Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

In order to ensure reasonable compliance costs and avoid unnecessary bureaucracy, it is essential that the data points requested by AMLA remain limited in number, avoid unnecessary duplication, and follow the proportionality principle according to the nature and risk of the activity.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

Yes. 

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

In some cases, the proposed list would increase the number of data points substantially (in Denmark, to at least 82 from 25; in France, it would provide for more than 50 additional data points). This would be excessive and unhelpful, leading to unnecessary bureaucracy without tangible benefits for the intended purposes.

 

Moreover, we want to highlight concerns regarding the scale of data points required. While some alignment exists with national questionnaires, many data points are not stored in distinct fields, and, moreover, calculation methods can also differ from one country to the other.

 

While factors such as the complexity of a client’s structure are taken into account during risk assessments at onboarding or re-identification, this information is not recorded separately in current systems. As a result, implementing such a requirement would necessitate substantial IT development and lead to significant compliance costs.

 

Moreover, the counting of PEPs risks leading to double accounting (as a customer or as a family member of a customer). 

 

 

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

Many financial institutions already apply an annual frequency to their Enterprise-Wide Risk Assessment. A reduced frequency is more appropriate for entities with lower exposure to ML/TF risks, such as those offering a limited range of products, services, or activities. For lower risk activities, an alternative solution could be streamlined annual reporting.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

Yes.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

Yes, under the new AML Package, which aims to ensure a more consistent interpretation and application of EU regulations across jurisdictions, EEA countries would naturally apply equivalent AML standards.

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

Regarding the threshold of over 20,000 customers residing in each Member State where the obliged entity operates under the freedom to provide services:

 

What is the appropriate approach for customers who were initially onboarded as residents of a given Member State but have since relocated abroad? Should they now be classified as clients acquired under the freedom to provide services?

 

A considerable number of such cases involve individuals who retire abroad while keeping their domestic bank accounts as well as credit agreements. These customers typically pose a very low AML risk, as their primary source of income is pension payments. 

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

It is important to distinguish between individual and corporate customers, as individuals generally carry a much lower risk of money laundering and terrorist financing.

 

In addition, retail clients typically display more uniform patterns of behaviour, whereas institutional or corporate clients vary considerably in their risk profiles. A single institutional client also tends to represent significantly greater financial and compliance exposure than a single retail client.

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

Yes.

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

We find it inconsistent that national supervisors are permitted to adjust a financial institution’s inherent risk classification, either upward or downward by one risk category, based on specific ML/TF-related factors or other contextual elements, while AMLA lacks the same capacity. If AMLA identifies relevant characteristics at the national level that justify a revised assessment, it should likewise be empowered to recalibrate the institution’s risk score accordingly. Such an adjustment could be made in coordination with national authorities and communicated transparently to affected institutions.

 

Given that the AML framework is intended to function as a single rulebook, the possibility that two comparable institutions within the same Member State could receive divergent risk ratings undermines the objective of supervisory consistency.

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

While we support the overall methodology, we would strongly recommend that data submissions be scheduled outside of the main holiday months, specifically July, August, and September. These months typically coincide with reduced staffing levels at financial institutions, which may hinder their ability to manage operational and reporting demands effectively.

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

As we understand it, a single client with relationships across multiple entities within the same group, for instance, holding accounts with both a financial institution and its affiliated insurance company, would be counted separately for each relationship in the risk scoring process. In our view, it would be more appropriate to enable and account for such intra-group client overlaps to avoid inflating the perceived risk level.

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

Yes, with the weighting method in Article 5 (i.e. same consideration ≠ same weight).

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

  • Article 1 - Information to be obtained in relation to names

 

We support the requirement to collect the names as stated on official identification documents, such as passports or equivalent, as this aligns with established market practice. However, we recommend removing the reference to ‘all of the customer’s full names and surnames’, as this phrasing introduces ambiguity and may conflict with the minimum standard set out in the RTS, i.e. the name as it appears on the identity document.

 

We therefore propose amending Article 1(1) to state that ‘In relation to the names and surnames of a natural person as referred to in Article 22(1)(a) point (i) of Regulation (EU) 2024/1624, obliged entities shall obtain the customer’s full names and surnames as featured on their identity document, passport or equivalent’.

 

  • Article 2 – Information to be obtained in relation to addresses

 

Article 2 specifies the collection of ‘full country name’, ‘postal code’, ‘city’, ‘street name’ and ‘where available, building number and the apartment number’. While the inclusion of apartment numbers may be relevant in specific cases, we consider the combination of street name and building number to be a sufficiently robust standard for meeting the mandatory address requirement.

 

  • Article 3 – Specification on the provision of the place of birth

 

Requiring both the city and country of birth to satisfy the 'place of birth' criterion may generate disproportionate compliance costs relative to its limited value in accurately identifying individuals, and for addressing money laundering and terrorist financing overall.

 

A practical concern arises when identification documents only display the city of birth without specifying the country, raising questions about how obliged entities are expected to verify the country of birth in the absence of supporting documentation such as a birth certificate. For example, cities often exist in more than one country, which could create ambiguity.

 

Given that the information included on passports and identity documents varies depending on the jurisdiction and whether the customer resides within or outside the EU, the RTS should account for such differences and allow flexibility where specific data points are unavailable.

 

Place of birth can be difficult to obtain for beneficial owners and legal representatives which are not customers. It should be possible to collect it from beneficial owners registers.

 

We therefore propose that Article 3, Section 1 of the RTS require only the country of birth as a minimum, while permitting entities to collect the city of birth at their discretion when it is relevant and feasible.

 

  • Article 4 – Specification on nationalities

 

We do not see how requesting all of a customer's nationalities would enhance customer identification or contribute to combating money laundering and terrorist financing. On the contrary, this requirement would complicate implementation within the customer journey.

 

The obligation to obtain sufficient information to determine whether a customer holds additional nationalities may entail significant implementation costs. This is because it would require financial institutions to ask targeted questions beyond the information available in standard identification documents, which typically display only one nationality.

 

Moreover, there is no centralised register to confirm all nationalities an individual may possess, meaning institutions would need to rely entirely on the customer’s self-declaration.

 

This raises a number of operational uncertainties, for instance, what methods are acceptable for verifying additional nationalities, how extensive such checks must be, and what consequences arise during onboarding. If a client discloses dual nationality, must they present a passport for each? Can the process move forward without documentation for the second nationality, and what if that passport is expired or no longer available? Moreover, financial institutions will not be notified in the case of a customer subsequently obtaining a new nationality. 

 

The text should be changed to ‘obliged entities shall ask customers to disclose any other nationalities they may hold’. Moreover, it should also be clarified that “obliged entities will not be held to account for not discovering additional nationalities, where such are not disclosed by the individual, and in the absence of any other source to verify their existence”.

 

  • Article 5 – Documents for the verification of the identity

 

Article 5 (1) provides for a number of questions and observations:

 

In cases where identity verification relies on physical (paper-based) documents such as passports, it is unclear how obliged entities are expected to confirm the existence of a machine-readable zone (MRZ). Further clarity is also needed on the applicable standards used to define what constitutes a valid MRZ. Additionally, it should be specified whether obliged entities are required to assess the authenticity of the MRZ itself.

 

The phrase "it contains, where available, biometric data" suggests that identification documents lacking biometric features are permissible in cases where such data is not embedded in the document. This raises the question of whether obliged entities are expected to keep an up-to-date inventory of all identification methods issued by each country and determine, for each case, whether biometric data is included. If so, clarification is needed on the extent of this obligation and how it should be operationalised in practice.

 

The criteria as set out under paragraphs (e), (f) and (g) appear to be both unclear and excessive (i.e. document containing a ‘machine-readable zone’, ‘security features’ and ‘biometric data’), thereby excluding the use of any alternative document for identity verification.

 

Furthermore, the cumulative criteria (‘where all of the following conditions are met’), coupled with the apparently non-mandatory wording in paragraph (g) (‘it contains, where available, biometric data’), give rise to confusion.

 

We suggest either deleting the criteria outlined in paragraphs (e), (f), and (g), or revising the provision to eliminate the cumulative requirement, so that it is not necessary for all the specified conditions to be fulfilled.

 

A clarification, allowing a broad interpretation, would be welcome as to what is to be considered legitimate in relation to the situation outlined in Article 5(2).

 

In accordance with Article 5(3), obliged entities are required to ‘take reasonable steps’ to ensure that the documentation obtained for identity verification is authentic and has not been altered. We recommend providing further clarity on the expected obligations through a non-exhaustive list of examples. This would offer useful guidance while preserving the necessary flexibility and avoiding excessive specificity, which could inadvertently aid fraudulent behaviour.

 

A certified translation of a document's foreign language content is to be obtained when deemed necessary, in accordance with Article 5(4). However, it is not clear when this could be necessary. Moreover, by what standards would a certified translation be qualified? In the situation where an internal translation can be expected to be adequate due to internal resources, would a certified translation be unnecessary?

 

Article 5(5), by referencing Article 22(6), states that individuals must provide the obliged entity with an original identity document, passport, or an equivalent, or a certified copy thereof. However, it remains unclear what criteria or standards obliged entities should rely on to determine whether a copy qualifies as certified. Requiring certified copies to be attested by a notary, solicitor, or similar authority would create a significant barrier to onboarding and undermine the aim of ensuring a customer journey that is as seamless as possible.

 

If the use of electronic identities or eIDAS-compliant solutions is only required where such tools are available and their use can be reasonably expected, several questions arise. Not least, which authority will be responsible for determining and publishing whether eIDAS-compliant solutions exist for a given country of issuance? Or, alternatively, will obliged entities be expected to make this determination independently based on their own assessment?

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

We support the explicit recognition in the RTS of multiple methods for verifying the identity of natural persons in non-face-to-face scenarios, particularly where appropriate to the level of risk and in the context of low-value, standardised consumer credit products. These should include methods such as:

 

a) Acceptance of a first payment initiated from an account held in the sole or joint name of the customer with an EEA-regulated credit or financial institution, or with a credit institution located in a third country whose AML/CFT framework is not less robust than that required under Directive (EU) 2015/849; or

 

b) Use of an account information service provider (as defined under PSD2) to confirm the customer's identity based on verified account ownership and transaction history.

 

These approaches are effective, traceable, and widely used across the EU. Their inclusion in the RTS would enhance legal certainty, improve customer experience, and facilitate proportional and practical compliance by obliged entities. These methods provide traceable, auditable processes that meet high standards of reliability and customer security. They are particularly appropriate for low-value, standardised credit products, and their continued acceptance under the RTS is essential to preserving market access, legal certainty, and a seamless customer journey. They should also generally be used alongside a copy of the identity document or passport, in line with good practice.

 

In this context, we would like to emphasise the importance of maintaining flexibility in light of the relevant market context, particularly regarding the use of secure video identification technologies. For example, in Germany, where eIDAS-compliant solutions are not yet widely adopted and most citizens have not activated, or do not actively use, the eID function of their national ID cards, the sector commonly relies on VideoIdent as a standard and regulated onboarding tool, for which BaFin has approved and detailed the requirements, setting out robust criteria for employee training, technical measures, and fraud prevention procedures.

 

Requiring the exclusive use of eIDAS-compliant solutions is not feasible, particularly from a financial inclusion perspective and considering the limited uptake of such solutions in several Member States. Mandating eIDAS-only methods could inadvertently exclude large segments of the population. It is essential that obliged entities retain the ability to use secure, remote verification alternatives, which are proven, regulated, and widely accepted in the market. A flexible, risk-based approach is crucial to preserving access to finance and supporting a customer journey that is as seamless and inclusive as possible. These alternative methods should be recognised not as transitional measures but as valid and enduring components of a flexible, risk-based identification framework.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

The level of detail required by the proposed questions appears overly burdensome, in parts irrelevant, and unlikely to be manageable for the average client. 

 

We are also concerned that some of the obligations introduced in Articles 15 to 17 appear disproportionate, as well as irrelevant, when applied to low-risk consumer credit products such as Buy Now Pay Later (BNPL) services or small-value, short-term loans (e.g., under €1,000 or with a term shorter than three months). These products are generally subject to standard measures such as identity verification, sanctions screening, and PEP checks, which we believe are appropriate and sufficient given the limited risk exposure. Naturally, where there is a suspicion of heightened risk, the financial institution will escalate the customer’s risk classification accordingly and apply enhanced measures.

 

To reflect this, we recommend that Article 15 explicitly reference the principle of proportionality, clarifying that the listed obligations should apply only where appropriate based on the risk associated with the customer relationship. Requiring detailed information on transaction purposes or intermediaries in the context of standardised, low-risk consumer lending offers limited value for AML/CFT objectives.

 

Moreover, we find that the requirement under Article 15(c), in particular, the expectation to identify 'additional relationships with the wider group', is difficult to operationalise in retail contexts for some groups. This requirement may not be relevant or proportionate for typical low-risk clients, such as individuals with standard retail banking accounts and regular, predictable financial activity. 

 

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

The RTS provides that PEP screening should follow a risk-based approach and, at a minimum, be triggered by relevant changes in customer due diligence information. Factors such as the customer's occupation, professional background, or business activity are noted as potential indicators. From this, we understand that any update to KYC data may require a new screening.

 

In practice, PEP checks are generally carried out by matching customer information, typically first and last name, date of birth, and place of birth, against dedicated databases. We therefore recommend that mandatory rescreening should be limited to cases where changes occur in the specific identity data referenced in Article 22(1) of the AMLR. Expanding this obligation to broader KYC elements would create unnecessary operational burdens with limited added value.

 

Furthermore, we believe that the requirement for senior management approval prior to establishing a relationship with a politically exposed person should not apply to low-risk consumer credit products. We suggest that Article 17 include an exemption for products such as BNPL and small-value credit agreements below €1,000, where the financial and AML/CTF risks are minimal and simplified due diligence measures are more proportionate.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

  • Article 18 RTS – Minimum requirements for the customer identification in situations of lower risk 

 

Article 18(1)(a) would benefit from a number of clarifications, as to:

 

  • If simplified due diligence (SDD) does not require the collection of national identification numbers or place of residence, this should be clarified. At the same time, we question the rationale for omitting 'usual place of residence' as a required data point under SDD. This information often plays a central role in risk assessments and customer profiling.

 

Omitting it from the mandatory requirements in SDD scenarios may create operational challenges, particularly when engaging with customers who are aware that such information is not formally required and may therefore decline to provide it. 

 

  • In the case of simplified due diligence, whether the provisions that specify the requirements of Article 22(1)(a) AMLR (Section 1 Articles 1, 2 and 4 of the RTS) apply. The connection between Section 1 and Section 4 should be more explicitly defined.

 

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.

Consumer-credit products generally carry a low AML/CFT risk because their structure provides little opportunity or incentive for illicit money use. This includes products such as BNPL and small-value credit agreements below €1,000, as well as linked credit agreements, which are exclusively tied to the purchase of a clearly defined product or service.

 

See answers to questions 4 & 5. 

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Regarding additional information on the source of funds and source of wealth of the customer and of the beneficial owners, we suggest adding, in Article 26(h new), a provision specifying “any other relevant information” in order to allow financial institutions to define their criteria/evidence.

Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.

The suggested criteria for supervisors align well with those typically applied internally when evaluating past incidents. However, the possibility given to the supervisor to take into account “any other indicator identified by the supervisors” introduces legal ambiguity and may lead to inconsistent or overly expansive application.

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

We suggest that the list of criteria include mitigating factors similar to those considered by OFAC, such as voluntary self-disclosure, proactive cooperation with authorities, implementation of remedial actions, and structural improvements to internal processes and policies.

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

In light of the severity of potential measures, we suggest the following clarifications to enhance the proposed criteria:

 

The reference to the “conduct of the natural or legal person held responsible” should explicitly set out uncooperative or intentionally misleading behaviour.

 

The criterion relating to “structural failure” should be refined to cover instances where the obliged entity either failed or was demonstrably unable to address the issue in a timely manner. Where a structural issue has been promptly and effectively remedied, it should not in itself justify the withdrawal of the entity’s licence.

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the natural persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

Yes, it is important to clearly distinguish the responsibilities and potential consequences for individuals acting on behalf of the legal entity, versus the obligations of the entity itself.

Name of the organization

Eurofinas