As per above.

Name of the organization

European Payment Institutions Federation (EPIF)