Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?
Article 2, Paragraph 3, Second Paragraph – “Double Punishment”
- There is a concern that strictly weighting inherent risk proportionally to higher risks across different factors leads to a form of “double punishment,” where elevated risks in any factor disproportionately increase the overall inherent risk.
- We suggest implementing fixed weightings, akin to the “predetermined” concept existing in Article 2, paragraph 2, second paragraph, rather than strict proportionality.
Article 3, Paragraph 3(a) – Potential for Arbitrary Manual Intervention
- If “all assessments by supervisory bodies” can trigger a qualitative assessment, this could introduce significant arbitrariness.
- It is recommended to limit such manual intervention only to formal supervisory decisions that have been duly concluded, so that entities subject to more frequent supervision are not disproportionately impacted.
Residual Risk Assessment Concerns
- Some stakeholders find the residual risk assessment method deficient, primarily affecting larger institutions with inherently higher risk profiles.
- Articles 2(5), 3(6), and 4(2)-(3) effectively prevent high inherent risks from ever being recalculated as “low” residual risk, even if the control environment is exceptionally strong, see the examples below.
Examples of Residual Risk Outcomes
- A high inherent risk score of 4.0 with a perfect control environment score of 1.0 yields a residual risk of 2.5, which remains in a relatively high tier.
- A slightly lower “high” inherent risk of 3.25 with a perfect control environment score of 1.0 results in a 2.125 residual risk, classified as medium.
- Even moderate substantial risk (2.5) combined with an exemplary control score (1.0) leads to 1.75, generally categorized as medium.
Impact on Major Banks
- Since major banks tend to exhibit higher inherent risk due to their extensive operations, they risk being permanently classified in higher residual risk categories without a plausible route to demonstrate “low” residual risk.
- Because the model guides supervisory focus, it creates an incentive for major banks to contest the methodology, given the substantial resources involved in more frequent investigations.
Recommendation:
- It should be mathematically feasible for high inherent risks to drop to a low residual risk when control environments are demonstrably outstanding.
- A closer review of weighting schemes in Articles 2, 3, and 4 is strongly encouraged to ensure fairness and accuracy across different bank categories.
In addition, the introduction of a longer, 3-year minimum frequency in Article 5(3b) of the Draft RTS under Article 40(2) AMLD for the risk assessment of obliged entities with a low-risk residual profile, or with activities that do not fall under the scope of Regulation (EU) 2024/1624, is appreciated.
However, the proposed application of the longer minimum frequency to obliged entities with five or fewer FTE employees in Article 5(1a) of the Draft RTS risks having little meaningful impact, given the very small number of entities captured under that scope.
Therefore, in the case of credit institutions, we propose replacing the threshold of five FTE employees in Article 5(3a) of the Draft RTS under Article 40 AMLD with the SNCI definition for small and non-complex institutions in Article 4(1) (145) of Regulation (EU) 2013/575, as a commonly recognized regulatory definition. This would avoid the introduction of an additional arbitrary threshold.
While ESBG acknowledges and supports the need to continuously adjust the methodology used to assess and classify the inherent and residual risk profile of obliged entities, so as to adapt it to existing ML/TF risks, we consider that it would be highly beneficial to share both the methodology and the benchmarks not only among supervisors but also with obliged entities. Obliged entities would then be fully aware of the supervisors’ expectations on these issues and could adapt to new ML/TF risks in a mutually beneficial way.
We therefore propose a third option (3c), which would consist of providing a general description of the methodology in the RTS and keeping the detailed methodology and benchmarks up to date on the AMLA website, with access restricted to supervisors and obliged entities. This would ensure that each competent authority applies the same methodology and thus maintains a level playing field. Changes to the methodology should be discussed and implemented with an appropriate adoption period.
In addition, the AMLA should ensure that national competent authorities collect data points before approaching obliged entities.
On reputational risk, it should be clearly communicated that an obliged entity being under AMLA supervision does not mean that it has insufficient risk management or a deficient compliance programme.
Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.
As the calculation is very technical, it would be very helpful to include examples, perhaps in an annex.
3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?
Regarding the “interpretative note”, it would be helpful if this document were also part of the consultation. There should be a focus on clear definitions to ensure a harmonised approach and data quality.
ESBG requests that the EBA clearly indicate whether specific provisions apply exclusively to certain sectors. In general, where the Regulation/RTS provides a clear definition, it would be helpful to refer to those terms to ensure a consistent, harmonised approach and to make application easier, e.g. “customer: person having a business relationship as described in Article 2 (2) para 19”.
Section A – Inherent risk
Category – customers
ESBG calls for a definition of NPO and proposes the following wording:
“A non-profit organisation is a legal person or arrangement or an organization that primarily engages in raising or disbursing funds for purposes such as charitable, religious, cultural, educational, social or fraternal purposes.” (definition of EBA Risk Factor Guidelines)
However, ESBG would appreciate clarification from the EBA on whether to distinguish between NPOs and NGOs, as these terms are often used interchangeably in practice.
Regarding “complex structure”, ESBG requests that the EBA provide a definition of “high-risk activities”.
As for “requests from FIU” – if a request comes from FIU it should be assumed that this has an AML/CTF background; therefore, ESBG asks the EBA to delete “whose matter or nature of the request is linked with AML/CFT”.
Category – Products, Services and Transactions
ESBG requests that the EBA specify:
- “re-issued IBAN”. This data can only be provided by entities reusing IBANs.
- “retail clients”.
- “professional clients”. ESBG suggests that the EBA ensure consistent use of terminology throughout the document e.g., the categories (retail and institutional clients) are mentioned.
- “TCSP”.
- “unlisted financial instruments”.
- “safe deposit boxes”. Does this also include “Sparbuchschließfächer” (safes which hold savings books)?
ESBG suggests that, in general, the full term be written out when introducing abbreviations, for example ‘Trust or Company Service Providers (TCSP)’.
Section B – AML/CFT Controls
3A: Customer Due Diligence
ESBG would like to ask the EBA to elaborate on the data fields which indicate non-compliance.
For example, if verification can’t occur or there is missing data, would the customer relationship need to be terminated?
Regarding no automated score: how is this data obtained?
Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.
Given the duration of many relationships, a longer review period could be considered: five years for low-risk profiles and one year for higher-risk profiles or newly established relationships. Additionally, a monitoring system should be implemented to trigger reassessments as needed. At the same time, ESBG emphasises that any extension of review periods must not result in additional obligations or supervisory expectations for obliged entities. The goal should be to streamline and reduce unnecessary workload.
Question 6: When assessing the geographical risks to which obliged entities are exposed, should cross-border transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.
Setting up a harmonised regulatory framework should create a regulatory environment less prone to ML/TF risks, making it possible to treat transactions within the EEA differently from transactions linked to third countries.
Question 1: Do you agree with the thresholds provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.
With regards to the materiality thresholds provided in Article 1 of the draft RTS for operations under the freedom to provide services, we understand that those thresholds should be met together to reflect a minimum level of activity, because it should be borne in mind that a significant number of customers may be inactive in terms of operations during a certain period. The suggested amendment would be:
‘The activities of a credit institution or a financial institution under the freedom to provide services in a Member State other than where it is established shall be considered material for the purposes of meeting the conditions of Article 12(1) of Regulation (EU) 2024/1620, where: a) the number of its customers that are resident in that Member State is above 20,000; or and b) the total value in Euro of incoming and outgoing transactions generated by the customers referred to under letter (a) is above 50,000,000 ....’
We therefore propose to choose EBA’s option (1b): establishing thresholds on customers and volumes of transactions to be met together.
Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.
ESBG is against lowering the threshold.
Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.
We agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers, provided that thresholds on customers and volumes of transactions are met together.
However, we would appreciate it if you could define “retail customer” and “institutional customer”.
Differentiation makes sense because for each category (retail/NAT or institutional/NNAT) other risk factors could be applied.
Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.
As the calculation is very technical, it would be helpful to provide examples, e.g. in the annex.
Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.
The use of pre-determined thresholds / weights brings a lack of transparency as these data are not disclosed to the obliged entities, e.g. please see Article 2.
Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.
ESBG is of the opinion that Recital 5 should be revised to ensure clarity and consistency with other frameworks like Basel IV. Instead of using the phrase “level of the highest parent company”, the wording “highest consolidation level” should be used.
Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?
ESBG disagrees. In some cases, complex group structures mean that the risk profile of a small company may depend on specific circumstances, transactions, or institutional processes.
Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Preamble
On preamble (8), ESBG believes that the present concept of linking UBO registers is insufficient, as the quality and the approaches of local beneficial ownership registers significantly differ from each other.
A centralized UBO register should also enjoy “good-faith” protection so that obliged entities can rely on the data contained therein. Furthermore, beneficial ownership registers do not provide added value if the underlying documents are not stored. A good benchmark could be the “Austrian Compliance Package” approach of the Austrian beneficial ownership register, which may serve as an inspiration. In greater detail, in Austria, the documents required for the identification and verification of beneficial owners can be uploaded to the beneficial ownership register (which is run by the Ministry of Finance) and subsequently used by obliged parties for the purpose of fulfilling their AML/CTF due diligence obligations. This so-called “Austrian Compliance Package” may only be uploaded by a professional party representative (e.g. lawyers, tax consultants) and includes all documents required in the chain up to the beneficial owner.
Please also see the input regarding Article 9.
Preamble (14): Please ensure the risk-based approach – in some cases a driver’s license may be accepted as an identity document, but such documents do not contain the nationality (e.g. Austrian passport).
As for Preamble (16), ESBG would like to request that the EBA specify clear transition periods for the review of existing customers, especially for high-risk customers. It should be clarified that the application date of the delegated regulation implementing the RTS will not be earlier than the application date of the AML Regulation. We assume that for existing high-risk customers the RTS on CDD must be applied by 10th July 2028 (the application date of the AML Regulation plus one year, in accordance with Article 26 para 2 lit a AML Regulation) – please confirm – and that a clear date should be stated for the application concerning the other risk classes.
Article 1 – The legal entity name is verified via the registered name; please specify how the commercial name is to be obtained. Article 29 refers to ‘trade names’. If the ‘trade name’ is supposed to be the ‘commercial name’, we suggest using one term to ensure clarity. Otherwise, please define the difference.
Art 1 – ESBG would appreciate it if the EBA could clarify the following issue: obliged entities shall obtain all names but ask the customer to provide at least the names that feature on the identity document. Please also clarify how the commercial name (when it differs from the registered name) shall be obtained, and assess whether it is reasonable that obliged entities shall ask all legal entities if they use a commercial name different from their registered name (since there are no tools to gather such information from databases, etc.).
Art 2 – AMLR art 22 (1) (iv) states that the obliged entity shall obtain “the usual place of residence or, if there is no fixed residential address with legitimate residence in the Union, the postal address at which the natural person can be reached”. The EBA has narrowed the scope by referring only to “street name”. ESBG is of the opinion that this draft article narrows the scope in relation to AMLR art 22 (1) (iv); the EBA thereby possibly goes beyond its mandate in drafting the RTS.
Such limitation could potentially lead to financial exclusion, given that certain EU citizens lack “street name” in their addresses. Box addresses are not uncommon, especially in rural areas. The homeless or individuals with protected identity may also not be able to provide a “street name” in their residential address. The narrowing to “street name” may, in conclusion, lead to financial exclusion of the aforementioned groups.
However, if the provision is retained, we would propose, in regard to corporate customers, allowing the use of the business address of the (notional/subsidiary) beneficial owners instead of their residential address. This is because they are not direct customers of the obliged entity and can be reached at their business address. The other option would be to provide a telephone number and email address.
Art 3 – EBA states that ”place of birth” in AMLR art 22 (1) (a) p (ii) is both the city and the country name. In our opinion, this wording goes beyond the AMLR, in a way which may be outside the EBA’s mandate.
In some EU countries, e.g. in Sweden, it is not possible to verify the customer’s stated place of birth through ID cards or passports, since ID documents do not contain this information. ESBG therefore requests that the EBA clarifies that, in cases where ID documents do not provide verification of place of birth, information provided by the customer will be considered sufficient.
Moreover, it is unclear how the information on place of birth is intended to be used, specifically, in what way place of birth is expected to affect the risk of money laundering or terrorist financing associated with the customer relationship. In this regard, any rationale and reasoning provided in, for example, recitals, on how the intended benefit of obtaining the information has been weighed against the risk of discrimination and financial exclusion, i.e. the risk that a possibly vague connection to a country negatively impacts a customer’s access to financial services, would be helpful to banks in their future application of the RTS and AMLR. In any case, we consider it to be information that should be requested from the client only when there are doubts in the case of international sanctions screening. Additionally, each country assigns a unique fiscal ID to every entity—whether individual or legal, consumer or business—which should be sufficient for customer identification. ESBG is of the opinion that requesting additional information may be difficult to verify, subject to misuse, or redundant.
Article 4 – Given that there are no central/global citizenship registers, the only way to obtain information on citizenship is to pose the question directly to the customer and review whatever ID documents the customer chooses to provide. Consequently, if the customer does not reveal multiple citizenships, there is no way to find that information from other sources. Therefore, we suggest explicitly stating that institutions may rely on customer-provided information unless there are risk factors or red flags that would warrant additional verification. Next, clarification on citizenship is necessary in relation to sanctions requirements such as the 12th sanctions package and the EBA Guidelines on restrictive measures applicable from 30 December 2025.
Article 5 – ESBG stresses that it is important to ensure that a risk-based approach can continue to be applied. For example, the Austrian and Swedish driver’s licenses, until now considered acceptable identification documents, do not include information on nationality. Additionally, it should be acknowledged that documents issued to asylum seekers may not fully meet the outlined requirements. The proposed rule would prevent persons who do not have, e.g., a recently issued passport from becoming customers.
Article 5.2 prescribes that there might be a “legitimate reason” why a document does not fulfil para 1; please state potential legitimate reasons. In addition, most documents issued to asylum seekers may fail to fulfil not only para 1 but also para 2.
Article 5.3 – please provide examples regarding the “reasonable steps”.
Article 5.4 – please confirm that internal translations by employees of the obliged entity or employees of the banking group are deemed sufficient for translating documents.
Article 5.5 – Although AMLR Art 22(6) indeed mentions electronic identification means, Article 5.5 of the RTS only refers to physical ID documents (and certified copies thereof) and to identification in accordance with Article 6. However, Article 6 applies only to non-face-to-face situations, and electronic identification means are mentioned only in Article 6.1. It is therefore requested that it be clarified that electronic identification means may be used in face-to-face situations. It can be questioned why an identification method is acceptable in one situation but not another, especially considering the additional risks that only remote identification entails. Furthermore, the stricter requirements concerning what data physical ID documents must include to be acceptable will lead to fewer customers carrying ID documents acceptable to banks. The widespread use of electronic identification means, and the fact that many people carry such means with them on their phones, underscores the importance of universal acceptance of electronic identification for both efficiency and financial inclusion reasons. If the RTS were to exclude electronic identification means from use in face-to-face situations, it would appear to be at odds not only with current trends but also with the EU’s ambitions regarding electronic identification and trust services, as evident from the eIDAS regulation. In addition, please state whether “certified copies” are necessary for all risk classes or whether, following a risk-based approach, simple copies verified via e.g. databases are also acceptable.
Article 6 – It appears that identity verification in non-face-to-face situations, where no electronic identification means are available, presupposes some form of video identification as described in Article 6.3-6. For reasons of cost-efficiency and simplification, it is requested that it be considered whether the certified copies of documents mentioned in Article 5.5 may also be used for identification and verification purposes in non-face-to-face situations, particularly with respect to representatives and beneficial owners of legal persons. (Reproductions of original documents, as mentioned in 6.5, seem to be allowed only as part of the process in points 3-6.)
Article 7 – Please clarify how an assessment as prescribed within this article (e.g. “whether a source of information is reliable and independent”) is to be done by an obliged entity.
Additionally, we consider that the reference in Art. 22 (6) (a) AMLR to the use of reliable and independent sources “where relevant” should be interpreted in a risk-based manner. This implies that for customers rated as low or medium risk, it may not be necessary to acquire additional information beyond the identification document to verify the customer’s identity.
Further clarification is needed on what constitutes “risk-sensitive measures to assess the credibility of the source.” The current language leaves room for different interpretations, particularly regarding what level of due diligence is expected for different risk categories.
We also advocate further clarification of the term “up-to-date”. There is no consistent practice across EU Member States regarding the acceptable age or ‘up-to-dateness’ of legal entity data and supporting documentation used for KYC reviews. This concerns both the acceptable duration and the starting point for determining ‘up-to-dateness’. We request that the RTS clarify the duration for which relevant documents are to be considered recent or ‘up-to-date’. This could be done by imposing the “up-to-date” requirement only on documents that originate from a public register and are therefore provided with an extract date, and then setting a deadline for these extracts.
Article 9 - On verification of the identity of the beneficial owner, ESBG thinks that in lower-risk situations it should not be necessary to verify the beneficial owner’s identity, e.g., inoperative entities, public entities, listed companies, etc. Following a risk-based approach the requirement for identity certification by an independent professional (lit b) should be limited to documents issued in jurisdictions which are identified as high-risk (please refer to one of the country lists of AMLR Section 2).
Arts. 10 and 11 – It would be advisable to structure the sources and types of minimum information necessary to establish the ownership or control structure indicated in Article 11.
Also, please specify Article 10(1)(a) “a reference”.
In our opinion, Article 10(1)(b) should be simplified so that only the names of the entities that make up the structure up to the beneficial owner, the jurisdiction of each entity, and the percentage of ownership are requested. Based on this information, it would be possible to determine whether the ownership or control structure is complex, and if so, Article 11 would apply with the additional detail required by Article 10.
Article 10(1)(b) – "Jurisdiction of incorporation":
In our view, the term “country of registration” should be sufficient. Referring to the “jurisdiction” can be problematic, as it may be difficult to verify and could also refer to contractually agreed jurisdictions.
Article 10(1)(c) – Information on the regulated market where securities are listed:
It is unclear what the purpose of this information is. Could it potentially serve as a basis for an exemption from identifying or verifying the ultimate beneficial owner (UBO)? If the currently existing simplification is removed, we suggest re-introducing it. A listing on a qualified stock market is a strong indicator that the entity complies with regulatory requirements and provides sufficient transparency.
To ensure a harmonized approach across the EU, a list of regulated markets (or markets considered equivalent) should be made available at the European level.
Article 11 - The definition of a “complex ownership structure” in Article 11 will encompass companies that belong to structures that are not complex or non-transparent. For example, in Sweden, it is very easy to establish a limited liability company, and there are legitimate and rational reasons to place different parts of a business in separate companies instead of operating through a single company. Structures with holding companies, subsidiaries, and sub-subsidiaries are common. There are also entirely legitimate reasons to conduct operations in other EU countries by forming subsidiaries in those countries rather than operating branches. Any quantitative thresholds regarding ownership layers risk leading to uncomplicated corporate structures being considered complex, even though the number of ownership levels is rarely a decisive indicator of a lack of transparency in ownership and control. Instead, any quantitative threshold could be used as a prompt to carry out the specific measures set out in Article 11(2) and (3), along with an assessment of whether the ownership structure is complex in the sense of being commercially unjustified. Very widely dispersed ownership or ownership layers in high-risk countries, as identified by the EU or by the institution itself, are also relevant risk indicators.
In other words, it is proposed that the Article should not define the precise threshold at which an ownership structure becomes “complex” but instead provide guidance or thresholds at which the obliged entity shall carry out a risk-based assessment. Complexity is relative to the line of business, and obliged entities should be permitted, on a risk-based basis, to determine whether a given ownership structure is complex. If a risk-based approach is not permitted in regard to this complexity assessment, customers will unavoidably be risk-classified in ways that do not accurately reflect the risk the obliged entity believes the business relationship entails, ultimately misallocating AML resources.
Article 11 (1)
ESBG requests that the EBA change to “more than three layers”.
The “any of the layers” should be changed to “legal arrangement in any layers that is relevant for the UBO determination”: to ensure that only relevant arrangements fall within this category (Lit a).
The “in different jurisdictions” should be changed to “more than three different”, to ensure that only truly complex structures fall within this scope; otherwise, e.g., a legal entity customer in AT with its parent company registered in DE would be considered complex (lit b).
ESBG suggests that the EBA remove “there are indications of non-transparent ownership with no legitimate economic rationale or justification”. If the beneficial owner is unclear or no legitimate reasons for the structure are detected, the business relationship should be declined anyway. Otherwise, please provide guidance on how these customers are to be detected (lit d).
Article 11 (2)
Regarding “organigram”, ESBG suggests that the EBA change it to “organigram displaying the structure relevant for the UBO determination”. This is because some structures are complex and it could be difficult to display the whole structure in a readable manner; it is necessary to state that only the relevant parts have to be displayed.
Art. 12 – ESBG is of the opinion that a detailed description of what constitutes a "senior managing official" (SMO) is necessary. For example, in Spain, this is very clear, as it refers to the "Administrator(s)". It should be clearly stated that an authorised signatory cannot be considered to hold such a function. If SMOs are indeed considered equivalent to UBOs, the number of them to be identified should be limited; a larger entity can have up to 80 or more, and it is not feasible to collect data from each of these persons. Also, ESBG asks for further guidance on which information should be collected for SMOs in accordance with the AMLR. We believe that a business address should suffice for senior managing officials. Requiring a residential address is disproportionate and questionable, since SMOs do not act as, and are explicitly not considered to be, UBOs. The scope of data collection should therefore be limited accordingly.
Article 15(c) – ESBG requests a clarification in respect of the information expected to be shared within a group, given the assumption of the understanding of the customer and the origin of funds that an obliged entity will develop further to such information. Issues of bank secrecy and personal data/privacy should be taken into account when clarifying the expected information sharing, so that the extensive requirements under the AMLR and the RTS in this regard can be fulfilled without each respective bank having to weigh the issues against each other in each individual case. The legal basis for the exchange of information must be clear and unambiguous.
Article 19 – ESBG suggests that the EBA refer to our previous comments on preamble 8 regarding a central UBO register.
Article 20 – Regarding pooled accounts: under the national risk assessment of Sweden, for example, pooled accounts are considered high risk due to their anonymous character. ESBG would appreciate it if the EBA could clarify the basis of its own assessment, as this would provide valuable information to obliged entities.
Article 22.2 – With respect to customer identification data, clarification is requested as to whether such data is to be distinguished from verification of the customer’s identity. If so, Article 22.2 should consequently be understood as not demanding “re-identification”, i.e. repeated verification of the customer’s identity.
Article 32 – This article appears to tie in with the discussion in Recital 16 regarding the risk-based updating of customer due diligence for existing customers. While the recital could be read as requiring a risk-based update of customer due diligence for all existing customers, the Article implies that the five-year period applies only to low-risk situations in Article 22. It is proposed that updating customer due diligence for all existing customers should be permitted on a risk-based basis over the five-year period under Article 32, i.e. that the risk-based approach not be limited only to the low-risk situations in Article 22.
Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.
Regarding consent to videoconference (Art. 6.3), the RTS indicates that consent must be recorded. ESBG understands that it could also be obtained in writing.
Regarding verification of identification documents for customers that are not natural persons (Art. 6.5), it would be helpful to provide more details about the measures to be applied.
We think that the remote solutions described under Article 6 do not provide the same level of protection against identity fraud as electronic identification means, but the level is similar to that of ID verification performed in person at a branch, so we consider the process described to be correct and secure for ID validation. Some controls based on biometric comparison between the video and the ID document should be available irrespective of GDPR constraints.
For reasons of cost-efficiency and simplification, we ask the EBA to consider whether the certified copies of documents mentioned in Article 5.5 may also be used for identification and verification purposes in non-face-to-face situations, particularly with respect to representatives and beneficial owners of legal persons. (Reproductions of original documents, as mentioned in Article 6.5, appear to be allowed only as part of the process in paragraphs 3-6.) In other words, certified copies of original documents would, under this proposal, in and of themselves be acceptable for verification purposes under Article 6.
Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.
In a specific, limited context compliance is easy, but in a context with millions of clients and transactions it is practically impossible for the entity issuing the IBAN to know whether a virtual IBAN has been granted to a third party by a financial institution that is a client of ours. Although the obligation to report falls on the client that provides the virtual IBAN to its own client, the distribution of responsibility should be more detailed and clearer: the means by which the copy of the identification must be delivered, the frequency with which entities must receive these reports, and the regulatory consequences of non-compliance, which should fall, both at the management level and under the sanctioning regime, on the entity that provides the virtual IBAN to the natural or legal person who will use it. In general, we believe that the use of vIBANs should be regulated in more detail, determining what can and cannot be done.
In addition, we would like to learn more about the extent of the information required for identifying and verifying the identity of the natural or legal person using the virtual IBAN. Should this apply solely to the customer, or also include beneficial owners, members of management, etc.? Further guidance on this article would be appreciated.
Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
We disagree. This would require performing a KYC check on every occasional transaction, even where the entity has already implemented operational limitations for this type of transaction (if these are not taken into account in the RTS). For example:
- Where there are limits on the amounts for a certain type of transaction, it should not be necessary to obtain all of this information. For example, foreign currency exchange transactions of less than €3,000 per quarter do not require financial institutions in Spain to apply additional due diligence measures.
- Where the reason for visiting the entity can be inferred from the type of transaction, it should in our opinion not be necessary to obtain this information: for example, when collecting lottery prizes or cashing cheques issued by one of our clients.
Article 15 lit c states: “whether the customer has additional business relationships with the obliged entity or its wider group, and the extent to which that influences the obliged entity’s understanding of the customer and the source of funds”. ESBG would appreciate further guidance on how the entity can determine this.
Moreover, with regard to the same article, ESBG requests clarification of the information expected to be shared within a group, given the understanding of the customer and the origin of funds that an obliged entity is assumed to develop on the basis of such information. Issues of bank secrecy and personal data/privacy should be taken into account when clarifying the expected information sharing, so that the extensive requirements under the AMLR and the RTS in this regard can be fulfilled without each bank having to weigh these issues against each other in every individual case. The legal basis for the exchange of information must be clear and unambiguous.
Article 16:
Article 25 of the AMLR states that obliged entities shall, where necessary, obtain certain information, whereas Article 16 of the RTS seems to make all such information-gathering mandatory. We would appreciate clarification on this point.
As with Article 15, this provision also applies to “occasional transactions”. In our view, it is important to differentiate between a business relationship and a one-off occasional transaction.
For example, in point (b): how should this information be obtained?
Regarding lit d, in relation to the destination of funds, ESBG suggests that the EBA add: “in relation to the destination of funds, on a risk-sensitive basis, information on the expected types of recipient(s), including information about the jurisdiction where the transactions are to be received, and intermediaries used.”
It should be clearly stated that this passage is based on a risk-based approach.
Regarding lit e, please clarify whether obliged entities are expected always to obtain the stated information (i.e. key stakeholders for individuals), or only where necessary.
Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
The same comment as made in the previous question on occasional transactions applies here, but with respect to screening against the Politically Exposed Persons (PEPs) list.
Since SMOs are not beneficial owners, we understand that they are not subject to PEP screening. Could you please confirm this?
Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Section 4
ESBG would like to ask some questions:
Article 19: could listing on a regulated market (or an equivalent market with adequate transparency of beneficial ownership) be considered an exemption from the identification and verification of beneficial owners, or will this process only be “simplified”? Does “regulated market” mean only markets within the EU/EEA, or also other markets that can be considered equivalent? A list of markets considered equivalent to EU standards should be provided at authority level.
Article 20: which types of account are covered by the term “pooled account” (e.g. escrow/safeguarding accounts)?
Moreover, is fulfilment of the requirements of Article 20 covered by corresponding wording in the contract with the customer?
Please specify how lit b and lit d are to be ensured. In practice, there are various forms of pooled accounts, all of which carry a low risk but in which the customer is not an obliged entity within the meaning of the Regulation. This includes, in particular, collective rent deposit accounts and the escrow accounts of bailiffs and debt collection agencies. Assuming that the conditions set out in Art. 20 must be met cumulatively, these would no longer be eligible for SDD. Given that these accounts generally carry a low risk and are subject to public service and (national) regulation, these cases should generally be eligible for SDD as well.
Lit a: “the customer is an obliged entity that is subject to AML/CFT obligations in an EU Member State or a third country with AML/CFT requirements that are not less robust than those required by Regulation (EU) 2024/1624”. Please provide a list of such countries, or refer directly to one of the country lists mentioned in AMLR Section 2 (preferably, so as not to create yet another country list).
Article 22 (1) (a): How frequently should the relevant circumstances of the customer be monitored to ensure there is no change?
Regarding Art. 22 (2), the maximum period of five years should be extended with regard to Art. 33 (1) (b) AMLR. Otherwise, this rule has no valid scope of application.
Article 23: the wording of Article 23 indicates that the obliged entity must actively make minimum findings on the purpose and intended nature of the business relationship. We advocate a clarification that, in accordance with Art. 33 (1) (c) AMLR, inferring these from the type of transactions or business relationship established is sufficient.
Article 22.2: with respect to customer identification data, clarification is requested as to whether such data is to be distinguished from verification of the customer’s identity. If so, Article 22.2 should consequently be understood as not demanding “re-identification”, i.e. repeated verification of the customer’s identity.
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.
ESBG would welcome details on whether simplified measures can be applied to the KYC update. In some cases, where the client has barely any operations with the entity and presents no risk factors, the update could be based on certain triggers, such as a resumption of activity or the exceeding of certain thresholds, rather than being carried out every five years. More detail on the situations in which simplified due diligence can be applied would be welcome.
In our view, there should be special treatment for the client accounts of lawyers, notaries and similar professionals, similar to the provisions in Austria’s Anderkontensorgfaltspflichten Verordnung, which explicitly sets out simplified due diligence measures.
Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Section 5
Since the AMLR introduces a new definition of politically exposed person, the number of persons falling under EDD will increase. At the same time, the requirements for additional information on the customer and UBO are being considerably extended.
Section 5 of the RTS specifies enhanced due diligence measures and the actions an obliged entity must at least perform to comply with the requirements of AMLR Article 34(4) points (a) to (d). However, AMLR Article 34(4) requires obliged entities to apply enhanced due diligence measures that are proportionate to the higher risks identified, and which may include obtaining additional information on, e.g., the intended nature of the business relationship. The underlying AMLR requirement thus gives examples of measures that could be required or proportionate, whereas the RTS makes all of these measures mandatory and adds further detail to them. Article 24 of the RTS is not aligned with the requirements of AMLR Article 34(4) and virtually removes any trace of a risk-based approach when applying enhanced due diligence measures.
Article 24 (a) states “enable the obliged entity to verify the authenticity and accuracy”. Does ESBG understand correctly that, in the case of high-risk customers, an additional source of information is required which confirms the information on the customer and the beneficial owners? We would welcome further guidance on this.
Article 24 (c) raises questions regarding the methods for collecting and documenting the beneficial owner’s previous business activities, and whether any changes should be tracked. It is also unclear how far back the documentation should reach. In our view, a maximum of five years should not be exceeded, given that this is the maximum retention period stipulated by the AMLR. A shorter period (e.g. three years) should also be sufficient.
Article 24 (d): point (d) raises concerns regarding the data protection of family members, persons known to be close associates, and other close business partners. In order to conduct the risk assessment, a large amount of personal data would have to be obtained, with the involvement of the internal data protection function. Only a small part of the required information is generally publicly available.
At the same time, it is unclear how the collection of the required parameters is compatible with the prohibition of tipping off under Art. 73 AMLR. If the obliged entity has “reasonable grounds to suspect criminal activity”, it has to submit a suspicious activity report and must not disclose this to the customer. However, disclosure can hardly be avoided given the extensive investigation obligations. The RTS should clarify that customer outreach in cases of suspicion is critical and should therefore delete Art. 24 (d).
Article 25 (1) lit a: “enable the obliged entity to verify the legitimacy of the destination of funds, which may include information from authorities and other obliged entities;”
ESBG suggests that the EBA delete this added part. Otherwise, please specify how this information is to be collected, and in particular how it is to be requested from the authorities.
Article 26, “the source of funds, and source of wealth”: we would appreciate further guidance from the EBA on how this can be done in practice (e.g. certified copies of recent pay slips).
Article 27: please consider thresholds for the transactions in scope of the required measures, since the requirement will otherwise lead to a disproportionate burden for obliged entities.
Article 27 (c) and (d): please provide information on how this can be obtained in practice.
Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Section 6
Article 28 of the draft RTS states that obliged entities shall apply screening measures to their customer and to ALL the entities or persons which own or control such customers. However, under Article 20(1)(d) of Regulation (EU) 2024/1624, not ALL owners need to be screened, but only insofar as is necessary to confirm that the 50% ownership threshold is not held by sanctioned persons. We would therefore suggest clarifying and amending Article 28 of the draft RTS so that not ALL owners (e.g. those with minority shares) need to be screened (e.g. where the information is not available).
Article 29(c)(i) of the draft RTS states that screening of customers and beneficial owners should take place at least, among other situations, before an occasional transaction is performed. We would like to highlight that, where the customer base is screened daily, an additional screening before a transaction is performed does not significantly increase the likelihood of identifying a sanctioned person.
Article 29(c)(iii) of the draft RTS states that screening of customers and beneficial owners should take place at least where significant changes occur in the customer due diligence data of an existing customer or beneficial owner, such as, but not limited to, a change of name, residence or nationality, or a change of business operations. We would kindly ask for clarification of what is meant by “significant changes”. We would like to highlight that, for many designations, neither the nationality nor the business operations are stated in the targeted financial sanctions lists. A change in these parameters therefore cannot constitute a “significant change”, and Article 29(c)(iii) of the draft RTS should be limited to a “change of name” (e.g. a renewed screening of the customer with an updated nationality brings no benefit if the nationality is not stated in the targeted financial sanctions list in the first place).
Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Article 32
This article appears to tie in with the discussion in Recital 16 regarding the risk-based updating of customer due diligence for existing customers. While the recital could be read as requiring a risk-based update of customer due diligence for all existing customers, the Article implies that the five-year period applies only to the low-risk situations in Article 22. It is proposed that updating customer due diligence for all existing customers should be permitted on a risk-based basis over the five-year period under Article 32, i.e. that the risk-based approach not be limited to the low-risk situations in Article 22.
Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?
Section 8
Article 31 (1) and Annex I: are not all of the customer’s full names and surnames required, as defined in Section 1, Article 1 (1)?
We understand that Art. 32 provides a five-year grace period for updating all customers that are not high risk. In combination with Recital 16 of the RTS and Guideline 43 in chapter 3.2.3 of the consultation document, we understand this to include the application of all customer due diligence obligations.
Although Art. 32 refers to the entry into force of this Regulation (i.e. this RTS on CDD), we consider that the five-year period is intended to begin from the application date of Regulation (EU) 2024/1624 (the AMLR), as confirmed in Art. 90 AMLR, which sets this date as 10 July 2027. Recital 16 of the RTS supports this interpretation by explicitly referring to the “application date” as the moment from which the update obligation should be calculated. Accordingly, we interpret Art. 32 to mean that all existing customer information must be updated, in a risk-based manner, by no later than 10 July 2032.
In line with recital 43, customers representing a high risk have to be prioritised. The order in which banks review and update lower-risk customers will be based on the banks’ internal risk assessments, while ensuring compliance within the five-year timeframe.
For the purpose of clarification, we ask that a provision be included stating that the five-year period applies, on a risk-based basis, to all customers who are not considered high-risk customers.
Question 1: Do you have any comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.
In our view, Article 1, points (h) and (k) should be aligned as far as possible with the SREP process.