Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
The Royal Netherlands Institute of Chartered Accountants (NBA) appreciates the opportunity to respond to the consultation on the Proposed Regulatory Technical Standards in the context of the EBA’s response to the European Commission’s call for advice on new AMLA mandates, specifically on Customer Due Diligence under Article 28(1) of Regulation (EU) 2024/1624 ('AMLR'). We drafted this response in cooperation with the Register Belastingadviseurs (the Dutch association of tax advisors for small and medium-sized enterprises).
We support the objective of creating harmonized Customer Due Diligence requirements across the EU to enhance consistency and effectiveness in combating money laundering and terrorist financing ('AML/CFT'). Our members, being accountants, auditors and (tax-) advisors, play a significant role in safeguarding the European Financial System from money laundering and terrorist financing and have direct experience with the practical implementation challenges of the current framework.
We believe there are four overall concerns relating to the proposed RTS on Customer Due Diligence:
1. Applicability for all obliged entities
While the draft RTS is intended to specify the information and requirements necessary for the performance of customer due diligence by all obliged entities, there seem to be several challenges for obliged entities outside the financial sector, and also for smaller entities, in applying the draft RTS. In our view, it is important that obliged entities have the opportunity to apply risk-based measures suited to their type of business and clients. The challenges, in our opinion, are caused by the following:
- In general, the draft RTS requires the collection of a large amount of information about customers, making customer due diligence a time-consuming process and potentially causing problems for smaller obliged entities outside the financial sector (for example 1-50 employees). This raises the question of whether such amounts of information are proportionate to the risk of money laundering and terrorism financing these obliged entities are exposed to.
- The bar set is, in some respects, unrealistically high and not commensurate with the risk of money laundering and terrorist financing. For example, ensuring documents are authentic as prescribed in Article 5 paragraph 3 and ensuring reproductions of an original document are reliable as prescribed in Article 6 paragraph 5 sets a high standard. This appears less relevant for obliged entities such as accountants and tax advisors, because the type of service may face a lower risk of receiving forged identity documents. For example, the acceptance of a client by an accountant or tax advisor does not lead to the direct utility of bank accounts for criminal activities. In addition, accountants also have to comply with professional regulation and standards, which include measures to evaluate possible risks relating to a new client. One example is the regulation relating to the transfer of an audit engagement from one accountant to another, under which an accountant will evaluate possible risks relating to a client. It may be considered unnecessary to impose the same level of document verification on all obliged entities, regardless of risk profile.
- Some requirements appear less relevant for obliged entities outside the financial sector or do not seem to be applicable to such entities. The extensive requirements in Section 2 concerning the purpose and intended nature of business relationships are examples of requirements that seem less relevant for obliged entities outside the financial sector. Also, whereas Article 25 of the Regulation indicates that obliged entities obtain information “where necessary”, Article 16 of the draft RTS prescribes that the obliged entities “shall take risk-sensitive measures to obtain the following information: … a-e”. This seems a stricter interpretation of the Regulation.
- The requirements set out in Article 25 regarding the legitimacy of the destination of funds and the requirements set out in Article 27 regarding the reasons for the intended or performed transactions are other examples of requirements that appear less relevant or not applicable to, for instance, tax advisers or accountants. Here too, there seems to be a stricter interpretation of the Regulation, because Article 34 paragraph 4 of the Regulation prescribes “which may include the following measures”, whereas Article 25 of the draft RTS prescribes that “the additional information obliged entities obtain on the intended nature of the business relationship, …, shall, at least: …”. A similar remark is applicable for Article 27 of the draft RTS. We propose to adhere in the draft RTS to the terminology used in the Regulation.
2. Risk-based versus rule-based and associated administrative burden
In our view, the requirements are, in many instances, overly detailed or prescriptive and could hinder the application of proportionate risk-based CDD measures. In the Netherlands, the Minister of Finance and the Minister of Justice and Safety have recently published their view on the anti-money laundering approach, which emphasizes the importance of a risk-based approach. We strongly support this approach, as it enables us to effectively contribute to a safer financial system. Therefore, we request that more possibilities for a risk-based approach be included in the RTS.
Additionally, the extensive data collection requirements could result in a high administrative burden and associated expenses. This raises questions about whether all data elements are necessary from a risk perspective. We are concerned that these requirements may not align with a truly risk-based approach.
For example, Article 11 sets criteria for complex ownership and control structures, defining them as cases with just two or more layers between customer and beneficial owner, registered in different jurisdictions. This would classify many standard international group structures as ‘complex’, necessitating additional information gathering and assessment.
Another example pertains to the data requirements outlined in Article 10 paragraph 1(b). This Article requires detailed information on each legal entity or legal arrangement within the referred intermediary connections in the ownership structure. For each entity, obliged entities must collect:
- The legal form of each entity or legal arrangement;
- References to the existence of any nominee shareholders;
- The jurisdiction of incorporation or registration of the legal person or legal arrangement;
- For trusts, the jurisdiction of governing law;
- The shares of interest held by each legal entity or legal arrangement, broken down by class or type of shares;
- Voting rights expressed as a percentage of respective totals;
- For control-based beneficial ownership, detailed information on how control is expressed and exercised.
This level of detail would be required even for entities that are merely part of the ownership chain and do not exercise control over the client. For accountants working with multinational clients, this would mean collecting and verifying extensive documentation on potentially dozens of intermediate entities that have no operational relationship with the client and pose minimal ML/TF risk. In practical terms, this would require significant additional time and resources, while adding little value to AML/CFT risk mitigation. Especially the requirement to obtain information on the shares of interest held by each legal entity or legal arrangement, its sub-division, by class or type of shares and/or voting rights expressed as a percentage of the respective total seems excessive. This is particularly true when these intermediate entities do not exert control over the client and are not significant for identifying beneficial ownership or assessing relevance concerning financial sanctions. It must be noted that in situations where there are co-investors with minority stakes, gathering this information can be particularly difficult, if not impossible. This is because the client or even the UBO may not have access to or hold this information themselves. As a result, the effort to collect data on these intermediate entities may not only be burdensome but also yield little useful insight into the actual ownership and control of the entity in question. Therefore, we question the proportionality of these requirements in light of a risk-based approach and measures.
A third example concerns the requirements for verifying the identity of UBOs in Article 5. These requirements appear excessive in many lower-risk scenarios, such as a compilation engagement of a Dutch entity within an international group. We strongly urge re-evaluation of these requirements to allow more limited verification measures in cases where there is no elevated risk.
3. Treatment of Senior Managing Officials (SMOs)
We have significant concerns regarding the requirements for Senior Managing Officials (SMOs) in Article 12. Under Article 12, obliged entities must collect the same information for SMOs as for beneficial owners, which creates a disproportionate administrative burden. Furthermore, the draft RTS lacks clarity on whether enhanced due diligence measures (including source of funds/wealth verification) should be applied to SMOs in high-risk situations, even though SMOs do not contribute funds to the business relationship. This ambiguity could lead to excessive compliance requirements, particularly for government entities and state-owned enterprises where SMOs are reported instead of UBOs. Clear guidance is needed on the proportionate application of due diligence measures to SMOs based on actual risk.
4. Practical implementation challenges
We strongly believe that there are significant challenges in implementing certain requirements in practice.
- For example, the non-face-to-face verification of identity indicated in Article 6 poses a notable hurdle as there is currently a lack of eIDAS-compliant tools and solutions available. The requirements in respect of alternative methods for online verification in the draft RTS are very complex and challenging to execute in practice.
- Another example is that, according to Article 9, reasonable measures include consulting public registers other than the central registers and other reliable national systems. In the Netherlands obliged entities do not have access to such systems.
We strongly urge reconsideration of these requirements based on our detailed feedback provided below.
Question 1
- Do you agree with the proposals as set out in Section 1 of the draft RTS?
- If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 1 – Information to be obtained in relation to names
- Article 1 of the RTS only consists of paragraphs 1 and 3; paragraph 2 is missing.
Article 3 – Specification on the provision of the place of birth
- The requirement in Article 3 to include country name / city of birth may present verification difficulties as not all identity documents (e.g., passports) contain the country/city of birth.
- Also, cities with identical names exist in different countries, creating potential verification challenges.
- In addition, it is not clear why this information is needed from a risk assessment or screening perspective. This requirement could add to administrative burden without mitigating any risk or providing clarity.
Article 4 – Specification on nationalities
- Apart from inquiring directly with the customer, there appears to be no feasible method for acquiring information regarding any second nationality of an individual. Consequently, in this context, 'obtaining necessary information' seems impractical to implement.
Article 5 – Documents for the verification of the identity
- Article 5's requirements would exclude certain currently acceptable identity documents in the Netherlands (such as driver's licenses) as they do not include nationality information, whereas these documents are considered to be reliable. This would require substantial changes to existing verification processes.
- In addition, Article 22 paragraph 7 of the Regulation prescribes: “Obliged entities shall determine the extent of the information to be consulted, having regard to the risks posed by the occasional transaction or the business relationship and the beneficial owner, including risks relating to the ownership structure.” However, Article 5 of the RTS includes extensive requirements on the documentation to be used. This seems to limit the risk-based approach as included in the Regulation.
- Subparagraph 3: ensuring documents are authentic sets a high standard and appears more relevant for obliged entities such as banks, which may face a higher risk of receiving forged identity documents, given the direct utility of bank accounts for criminal activities. However, for other obliged entities, such as accountants and tax advisers, the risk of encountering forged identity documents is lower. It may be considered unnecessary to impose the same level of verification on all obliged entities, including those at a lower risk.
- We ask to re-evaluate if this measure should be included (for all obliged entities). If so, this requirement would benefit from practical examples of acceptable verification measures.
Article 6 – Verification of the customer in a non face-to-face context
- See Question 2.
Article 7 – Reliable and independent sources of information
- This requirement seems excessive as this information might not be available/obtainable for all possible sources of information used for identification and verification purposes. It also seems excessive considering all the requirements in the previous articles.
- In addition, the article provides a very generic list of criteria. Examples of acceptable sources would enhance practical application.
Article 8 – Identification and verification of the identity of the natural or legal persons using a virtual IBAN
- See Question 3.
Article 9 – Reasonable measures for the verification of the beneficial owner
- We believe that consulting registers other than the central register to verify the identity of a UBO imposes an excessive administrative burden and is disproportionate in light of risk mitigation. Also, accessing public registers other than the central register faces legal and technical barriers in many jurisdictions. In the Netherlands, for example, such registers are not accessible for obliged entities. Furthermore, excluding consulting the central register as a "reasonable measure" seems to contradict the requirement in Article 22(7) AMLR to consult the central register.
- We would propose to include the possibility of a risk-based approach in applying reasonable measures.
- We would propose to include the use of UBO-declaration forms as a reasonable measure, which is standard practice in the Netherlands.
The implementation of these changes would entail significant compliance costs through:
- Modifications to customer onboarding systems and processes
- Staff retraining on new documentation requirements
- Additional verification steps for existing customers during the transition period
- Potential delay to customer onboarding processes in cases where currently accepted documentation no longer meets requirements
Article 10 – Understanding the ownership and control structure of the customer
- Collecting information on all intermediate entities within the ownership structure of the client seems excessive and limits the possibilities of a risk-based approach. This is particularly true when these intermediate entities do not exert control over the client and are not significant for identifying beneficial ownership or assessing relevance concerning financial sanctions.
- It must be noted that in situations where there are co-investors with minority stakes, gathering this information can be particularly difficult, if not impossible. This is because the client or even the UBO may not have access to or hold this information themselves. As a result, the effort to collect data on these intermediate entities may not only be burdensome but also yield little useful insight into the actual ownership and control of the entity in question.
- Article 10 sub b. "with respect to each legal entity or legal arrangement within the referred intermediary connections (…)" could be replaced by "with respect to legal entities or legal arrangements holding a controlling interest of 25% or more within the referred intermediary connections (…)".
- We suggest identifying securities listed on EU/EEA regulated markets as a risk-lowering factor requiring less information.
Article 11 – Understanding the ownership and control structure of the customer in case of complex structures
- We do not agree with using one set of criteria to regard any structure as complex, irrespective of the type of customer. A structure deemed standard for a multinational would differ significantly from what is considered complex for a small company that only has economic presence in one country. It must be noted that a "complex ownership structure" will inevitably lead to increased consequences regarding client risk scoring and due diligence requirements, beyond just the need to collect an organizational chart. This approach should be carefully considered to avoid mischaracterizing standard business practices as overly complex or high risk. We suggest including a risk-based evaluation by obliged entities to determine whether a structure is regarded as complex.
- In addition, automatically categorizing an entity/client as having a complex structure simply because there are two or more layers of intermediate entities established in different jurisdictions seems excessive and does not accurately reflect the reality of global corporate organizations or industries. For example, private equity groups frequently use intermediate entities located in various jurisdictions to structure acquisitions for legitimate business reasons. Also, any company in the Netherlands will be advised to have at least two layers: a holding entity and an operating entity. Three layers is no exception either. The proposed criteria would mean that every operating entity in the Netherlands that is part of a multinational structure will be considered to be part of a complex ownership and control structure. Therefore, if there needs to be one set of criteria for all entities, we would strongly suggest reconsidering the criteria used to define a complex structure, for instance by looking at the presence of nominee directors/shareholders, presence in tax havens, or doubts about the group structure given the context and activities.
Article 12 – Information on senior managing officials
- It seems excessive to require the same set of information for SMOs as for UBOs, as there are oftentimes far more board members than UBOs, which adds hugely to the administrative burden without truly mitigating any risks.
Article 13 – Identification and verification of beneficiaries of trusts and similar legal entities or arrangements
- The phrase "to ensure" places an unrealistic burden on obliged entities who cannot control whether trustees provide timely updates.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
- In the Netherlands, each obliged entity must individually confirm that an e-ID meets the assurance levels 'substantial' or 'high', without centralized guidance.
- Subparagraph 5: ascertaining that the reproduction is reliable sets a high standard and appears more relevant for obliged entities such as banks, which may face a higher risk of receiving forged identity documents, given the direct utility of bank accounts for criminal activities. However, for other obliged entities, such as accountants and tax advisers, the risk of encountering forged identity documents is lower. It may be considered unnecessary to impose the same level of verification on all obliged entities, including those at a lower risk.
- We strongly believe that alternative remote verification solutions should be considered permanent rather than temporary for the following reasons:
  - e-IDAS solutions are not universally available across all Member States
  - Many legitimate customers, particularly those from outside the EU, cannot reasonably be expected to provide e-IDAS compliant identification
  - Technological innovation in identity verification continues to advance rapidly
  - Excluding alternative remote verification could lead to financial exclusion for certain customer segments, contrary to public policy objectives
We recommend a technology-neutral approach that focuses on security outcomes rather than specific technologies. This would allow for continued innovation while maintaining appropriate risk management standards. Clear guidelines on the minimum security requirements for remote verification would be more effective than limiting acceptable methods to specific technologies.
Question 3: Do you have any comments regarding Article 8 on virtual IBANs? If so, please explain your reasoning.
Article 8 pertains to obliged entities outside the scope of professional groups we represent, hence we have refrained from providing a response to this question.
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
General observations:
We have several concerns about Section 2 requirements, particularly around their risk-based proportionality and practical implications:
These requirements appear designed for financial institutions managing ongoing financial transactions and are less applicable to the professional services sector. Examples of disproportionate requirements:
- For many professional services, such as legally required audits, the purpose is self-explanatory, yet detailed documentation would still be required under Article 15.
- For accountants and tax advisors who don't manage client funds, requirements to verify 'flow of funds' through accounts (Article 15.b) are not relevant or applicable.
- The requirement of Article 16.e to document 'key stakeholders' is excessive and lacks risk-based proportionality, particularly for routine professional services.
Here too, there seems to be a stricter interpretation of the Regulation, because Article 25 of the Regulation prescribes “To that end, the obliged entity shall obtain, where necessary, information on”, whereas Article 16 of the draft RTS prescribes that “When obtaining information in accordance with Article 25 of the Regulation…, obliged entities shall take risk-sensitive measures to obtain the following information …”. We propose to adhere in the draft RTS to the terminology used in the Regulation.
Also, the RTS requirements would benefit from:
- Verification examples for different risk scenarios
- Examples of practical implementation, particularly for remote verification
- Better alignment with existing national practices where these are effective
- Clearer differentiation between requirements applicable to legal entities versus natural persons
Article 15 – Identification of the purpose and intended nature of the business relationship or the occasional transactions
- Subparagraph a: The requirement to determine "why" the customer chose the obliged entities’ products and services is excessive, potentially encompassing commercial considerations that have limited relevance to ML/TF risk assessment.
- In addition, for some obliged entities, the service itself - e.g. a legally required audit of financial statements - is self-explanatory regarding the choice for that service. So this requirement does not seem applicable to all types of obliged entities or all services. Therefore, we would propose to add ‘if applicable’.
- Subparagraph b: In the context of their services, not all obliged entities will have knowledge of or access to any flow of funds. This requirement therefore does not seem applicable to all obliged entities, and we would propose to add ‘if applicable’.
- Subparagraph d: "where the ML/TF risk is higher, to determine the source of wealth" seems to be in contradiction with Article 26, which requires, in cases of enhanced due diligence, to collect "additional information" on the source of funds and source of wealth of the customer and the beneficial owners and to "verify that the source of funds and source of wealth is derived from lawful activities".
- The RTS appear to differentiate between high-risk situations and those that require enhanced due diligence. However, in practice, these two concepts are inherently linked; all high-risk clients should be subject to enhanced due diligence measures.
- Determining the source of funds / source of wealth (i.e., collecting information) under Art 15 is one thing; collecting additional information and verifying such information under Art 26 is another, as it implies a further step in terms of due diligence.
- We suggest reconsidering when it is necessary to determine the source of wealth and including a risk-based approach with regard to the measure to collect and / or verify information on source of wealth.
- The lack of clarity on these points may lead obliged entities to implement inconsistent approaches, potentially increasing compliance costs without corresponding risk-reduction benefits, or creating competitive disadvantages between institutions taking different approaches to the same requirements.
Article 16 – Understanding the purpose and intended nature of the business relationship or the occasional transactions
- This article has significant overlap with Article 15, with inconsistencies regarding source of wealth checks in higher risk cases.
- For some obliged entities, the service itself - e.g. a legally required audit of financial statements - is self-explanatory regarding the choice for that service and the benefits expected. So this requirement does not seem reasonable for all types of obliged entities.
- Subparagraph c: it is unclear what is meant by source of funds. Is it the source of the money used to pay the obliged entity? We suggest including a risk-based approach here, meaning that obtaining information should only be required if the funds are not likely to be generated with the business activities/occupation.
- Subparagraph e: 'key stakeholders' seems excessive information to require from all obliged entities regarding all customers for all products and services.
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 17 – Identification of Politically Exposed Persons
- The formulation in Article 17(1)(b) suggests that changes in "nature of the customer's business, employment or occupation" always constitute significant changes requiring verification, which may be disproportionate. A more risk-based approach would recognize that certain changes may have minimal impact on ML/TF risk and could be addressed through periodic rather than immediate verification.
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
General observations:
- Proportionality framework: The SDD provisions could benefit from practical examples on the precise ways in which due diligence can be simplified while remaining effective.
- Risk-based flexibility: More detailed examples of acceptable risk-sensitive approaches would help obliged entities implement SDD effectively.
- Consistency across provisions: Better alignment of terminology and requirements across different sections of the RTS would improve clarity and application.
Article 20 – Sectoral simplified measures: Pooled accounts
Article 20 pertains to obliged entities outside the scope of professional groups we represent, hence we have refrained from providing a response to this question.
Article 21 – Sectoral simplified measures: Collective investment undertakings
Article 21 pertains to obliged entities outside the scope of professional groups we represent, hence we have refrained from providing a response to this question.
Article 23 – Minimum information to identify the purpose and intended nature of the business relationship or occasional transaction in low-risk situations
- For some obliged entities, the service itself - e.g. a legally required audit of financial statements - is self-explanatory regarding the choice for that service. Therefore, we propose to include ‘if applicable’.
- Source of funds does not seem to be applicable to all obliged entities or services. Therefore, we propose to include ‘if applicable’.
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.
We recommend additional sectoral simplified due diligence measures for:
Professional service providers, including accountancy firms:
- Subject to professional regulation with established ethics and independence requirements
- Typically maintain robust risk management systems as part of their professional standards
- Already subject to AML/CFT obligations in most jurisdictions
Simplified measures could include reduced frequency of updates and streamlined verification procedures when acting as clients themselves.
Public sector entities and government-owned enterprises:
- Lower inherent ML/TF risk profile due to transparent governance
- Public accountability and oversight mechanisms
- Transparent and traceable funding sources
- Significant compliance burden under full CDD requirements when banking relationships are established
For these entities, simplified verification of ownership and control structures would be appropriate, as would reduced documentation requirements for source of funds.
Pension funds and pension providers:
- Restricted purpose and controlled payment flows
- Heavy regulatory oversight in most jurisdictions
- Limited opportunity for ML/TF abuse due to long-term nature of investments
- Transparent governance requirements
Simplified measures could include streamlined beneficial ownership verification and source of funds documentation that recognizes the regulated nature of these entities.
Based on the experience of our members, these sectors consistently present lower ML/TF risks and would benefit from tailored simplified due diligence measures that would reduce compliance costs without compromising AML/CFT effectiveness.
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
General observations:
- Proportionality and practicality: EDD requirements should balance thoroughness with practical implementation, particularly for high-volume customer categories.
- Need for specificity: More detailed examples of acceptable documentation and verification methodologies would significantly improve implementation consistency.
- Risk-based flexibility: More possibilities to apply a risk-based approach within EDD requirements would help obliged entities allocate resources effectively.
- Inconsistent scoping: Better alignment needed between EDD requirements and standard CDD, with clearer distinction of what constitutes "additional" information.
- Implementation burden: Particularly for high-risk third country requirements, consideration should be given to practical implementation challenges and the potential for a more nuanced, risk-based approach.
Article 24 - Additional information on the customer and the beneficial owners
- Verifying the authenticity of information: see comment at Article 5.
Article 25 – Additional information on the intended nature of the business relationship
- Not all parts of this article seem applicable to accountants / tax advisors. Only paragraph c seems applicable and reasonable.
Article 26 – Additional information on the source of funds, and source of wealth of the customer and of the beneficial owners
- This seems excessive to apply to all customers with enhanced due diligence; we would propose to only require such measures in cases where there are doubts about the source of funds or the source of wealth.
- Authenticity documentation: see comment at Article 5.
Article 27 – Additional information on the reasons for the intended or performed transactions and their consistency with the business relationship
- We question whether this requirement is applicable and executable for non-financial entities.
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
General observations:
- Consistency of requirements: Better alignment is needed between TFS screening requirements and other CDD provisions, particularly regarding:
  - Terminology used for customer attributes
  - Scope of entities subject to screening
  - Information collection requirements
- Proportionality and risk-based approach: The provisions should more clearly enable obliged entities to apply a risk-based approach, particularly regarding:
  - The frequency of screening for different customer risk categories
  - The triggers for re-screening existing customers
  - The level of screening applied to different types of relationships
- Technology considerations: The provisions should acknowledge the role of advanced screening technologies while ensuring smaller entities can implement effective measures proportionate to their size and risk exposure.
- Alignment with international standards: Better harmonization with other international sanctions regimes (such as OFAC) would reduce compliance complexity for globally active institutions.
Article 29 – Screening requirements
- Subparagraph (a)(iii): Obliged entities might not have knowledge of 'any other names, aliases, trade names, wallet addresses, where available in the lists of targeted financial sanctions'. Therefore, the requirement under (a)(iii) is not executable: you cannot check if you don’t know. It should be the other way around: obliged entities only have the information on the customers that they have obtained whilst performing (E)CDD and they can merely check if that matches any name/information on the lists of targeted financial sanctions.
- Subparagraph (c)(iii): The formulation suggests that name changes, residence changes, nationality changes, or business operation changes always constitute "significant changes" warranting a customer information update. This seems disproportional and limits obliged entities' ability to apply a risk-based approach, particularly when considered alongside other examples in Article 17.
These inconsistencies could lead to implementation challenges, potential compliance gaps, and divergent practices across the financial sector. Clear alignment with existing sanctions compliance frameworks would improve effectiveness and efficiency.
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Section 7 pertains to obliged entities outside the scope of professional groups we represent, hence we have refrained from providing a response to this question.
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
General observations:
- Interoperability considerations: The relationship between these requirements and broader digital identity frameworks, particularly for cross-border transactions, requires further elaboration.
- Technology neutrality: The framework should ensure that innovative verification technologies can be incorporated while maintaining appropriate security standards.
Article 31 – Electronic identification means and relevant qualified trust services
- The requirement for each individual obliged entity to independently ascertain that electronic identification means meet the assurance levels "substantial" or "high" creates inefficiency and potential inconsistency, as also noted in Article 6 of the CDD RTS.
- The provision for simplified due diligence in paragraph 1 appropriately allows for a reduced set of attributes; examples on the attributes for different risk scenarios would be beneficial.
- Paragraph 3 requires obliged entities to obtain missing attributes "through other means" when electronic identification means are insufficient, but provides limited examples on alternative verification methods.
- Central lists of compliant solutions would improve efficiency and consistency.
- There is a risk that obliged entities lack the technical expertise to effectively evaluate e-ID compliance with eIDAS requirements.
Annex 1:
- No clear indication of how multiple nationalities should be captured through these attributes, despite this being a requirement under Article 4 of the CDD RTS.
- "resident_state" is included as an attribute despite not being a required data point under the CDD RTS for certain situations.
- Unclear alignment between the terms:
  - "current legal name" in the Annex
  - "registered name" in the CDD RTS
  - "commercial name" in the CDD RTS (with no corresponding attribute in the Annex)
- Particularly challenging areas include handling multiple nationalities, capturing commercial names for legal entities, and addressing statelessness or refugee status.
- It's unclear how obliged entities should handle situations where an e-ID with required assurance levels lacks certain mandatory CDD attributes.
We recommend considering the development of a centralized assessment mechanism for e-ID compliance to improve efficiency and consistency.
Article 32 – Entry into force
General observations:
- Proportionate approach: The transitional provisions should balance the need for up-to-date information with the practical challenges of updating massive customer portfolios.
- Resource allocation: Obliged entities may struggle to efficiently allocate resources for customer information updates, potentially leading to either over-compliance or non-compliance.
- Risk-based implementation: The final provisions should explicitly link to the risk-based approach in Article 26(2) of the AMLR, allowing prioritization based on risk levels while setting clear expectations for compliance timeframes.
In line with consideration 43, we recommend comprehensively clarifying the scope and timing of transitional provisions for all risk categories of existing customers to enable effective planning and implementation by obliged entities. This would significantly reduce compliance uncertainty and allow for more efficient resource allocation.
- The provision references "entry into force" of the Regulation, which would be approximately one year before the application date of the AMLR (10 July 2027). This raises questions about whether the correct timing reference should be the "date of application."
- The provision refers to Article 23(1), which appears to be incorrect and should likely reference Article 22 of the RTS (regarding customer information updates in low-risk situations).