Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates


Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

We acknowledge EBA’s effort to develop a harmonized methodology for assessing and classifying ML/TF risk. However, the current approach raises several concerns regarding clarity, risk sensitivity, operational feasibility, and consistency.

  • Lack of definitional clarity: Key terms such as "data points", "risk factors", and "indicators" are not sufficiently defined. This complicates implementation and alignment with internal risk models.
  • Scoring vs. weighting logic: The methodology relies heavily on quantitative inputs. It is unclear whether ML/TF sensitivity is embedded in scoring thresholds or only reflected in the weighting phase. The dynamic weighting based on outcome scores also lacks clear rationale.
  • Scale inconsistency: The coexistence of five weighting levels and four risk levels introduces ambiguity, particularly regarding their alignment.
  • Geographical risk: Its treatment across multiple categories increases the risk of duplication and inconsistent aggregation.
  • Data burden and proportionality: The granularity of required data, especially on products and services, appears excessive. There is no indication of tolerance thresholds or handling of unavailable data, which may affect comparability.
  • Scope and timing: Clarification is needed on the inclusion of non-EU branches and subsidiaries, and the timeline (first submission in Q3 2027 based on 2026 data) may not provide sufficient lead time for implementation.
  • Impact on internal models: It remains unclear how this framework aligns—or conflicts—with existing internal and national risk assessment processes, and whether national discretion is allowed or limited.

We recommend clarifying definitions, simplifying the scoring model, reducing data complexity, and aligning implementation timelines with system readiness. Transparency on how indicators feed into final scores is essential to ensure trust, comparability, and operational feasibility.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

We support the EBA’s proposal that residual risk should not exceed inherent risk, as it aligns with standard risk assessment logic—controls are intended to mitigate, not amplify, risk.

This approach promotes harmonization and comparability across obliged entities. However, to be effective, it must be supported by clear and consistent criteria for assessing control effectiveness, since this is the only lever to reduce residual risk.

While some frameworks (e.g., Bank of Italy) allow residual risk to exceed inherent risk in rare cases, doing so introduces subjectivity and complexity that may hinder supervisory consistency.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

We consider the list of data points in Annex I to be excessively extensive, particularly in terms of short- and medium-term implementation impact. Collecting 156 data points for inherent risk and 112 for AML/CFT controls will require significant IT developments and dedicated resources, potentially diverting efforts from core AML functions.

 

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

Many data points, especially those related to crypto-assets and third-party services, are not currently available or are inconsistently captured across institutions, particularly in cross-border settings.

The approach raises concerns around:

  • Proportionality, especially for smaller institutions and non-financial entities.
  • Clarity, including scope of application (entity vs. group level) and how to avoid data duplication.
  • Completeness, as key risk dimensions (e.g., financial sanctions and circumvention) are only partially covered.

A phased and proportionate rollout, supported by precise guidance on data requirements, would better align with the European Commission’s simplification goals and ensure operational feasibility.

3c: To what extent could the data points listed in Annex I to this Consultation Paper be provided by the non-financial sector?

NA

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

We believe that an annual review cycle for all obliged entities would be excessively burdensome given the scale and complexity of data collection required.

While appropriate for high-risk entities, applying this frequency across the board would divert significant resources—including full-time staff and IT capacity—without proportionate benefits, especially for low-risk or stable institutions.

We recommend adopting a three-year default cycle, with annual reviews triggered only in the event of material changes in the risk profile. This would preserve effectiveness while improving operational feasibility.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

The proposed criteria for reduced review frequency are too restrictive and do not reflect the operational realities of most institutions.

We suggest:

  • Introducing a broader and clearer definition of “material change” to ensure consistency in off-cycle reviews.
  • Allowing more flexible access to the reduced frequency model, especially for institutions with stable risk profiles and mature control frameworks.

A flexible, risk-based approach—centered on a triennial review with early reassessment when warranted—would strike a better balance between oversight and proportionality.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

We do not fully agree with a blanket distinction that treats EEA jurisdictions as inherently lower risk compared to third countries.

While EEA membership implies regulatory alignment, recent examples—such as FATF grey listings of Bulgaria and Croatia—demonstrate that not all EEA countries uniformly present low risk.

A more appropriate approach would be to align geographical risk assessments with the country designations under Articles 29–31 of the AMLR, using objective indicators rather than EEA affiliation alone.

This would support a dynamic, evidence-based assessment, consistent with the AMLR and Annex II, and avoid underestimating risk in intra-EEA transactions where warranted.

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

The thresholds in Article 1 of the draft RTS—based on customer count and transaction volume—are overly simplistic and lack contextual nuance for assessing activity materiality under the freedom to provide services. When used in isolation, these indicators risk misrepresenting the actual risk profile and operational complexity of the activity.

The lack of clear definitions and a weighting methodology undermines the indicators’ usability and leaves entities without adequate guidance to meet supervisory expectations. The use of standalone, quantitative thresholds does not reflect a proportionate, risk-based approach and may lead to inconsistent implementation across institutions and Member States.

From a legal standpoint, the proposed thresholds may raise concerns with respect to EU law principles. The freedom to provide services is defined by its temporary and non-permanent character - unlike the freedom of establishment - yet no reference to temporality is made in Article 1. Moreover, rigid thresholds could inadvertently incentivize “de-risking” of cross-border activities, which would conflict with the objective of fostering an integrated and competitive EU financial market.

A more effective approach would involve the use of cumulative criteria, rather than alternative ones—combining both the number of customers and the volume of transactions—with the addition of qualitative indicators such as the type of services offered, the risk profile of the client base, and the duration and recurrence of the activity. This would enable a more accurate assessment of business relevance and better support proportionate, risk-based supervisory decisions.

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

Lowering the thresholds would not resolve the core issue, as it would still rely on purely quantitative criteria that fail to capture the nature, frequency, and risk profile of the activity. Given the temporary nature of the freedom to provide services, lower thresholds risk capturing marginal or low-risk operations and may lead to disproportionate supervisory burdens.

A more appropriate approach would be to retain high thresholds and complement them with qualitative risk-based criteria to ensure proportionality and supervisory focus.

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

A single customer threshold, regardless of customer type, oversimplifies risk assessment. While splitting by retail vs. institutional may add complexity, a more meaningful distinction would be between natural and legal persons, as these categories better reflect actual ML/TF risk exposure across banking segments.

That said, any such distinction should be backed by clear and harmonized definitions, as classifications vary across institutions. Without this, the risk of inconsistent application outweighs the potential benefits.

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

While the selection methodology builds on the risk assessment approach under Article 40(2), key clarifications are needed to ensure consistency, proportionality, and transparency.

There is ambiguity over whether the same data points and definitions apply to both Articles 12 and 40, which risks duplication and inconsistent outcomes. Clear alignment and harmonized definitions - especially for metrics like customer numbers and transaction volumes - are essential to ensure comparability.

Additionally, the selection process should be supported by a structured communication framework. Being selected for AMLA supervision should not imply heightened risk or misconduct. Communicating this clearly is key to avoiding reputational harm, particularly in sensitive areas like correspondent banking.

A simplified, standardized methodology, combined with clear communication, would enhance both the effectiveness and legitimacy of the process.

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

The selection methodology should not allow adjustments to the inherent risk score as defined in Article 2 of the RTS under Article 40(2) AMLD6.

The inherent risk score is based on objective, verifiable data. Introducing discretionary adjustments would compromise transparency, consistency, and comparability across Member States, undermining the harmonization objectives of the AML framework.

Without clear and uniform criteria, supervisory discretion creates a high risk of unequal treatment and legal uncertainty. To preserve fairness and reliability, both the inherent risk and controls scores should remain strictly data-driven, without ad hoc modifications.

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

The current methodology for calculating the group-wide score lacks transparency and is difficult to interpret without concrete examples. Providing clarifications and illustrative cases would support consistent application and understanding.

Moreover, the approach may distort risk assessments by over-weighting large, low-risk entities and underrepresenting smaller, high-risk components. This could result in misleading group-level outcomes.

EBCCON recommends allowing flexibility in the aggregation methodology - e.g., transitional rules or justified adjustments - and incorporating qualitative safeguards to better reflect actual group risk profiles.

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

The current draft lacks sufficient clarity on the definition of the group-wide perimeter, leading to several implementation uncertainties. Key open points include:

  • Whether and how non-EU entities (subsidiaries, branches) should be included.
  • The role of the parent company in consolidating and submitting data.
  • Whether EU-based subsidiaries and branches located in Member States other than the parent’s should be treated as separate legal entities for reporting purposes, or whether their data must be consolidated and submitted by the parent company.
  • Risks of duplication if data already reported by local entities must be resubmitted centrally.
  • Whether non-obliged entities fall within scope.
  • Standards for currency conversion and data formatting.
  • Treatment of the Group Head Office.

Limiting the perimeter to EU entities may exclude material risks; however, including non-EU components raises feasibility and legal questions.

To ensure consistency and proportionality, the RTS should clearly define:

  • The perimeter of entities included.
  • Data consolidation responsibilities.
  • Treatment of non-EU and non-obliged entities.
  • Reporting and formatting standards.

Without this clarity, there is a high risk of fragmentation, duplicated effort, and distorted risk assessments.

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

The parent company should be included in the group-wide assessment, but the absence of clear guidance on how to assign relative weighting to the parent company and other group entities may lead to distorted group-wide profiles—especially if all entities are implicitly treated with equal influence, regardless of size or risk exposure.

A weighted scoring approach is necessary to reflect the relative size, operational relevance, and risk exposure of each entity. In many cases, subsidiaries may carry greater risk than the parent, particularly in business lines like private banking or fintech.

Once clear and objective weighting criteria are defined, the parent’s score can be properly integrated to ensure a balanced and accurate group-wide risk assessment.

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

We do not support the exclusion of supervisory assessments and external controls in the initial application of the methodology, as stated in the first subparagraph of Article 6. Omitting these inputs may artificially lower the control quality score, especially where recent improvements have been implemented and validated through inspection or audit. This risks penalizing entities that have actively enhanced their frameworks.

Incorporating such assessments—under clear, harmonized criteria—would ensure a more accurate and fair evaluation of control effectiveness from the outset.

Regarding the remaining elements of Article 6, we are aligned with the proposal as drafted.

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

For Article 1(2), the obligation to collect the commercial name of legal entities—alongside the registered name—should either be removed or made optional, unless a reliable EU-wide source is defined to retrieve this information.

For Article 4, we would be grateful to obtain confirmation of our understanding that the requirement to “satisfy” that the necessary information is obtained, is fulfilled by having this confirmed by the customer.

For Article 5:

  • We acknowledge the intention to harmonize identity verification requirements under Article 5. However, the criteria currently listed are too restrictive and do not reflect the diversity of acceptable documents across Member States. For instance, several valid Italian ID documents lack a machine-readable zone, and including such elements as essential may create unintended exclusion or require unjustified re-onboarding.
  • We propose the RTS clarify that the documents listed under Article 5(1) and 5(2) are acceptable for onboarding purposes, and that alternative but verifiable forms of ID (e.g., national driving licenses) can be recognized, in line with national legal frameworks. The reference to “legitimate reason” in Article 5(2) should be clarified. We suggest explicitly recognizing cases where a customer holds a valid national ID that lacks certain attributes listed in Article 5(1). In particular, the requirement to verify nationality should be reconsidered, as many legitimate ID documents do not contain this field.

More generally, regarding SMOs: the purpose of the AMLR is not to treat the senior managing official as a beneficial owner. Accordingly, we believe that the senior managing official should not be overburdened by facing the same treatment in terms of identification measures as the beneficial owner. Instead, we recommend adopting simplified measures and identifying SMOs by collecting information such as names and surnames, and place and full date of birth. This information should be verified by relying on public registers or company registers and ID documents. Additional documentation or verification steps should not be required unless justified by specific risk factors.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

We recommend clarifying that the signing of privacy documentation, as part of the onboarding process, can fulfil the obligation to obtain and record explicit consent under Article 6(3). This approach is already standard practice and provides a reliable, auditable trail.

Without such clarification, there is a risk of duplicating consent collection processes, increasing friction in remote onboarding journeys without materially enhancing fraud prevention.

Providing this clarification would ensure consistency with existing data protection practices and help maintain an efficient, compliant remote onboarding process.

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

Under Article 22(3) of Regulation (EU) 2024/1624, the institution servicing the account must obtain identification and verification data related to users of virtual IBANs issued by third parties within 5 working days. We recommend that the RTS provide technical implementation guidance on the following aspects:

  • The roles identified under Article 22(3) of Regulation (EU) 2024/1624 and Article 8 of the draft RTS (i.e. ‘credit or financial institution servicing the account’, ‘issuer of a virtual IBAN’, ‘entity that provides a virtual IBAN to a person’ and ‘user of a virtual IBAN’).
  • What documentation is considered sufficient to meet the verification requirements, including accepted alternatives in case of limited data availability.

Such clarification is essential to ensure consistency across institutions, avoid delays in compliance, and ensure legal certainty in cross-institutional IBAN relationships.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We would suggest a revised text emphasizing flexibility and alignment with customer profiles, rather than mandating a fixed set of questions. This would support a more tailored and proportionate approach to understanding customer intent.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Yes, we agree

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We suggest refining the application of Article 22(2) and Recital (16) for low-risk customers by linking the obligation to update identification data to the occurrence of new operations.

Specifically, we recommend that if no new operations are performed within the 5-year period, the first update should be required only at the time of the first subsequent transaction. This would avoid unnecessary updates for passive clients (e.g., pensioners with recurring credits/debits) while maintaining compliance objectives.

Such a clarification would support a risk-based and proportionate approach, reducing unnecessary operational burden without compromising AML/CFT safeguards.

Finally, the 5-year update requirement for all customers where no SDD is applied, could be addressed through straight-through processing, combining trigger-based reviews and automatic confirmation for low-risk customers—ensuring a risk-based approach and cost efficiency in line with the Commission’s intent.

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.

We propose that countries, governmental bodies, legal entities under public law and state-owned private entities and companies listed on regulated markets be explicitly included in the scope of sectoral Simplified Due Diligence (SDD), particularly with respect to beneficial ownership requirements.

As for services, financial transactions carried out between regulated financial institutions on regulated markets represent a low ML/TF risk and should also benefit from specific SDD treatment.

Including these categories would align with current risk-based practices and reduce unnecessary administrative burden without compromising AML/CFT objectives.

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We suggest clarifying that Enhanced Due Diligence (EDD) does not require a uniform one-year update for all customers subject to EDD, especially those not classified as high-risk. A longer review cycle (e.g., two years) could be applied in such cases, preserving proportionality.

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We broadly agree with the Section 6 proposals, particularly Article 29, but we highlight the following points:

  • Transliteration: While not supported by all screening systems, we welcome the EBA’s clarification that it is not mandatory unless available. Furthermore, we note that in the recitals reference is made to transcription (recital 3) and would welcome clarity that it refers to changing the text from one script to another. No further issues arise under this condition.
  • “Any other names” (Art. 29 a.iii): We recommend the RTS provide clearer implementation guidance—such as examples of relevant aliases, trade names, or variations—to support accurate and consistent configuration of screening tools.

Additionally, we note that Articles 28 and 29 are already addressed in the Council of the European Union best practices for the effective implementation of restrictive measures (“EU Best Practices”) and under EBA/GL/2024/15 (e.g. the requirements regarding “date of birth”; “aliases”; “trade names”; “wallet addresses” and the interpretation of the term “without undue delay”). Clarifying how these RTS provisions interact with existing guidelines would help ensure consistency and avoid duplication in implementation.

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Yes, we agree

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We agree with the objective of Article 31(3), which requires obliged entities to supplement missing attributes when electronic means do not provide all required information.

However, we request clarification on how to identify individuals holding shares or directorship positions in nominee form, as required in Annex I, point (iv) for legal entities. This information is not consistently available across jurisdictions, and the lack of clear criteria creates implementation challenges.

We recommend the RTS provide:

  • A definition or typology of nominee arrangements.
  • Guidance on acceptable sources to verify such positions (e.g. registries, declarations, legal agreements).
  • Clarification on when and how due diligence should escalate if information is not readily available.

This would help ensure consistency in compliance efforts and avoid diverging practices across institutions.

Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.

We express concerns regarding the inclusion of Article 1(l) ("any other indicator identified by the supervisors") in the list of breach gravity indicators.

This open clause undermines the goal of regulatory harmonization, as it allows for divergent supervisory practices across Member States, reintroducing fragmentation the AML Package aims to eliminate.

Moreover, enforcement frameworks already differ significantly at national level—particularly between criminal and administrative regimes—leading to unequal consequences for similar breaches.

To preserve consistency and legal certainty, we recommend removing or strictly limiting the scope of discretionary indicators, and addressing broader enforcement divergences through more structured guidance or coordination.

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.

We are concerned that the lack of clear definitions for terms such as “moderate” and “significant” impact in Article 2 may lead to inconsistent classification of breaches across Member States. 

This subjectivity risks fragmenting enforcement and undermines the harmonization goals of the AML/CFT Package. To promote legal certainty - also in order to avoid disputes connected to the interpretation of the words - and a level playing field, we recommend that the RTS provide:

  • Objective criteria or thresholds for impact severity.
  • Or, alternatively, illustrative examples to guide supervisory interpretation.

This would support more transparent and uniform application of breach gravity classifications.

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

The criteria listed in Article 4 to determine pecuniary sanctions include vague and subjective terms (e.g., “quickly and effectively”, “actively and effectively”, “effective and timely”) that risk inconsistent interpretation across Member States.

Moreover, the inclusion of a catch-all clause (“any other criteria”) – also inserted in Article 1 (see our considerations in Question 1 above: “any other indicator”) and in Article 5 - undermines harmonization by enabling divergent national practices—contrary to the goals of the AML/CFT Package.

We also highlight conflicts with criminal law principles in some jurisdictions (e.g., nemo tenetur in the Netherlands), where entities may be penalized for exercising their right to remain silent.

To ensure legal certainty and fairness, we recommend:

  • Removing or limiting discretionary language;
  • Introducing objective definitions or benchmarks to support uniform application.

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

We recommend revising Articles 4(5) and 4(6) to ensure that sanction levels are assessed proportionally, rather than based solely on turnover.

Turnover may not accurately reflect an entity’s true financial capacity or ability to absorb a sanction. A more balanced approach should consider:

  • Profitability;
  • Liquidity;
  • Capital adequacy; and
  • Other financial indicators relevant to sanction impact.

This would ensure sanctions are fair, proportionate, effective, and not unduly punitive, while preserving their deterrent effect.

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

When applying administrative measures, particularly business restrictions, withdrawal of authorization, or governance changes, supervisors should also consider the potential international impact on the entity.

These measures may have cross-border consequences affecting global operations, client confidence, and financial stability. Without this consideration, outcomes may become disproportionate, especially for institutions with international footprints.

We recommend including explicit reference to cross-border effects among the assessment criteria to ensure balanced and risk-sensitive decision-making.

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

See reply to 5a.

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

See reply to 5a.

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

The concerns outlined in responses to Questions 1 and 3 - particularly regarding discretionary indicators and subjective criteria - apply equally to the non-financial sector.

Until these issues are resolved, extending the same indicators and criteria to non-financial entities risks producing inconsistent and non-comparable outcomes, undermining the goal of a level playing field under the AML/CFT framework.

A consistent supervisory foundation must be ensured before sectoral expansion of the RTS provisions.

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

At this stage, EBCCON has not received specific feedback from its member institutions regarding the treatment of natural persons, including senior management, under the draft RTS. 

However, we note that the concerns raised in our responses to Questions 1 through 6—particularly regarding the use of vague or subjective criteria—are equally pertinent here. 

We caution that applying insufficiently defined criteria to individuals who are not obliged entities may introduce inconsistency, reduce legal certainty, and risk disproportionate enforcement. 

Therefore, any extension of indicators to natural persons should be accompanied by clear definitions and thresholds, in line with our broader recommendations for greater objectivity and harmonization across the RTS.

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

At this stage, EBCCON has not received specific feedback from its member institutions regarding the granularity of the rules or the calculation methodology for periodic penalty payments. Nevertheless, we consider the concerns raised in our response to Question 4 to be directly relevant.

In particular, we support a more balanced and risk-sensitive approach that avoids overreliance on turnover as a singular benchmark. Instead, we recommend that additional financial indicators—such as profitability, liquidity, and capital adequacy—be considered. 

A more comprehensive and proportionate methodology would ensure that penalties better reflect an entity’s actual financial capacity, promote fairness, and enhance the deterrent effect without resulting in undue punitive measures.

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

At this stage, EBCCON has not received specific feedback from its member institutions regarding the harmonization of administrative rules for the imposition of periodic penalty payments.

Nonetheless, we consider that the overarching concerns highlighted in our earlier responses—particularly those relating to discretionary enforcement, divergent national practices, and the use of vague criteria—are directly relevant in this context.

We support the development of a more harmonized EU-level framework that includes clearly defined, objective administrative provisions.

Such harmonization would help ensure greater legal certainty, reduce the risk of inconsistent supervisory outcomes, and foster a level playing field across Member States, thereby strengthening the overall coherence and effectiveness of the AML/CFT regime.

Name of the organization

EBCCON - European Banking Chief Compliance Officer Network