Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates

Go back

Question 1: Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile of obliged entities?

With regard to reporting obligations for obliged entities it should be noted that - regardless of whether they follow a fully harmonized or only partially harmonized approach – they always represent a high bureaucratic burden for obliged entities. Against this background, only those surveys should be carried out that appear inevitable for supervisory purposes. The EU Commission has also made it a priority to reduce the burdens associated with reporting obligations for companies by 25 %. Should a fully harmonized reporting obligation be pursued, the current volume of data collection should not be increased under any circumstances.

Recital 9 and Art 2, Art 3:

According to Recital 9 it will be the role of AMLA, in cooperation with competent authorities, to ensure that each competent authority applies the same thresholds and weights. Supervisors shall determine combined scores and apply predetermined weights (Art 2, Art 3).

Based on this, we have the following comments:

It will be important that a uniform approach across the EU will be ensured.
Without knowing these (combined) scores and weights we are currently unable to assess whether the result of the assessment using the methodology proposed in the draft RTS and the applied (combined) scores and weights that will subsequently be defined by AMLA in combination with the national supervisors will appropriately reflects the risks of the assessed obliged entities.

While we acknowledge and support the need to continuously adjust the methodology to be used to assess and classify the inherent and residual risk profile of obliged entities in order to adapt it to existing ML/TF risks, we understand that it would be highly beneficial to share both the methodology and the benchmarks not only among supervisors, but also with obliged entities, so that obliged entities are fully aware of the supervisors’ expectations on these issues and can adapt to new ML/TF risks in a mutually beneficial way.

We therefore propose a third option (3c) which would consist of providing a general description of the methodology in the RTS and keeping updated the detailed methodology and benchmarks on the AMLA website, with access restricted to supervisors and obliged entities. This will ensure that each competent authority applies the same methodology to maintain a level playing field.

In addition, the AMLA should ensure that national competent authorities collect data points before approaching obliged entities.

On reputational risk, it should be clearly stated that just because AMLA supervises a bank, this does not necessarily mean that it has issues within its risk profile.

Question 2: Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual risk can be lower, but never be higher, than inherent risk? Would you favour another approach instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.

We agree with the proposed relationship between inherent and residual risk.

As the calculation is very technical, it would be very helpful to include examples, perhaps in an annex.

3a: What will be the impact, in terms of cost, for credit and financial institutions to provide this new set of data in the short, medium and long term?

Additional effort and considerable additional costs, as a number of data points are currently not automatically available or require additional manual effort.

3b: Among the data points listed in the Annex I to this consultation paper, what are those that are not currently available to most credit and financial institutions?

The volume of data listed in Annex I is very large and the granularity of the questions is very high. Therefore, the provision of certain data could prove to be difficult, such as:

Number of investors by country (for AMCs)
Total value of investments (EUR) by country (for AMCs)
Number of legal entities with complex structures

Some indicators which are common to the financial sector as a whole, are not always adapted to the insurance sector. Examples:

Number of walk-in customers
Number of occasional transactions carried out by walk-in customers

In general, we would like to refer to the testing exercise which is currently done by EBA and NCA. The results with regard to the availability of data points should be considered when selecting the data points in Annex I for insurance companies.

More general comments:

The description of certain proposed data points is not clear enough and leaves room for different interpretations. These data points should be further determined and specified. See our comments in separate excel worksheet on Annex I attached to this statement.
For a number of data points, it is in general questionable whether they can attribute added value for the proper assessment of the risks, for other data points the added value for the risk assessment seems to be disproportionate to the additional (manual) effort that is required to deliver the respective data.

See our comments in separate excel worksheet on Annex I attached to this statement.

On “interpretative note”, it will be helpful if this document is also part of the consultation. There should be a focus on clear definitions to ensure a harmonised approach and data quality.

We request that the EBA clearly indicate whether specific provisions apply exclusively to certain sectors. In general, if there is a clear definition in the Regulation/RTS it will be helpful to make references to those terms to ensure a consistent harmonised approach and make application easier. e.g. “customer: person having a business relationship as described in Article 2 (2) para 19”.

Section A – Inherent risk

Category – customers

We call for a definition of NPO and proposes the following wording:

“A non-profit organisation is a legal person or arrangement or an organization that primarily engages in raising or disbursing funds for purposes such as charitable, religious, cultural, educational, social or fraternal purposes.” (definition of EBA Risk Factor Guidelines)

However, we would appreciate clarification from the EBA on the opportunity to distinguish between NPOs and NGOs, as these terms are often used interchangeably in practice

Regarding “complex structure”, we request that the EBA provide a definition of “high risk activities”.

As for “requests from FIU” – if a request comes from FIU it should be assumed that this has an AML/CTF background; therefore, we ask the EBA to delete “whose matter or nature of the request is linked with AML/CFT”.

Category Products, Services and Transactions

we request that the EBA specify:

- “re-issued IBAN”. This data can only be provided by entities reusing IBANs.

- “retail clients”.

- “professional clients”. We suggest that the EBA ensure consistent use of terminology throughout the document e.g., the categories (retail and institutional clients) are mentioned.

- define “TCSP”.

- “unlisted financial instruments”.

- “safe deposit boxes”. Does this also include “Sparbuchschließfächer” (safes which hold savings books)?

We suggest that, in general, the full term be written out when introducing abbreviations—for example, 'Trust or Company Service Providers (TCSP).

Section B – AML/CFT Controls

3A: Customer Due Diligence

We would like to ask the EBA to elaborate on the data fields which indicate non-compliance.

e.g., if verification can’t take place or there is missing data, would the customer relationship need to be terminated?

Regarding no automated score: how is this data obtained?

Question 4: Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once per year for the normal frequency and once every three years for the reduced frequency)? What would be the difference in the cost of compliance between the normal and reduced frequency? Please provide evidence.

Following the first assessment the normal frequency should be extended applying the risk-based approach as follows:

A yearly assessment for entities previously assessed as “High risk” or “Substantial risk”
every second year. for entities previously assessed as “Medium risk”
every third year for entities as “Low risk”

This proposed frequency should be sufficient, considering the fact that according to Art 5 (4) to (6) an ad hoc assessment shall be conducted in case of mayor events or developments.

Question 5: Do you agree with the proposed criteria for the application of the reduced frequency? What alternative criteria would you propose? Please provide evidence.

See our comment to question 4.

Question 6: When assessing the geographical risks to which obliged entities are exposed, should crossborder transactions linked with EEA jurisdictions be assessed differently than transactions linked with third countries? Please set out your rationale and provide evidence.

Setting up a harmonised regulatory framework should create a regulatory environment less prone to ML/CT risks, making it possible to consider transactions within the EEA differently than transactions linked to third countries.

A different assessment should not be applied to all third countries in general but instead the assessment of geographical risks linked with cross-border transactions should focus on those countries with higher ML/TF risks listed in the respective lists defined via delegated regulations pursuant to Art 29 to Art 31 AMLR.

Question 1: Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value? If you do not agree, which thresholds to assess the materiality of the activities exercised under the freedom to provide services should the EBA propose instead? Please explain your rationale and provide evidence of the impact the EBA’s proposal and your proposal would have.

With regards to the materiality thresholds provided in Article 1 of the draft RTS for operations under the freedom to provide services, we understand that those thresholds should be met together to reflect a minimum level of activity, because it should be borne in mind that a significant number of customers may be inactive in terms of operations during a certain period. The suggested amendment would be:

‘The activities of a credit institution or a financial institution under the freedom to provide services in a Member State other than where it is established shall be considered material for the purposes of meeting the conditions of Article 12(1) of Regulation (EU) 2024/1620, where: a) the number of its customers that are resident in that Member State is above 20,000; or and b) the total value in Euro of incoming and outgoing transactions generated by the customers referred to under letter (a) is above 50,000,000 ....’

We therefore propose to choose EBA’s option (1b): establishing thresholds on customers and volumes of transactions to be met together.

See our response to question 3, an adaptation of the thresholds should be made by amending different thresholds for retail and wholesale customer segments.

Question 2: What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the draft RTS? What would be the possible impact of doing so? Please provide evidence.

no comment

Question 3: Do you agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers? Alternatively, do you think a distinction should be made between these two categories? Please explain the rationale and provide evidence to support your view.

We agree on having a single threshold on the number of customers, irrespective of whether they are retail or institutional customers, provided that thresholds on customers and volumes of transactions are met together.

However, we would appreciate it if you could define “retail customer” and “institutional customer”.

Differentiation makes sense because for each category (retail/NAT or institutional/NNAT) other risk factors could be applied. Therefore, a distinction should be made between the retail segment and corporate and institutional clients, as corporate and institutional clients bear a higher complexity with regards to the number and complexity of offered products and services, the assessment of the customer risk, source of funds, business model, requirement to identify and verify beneficial owners, transaction patterns etc.

Question 4: Do you agree that the methodology for selection provided in this RTS builds on the methodology laid down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence of the impact the EBA’s proposal and your proposal would have.

no comment

Question 5: Do you agree that the selection methodology should not allow the adjustment of the inherent risk score provided in article 2 of draft under article 40(2) AMLD6? If you do not agree, please provide the rationale and evidence of the impact the EBA’s proposal would have.

As the calculation is very technical it would be helpful to provide examples e.g. in the annex

Question 6: Do you agree with the methodology for the calculation of the group-wide score that is laid down in article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

The use of pre-determined thresholds / weights brings a lack of transparency as these data are not disclosed to the obliged entities, e.g. please see Article 2.

See our comment on question 8 – the different weight of the parent company with regards to the quality of its AML/CFT controls should be accordingly considered in the methodology for the calculation of the group-wide risk score.

Question 7: Do you have any concern with the identification of the group-wide perimeter? Please provide the rationale and the evidence to support your view on this.

We are of the opinion that Recital 5 should be revised to ensure clarity and consistency with other frameworks like Basel IV. Instead of using the phrase “level of the highest parent company”, the wording “highest consolidation level” should be used.

Question 8: Do you agree to give the same consideration to the parent company and the other entities of the group for the determination of the group-wide risk profile? Do you agree this would reliably assess the group-wide controls effectiveness even if the parent company has a low-relevant activity compared to the other entities?

The parent company defines group standards and is obliged to control and steer its group entities to ensure that the group standards are effectively implemented within the group. For this reason, the quality of AML/CFT controls of the parent company has a considerable impact on the AML/CFT controls within the group entities and therefore the results of the assessment of the quality of AML/CFT controls in the parent company should have a higher weight for the overall group residual risk.

Question 9: Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal would have.

no comment

Question 1: Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

We note the fourteen Articles of Section 1 of the draft RTS and submit the following comments.

Comments on Recitals:

Recital 8:

“Obtaining beneficial owner information for all customers that are not natural persons is essential for complying with anti-money laundering and countering the financing of terrorism (AML/CFT) requirements and with targeted financial sanctions obligations. For this reason, consultation of the central registers for information on the beneficial owners is necessary but not enough to fulfil the verification requirements.”

The correctness, accurateness and up-to-dateness of the data collected in the central beneficial owner registries should be ensured by appropriate measures and obliged entities should be permitted to rely on the registered data when performing their CDD obligations. E.g.: complete excerpts from the Austrian beneficial owner registry are accepted as a reliable source to verify the beneficial owners of a customer outside the high-risk segment. A centralized UBO register should also enjoy “good-faith”-protection so that the obliged entities can rely on the data contained therein.

We believe that the present concept of linking UBO registers is insufficient, as the quality and the approaches of local beneficial ownership registers significantly differ from each other.

Furthermore, beneficial ownership registers do not provide added value if the underlying documents are not stored. A good benchmark could be seen in the “Austrian Compliance Package” approach of the Austrian beneficial ownership register. Maybe it can serve as an inspiration. In greater detail, in Austria, the documents required for identification and verification of beneficial owners can be uploaded to the beneficial owner register (which is run by the Ministry of Finance) and subsequently be used by obliged parties for the purpose of fulfilling their AML/CTF due diligence obligations. This so-called “Austrian Compliance Package” may only be uploaded by a professional party representative (e.g. lawyers, tax consultants) and includes all documents required in the chain up to the beneficial owner.

Please also see the input regarding Article 9.

Recital 14 and Art 5:

“Minimum requirements for the identification of natural persons in low-risk situations should mirror the type of information which is usually included in a passport or identity document.” (Recital 14)

The list in Art 5 aims to clarify what an equivalent document to an identity document or passport should be, but by doing so it sets the standard higher than what currently is deemed an identity document in EU jurisdictions. For example, in certain countries a driver’s licence or a birth certificate for a minor is accepted as identity document, but these documents do not contain the nationality. It would not assist the fight against financial crime for longstanding and well-functioning practice in accepting these documents to be disrupted.

Recital 16 and Art 32 (application date):

It should be clarified that the application date of the delegated regulation implementing the RTS on CDD will not be applicable earlier to the application date of the AMLV and that the grace period for existing customers will start with the application date of the AMLR, i.e. 10^th July 2027. We assume that for existing high-risk customers the RTS on CDD have to be applied by 10^th July 2028 and for other risk classes a grace period latest by 10^th July 2032 is applicable and request for clarification.

Article 1 – Information to be obtained in relation to names

Focus on retail business

The current drafting appears to be focused predominantly on retail business, which may not be fully applicable to all customer types. We recognise the challenge the EBA faces in drafting regulation applicable to all sectors. We nevertheless note the importance of the wholesale sector in Europe’s capital markets and underline the importance of tailoring requirements also to the needs and realities of wholesale entities.

Clarity of targeted population

Article 22 (1) of the Anti-Money Laundering Regulation (‘AMLR’) requires obliged entities to obtain specific information to identify ‘the customer, any person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted’. Article 1 (1) of the draft RTS cites Article 22 (1) AMLR, but then sets out requirements citing only ‘the customer’, with no mention of the additional classes of persons set out in Article 22 (1) AMLR. It is unclear whether this is an oversight, or whether the EBA intends to target measures at a more limited population than that identified in the AMLR.

We therefore request that the EBA clarify

whether the reference in Article 1 (1) draft RTS to a more limited population (of ‘customer[s]’) than that cited in Article 22 (1) AMLR is an oversight, or a deliberate choice,
the scope of the information to be obtained with regard to the identification of persons purporting to act on behalf of the customer, and of natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted, and
whether the requirements set out for ‘customers’ similarly apply to the identification of
- natural person trustees of an express trust or persons holding an equivalent position in a similar legal arrangement, pursuant to Article 22 (1) (c) AMLR, and
- beneficial owners pursuant to Article 22 (2) AMLR, in combination with Article 62 (1) AMLR and/or also, where appropriate, to the identification of individuals as per Article 22 (1) (c) AMLR, in combination with Articles 57 to 60 AMLR.
the collection of city of birth only where available on the ID document, noting that there is no requirement to collect ID documents for UBOs, or
obtain city of birth to support financial crime risk management outcomes such as to discount screening hits, or
whatever is standard in the relevant country (e.g., US passports contain State rather than city).
the reference to ‘the customer’ in paragraph 2 is intended to cover all other natural person roles covered by Article 22 (6) and (7) AMLR
the reference to ‘the person’ in paragraph 3 is intended to cover both natural and legal persons, and therefore encompasses all legal persons pursuant to Article 22 (1) (a), (b) and (c) AMLR
the reference to ‘the person referred to in Article 22(6) [AMLR]’ in paragraph 5 includes the various relevant roles a natural person may have, which may include that of a beneficial owner or a natural person on whose behalf a transaction or activity is conducted, due to the reference in Article 22 (7) AMLR to Article 22 (6) AMLR.
- the application of Art 54 AMLR (multi-layered ownership structures)
- Nominee agreements on shareholding by a nominee (clarification that nominee is not a beneficial owner – in accordance with TATF’s approach)
- Private equity funds in the legal form of limited partnerships and, in general, case examples for collective investment undertakings (Art 61 AMLR) that also clarify to which extent investment managers have the “ability to define or influence the investment policy of the collective investment undertaking” (Art 61 lit b) AMLR)

These questions apply mutatis mutandis to Articles 1 to 6 draft RTS.

We have understood that EBA is bound by its mandate as set out within Article 28 AMLR when drafting the present RTS. However, since Article 28 (1) (a) AMLR clearly references Article 22 AMLR, including Article 22 (1) and (2) AMLR, we assume that clarifications on the complete population of roles as outlined above should be within EBA’s mandate.

Clarity of definition – person purporting to act

The RTS should explicitly define ‘any person purporting to act on behalf of the customer’. It should also clarify whether this definition includes only third parties acting via proxy or power of attorney (e.g. agents), or if interpreted extensively, it also encompasses authorized signers and senior managers of the customer. The clear definition of the ‘person purporting to act on behalf of the customer’ is key to ensuring maximum harmonisation and will avoid a continuation of the present state where Member States continue to interpret this term differently.

In light of our members’ experience stemming from the implementation of Directive (EU) 2015/849 and Directive (EU) 2018/843), it would be sensible to limit the definition to third parties acting via proxy or power of attorney. In the context of wholesale banking, capturing individuals acting in their professional capacity belonging to the customer’s sphere (e.g., authorized signers, senior managers), in particular those employed with regulated financial institutions, has proved excessively burdensome and ineffective in combatting financial crime. Individuals acting only as authorised signatories and senior managers will not add to potential ML/TF risks and focusing attention on them is not in keeping with the risk-based approach.

We therefore suggest that a clear definition of a ‘person purporting to act’ could be:

‘legal representative(s) (e.g., legal guardians) of a natural person customer; any natural person, other than an employee or senior manager of a legal person authorised to act on behalf of a legal person customer pursuant to a mandate (e.g. an agent), or any natural person authorised to act on behalf of legal person customers pursuant to a proxy agreement.’

This definition (or other similarly agreed definition) should be applied consistently across the AMLR and RTS.

If this proposal is not accepted, we suggest at least a clarification, that only those senior managers or other authorized persons (e.g. proxy holders) should be relevant that effectively act legally relevant vis-à-vis the obliged entity.

Example: a customer (company) has 5 members of the management board and 70 proxy holders, of which only 1 manager and 2 proxy holders act towards the respective financial institution -> only these 3 persons have to be classified as “person purporting to act on behalf of the customer”.

Level 1 differentiation between obtaining and verifying

Article 22 (1) AMLR requires obliged entities to ‘obtain’ various pieces of information, which are to be collected ‘in order to identify’ three classes of natural persons. The use of separate verbs, and the statement that the obtaining is done to make possible (‘in order to’) the verifying, make clear these are separate actions, with the first undertaken so as to permit the second.

It is possible that a particular identification document may not contain all the information set out in Article 22 (1) AMLR. In that case, the identification document should still be usable for verification of identity, and the obliged entity should not have to verify the data points that are not available.

For instance, a German passport does not contain an address. In that case, it should be sufficient to obtain the address from the individual and to verify the individual’s identity using the passport, but not to obtain a second document for the purpose of verifying the address. This is already existing practice and is a sensible, pragmatic approach. To require otherwise would be very burdensome, particularly for retail clients, and would require the presentation of multiple documents with very little value added.

Data point variability – limit collection of names to those on ID documents

Article 22 (1) (a) (iv) AMLR requires obliged entities to obtain for a natural person ‘all names and surnames’. Article 1 (1) draft RTS repeats this obligation to obtain ‘all of the customer’s [see targeted population point above] full names and surnames’, but then limits the requirement to ‘at least those names that feature on their identity document, passport or equivalent’.

Naming conventions vary across cultures and around the world. Passports and identification documents also vary in the data points they provide, in accordance with the choices of the issuing authority.

As such, the RTS should acknowledge this variability and require obliged entities to obtain only those names that appear on identity documents, passports, or equivalents.

We therefore suggest amending the text as follows:

Article 1 (1) draft RTS

‘In relation to the names and surnames of a natural person as referred to in Article 22 (1) (a) point (i) of Regulation (EU) 2024/1624, obliged entities shall obtain all of the customer's full names and surnames. Obliged entities shall identify ask the customer to provide at least the those names that feature on their the relevant person’sidentity document, passport or equivalent".

Translation / transcription

The names of natural persons from non-Western jurisdictions may often be written in non-Latin scripts in languages of origin. Western languages differ in how they transcribe identical non-Western names (consider the variations of Mohammed/Muhammad, the latinised Pinyin script etc.). Natural persons from non-Western backgrounds may have documents issued by more than one EU Member State in more than one language. Where non-Western origin names have been transliterated, the RTS should clarify whether obliged entities may take a risk-based decision as to the probability that the documents in question refer to the individual presenting them.

Additionally, we request clarification as to whether screening in different scripts can occur, in accordance with the risk-based approach.

With regard to consistency in the use of terms – we note that Recital 3 draft RTS refers to the ‘transcription’ of names, which we interpret to be broad in scope, and that Article 29 draft RTS refers to the ‘transliteration’ of names, which we interpret to refer to the conversion of text from one script to another. If particular nuances are intended, we request that the EBA clarify these in the RTS.

Use of official registers / constitutional documents

For legal entities, the identification and verification process should rely on official commercial registries, or equivalents. Since commercial names are not always included in these registries, the scope of identification should be limited to data points available in official registers.

A company’s constitutional documents (articles of incorporation, company constitution etc.), when drawn up in accordance with relevant law, should also be considered an adequate source to identify and verify a legal entity.

Commercial name – consistent use of terms

Article 1 (2) and Article 18 (1) (b) draft RTS refer to ‘commercial name’. Article 29 refers to ‘trade name’. If ‘trade name’ is intended to be synonymous with ‘commercial name’, we suggest that the RTS uses one term consistently.

We note that the Wolfsberg Payment Transparency Standards offer a definition of ‘trade name’ as ‘[t]he name a business uses for advertising and sales purposes that is different from its legal name. A trade name can also be referred to as a doing business as – DBA’.

We note that the Level 1 texts make no use of either ‘commercial name’ or ‘trade name’.

Availability of commercial name

Article 1 (2) draft RTS requires obliged entities to obtain the registered name, and where it differs, the commercial name. The commercial name may not always be available, and where is it is available, may be written in varying ways. The RTS should recognise the potential (un)availability of the commercial name and be amended as follows:

Article 1(2) – ‘For legal entities, firms must obtain both the registered name, and where available in the commercial register or comparable customary register, other alternate names, as applicable the commercial name where it differs from the registered name.’

Commercial name – applicability of requirements by analogy

We note that according to Article 18 draft RTS, the requirement to collect the commercial name shall also apply to other organisations (‘…for a legal entity and other organisations that have legal capacity under national law…). We assume that the requirements of Article 1 (2) draft RTS apply to these organisations by analogy. We would welcome confirmation of this assumption in the text of the final RTS.

Clarification of requirements relating to beneficial owners

A short note on scope - we have understood that EBA is bound by its mandate as set out within Article 28 AMLR when drafting the present RTS. However, since Article 28 (1) (a) AMLR clearly references Article 22 AMLR, including Article 22 (7) AMLR, we would assume that clarifications on the complete population of roles as outlined above should be within EBA’s mandate.

As per our earlier statement (‘clarity of targeted population’), the draft RTS is unclear on what requirements (if any) are to be met regarding the names of beneficial owners.

We recommend that the names of beneficial owners should only be collected by obliged entities ‘where available’, when obliged entities take reasonable measures pursuant to Art 22 (7) (b) AMLR. Article 22 (7) AMLR does not require obliged entities to collect copies of identity documents of the beneficial owners (lit a), but also allows them to take other ‘reasonable measures’, as laid down in lit (b).

In practice, obliged entities experience difficulties in obtaining copies of identification documents for beneficial owners. This is particularly the case in certain jurisdictions with strong privacy protections – which in other contexts usually includes the EU. A general obligation to obtain identification documents from all beneficial owners would go significantly beyond international market practice, is unhelpful for EU competitiveness, and is unlikely to foster effective use of scarce AML resources.

Article 2 – Information to be obtained in relation to addresses

Clarity of targeted population

Article 22 (1) AMLR requires that address information be obtained for the customer, any person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted. These groups are envisaged as being natural persons, legal entities, trustees of an express trust or equivalent, or other organisations that have legal capacity under national law. Article 22 (2) refers to obligations relating to beneficial owners as set out in Article 62 (1) AMLR.

The draft RTS however only makes reference to the AMLR’s categories of natural persons and legal entities. We request that the RTS clarify if the obligations set out here are intended also to apply to trustees of an express trust or equivalent, other organisations that have legal capacity under national law, and beneficial owners.

Potential focus on retail business – residential address requirements

The requirement to collect full residential addresses appears to be drafted from a retail perspective. It may not be necessary or appropriate for related parties in a wholesale context, where only the country of residence might suffice. The RTS should consider this distinction and provide flexibility accordingly.

Place of residence for representatives

The AMLR and draft RTS require the collection of the personal place of residence for natural persons purporting to act on behalf of the customer. As already outlined above, we strongly recommend that only third parties acting on behalf of the customer should be considered as persons purporting to act on behalf of the customer. Otherwise, in many cases, this individual is an employee of the client, and in any case, collecting their personal residence may not add value for risk mitigation. It may also expose that individual to increased personal risk, particularly in high-risk jurisdictions and generally leads to an extensive collection of personal data which is not in line with data protection objectives. The RTS should clarify that the registered address of the legal entity client can be used in such scenarios.

Place of residence for UBOs / SMOs

A short note on scope – we have understood that EBA is bound by its mandate as set out within Article 28 AMLR when drafting the present RTS. However, since Article 28 (1) (a) AMLR clearly references Article 22 AMLR, including Article 22 (7) AMLR, we would assume that clarifications on the complete population of roles as outlined above should be within EBA’s mandate.

The specifications in the RTS are more prescriptive than the Level 1 text, which only requires (Article 22 (1) (a) point (iv) AMLR) obliged entities to obtain

‘the usual place of residence or, if there is no fixed residential address with legitimate residence in the Union, the postal address at which the natural person can be reached and, where available the tax identification number’.

As already mentioned with regard to the person purporting to act on behalf of the customer, the collection of the personal address of ultimate beneficial owners (UBOs) and senior managing officials (SMOs) is unlikely to advance the fight against money laundering and financial crime. More concerningly, full residential information for UBOs and SMOs are sensitive data points for corporate customers, in particular in jurisdictions with heightened kidnap risk (such as Mexico).

The sharing of certain details regarding the place of residence – particularly the street name – would increase the personal risk (e.g., kidnap risk, risk of other violence against the person) faced by certain UBOs and SMOs to an unacceptable level, in particular in high-risk jurisdictions. In these cases, these individuals may prefer that their firms decline to enter into a business relationship, rather than provide the details requested. This would not be an efficient outcome and would make the EU less competitive against other major financial markets which do not request this level of personal data.

For screening purposes, it should be sufficient to obtain the country of residence and – only to the extent where available when taking reasonable measures – the name of the city. Further investigations could be restricted to hits (i.e., the results of searches) where further data are required to assess the hit.

Suggested amendment

As a general principle, address information should be sufficient to identify clearly the location of the party/parties for sanctions screening and AML/CTF monitoring. We note that the AMLR requires obliged entities to obtain the ‘place’ of residence. This need not be as specific as the draft RTS currently suggests – and need not include ‘city’ in all circumstances. In situations where the provision of ‘city’ could pose security risks to the individuals concerned, or in jurisdictions of such a size as to render the inclusion of ‘city’ irrelevant (small island states such as Bermuda, or microstates such as Monaco, where the jurisdiction itself is simply one single settlement) then ‘city’ should not be required. Obliged entities should retain the ability to judge what is required to ascertain the ‘place’ of residence, in keeping with the risk-based approach.

We hope the EBA accepts the rationale set out here. If however the preceding point is not accepted, we then suggest amending Article 2 draft RTS at least to read as follows:

The information on the address as referred to in Article 22(1) (a) point (iv) and 22(1) (b) point (ii) of Regulation (EU) 2024/1624 shall consist of the following information: the full country name or the abbreviation in accordance with the International Standard for country codes (ISO 3166) (alpha-2 or alpha-3), city, and where available other aspects of the address in accordance with the resident country conventions such as postal code, city, street name, and where available building number, building name and the apartment number.

It should be ensured that also the data concerning the address follows a risk- based approach. Limiting the address to a strict format might lead to financial exclusion since some people lack “street name” in their addresses. People who are homeless or have protected identity are also examples of those who might lack a “street name” in their residential address. We conclude that it can´t be the EBA's intention to make it difficult for those people to become customers in a bank.

For beneficial owners or SMOs we would propose allowing the use of the business address of the (notional/subsidiary) beneficial owners instead of their residential address. This is because they are not direct customers of the obliged entity and can be reached at their business address.

Article 3 – Specification on the provision of the place of birth

Clarity of targeted population

Variability in identification documents

Passports and identification documents vary in the data points they provide. The RTS should provide flexibility around specific data points such as place, city, and country of birth. This flexibility is important to address sanctions and screening risks without creating an additional burden for collecting data points that may not be present on certain countries' documents.

In some EU countries, e.g. in Sweden, it is not possible to verify the information by controlling ID cards, passports, because such details are not in these documents. Consequently, there is no possibility (e.g. in Sweden) to verify the place of birth stated by a customer.

Moreover, it is unclear how the information on place of birth is intended to be used, specifically, in what way place of birth is expected to affect the risk of money laundering or terrorist financing associated with the customer relationship. In this regard, any rationale and reasoning provided in, for example, recitals, on how the intended benefit of obtaining the information has been weighed against the risk of discrimination and financial exclusion, i.e. the risk that a possibly vague connection to a country negatively impacts a customer’s access to financial services, would be helpful to banks in their future application of the RTS and AMLR. In any case, we consider it to be information that should be requested from the client only when there are doubts in the case of international sanctions screening.

Carve-out for city of birth

The specifications in the draft RTS are more prescriptive than the AMLR which only requires ‘place’ of birth. The co-legislators did not specify the extent to which the ‘place’ should be defined – and did not suggest the level of precision implied by ‘city’.

Given that some passports and identity documents may not provide such detail, we suggest that the RTS require

Either of these approaches would ensure that the requirement will be practical and reasonable.

Notwithstanding the suggestions above, if the choice is made to require city as well as country name to be identified for a natural person customer, there should nevertheless be alleviated requirements for UBOs and SMOs. To require such data from these classes of persons would be disproportionate, intrusive, and would go above and beyond requirements set by the co-legislators.

Change of name of cities / states which cease to exist

The names of cities and states occasionally change – and so do international borders between them. Most obliged entities could recognise that a reference in a document to ‘Leningrad, Soviet Union’ should be regarded as referring to the same place later known as ‘Saint Petersburg, Russian Federation’. The journey of Chemnitz to Karl-Marx-Stadt and back to Chemnitz may however be less well known beyond the borders of the state in question, and some situations – particularly where border changes are disputed – may be emotive.

The RTS should recognise that the names of cities and states (and in the case of the latter, their ongoing existence) may evolve over time, and obliged entities may use open-source information to verify such changes and take risk-based decisions on the location information presented to them. Additionally, the RTS should clarify that obliged entities may rely on naming conventions provided on official documents submitted to them for the purpose of identification and verification of customers and related parties.

Article 4 – Specification on nationalities

Clarity of targeted population

Article 22 (1) AMLR refers to the ‘customer, any person purporting to act on behalf of the customer, and the natural persons on whose behalf or for the benefit of whom a transaction or activity is being conducted’. Article 4 draft RTS cites Article 22 (1) (a) point (iii) AMLR, but then refers only to ‘customers’.

We request that the RTS clarify if Article 4 is intended to apply to the other classes of persons cited by Article 22 (1) AMLR, and to beneficial owners.

Ability to rely on declarations made by the relevant individual

There is no central record to verify nationalities which may or may not be held by an individual. As such, obliged entities must rely on declarations made by the individual.

The draft RTS requires obliged entities to ‘obtain necessary information to satisfy themselves that they know of any other nationalities their customers may hold’. Given the limitations to verify nationalities, we understand the RTS to imply that obliged entities will not be held to account for not discovering any additional nationalities held by an individual, where such are not disclosed by the individual, and in the absence of any other source to verify the existence of such possible additional nationalities.

We request that the RTS confirm that sourcing nationality information from the relevant individual, and verifying that information with one data source provided by the individual, should be deemed to fulfil the requirement to verify the nationality(-ies) of that individual, unless – in accordance with the risk-based approach – the obliged entity has reasons to doubt the completeness or correctness of information provided by the individual. Otherwise, it is kindly requested of the EBA to clarify in what way banks are expected to “satisfy themselves” of knowledge of all citizenships.

Article 5 – Documents for the verification of the identity

Clarity of targeted population

Article 22 (6) AMLR refers to the customer and of any person purporting to act on their behalf. Article 22 (7) AMLR refers to the beneficial owner and, where relevant, the persons on whose behalf or for the benefit of whom a transaction or activity is being carried out.

Article 5 (1) draft RTS refers to ‘the person’ and ‘natural persons’. Article 5 (2) draft RTS refers to ‘the customer’. Article 5 (3) draft RTS refers to ‘the person pursuant to Article 22(6)(a) and Article 22(7)(a) [AMLR]’. Article 5 (5) draft RTS refers to ‘the person referred to in Article 22(6) [AMLR]’.

We request that the draft RTS clarify whether

Prescriptive nature of conditions for document equivalency

The requirements set out in Article 5 (1) draft RTS are very prescriptive and would significantly limit the verification possibilities available to obliged entities to verify the identity of natural persons. The list aims to clarify what an equivalent document to an identity document or passport should be, but by doing so it sets the standard higher than what currently is deemed an identity document in EU jurisdictions. For example, in certain countries a driver’s licence or a birth certificate for a minor is accepted as identity document, but these documents do not contain the nationality respectively information on the period of validity. It would not assist the fight against financial crime for longstanding and well-functioning practice in accepting these documents to be disrupted.

As drivers’ licences and birth certificates (for minors) often contain no nationality information, and rarely if ever contain a machine-readable zone, they would currently not fulfil the criteria set out in the draft RTS. We recommend that longstanding use of these documents be permitted to continue – and so request deletion of the reference to ‘and their nationality’ in Article 5 (1) b), and the reference to ‘it contains a machine-readable zone’ in Article 5 (1) (e).

The requirement for a document to contain ‘biometric data’ is problematic. It is unclear whether all identity documents from jurisdictions outside of the EU would or should contain this data – and in the absence of a central registry, it is equally unclear how obliged entities would be expected to verify this. Obliged entities do not have the computer hardware to read biometric data stored in microchips embedded within identification documents – and if such were available, the legal basis which would permit such reading is unclear.

We recognise the qualification provided by the EBA via the inclusion of ‘where available’, but suggest nevertheless that lit. (g) be deleted.

Clarity regarding ‘legitimate reason’ and of ‘state or public authority’

Article 5 (2) draft RTS speaks of ‘situations where the customer cannot provide a document that meets the requirements in paragraph 1 of this article for [a] legitimate reason…’. It is not clear what a ‘legitimate reason’ for such a situation might be. Is this intended to encompass cases where the passport or identity document equivalent does not include all conditions listed in paragraph 1 (a to g)? Or is it intended to be limited to cases of asylum seekers or persons in similar situations, as the example given in Recital 7 draft RTS may suggest? We request that the RTS clarify the intended meaning of this phrase.

We also request clarification of the scope of the provision which states that ‘a state or public authority’ may provide a document that is equivalent to an identity document or passport. Is this intended to refer only to national level entities, or are sub-national authorities also in scope?

Inappropriate narrowing of scope through ‘legitimate reason’

We consider the use of ‘legitimate reason’ in Article 5 (2) draft RTS to inappropriately narrow the scope of when an obliged entity may accept a document issued by a state or public authority. Under the current draft, an obliged entity may only accept an alternative document under paragraph 2 if the customer is unable to provide one meeting the criteria in paragraph 1 for a ‘legitimate reason’.

There is however no clear reason for this. Notwithstanding the lack of clarity as to what would constitute a ‘legitimatereason’, as noted above, a document which has been issued by a state or public authority and which is sufficient for the purposes of the state – establishing civil status, gaining employment, paying taxes, participating in legal proceedings, receiving state payments, starting a business and so on – should be sufficient for the purposes of the private sector.

It is not appropriate to hold the private sector to a higher standard than the public sector. If a public authority has issued a valid identity document – whether or not a ‘legitimate reason’ is present – that should be sufficient and acceptable for the private sector.

Obligation to take reasonable steps to ensure authenticity

Article 5 (3) draft RTS requires obliged entities to take ‘reasonable steps’ to ensure that documents are authentic and have not been forged or tampered with. There is no known source of expertise or central register to verify every possible document issued by every possible global public authority. In the absence of such, we request that the EBA clarify what would constitute obliged entities taking ‘reasonable steps’, as used in this context.

Potential recourse to certified translation – ability to understand / translate in-house

We understand Article 5 (4) draft RTS) to require a certified translation of an identity document only in those situations ‘when deemed necessary’ by the obliged entity – i.e., it should only be required if the mandatory content of the information in Article 5 cannot be understood through other measures (e.g. internal translation by the obliged entity). We request that the RTS confirm that obliged entities can rely on other (including internal) measures.

Acceptability of simple copy vs. certified copy

Article 5 (5) draft RTS states that obliged entities must see an original identity document, passport or equivalent, or a certified copy thereof, or must verify in accordance with Article 6.

The reference to ‘certified copy’ is not included in Article 22 (6) AMLR. It is unclear if obliged entities can accept simple copies if verified through other sources, in keeping with the risk-based approach, or if only certified copies are deemed acceptable for verification of identity. We request that the EBA clarify if simple copies can be used for this purpose.

Acceptability of certified copy provided by client vs. received from notary / qualified lawyer

If a certified copy is required, it is unclear whether obliged entities may accept (in a non-face-to-face context) a certified copy directly from the relevant person, or if the certified copy must be received directly from the relevant notary / qualified lawyer. We request clarification from the EBA, and suggest that – in the absence of any other risk indicators - the former is pragmatic, resource-efficient, and sensible. In this context, we also want to bring to EBA’s attention that it is common practice, especially in the UK and the US, that certified copies are often produced by company secretaries i.e. not necessarily a qualified lawyer or notary. We would welcome a clarification that also these copies, in line with the current practice, are deemed certified. If not this potentially could result in a significant competitive disadvantage for entities operating in the EU.

It is important to consider that the requirement for a certification of a copy of an identity document/passport would incur costs for customers. Apart from the negative customer experience, certified ID-copies would significantly disrupt the whole (automated) onboarding-process of standard customers. So far, a certification of an ID-copy is completely unusual in providing standard financial services, like opening a bank account or issuing a life insurance policy. A general requirement of "certification" of a copy would mean a huge step backwards towards manual processes, hardly mitigating any AML/CTF-risk. It should therefore be removed.

Article 6 – Verification of the customer in a non face-to-face context

[see our response to Question 2]

Article 7 – Reliable and independent sources of information

Requirement to assess the reputation, official status and independence of the source

We note that Article 7 draft RTS requires obliged entities to assess ‘the reputation, official status and independence of the information source’.

It is not clear how an obliged entity is to assess reputation, official status or independence, or how an entity could document this to provide evidence of appropriate completion to a supervisory authority. We consider that obliged entities should decide for themselves what measures they take, in line with the risk-based approach. We therefore request that it be deleted from the Article, and greater emphasis placed on simply ‘risk-sensitive measures’ to make clear that obliged entities are expected to use their judgment, in accordance with the risk-based approach.

Definition of ‘up-to-date’

Article 7 draft RTS requires obliged entities to assess the extent to which information is ‘up-to-date’. There is no consistent practice across EU Member States regarding the acceptable age or ‘up-to-datedness’ of legal entity data and supporting documentation used for KYC reviews. This includes both the duration of the acceptable age and the starting point for determining ‘up-to-datedness’. We request that the RTS clarify the duration for which relevant documents are to be considered recent or ‘up-to-date’.

Assessment of potential risk of forging

Obliged entities will in practice usually not have sufficient information from KYC data providers or adverse media providers to assess ‘the ease with which the identity information or data provided can be forged’. In the absence of such information, it is unclear how obliged entities could perform such assessments. We therefore request that the RTS set out how obliged entities should perform such an assessment – or simply, that the requirement be removed.

Article 8 – Identification and verification of the identity of the natural or legal persons using a virtual IBAN

[see our response to Question 3]

Article 9 – Reasonable measures for the verification of the beneficial owner

Preliminary general proposal with regards to the beneficial owner definition:

Guidelines on rules to identify beneficial owners, beneficial ownership calculation and specification of co-existence of ownership interest and control in the ownership structure, including case examples

The methodology for calculating beneficial ownership may continue to vary across member states in the absence of guidance at EU level. Although a mandate for such guidance is not explicitly set out in the articles of the AMLR, Recital 105 introduces the possibility for the Commission to issue guidelines on rules to identify beneficial owners in different scenarios, including through the use of case examples.

We would welcome such guidelines, and strongly encourage the use of case examples, including i.a. the following topics

Comments on Article 9:

Focus on retail business

The reference to ‘utility bills’ as an example of ‘third-party sources’ in the context of identifying the beneficial owner in Article 9 draft RTS is unhelpful in the context of wholesale business. Given the nature of wholesale business and of the customers of wholesale banks, it is not credible to expect wholesale banks to obtain utility bills (or similar items) from UBOs (or SMOs).

We recognise the challenges the EBA faces in seeking to draft regulation applicable to all sectors. Regulation must nevertheless be realistic, fit for purpose, and appropriate for the sectors regulated. To require the collection of sources of such intimacy or detail goes beyond the requirements set by the co-legislators. As such, we request that the RTS require simply ‘reasonable measures’, in line with Article 9 draft RTS.

Certification by independent professionals

Certification of identity by an independent professional should only be required for documents originating in certain high-risk jurisdictions. For other risk classes, such certification should only be necessary in case of reasonable doubts about the authenticity of the document deriving from indications that the document could have been forged.

We note this point following our reading of Recital 5 draft RTS, which could be interpreted as a rule-based requirement for all risk segments to collect either official copies of statutory or constitutive documents from the applicable public register, or unofficial copies certified by an independent professional or a public authority.

Such an approach would be excessively burdensome and would have a negative impact on the competitiveness of EU financial institutions, due to the additional cost and burden of certifications on the side of the customer.

We therefore request that the requirement to provide certified copies be restricted to

situations where reasonable doubt about the authenticity of the document exists deriving from indications that the document could have been forged (irrespective of the customer risk), and
in cases of EDD, but only if the document had been set up or signed by one of the parties in a high-risk country as listed under Regulation 2016/1675 (please refer to one of the country lists of AMLR Section 2).

We request that the draft RTS be amended to make clear that if an obliged entity has direct access to a public register, information taken from that register shall be deemed as an official copy coming from the applicable register.

Clarification of legal base for information sharing

We note the statement in Article 9 draft RTS that ‘reasonable measures’ may include

‘…up-to-date information from credit or financial institutions as defined in Article 3(1) and (2) of Regulation (EU) 2024/1624, which confirm that the beneficial owner has been identified and verified by the respective institution’.

We welcome the possibility for credit and financial institutions to be able to share beneficial owner KYC information to avoid unnecessary duplication. We understand that Article 22 (7) (b) AMLR and Article 9 draft RTS provide a clear basis for such data sharing for KYC purpose as being within the scope of prevention of money laundering and terrorist financing. We request that the RTS confirm this understanding.

Article 10 – Understanding the ownership and control structure of the customer

Challenges for wholesale business – departure from the risk-based approach

For wholesale clients, many of whom are well-known listed or regulated entities, the detailed approach to assessing ownership and control structures set out in the draft RTS is likely to create significant administrative and operational burdens. The requirement as currently drafted may lead to missing genuine risks if the focus is on exhaustive ownership structure analysis, rather than on undertaking a more proportionate, targeted and risk-based assessment.

Article 20 (1) (b) AMLR sets the taking of ‘reasonable measures’ as the starting point for the obliged entity to satisfy itself that it understands the ownership and control structure of the customer. The approach set out in the RTS goes however significantly beyond the AMLR text and introduces the requirement to obtain specific information, which may not in all cases be required or appropriate for understanding the customer’s ownership structure.

We request that the RTS consider the wholesale customer base and provide flexibility regarding the situations when assessment of all ownership layers is to be required. The level of such assessment should vary according to the customer type, sector, and potential status as a regulated or listed entity as well as the customer risk.

Clarification of ‘a reference’

Article 10 (1) (a) draft RTS requires obliged entities to obtain ‘a reference to all the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their beneficial owners…’. It is not clear what is meant by ‘a reference’ in this context. The term is not used elsewhere in the draft RTS. If it is intended that obliged entities shall collect the names of the legal entities and/or legal arrangements cited, we suggest that the word ‘name’ be used.

Scope of identifying intermediary layers

Article 10 (1) (a) draft RTS requires obliged entities to reference all the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their beneficial owners, if any. We consider this to be excessive and not in line with the risk-based approach.

We suggest instead that the focus should be on intermediary layers and that the identification of intermediaries should apply to higher risk customers, thus reducing the administrative burden for lower risk scenarios.

In our opinion, Article 10 1.b should be simplified so that only the names of the entities that make up the structure up to the beneficial owner, the jurisdiction of each entity, and the percentage of ownership are requested. Based on this information, it would be possible to determine whether the ownership or control structure is complex, and if so, we would apply Article 11 with the additional detail required by Article 10.

Article 10(1)(b) – "Jurisdiction of incorporation":

In our view, the term “country of registration” should be sufficient. Referring to the “jurisdiction” can be problematic, as it may be difficult to verify and could also refer to contractually agreed jurisdictions.

Nominee shareholder guidance

The existence of nominee shareholders is not always apparent. We request that the RTS clarify whether firms are expected to proactively inquire about potential nominee arrangements.

Information on the regulated market

In cases where a legal entity in an intermediate level of the ownership and control structure has its securities listed on a regulated market, Article 10 (1) (c) draft RTS requires obliged entities to obtain information on the regulated market on which the securities are listed.

It is not clear what risk management outcome the EBA is looking to achieve by requiring obliged entities to gather this information. Noting that the relief for listed entities has been removed from the regime, we do not understand the risk mitigation that is expected to be derived by obtaining this information

For most customers, such a requirement then would not add benefit commensurate to the cost imposed. We suggest that information on the regulated market should only be required if the fact that a customer is listed on such a regulated market is used as the basis for assessing the customer as low risk.

Regulated market exemption

The absence of a regulated market exemption in the article, despite its mention in intermediary layers analysis, raises questions about whether there is an implied level of comfort for entities listed on a regulated market. We suggest that re-introducing a regulated market exemption is likely to reduce unnecessary burdens and would be in keeping with the risk-based approach.

A listing on a qualified stock market is a strong indicator that the entity is following regulatory requirements and sufficient transparency.

To ensure a harmonized approach across the EU, a list of regulated markets (or markets considered equivalent) should be made available at the European level.

Beneficial ownership reporting

It is not clear from the draft RTS what is to be considered in beneficial ownership reporting. It would be helpful for the RTS to provide clarification of acceptable information that an obliged entity can obtain to satisfy this requirement

Plausibility assessment

Article 10 (2) draft RTS requires obliged entities to assess whether the information included in the description is ‘plausible’.

In any clarification of how the ‘plausibility’ of such information should be assessed (which may be provided by the final text of the RTS, or in future guidance), we request that obliged entities retain the ability to apply a risk-based approach and not be forced to follow a rules-based alternative.

It would be an error to imagine that the extent of all such situations which may arise can be anticipated, and appropriate rules written, ex ante. It would be better to permit obliged entities to tailor their assessment to the facts of the situation at hand, in accordance with the risk-based approach.

Obligation to assess the economic rationale behind the structure

Article 10 (2) draft RTS requires obliged entities to assess the economic rationale behind the structure presented by a customer. We do not consider it appropriate – or feasible – to require obliged entities to perform such an assessment. We also note the wording in Article 20 (1) (b) AMLR which requires simply ‘understanding’ the ownership and control structure. Assessing the economic rationale and performing a plausibility check (see above) go significantly beyond having an understanding of the control structure.

There are many reasons a customer (or other legal entity) may choose to structure itself as it does. The choice of structure will often arise from internal information known only to the customer (or other legal entity) itself. It should not be expected for obliged entities to understand – or even to infer – the economic rationale behind the structure, as such an understanding (or inference) would require knowledge of internal information of the customer (such as tax implications or political and market considerations relevant to particular jurisdictions) which the customer is not obliged and would not expect to disclose.

We recommend that the obligation should be changed to require obliged entities to assess whether a structure might have been set up only in order to avoid or reduce the transparency of beneficial ownership with no other likely or possible legitimate justification. As with the plausibility assessment, this would be triggered by the facts of the situation and in accordance with the risk-based approach.

Little differentiation between requirements of Articles 10 and 11

Article 10 draft RTS sets requirements to build understanding of the ownership and control structure of the customer in standard cases. Article 11 sets requirements to build understanding in complex cases. The sole additional provision for higher risk entities as set out in Article 11 (2) draft RTS is that an organigram must be obtained. The level of information which obliged entities must obtain for standard and complex cases is therefore essentially the same at both levels. This is not in keeping with the risk based approach, and suggests the requirements set out in Article 10 for standard cases are excessive.

Suggested amendments

We suggest that the text of this Article be redrafted to focus on understanding the ownership and control structure of customers, particularly in complex and higher-risk situations, as follows:

For the purposes of understanding the ownership and control structure of the customer in accordance with Article 20(1) (b) of Regulation (EU) 2024/1624, where the customer's structure appears unusually or excessively complex given the nature of the customer’s business, and may pose a higher risk of ML/TF and in situations where the customer’s ownership and control structure contains more than one legal entity or legal arrangement, obliged entities shall obtain the following information:

a. a reference to all the names of the legal entities and/or legal arrangements functioning as intermediary connections between the customer and their beneficial owners, if any;

b. with respect to each legal entity or legal arrangement within the referred intermediary connections, the legal form of each legal entity or legal arrangement, and reference to the existence of any nominee shareholders; the jurisdiction of incorporation or registration of the legal person or legal arrangement, or, in the case of a trust, the jurisdiction of its governing law and; where applicable, the shares of interest held by each legal entity or legal arrangement, its sub-division, by class or type of shares and/or voting rights expressed as a percentage of the respective total, where beneficial ownership is determined on the basis of control, understanding how this is expressed and exercised.

c. information on the regulated market on which the securities are listed, in case a legal entity in an intermediate level of the ownership and control structure has its securities listed on a regulated market, and the extent of the listing if not all the legal entity’s securities are listed on a regulated market’.

If the suggested deletion of (c) set out above is not accepted, then we suggest at least reducing the scope of the requirement to the ultimate parent, as follows:

c. information on the regulated market on which the securities of the ultimate parent are listed, in case the ultimate parent a legal entity in an intermediate level of the ownership and control structure has its securities listed on a regulated market, and the extent of the listing if not all the ultimate parent legal entity’s securities are listed on a regulated market’.

2. Where warranted by the facts of the situation at hand, obliged entities shall assess whether the information included in the description, as referred to in Article 62(1)d of Regulation (EU) 2024/1624, is plausible, there is economic rationale behind the structure, and it explains how the overall structure affects the ML/TF risk associated with the customer whether a structure might have been set up only in order to avoid or reduce the transparency of beneficial ownership, with no other likely or possible legitimate justification apparent.

Article 11 – Understanding the ownership and control structure of the customer in case of complex structures

On Article 11, we question the legal basis for defining ‘complex structures’ in the RTS, as the AMLR does not introduce such a concept. Should Article 11 be retained, a minimum of more than two layers should be required between the customer and the beneficial owner to define complexity. Regarding Article 11(1)(b), if it is maintained, it should be clarified that ‘different jurisdictions’ refers specifically to jurisdictions outside the EU/EEA, to avoid unnecessary classification of legitimate EU cross-border structures as complex. However, we would support the deletion of Article 11 altogether, given the absence of a legal mandate to impose additional CDD requirements for so-called complex structures.

Overly broad definition of ‘complex structure’ – request for industry to determine complexity

The definition of a complex structure as one which has ‘two or more layers’– even when qualified by the conditions set out in Article 11 (1) draft RTS – is too broad.

In a wholesale context, it is possible that almost all ownership structures could be classified as ‘complex’ under the criteria as set out, noting that multinational companies and large financial entities typically have multiple layers of ownership. To classify all such structures as ‘complex’ would not be aligned with the risk-based approach and would require the obtaining of detailed and potentially certified ownership structure charts – a significant administrative burden – for almost all clients, for little benefit.

In the first instance, we request that the assessment criteria be removed and the responsibility placed upon obliged entities to determine the complexity of the structures they encounter. This would allow obliged entities to apply specialist knowledge and experience to identify (and allocate resources to) cases which involve genuinely higher risk structures. This would be in keeping with the risk-based approach and allow most efficient use of scarce resources, the better to advance the fight against financial crime.

If this request should not be accepted, we then request that the definition of ‘complex structure’ be tailored to genuinely higher risk scenarios, rather than applying (as in the present draft) broadly to large institutions. We make drafting suggestions below to this end. This approach would allow better use of scarce resources and ensure that the focus is on genuinely complex and high-risk structures.

For example, in Sweden, it is very easy to establish a limited liability company, and there are legitimate and rational reasons to place different parts of a business in separate companies instead of operating through a single company. Structures with holding companies, subsidiaries, and sub-subsidiaries are common. There are also entirely legitimate reasons to conduct operations in other EU countries by forming subsidiaries in those countries rather than operating branches. Any quantitative thresholds regarding ownership layers risk leading to uncomplicated corporate structures being considered complex, even though the number of ownership levels is rarely a decisive indicator of a lack of transparency in ownership and control.

Removal of ‘legal arrangement’ condition

We do not consider that the condition set out in Article 11 (1) (a) draft RTS – that of having a ‘legal arrangement’ in any of the layers – to be an appropriate signifier of complexity. Legal arrangements are common in ownership structures – particularly in wholesale contexts. We therefore suggest that this condition be amended to take account of the reality of wholesale business, or simply removed.

Clarity on ownership structure assessment / organigrams

We request that the RTS clarify how obliged entities may ensure that an organigram provides a comprehensive understanding of the ownership and control structure, including effective assessment and validation measures.

Allowing banks to draft organisational charts based on client-provided information, with client attestation, or on reliable public information, could address the practical challenges of obtaining organisational charts directly from clients. This approach would streamline the process while ensuring accuracy and would be in keeping with the risk-based approach.

Regarding “organigram”, we suggest that the EBA change it to “organigram displaying the structure relevant for the UBO determination”. This is because for some structures d it could be difficult to display the whole structure in a readable manner – it is necessary to state that only those relevant have to be displayed.

Suggested amendments

We propose the text for an entirely new Article 11. This would require obliged entities to define, within their specific context, the criteria for what constitutes a complex ownership and control structure. This reads:

To understand the complexity level of the ownership and control structure of the customer in accordance with Article 20(1)(b) of Regulation (EU) 2024/1624, obliged entities shall develop specific internal procedures to specify the criteria that make ownership and control structures complex for the business relationships for which the obliged entity provides products and services.

These procedures shall provide internal arrangement dealing with:

the number of layers between the customer and the beneficial owner that are an indicator of complex ownership structure and
the presence of nominee shareholders and / or directors that are involved in the structure.

If this proposal is not accepted, we suggest at least to reconsider the number of layers that are regarded as a factor for complex ownership and control structure. Only multiple layers (of at least three or more layers) in combination with other clear indicators for complex ownership should be deemed as complex ownership and control structure.

The “in different jurisdictions” should be changed to “more than three different”: to ensure only truly complex structure fall within this scope – otherwise e.g. a legal entity customer in AT with its mother company registered in DE would be considered complex (lit b).

Article 12 – Information on senior managing officials

Clear definition of ‘senior managing officials’

We request that the RTS provide a clear definition of SMOs and their powers. This is particularly important for application in a wholesale environment, where roles and responsibilities vary greatly across the sector.

We note that in the public hearing the EBA held on 10 April 2025, there was a suggestion that SMOs could be defined in accordance with Article 63 AMLR. This would suggest that ‘senior managing officials’ would include executive members of the management body, as well as the natural persons who exercise executive functions within a legal entity and are responsible and accountable to the management body for the day-to-day management of the entity.

Such an interpretation would capture in some instances a very large number of natural persons and would be very burdensome for obliged entities to implement. This would not be in keeping with the risk-based approach or the proportionality principle and would not further efforts to prevent and detect financial crime. On the contrary – by requiring the use of scarce resources for largely unnecessary and unhelpful work, it would likely reduce the efficacy of wider financial crime risk mitigation efforts. We therefore request a more focused interpretation, in accordance with the risk-based approach.

It should be clearly stated that an authorized signatory can’t be considered in such a function. If they are indeed considered to be equivalent to UBOs it should be limited how many of them are to be identified e.g. a larger entity can have up to 80 or more. It is not feasible to collect data from each of these persons.

Distinction between senior managing officials and beneficial owners

The roles and responsibilities of SMOs differ significantly from those of natural person economic beneficial owners. SMOs manage the legal entity, but do not personally own or control it. Article 12 of the draft RTS does not however recognise this distinction, requiring obliged entities to ‘collect the same information as for beneficial owners’ pursuant to Article 22 (2) AMLR.

Given the disparity in roles, responsibilities, benefits and degree of control, this is disproportionate. We request that the data elements to be collected for SMOs be tailored to the extent that they may exercise control over the entity, in keeping with the risk-based approach.

Requirement to collect identification documentation and personal address

We do not consider that obliged entities should be required to collect an identification document for SMOs – noting that SMOs would in many cases be unwilling to provide such personal data, and the risk of tipping off the customer to the existence of concerns that such a request would entail.

We consider that the registered address of the legal entity should be deemed as the residential address of its SMOs, where such addresses are to be recorded. We also note the potential personal risk provision of such information could have for the SMO (e.g., kidnap risk – please see our earlier remarks relating to Article 2 draft RTS noting this point for both UBOs and SMOs).

Article 13 – Identification and verification of beneficiaries of trusts and similar legal entities or arrangements

Clarification on scope of AMLR in relation to trusts

It is unclear whether the AMLR refers to trusts as direct customers or trusts in the ownership structure. We therefore request that the RTS clarify the scope of the AMLR in relation to trusts. We suggest that the focus should be on trusts as direct customers, as applying requirements to ownership structures would be significant and challenging to implement.

Limited applicability of beneficiary information

We request that Article 13 (1) draft RTS be amended to clarify that Article 22 (4) AMLR requires the collection of sufficient information to establish the identity of beneficiaries only when they are designated by particular characteristics or class, and not in all circumstances. This limits the applicability to specific cases and is in keeping with the risk-based approach.

Source of beneficiary descriptions

We request that the wording ‘…from the trustee, the legal entity or the legal arrangement…’ be removed from Article 13 (1) draft RTS to avoid implying that descriptions of the class of beneficiaries must be obtained directly from these sources. In some instances, the descriptions might be sourced from trust corporate documents.

Documentation for Article 13 (1) (b)

Article 13 (1) (b) draft RTS cites ‘…relevant documents to enable the obliged entity to establish that the description is correct and up-to-date’.

It is unclear what documents would satisfy Article 13 (1) (b). While an updated trust deed may contain beneficiary information, it may not always be available. In most instances, obliged entities would rely on trustees to attest that the documentation is correct and up-to-date.

We request therefore that the RTS allow obliged entities to complete verification using reasonable measures. This would permit obliged entities to tailor their verification processes to the facts of the situation at hand, the better to ensure appropriate verification is undertaken without pre-judging how best any particular description received may be verified.

Definition of ‘up-to-date’

In keeping with our comments on other Articles, we request that the RTS specify how obliged entities are to judge what is to be regarded as ‘up-to-date’.

Article 13 draft RTS requires obliged entities to assess the extent to which a description of the class of beneficiaries and its characteristics is ‘up-to-date’. There is no consistent practice across EU Member States regarding the acceptable age or ‘up-to-datedness’ of information provided and supporting documentation used for KYC reviews. This includes both the duration of the acceptable age and the starting point for determining ‘up-to-datedness’. We request that the RTS clarify the duration for which the description provided and relevant documents are to be considered recent or ‘up-to-date’.

Measures to be taken for updates

Article 13 (2) draft RTS requires obliged entities to ‘take risk-sensitive measures to ensure that the trustee, the legal entity or the legal arrangement provide timely updates’. We request that the RTS provide examples of what would constitute such ‘risk-sensitive measures’ in order to ensure shared understanding between industry and supervisory authorities of how this requirement may be fulfilled.

Treatment of private foundations

Private foundations are customary legal forms used notably in Austria, Germany, Liechtenstein and Switzerland. We request that the RTS clarify if such foundations are intended to be treated as ‘trusts’ for the purpose of this Article.

Article 14 – Identification and verification of beneficiaries of discretionary trusts

Feedback to Article 13 also relevant to Article 14

Several points made in relation to Article 13 are also relevant to Article 14. We do not propose to repeat them in full. As a brief recap, they include

the need to clarify the scope of the AMLR in relation to trusts,
the intended treatment of private foundations,
the need to provide examples of ‘relevant documents’,
how firms should judge what is to be deemed ‘up-to-date’,
the measures to be taken for updates.

Article 15(c) – we request a clarification in respect of the information expected to be shared within a group, given the assumption of the understanding of the customer and the origin of funds that an obliged entity will develop further to such information. Issues of bank secrecy and personal data/privacy should be taken into account when clarifying the expected information sharing, so that the extensive requirements under the AMLR and the RTS in this regard can be fulfilled without each respective bank having to weigh the issues against each other in each individual case. The legal basis for the exchange of information must be clear and unambiguous.

Article 22.2 – With respect to customer identification data, clarification is requested as to whether such data is to be distinguished from verification of customer identity. If so, 22.2 should consequently be understood as not demanding “re-identification,” i.e. repeated verification of the customer’s identity.

Question 2: Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6 would provide the same level of protection against identity fraud as the electronic identification means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the use of such remote solutions should be considered only temporary, until such time when e-IDAS-compliant solutions are made available? Please explain your reasoning.

Potential limiting of scope of Article 22 (6) AMLR

Article 22 (6) AMLR sets out two means for verification of the identity of the customer or any person purporting to act on their behalf. Only the second of these is ‘electronic identification means’.

Article 6 draft RTS cites Article 22 (6) AMLR, but initially appears to limit the scope to only the second means set out in that Article (‘…obliged entities shall use electronic identification means…’).

The RTS should avoiding any suggestion of limiting the scope of the options set out by the co-legislators. We therefore request that the final RTS text be amended to make clear that both options set out in Article 22 6) AMLR are available. We suggest drafting such as:

Article 6 (1) draft RTS

‘To comply with the requirements of Article 22(6) of Regulation (EU) 2024/1624 in a non-face to face context, obliged entities shall apply specific and additional measures to compensate the potentially higher risk that this type of customer relationship presents, or may use electronic identification means, which meet the requirements of Regulation (EU) No 910/2014 with regard to the assurance levels ‘substantial’ or ‘high’, or relevant qualified trust services as set out in that Regulation’.

Clarity of targeted population

Article 22 (6) AMLR refers to ‘the customer and of any person purporting to act on their behalf’. Article 6 (3) draft RTS refers only to ‘the customer’.

If the scope of Article 6 (3) draft RTS is intended to match that of Article 22 (6) AMLR, or indeed is intended to cover additional roles that a natural person may have (including, notably, that of beneficial owner), we request that the text be amended to make this clear.

Possible focus on retail banking

The draft Article appears to have been written with predominantly retail banking scenarios in mind. We request that in finalising the Article – and others noted elsewhere in our response – that the characteristics and practices of wholesale banking scenarios also be considered.

Definition of ‘non face-to-face’

There is a need for clarity on what constitutes a non-face-to-face interaction. Historically, interpretations have varied – particularly in the wholesale context. For example, meeting a customer representative at a site visit may be considered ‘face-to-face’, even if the ultimate beneficial owner is not met. Clear definitions are crucial, especially if some competent authorities may consider wholesale interactions non face-to-face. We therefore request that the RTS clarify what constitutes ‘face-to-face’ – with a particular focus on the wholesale context.

Premature reliance and excessive focus on eIDAS – need for other solutions to be equal alternative

We welcome the acknowledgement that tools and solutions that are not eIDAS-compliant can be used to verify the identity of customers and other roles in an online context. This is and shall be an important and permanent approach, in particular for customers and other persons not resident in the EU.

Paragraph 42 of the EBA document accompanying the draft RTS recognises that electronic identities are not mandatory for individuals or for legal persons under the eIDAS Regulation, and that some groups (such as those not resident in the EU, the disadvantaged, or other vulnerable groups) may not be able to obtain an electronic identity. Nevertheless, and notwithstanding the fact the eIDAS solutions are a choice and not an obligation for natural and legal persons, the phrasing of Article 6 (2) draft RTS states that ‘remote solutions’ (which we interpret to include video identification) may be used ‘[i]n cases where the solution described in paragraph 1 [i.e., an eIDAS solution] is not available, or cannot reasonably be provided…’.

This inappropriately limits the use of non-eIDAS solutions, placing them in a second order of preference, to be used only in certain circumstances. This is unhelpful and unwelcome. eIDAS solutions are not yet widely available. When they are rolled out, it remains to be seen whether they will be accepted by the public. Video identification is however already widely used, is understood and accepted by the public, and is already built into banks’ systems and controls.

A reliable, independent digital ID system with appropriate risk mitigation measures in place which meets the standards equivalent to eIDAS (and not necessarily fully compliant with eIDAS) should in general be considered acceptable for non face-to-face customer identification and transactions. We therefore request that the draft RTS be amended to make clear that remote solutions, including video identification, are an equal alternative to eIDAS solutions, and in all cases their use should not be limited to situations only where eIDAS solutions are unavailable or cannot reasonably be provided – or at least to allow for a transition period of several years in the case of EU natural persons of whom eIDAS solutions can reasonably be expected to be provided.

Consent requirement

After setting out possibilities for verifying the customer’s identity in paragraphs 1 and 2, Article 6 (3) draft RTS requires obliged entities to obtain the customer’s explicit consent – but only with regard to the solutions set out in paragraph 2. We request that the RTS specify what time of consent should be recorded (privacy-type or data protection-type consent), and clarify why consent is required in relation to the solutions set out in paragraph 2 but not those set out in paragraph 1.

Clarity on ‘commensurate’ solutions

The RTS permits

the use of electronic identification means, which meet the requirements of Regulation (EU) No 910/2014 with regard to the assurance levels ‘substantial’ or ‘high’,
relevant qualified trust services as set out in that Regulation,
remote solutions that meet the conditions set out in paragraphs 3-6 of Article 6 draft RTS. In this possibility, solutions are required to be ‘commensurate to the size, nature and complexity of the obliged entity’s business and its exposure to ML/TF risks’.

We request that the RTS clarify what ‘commensurate to the size, nature, and complexity of the obliged entity’s business and its exposure to ML/TF risks’ means in this context.

Proposal to replace ‘commensurate’ with ‘proportionate’

The FATF recently consulted and finalised a review to replace use of the word ‘commensurate’ with ‘proportionate’ in FATF Recommendation 1. It explained its change as follows:

Replacement of the term ‘commensurate’ with ‘proportionate’, defined as a measure or action that appropriately corresponds to the level of identified risk and effectively mitigates the risks, throughout the Recommendations in order to provide clarity on how the concept should be applied in the context of a risk-based approach and align the FATF’s language more closely with that of financial inclusion stakeholders and frameworks.

We recommend that the draft RTS uses FATF language to better ensure shared understanding and global consistency between standards setters.

Verification of security features embedded in official documents

Article 6 (5) draft RTS requires obliged entities to verify the security features (such as holograms) embedded in the official document to verify their authenticity.

Security features vary significantly depending on the jurisdiction producing the document. Although we recognise the mention as illustrative, ‘holograms’ are not a feature that is generally used in the identification and verification of legal persons. It is also not clear how an obliged entity would verify the authenticity of a hologram (or similar) on a document.

Where obliged entities accept ‘reproductions’ of original documents, the draft RTS requires them to take ‘steps’ to ascertain that the reproduction is reliable. We do not consider that obliged entities are likely to be in a position where they are able to validate the integrity and authenticity of reproductions of documents. In most instances, the process of adding reliable and independent sources to internal procedures should be sufficient.

Where documents are obtained directly from the customer, it is not realistic or reasonable to ask obliged entities to accept the burden of checking the authenticity of documents – especially given the rise of the capabilities of artificial intelligence. We therefore request that this provision be removed from the RTS.

Should this request not be accepted, we request that the RTS provide criteria to define what we assume must be reasonable ‘steps' to ensure the authenticity and integrity of reproductions of documents. This will help ensure consistent and effective implementation across different business contexts.

Use of terminology – ‘customers that are not natural persons’

We also note the reference to ‘customers that are not natural persons’. This is not a term that is used elsewhere in the draft RTS, or in the broader AML package. If this is intended to refer to legal entities, or other organisations that have legal capacity, we suggest that it may be more appropriate to use such terms.

Definition of ‘up-to-date’

Article 6 draft RTS (and other subsequent Articles) requires obliged entities to assess the extent to which information is ‘up-to-date’. There is no consistent practice across EU Member States regarding the acceptable age or ‘up-to-datedness’ of legal entity data and supporting documentation used for KYC reviews. This includes both the duration of the acceptable age and the starting point for determining ‘up-to-datedness’. We request that the RTS clarify the duration for which relevant documents are to be considered recent or ‘up-to-date’.

Consistency of terminology

The title of Article 6, and Article 6 (2) draft RTS, refer to ‘the customer’. In Article 6 (3), reference is made first to ‘a customer’, and subsequently to ‘the person to be identified’. We recommend that terminology be used consistently and precisely to avoid possible confusion.

Question 3: Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.

Clarity on obligations and language

The current language in the draft RTS is unclear and does not specify the obligations of an obliged entity to the extent that entities can be certain as to the actions they must take. The language of the AMLR text appears to provide clearer statements as to obligations. We request that the language of the RTS be revised to ensure that the actions expected of obliged entities are explicitly stated and easily understood in terms of the role a credit or financial institution undertakes in a transfer.

Identification and verification for virtual IBANs

We request that the RTS specify the extent to which a credit or financial institution issuing the IBAN is required to identify and verify the identity of natural or legal persons using the virtual IBAN. This should include clarification of whether the issuer of the virtual IBAN must obtain identification and verification information from their customer about the underlying users of the virtual IBAN. If this is the intention, it could impact the viability of virtual IBANs as a product in the EU.

Clarification of Roles and responsibilities

The RTS references three types of roles for credit or financial institutions in relation to virtual IBANs. These are

a credit or financial institution issuing a virtual IBAN
a credit or financial institution servicing the account
a credit or financial institution (which is other than the issuer of the virtual IBAN) that provides the virtual IBAN to a natural or legal person for their use.
a credit or financial institution issuing a virtual IBAN
a credit or financial institution servicing the bank or payment account to which a virtual IBAN issued by another institution redirects payments.

The AMLR however references only two roles:

We request that the RTS define what constitutes a credit or financial institution servicing the bank or payment account for virtual IBAN accounts.

We also note the apparent introduction of the third class of institution by the draft RTS, and request that the RTS clarify the definition of roles related to virtual IBANs.

In our reading, the draft RTS puts the onus on an institution that provides a virtual IBAN to a person to provide information to identify and verify the identity of that person to the issuing institution – but given such a class of institution is seemingly a creation of the draft RTS, it would be helpful for this to be explained further.

In a context with millions of clients and transactions, it is practically impossible for the entity issuing the IBAN to know if a virtual IBAN has been granted to a third party by a financial institution that is a client of ours. In this sense, although the obligation to report falls on the client who provides the virtual IBAN to their client, the lines of responsibility should be more detailed and clearer.

In general, we believe that the use of vIBANs should be more detailed in regulations, determining what can and cannot be done.

Use of the term ‘provides’

The draft RTS uses the term ‘provides’ to refer to the passing of information between the various roles set out in Article 8. We request that the EBA clarify if in practice this means requesting and/or providing information via one of the existing payment rails or payment infrastructure, or similar means.

Inconsistency between text of AMLR and draft RTS – potential inability to extend scope

Difference in text between AMLR and draft CDD RTS

Article 22 (3) sub-paragraph 2 reads:

The credit institution or financial institution servicing the bank or payment account to which a virtual IBAN issued by another credit institution or financial institution redirects payments, shall ensure that it can obtain from the institution issuing the virtual IBAN the information identifying and verifying the identity of the natural person using that virtual IBAN without delay and in any case within 5 working days of it requesting that information.

Article 8 of the draft RTS reads:

Where a credit or financial institution, other than the issuer of the virtual IBAN and other than the credit or financial institution servicing the account, provides a natural or legal person a virtual IBAN for their use, it shall provide to the issuer of the virtual IBAN the information for identifying and verifying the identity of that natural or legal person using the virtual IBAN within a time period that enables the credit institution and financial institution servicing the bank or payment account to fulfil its obligation under Article 22(3) second subparagraph of Regulation (EU) 2024/1624.

We flag here the difference in scope between the AMLR reference to ‘the natural person using that virtual IBAN’ and the draft RTS reference to ‘that natural or legal person using the virtual IBAN’. In general, we would expect such a requirement to apply to natural or legal persons – but it is not clear that a Level 2 measure may extend the scope of a measure previously set out in Level 1.

Responsibility placed upon the institution servicing the account

Article 22 (3) AMLR requires a credit or financial institution servicing the account to which a virtual IBAN issued by another credit or financial institution redirects payments to ensure that it can obtain from the credit or financial institution issuing the virtual IBAN the information identifying and verifying the identity of the natural person using that virtual IBAN within five working days.

It is not clear that a servicing credit or financial institution will know that a given IBAN is a virtual IBAN. It is also not clear how the servicing credit or financial institution can ensure that it will receive the information, since the completion of the action relies on prompt action of an external party.

We request that the RTS clarify how a servicing institution may differentiate between virtual and non-virtual IBANs, and to explain how the servicing institution may fulfil the responsibility set out by Article 22 (3) AMLR in the absence of control over the actions of the issuing institution.

Responsibility of virtual IBAN intermediaries

We consider that the draft RTS could place more responsibility on virtual IBAN intermediaries for identification and verification processes. We suggest that the draft RTS state that the virtual IBAN issuer can rely on the identification and verification checks conducted by an intermediary without additional outsourcing governance, such as spot checks, when the data is provided. This responsibility could also be extended to non-EU regulated entities to ensure a more efficient process and better use of resources.

RTS requirements to align with changes to FATF Recommendation 16

As per our understanding, the ‘provision’ of required information as per this Article in the RTS will be via a payment rail or external payments infrastructure. The Financial Action Task Force (FATF) is currently processing feedback received to its consultation on changes to Recommendation 16 on Wire Transfers, which concerns payment transparency. The FATF consultation focused on ensuring that the account number or payment message data which are transmitted as part of a transaction can identify the financial institution and the country where the funds are held. FATF is expected to publish the results of its consideration of feedback in June 2025 – which will coincide with the EBA considering feedback received to this consultation.

We request that to the extent possible, the EBA look to align the final requirements of Article 8 with final changes to Recommendation 16 expected to be published by FATF in June 2025. Global alignment is helpful in ensuring effective compliance and reinforces the benefit of FATF’s work to set standards at the global level.

Question 4: Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 15 – Identification of the purpose and intended nature of the business relationship or the occasional transactions

Requirements not in keeping with approach of AMLR; requirement to first assess appropriateness / necessity

Article 20 (1) (c) AMLR requires obliged entities to obtain information on and understand the purpose and intended nature of the business relationship or the occasional transactions ‘as appropriate’. Article 25 AMLR similarly requires obliged entities to obtain information ‘where necessary’.

In both Articles, it is clear that the co-legislators did not intend obliged entities to take the actions set out in all instances. Rather, obliged entities are required to apply their judgement and take action in certain circumstances, in accordance with a risk-based approach.

The drafting of Article 15 draft RTS does not sufficiently reflect the risk-based approach evident in the AMLR. We recognise that the text makes reference to ‘risk-sensitive measures’. It is not however clear in the text of the draft RTS that obliged entities should first assess whether the measures need to be applied at all.

We request that the text of the RTS be amended to reflect the risk-based approach chosen by the co-legislators. In particular, we request that the text clarify that obliged entities should first assess whether the specific situation warrants the application of any of the listed measures, and if so, that a proportionate and risk-based approach should be applied, with obliged entities exercising judgment in determining which topics or points to seek information on – and to what extent – and which may be reasonably excluded from further inquiry.

Where the purpose and intended nature of the relationship or transaction is self-evident from the products and services themselves, there should be no requirement to collect any further information.

Request for definition of ‘occasional transaction’

We request that the RTS provide a definition of ‘occasional transaction’ . We note that Directive 2015/849, Article 11 (b) states

(b) when carrying out an occasional transaction that:

(i) amounts to EUR 15 000 or more, whether that transaction is carried out in a single operation or in several operations which appear to be linked; or

(ii) constitutes a transfer of funds, as defined in point (9) of Article 3 of Regulation (EU) 2015/847 of the European Parliament and of the Council ( 1 ), exceeding EUR 1 000;

An updated definition would assist obliged entities in understanding their requirements. We note that the definition previously provided by Directive 2015/849 is very low for wholesale banking contexts and should be amended to take account of the reality of wholesale banking transactions.

Clarity regarding ‘risk-sensitive measures’

Article 15 draft RTS requires obliged entities to ‘…take risk-sensitive measures…’. We request that the RTS provide examples of what would constitute such ‘risk-sensitive measures’ in order to ensure shared understanding between industry and supervisory authorities of how this requirement may be fulfilled.

Requirement to determine why the customer has chosen the obliged entities’ products and services

In many cases, there may be no specific reason for a customer choosing a certain service provider. Where a reason is present, it may be known only known to the customer, who may not (or may not wish) to provide it. For example, a customer may choose a bank because of branding, a particular advertisement, the available offers on the market, or simple physical convenience due to proximity to a branch of the institution. We understand the RTS to be in line with the risk-based approach set out in the AMLR and assume that further determination of why the customer has chosen the obliged entities' products or services is not required in such cases.

Requirement to assess relationship with the ‘wider group’

The requirement in Article 15 (1) (c) draft RTS to assess whether the customer has additional relationships with the ‘wider group’ is excessively broad. It would be particularly unrealistic in certain sectors of banking, where high-volume business is usual.

In cases where the obliged entity is a subsidiary of a third country entity, obtaining this information may conflict with local data sharing and banking secrecy provisions (e.g., Switzerland). For obliged entities based in the EU, there may be significant issues regarding data sharing with third country jurisdictions which do not adhere to similar data protection standards and data deletion requirements (e.g., China). To fulfil such a requirement would be a significant burden for industry and would send a strongly negative signal for EU competitiveness. We therefore request that Article 15 (1) (c) draft RTS be deleted.

If it is not deleted, we would appreciate getting further guidance on how the entity can determine this.

Requirement to assess source of wealth

The requirement set out in Article 15 (1) (d) draft RTS to obtain information relating to the source of wealth goes beyond the scope of Article 20 (1) (c) AMLR, which is explicitly cited as the setting the scope of Article 15. Assessment of the source of wealth is only required for EDD and is not to be required for the purposes of Article 20 (1) (c) AMLR. We therefore ask for Article 15 (d) draft RTS to be clarified, to read

where the ML/TF risk is higher such that EDD is necessary, to determine the source of wealth.

Comments from the Insurance Industry:

Articles 15 and 16 do not reflect the business model of life insurance. Life insurance is based on a comprehensive contractual agreement. The amount and frequency of the customer's premium payments and the terms of the contract are set out in the contract. It is not an account where funds flow through to other recipients.

Article 15(c) of the draft RTS requires obliged entities to determine whether the customers have additional business relationships with the obliged entity or its wider group, and the extent to which that influences the obliged entity’s understanding of the customers and their source of funds. We would like to point out that Article 20 (1) (c) AMLR does not provide a basis for such a group-wide requirement. Although the measures mentioned in Article 15 shall be taken “risk-sensitive”, there is a great concern that this provision may be interpreted widely.

Currently according to the Austrian AML law, entities within a group are only obliged to share information within the group about customers who were reported to FIUs. A general requirement to share or obtain group-wide information about any customer’s insurance contracts would be massively excessive, not only from the perspective of a risk-based approach but also from the perspective of data protection. Each insurance company within a group is a controller within the meaning of GDPR, and as a basic GDPR rule, customer data and data on insurance contracts is available only for the respective controller. Companies within a group often use different IT-systems which are strictly separated in terms of data protection, IT security, access rights etc., so there is no central “overview” of a customer’s business relationships in a group because this would violate the very basic principles of GDPR. A general requirement for collecting information about a customer’s business relationships from all companies within a group would not only be massively excessive as mentioned above, but would also create enormous difficulties and expenses with regard to the IT systems involved. Therefore, the wording “and its wider group” in this provision should be deleted, i.e. the provision should only apply to business relationships of the obliged entity as provided by Article 20 (1) (c) AMLR.

Composite insurers are active not only in the life insurance sector but also in non-life insurance sector. However, having information about additional business relationships of customers in the non-life sector does not provide relevant insights for obliged entities to better understand customers and their source of funds. In addition, there are legal restrictions to access data from other lines of business within an insurance company. We suggest restricting the inquiry to additional business relationships with the obliged entity that are subject to AML requirements.

Article 25 AMLR requires obliged entities to obtain information on the purpose and intended nature of a business relationship or occasional transaction only if considered necessary. This should be reflected in Article 16 of the draft RTS as well, as it may not be necessary for insurers to collect additional information on the purpose and intended nature of the business relationship under Article 25 AMLR due to the following reasons: Insurance companies are required by existing legislation (e.g. IDD), prior to the conclusion of the of the contract, to collect information about and evaluate the customers’ demands and needs. In addition, in the case of an insurance-based investment product, an appropriateness or suitability test is required and the policyholder's knowledge and experience, financial circumstances, risk tolerance, and loss-bearing capacity are evaluated. In the case of many life insurance products, the purpose and intended nature of the business relationship are self-explanatory (e.g. pension provision, biometric risk coverage, etc.).

Article 16 – Understanding the purpose and intended nature of the business relationship or the occasional transactions

Requirements not in keeping with approach of AMLR

Similar to Article 15, this provision also applies to “occasional transactions.” In our view, it is important to differentiate between a business relationship and a one-off occasional transaction.

As per our comments to Article 15, the requirements of Article 16 draft RTS are not in keeping with the risk-based approach of the AMLR. Article 25 AMLR sets out measures that obliged entities shall take ‘where necessary’. Notwithstanding the use of ‘risk-sensitive measures’ in the opening paragraph, the requirements set out in Article 16 draft RTS are excessive, overly-detailed, and unrealistic for high volume business – and this particularly so in banking, e.g. the ‘anticipated number of transactions’, which is in general not known by the customer

We request that the text be amended to make clear that obliged entities should apply their judgement to form a view on whether any particular measure is necessary in a given situation, and if so, should then assess the extent of information required to obtain an appropriate level of assurance. This would be sensible, proportionate, and in keeping with the risk-based approach chosen by the co-legislators.

Clarity on terms used

When speaking of transactions that are likely to be executed during the business relationship, Article 16 (b) draft RTS cites ‘the category of funds that such transactions relate to’.

When speaking of the destination of funds, Article 16 (d) draft RTS cites the ‘intermediaries used’.

We request that the RTS provide further clarification of the intended meaning of these terms in these contexts.

Regarding lit d in relation to the destination of funds, we suggest that the EBA add, “in relation to the destination of funds, on a risk-sensitive basis, information on the expected types of recipient(s), including information about the jurisdiction where the transactions are to be received, and intermediaries used.”

It should be clearly stated that this passage is based on a risk-based approach.

Clarity regarding ‘key stakeholders’ and other information in Article 16 (e)

Article 16 (e) draft RTS requires obliged entities to obtain information on the business activity or occupation of the customer, which shall include information on the industry, operations, products and services, regulated status, key stakeholders, geographical presence, revenue streams, and (where applicable) employment status.

This information is not straightforward to obtain (even for the customer themselves) and would not significantly impact the customer’s risk profile (e.g., in the case of an employed natural person). Several of the data fields listed also apply only to certain categories of customers. We therefore consider that to require obliged entities to seek to obtain such information would lead to cost without benefit.

We therefore request that the scope of the information to be obtained be significantly reduced, with obliged entities required instead to apply judgment on what information is appropriate to obtain, in accordance with the risk-based approach.

Question 5: Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 17– Identification of Politically Exposed Persons

Clarity regarding SMOs

As per our earlier comments, we request clarification on the treatment of SMOs when no beneficial owner can be identified.

The exposure of beneficial owners to politics and political decision-making may entail a heightened risk of financial crime. But SMOs – who do not own assets, control resources, or offer or stand to benefit from political influence to the same extent as beneficial owners – do not pose equivalent risks.

Applying the same measures to individuals who pose a lower risk as those who present a higher risk would be an inefficient use of resources and would divert attention away from the most significant sources of risk.

Notwithstanding considerations relating to proportionality, following the text of the AMLR, we understand that SMOs are not beneficial owners. This understanding is reinforced by Recital 9 of the RTS, which states ‘[w]hile SMOs are not beneficial owners…’.

Article 20 (1) (g) AMLR only makes reference to the beneficial owner. This is in contrast to Article 22 (2) AMLR, which explicitly makes reference to SMOs. Therefore, we understand that SMOs are not subject to PEP screening. We request that the RTS confirm this understanding.

Clarity regarding ‘manual check’

Article 17 (2) draft RTS requires obliged entities to put in place automated screening tools and measures, or a combination of automated tools and manual checks. We request that the RTS clarify whether inquiring with the client or conducting independent-source research is to be considered a ‘manual check’.

Potential typographical error

Article 17 (1) (b) refers to situations ‘when the obliged entity has any indications that the customer beneficial owner of the customer…’. We assume that there is a missing comma or ‘or’ intended between ‘customer’ and ‘beneficial owner of the customer’. We suggest that this be amended for clarity.

Question 6: Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 18 – Minimum requirement for the customer identification in situations of lower risk

We provided detailed comments on requirements relating to names, place and date of birth, nationalities and statelessness, refugee or subsidiary protection status in our comments on Articles 1 to 4.

We refer the EBA (and other readers) to those comments at this point. We do not consider it necessary to repeat them in full. We do however offer a brief summary of key points to recap the detailed explanation offered earlier in our response.

Names
- to be limited only to those names that appear on identity documents, passports, or equivalents
- to take risk-based decisions on potential variations in transliteration of non-Western names
- for legal entities, to rely on official public registries, or equivalents
Place and full date of birth
- place to be collected only where and as given on ID document
Nationalities and statelessness, refugee or subsidiary protection status
- ability to rely on declarations made by relevant individual
- obliged entities not accountable for inability to discover nationalities or statuses where such are not disclosed by the individual.
‘third country…not less robust’ – a potentially political or controversial decision, best taken by a public authority
‘effectively supervised’ – also a political or controversial decision, as in effect a judgment on the competence of the local competent authority.

Also as noted in our earlier comments, the definition of ‘person purporting to act’ should in case of customers that are legal entities, not include senior management officials or employees of the customer and in general the definition should be restricted to those natural persons that effectively act legally relevant on behalf of the customer vis-à-vis the obliged entity;

Suggested amendment

We suggest that Article 18 (b) draft RTS be amended to read as follows:

for a legal entity and other organisations that have legal capacity under national law, the legal form and registered name of the legal entity including its commercial name and where available other alternate names, in case it differs these differ from its registered name; the address of the registered or official office and the registration number, the tax identification number or the legal entity identifier where applicable available.

Article 19 – Minimum requirements for the identification and verification of the beneficial owner or senior managing officials in low-risk situations

We consider the requirements set out in Article 19 draft RTS to be excessively prescriptive.

As drafted, obliged entities would be required to use a central register or company register to identify the beneficial owner or SMOs (a), and then a confirmatory statement from the customer (b) or publicly available reliable sources of information (c) to verify that information.

We do not consider that such a tiered process is appropriate. We consider instead that an obliged entity should have the choice of taking ‘appropriate measures’ to identify and verify the beneficial owner and SMOs in situation of lower risk, without a limitation to any of the methods mentioned under lit (a) to (c).

The limitation of methods as per lit (a) to (c) would limit obliged entities in particular where, for example, a suggested method is not available at all (e.g. there is no central register or company register). At the minimum, obliged entities should be able to use a combination of (a), (b) and (c), with the exact choice made according to the facts of the situation at hand. We request that the RTS permit such flexibility, the better to promote an efficient and risk-based approach.

We also suggest to expand the scope of Article 19 draft RTS to include persons on whose behalf or for the benefit of whom a transaction or activity is being conducted. To apply full identification and verification requirements on these persons does not appear appropriate in SDD cases. This would also go significantly beyond practice as currently conducted in many member states and would significantly weaken the EU’s competitiveness, without being justified by underlying money laundering or terrorist financing risks.

Suggested amendment

We therefore suggest that the opening sub-paragraph of Article 19 draft RTS be amended to read as follows:

In situations of lower risk, the obliged entity may consult one two or more of the following sources for the identification of, and use another sources from the same list under b. or c. for the purposes of verification of the beneficial owner or the senior managing officials:

Article 20 – Sectoral simplified measures: pooled accounts

Focus on obliged entities

We welcome the possibility to apply SDD for pooled / escrow accounts, as set out in Article 20 draft RTS. However, the focus on customers who are obliged entities themselves limits this possibility unnecessarily.

There are other types of pooled accounts or collective trust accounts (e.g. rent deposit accounts, collective trust accounts of debt collection agencies) which may also be subject to SDD from a risk perspective. We therefore request that the condition set out in Article 20 (a) draft RTS be deleted.

Inclusion of accounts held by non- obliged entities in low-risk cases

There are many cases where non-obliged entities hold (pooled) accounts for their clients which should also benefit from SDD. This applies, for example, for rental deposit accounts, accounts for school classes or (senior) home residents, insolvency administrators or collection agencies.

In all of these cases, only low ML/TF risks exist and in all of these cases, the full identification and verification of the persons on whose behalf or for the benefit of whom the account is set up is not feasible or not possible. Thus, we request that the RTS provide a general possibility to apply SDD measures in such cases. If this is not done, there will be severe damage, both in an economic sense, and for the financial inclusion of certain groups, without adding to the reduction of ML/TF risk.

Clarification on transactions for legal entities

Article 20 AMLR refers to transactions conducted on behalf of a natural person other than a customer but does not address transactions conducted on behalf of a legal entity different from the client. We request that the RTS clarify whether the article applies when the transaction is conducted on behalf of an underlying legal entity.

Potential extension of applicability / inclusion in general CDD section

The article is currently included in the simplified due diligence section and is not applicable to customers rated medium risk. It would be preferable to extend its applicability to customers that do not pose a high risk of ML/TF. This would include medium-risk customers, allowing for a more comprehensive application of due diligence measures.

We suggest to remove the article from the simplified due diligence section and include it in the general CDD section. This would ensure that the requirements are applicable to a broader range of customer risk profiles, not just those classified as low risk.

Request to define ‘third country with an AML/CFT requirements that are not less robust’

If the EBA declines to delete the criterion set out in Article 20 (a), as per our earlier request, we then request that it (or an appropriate authority) issue a list of third countries with AML/CFT requirements that are not less robust that those required by the AMLR. Such a judgment may be politicised or controversial, and as such, may be most appropriately taken by a public authority.

Request to define ‘effectively supervised’

In a similar manner, the decision as to whether a customer is ‘effectively supervised’ could be equally politicised or controversial, as it is possible to interpret the criterion as a requirement to form a judgment on the competence of the local competent authority. Again, given the potential political consequences of such a judgment, such a decision may be most appropriately taken by a public authority.

Clarification of ‘the credit institution is satisfied’

An obliged entity assesses the AML/CFT risk posed by its customer. It does not generally audit the internal workings of its customer. It is therefore unclear how an obliged entity may ‘satisfy’ itself that the customer ‘applies robust and risk-sensitive customer due diligence measures to its own clients and its clients’ beneficial owners’. We request that the RTS clarify how such satisfaction is to be achieved – or that this condition be deleted.

Article 21 – Sectoral simplified measures: Collective investment undertakings

The substance of two of our comments to Article 20 also apply to Article 21. We do not consider it necessary to repeat them in full, but as a brief recap:

Challenge of assessing business relationship risk as ‘low’

We consider the condition set out in Article 21 (c) draft RTS – that is, to judge that the risk associated with the business relationship is ‘low’ – to be problematic and requiring a more nuanced definition.

The business relationship with a collective investment undertaking is a mix of the relationship with the collective investment undertaking itself, and with the relevant investment manager.

If one entity in this pair were rated other than ‘low’, then the overall relationship could be judged to be outside the scope of SDD – even if a more holistic assessment would deem the overall risk to be negligible.

We therefore request that the ‘business relationship’ be better defined, or for the condition in (c) to be deleted.

We also suggest to remove the article from the simplified due diligence section and include it in the general CDD section. This would ensure that the requirements are applicable to a broader range of customer risk profiles, and not just those classified as low risk.

Clarification of wording

The phrase ‘When a collective investment undertaking is acting in his own name’ is misleading. We suggest it be amended to read ‘…collective investment undertaking investor in a collective investment undertaking is acting in his its own name…’.

Article 22 – Customer identification data updates in low-risk situations

Potential ability to reduce frequency of customer identification data updates

There is ambiguity as to whether the frequency of customer identification updates can be reduced to less than every five years when applying SDD.

Article 33 (1) (b) AMLR and Article 22 (1) draft RTS allow a reduction in the frequency of customer identification updates specifically in cases of SDD, without setting a maximum period. However, the reduction of the frequency of customer identification updates beyond five years if applying SDD is not explicitly addressed.

Obliged entities will monitor the relevant circumstances, potential trigger events, and transactions and activities of the customer on an ongoing basis. If a change in circumstances, trigger event or transaction or activity were to occur, obliged entities would conduct a customer identification update. In the absence of such, and where a low-risk relationship continues in a stable manner, permitting obliged entities to reduce the frequency of customer identification updates for low-risk customers would permit more resources to be allocated to more significant sources of risk, in keeping with the risk-based approach.

In line with the overarching guiding principles to have a proportionate and risk-based approach, as well as the focus on effective, workable outcomes, we request that the RTS clarify if such an approach is permissible.

Clarity on customer identification updates

We request that the RTS clarify how firms should perform ‘customer identification updates’. This includes specifying the information that needs to be updated for clients with different risk profiles (high, medium, and low risk), and the frequency of these updates.

How frequently should the relevant circumstances of the customer be monitored to ensure there is no change? (Art 22 (1) (a).

Definition of ‘at all times’

We request that the RTS clarify the concept of ‘at all times’ in the context of customer identification updates. This will ensure that firms understand the expectations for maintaining current and accurate customer information and can implement processes that align with regulatory requirements.

Article. 23 – Minimum information to identify the purpose and intended nature of the business relationship or occasional transaction in low-risk situations

RTS exceeds scope of / removes possibility present in AMLR

Article 33 (1) (c) AMLR allows obliged entities to reduce the amount of information collected to identify the purpose and intended nature of the business relationship or occasional transaction, or to infer it from the type of transactions or business relationship established.

Article 23 draft RTS appears to remove this second possibility by setting out minimum requirements and seemingly requiring the collection of certain information to identify the purpose and intended nature of the business relationship – that is to say, to remove the possibility to infer otherwise granted by Article 33 (1) (c) AMLR.

It is possible that this is inadvertent, and removal is not intended. It is also possible however that supervisory authorities may read it as removing the possibility to infer. In this way, the RTS may remove a possibility the co-legislators chose to include.

We therefore request that the RTS be amended to clarify that that obliged entities may infer the purpose and intended nature of the business relationship or occasional transaction from the nature of the type of transactions or business relationship established.

Clarity regarding ‘risk-sensitive measures’

Article 23 draft RTS requires obliged entities to ‘…take risk-sensitive measures…’. We request that the RTS provide examples of what would constitute such ‘risk-sensitive measures’ in order to ensure shared understanding between industry and supervisory authorities of how this requirement may be fulfilled.

Suggestion to replace ‘source’ with ‘origin’

The ‘risk-sensitive measures’ discussed above are to be applied inter alia to understand ‘…the source of the funds used in the business relationship or occasional transaction…’. We suggest that it would be more appropriate to the majority of intended contexts (and in our reading, would come closer to what we understand the EBA is seeking to achieve) to apply such measures to the origin of the funds in question. We therefore suggest that ‘source’ be replaced by ‘origin’.

Inadequate simplification of measures

Article 23 draft RTS is part of Section 4 on Simplified Due Diligence. As such, it should permit the obliged entity to put in place substantially simplified measures for lower risk situations when compared with those required for standard CDD.

The measures set out in Article 23 draft RTS appear however to be substantively the same as those set out in earlier Articles for standard CDD.

In Article 16 (a) draft RTS (standard CDD), obliged entities are required to obtain information on why the customer has chosen the obliged entities’ products and services (or two other largely equivalent options, which are presented as alternatives via the use of ‘or’). This is substantively repeated in Article 23 draft RTS (SDD).

In Article 16 (b) draft RTS (standard CDD), obliged entities are required to obtain information on the estimated amount of funds to be deposited, with some secondary additional details. In Article 23 draft RTS (SDD), obliged entities are also required to obtain information (‘where applicable’) on the estimated amounts which will flow through the account.

In Article 16 (c) draft RTS (standard CDD), obliged entities are required to obtain information on the activity that generated the funds and the means through which the customer’s funds were transferred. In Article 23 draft RTS (SDD), obliged entities are required to obtain information on the source of the funds.

In Article 15 (b) draft RTS (standard CDD), obliged entities are required to obtain information on how the customer plans to use the products or services provided. This requirement is repeated verbatim in Article 23 draft RTS (SDD).

Given the above and noting that SDD allows greater resources to be dedicated to more significant sources of risk, in keeping with the risk-based approach, we request that the alleviations set out in Article 23 be strengthened to permit genuinely simplified due diligence, the better to ensure efficient allocation of resources to further the fight against financial crime.

Industry-specific wording

The phrase ‘...estimated amounts flowing through the account’ is more appropriate for the banking industry. We suggest however that this wording be tailored to fit the context of the specific industry to which it applies.

Requirement to determine why the customer has chosen the obliged entities’ products and services

Comments on Question 6 from the Insurance Industry:

Sector specific simplified measures for the insurance sector:

The ML / TF risk in the life insurance sector is generally low for the following reasons:

Life insurance is based on a comprehensive contractual agreement. The amount and frequency of premium payments, additional payments, benefits, and surrenders, as well as the term of the contract, are specified in the contract.
Life insurance contracts typically have a term of several decades.
Payments are generally made via bank accounts (often by direct debit), which are also subject to comprehensive provisions to prevent ML/TF, and not in cash.
Payouts are made upon the occurrence of the insured event (survival or death). Prior to payout, the contractually specified beneficiaries are checked according to the existing legislation.
During the term of the contract, no payments are made to the policyholder, except in the case of (lifetime) pension insurance. In the case of single-premium insurance products, no further payments are made by the policyholder. A life insurance contract is not comparable to an account on which transactions with different objectives and purposes take place.
Early surrender is possible under insurance law, but may result in losses, particularly in the early years, due to the business model. In addition, in Austria, early termination of a single premium products may result in significant tax disadvantages.
The average life insurance premium per capita per year in Austria was € 562 in 2023.
In the case of many life insurance products, the purpose and intended nature of the business relationship are self-explanatory: e.g. pension provision, biometric risk coverage, etc.
The business model, legal structure, and the self explanatory purpose of life insurance products show that life insurance contracts are only suitable for GW/TF purposes to a limited extent.

For the insurance sector, it should be explicitly stated in the RTS that sector specific simplified due diligence measures might be applied at least for the following life insurance product types:

Pure risk life insurance products aim solely at providing protection against the risk of a certain event, such as death. These products only pay out against a pre-defined event (e.g. death) and have no investment element. In addition, premiums are usually low and determined by the insurer. That is why they are considered as low risk for ML/TF.
Occupational pension products: Occupational pension products are subject to a comprehensive legal and regulatory framework and are based on entitlements under employment law. The AML / TF risk by legal entities and their beneficial owners can be considered to be non-existent to very low for the occupational pension products. This is generally due to the clear purpose of the insurance benefits (company pension scheme, financing of statutory severance entitlements, etc.), extensive statutory documentation requirements for cash flows and the specific legal requirements for these products. The source of funds for premium payments to the insurance company is based on the business activities of the legal entity. In addition, there are also limits on the amounts that can be paid into certain occupational pension schemes. In Austria, in the case of the occupational group life insurance (BKV), for example, the employer can pay a maximum of up to 10 % of total wages and salaries into either a pension fund and/or an occupational group life insurance. In the context of the Austrian “Zukunftssicherung according to Article 3 para. 1 no. 15 lit. a Austrian Income Tax Act”, the contributions per employee and per year may not exceed EUR 300(!). The premium payments made by the employer for the employee are nonlapsable.
Private pension product: The state-subsidized pension provision in accordance with Article 108g et seq. Austrian Income Tax Act have a precisely defined legal framework with legally limited premium payments as well as a clearly defined purpose, conditions and beneficiaries.
Life insurance contracts with low premium payments: already to date, simplified due diligence measures can be applied to life insurance contracts with a premium volume up to EUR 1,200 per year for regular premium payments and up to EUR 2,500 for a single premium payment in accordance with the current legal provisions on the AML / TF prevention.

Simplified due diligence measures in the insurance sector:

For customers who invest exclusively in life insurance products for which simplified due diligence measures can be applied due to the product characteristics, a balanced consideration of the risk factors should be possible. If the product characteristics of a life insurance product result in a low ML/TF risk, it should be possible to give priority to product-specific over customer-specific risk factors (e.g. PEP characteristics) when assessing the risk.
The measures in Article 22 relating to the regular updating of identification data for low-risk customers seem disproportionate, especially for natural persons (in view of the data concerned, which, barring exceptional circumstances, is not intended to evolve over time). These measures do not follow a risk-based approach and will have an impact in terms of cost and efficiency, consuming means and resources that could be put to better use. Article 26(2) of the AMLR obliges insurers to update customer information every year or every 5 years depending on the risk, whereas Article 33(1) of the AMLR allows to reduce the frequency of customer information updates for business relationships presenting a low degree of risk. Proceeding a customer information update every year or even every 5 years makes little sense for low-risk life insurance contracts (see list above). Such unnecessary updating of customer’s information will be burdensome for the insurance company as well as for the customer. Insurance companies do not have regular contacts with their customers for long-lasting low-risk life insurance products.

Ideally it should be possible to proceed to an update of customer information on an "event-driven" basis (e.g. in the event of risk-relevant contract changes), or prior to payment of the insurance benefit to the beneficiary. The insurer only pays benefits in the event of an insured event or at the end of the contract. Life insurance products are not comparable with other financial products that involve a large number of transactions (in unpredictable numbers and amounts).

In addition, in the case of single premiums, it must be taken into account that periodic updating of customer data / source of funds does not add any value at all, as this is only relevant at the time of the payment of the single premium. This also applies to life insurance policies that are premium-free. As the customer no longer pays any premiums due to the lack of an obligation to pay premiums, the source of funds no longer plays a role here either, meaning that there should be no obligation to update customer data in this regard.

In any case, it should be possible to go beyond the period of 5 years for low-risk situations. According to Article 28(1) of the AMLR, AMLA shall develop draft regulatory standards specifying the type of simplified due diligence measures which obliged entities may apply in situations of lower risk pursuant to Article 33(1) of the AMLR. In this respect, Recital 16 proposed by EBA is extremely worrying. It states that, when reducing the frequency of customer information updates for low risk-situations, the maximum period of 5 years may not be exceeded. For life insurance products, such as pension policies which can last for more than 40 years with very limited customer contact, an update of customers’ information every five years is disproportionate. Such an update should only be triggered on an event-driven basis, as previously explained. Therefore, Recital 16 of the draft RTS should be amended by removing the following part of the second sentence: “without exceeding the maximum period provided in point (b) of Article 26(2) of the Regulation”. It would allow obliged entities to go beyond the current maximum 5-year period for customers’ information update.

Alternatively, if recital 16 cannot be amended as suggested above, it should be clarified the suggested 5-year period for customers’ information update should not be considered as the mandatory maximum for the insurance industry specifically. For the reasons explained above, there should be sector specific simplified due diligence measures specifying that for low risk customers in the insurance sector an update should be possible on an event-driven basis (instead of periodic updates).

Furthermore, as it is clarified in the AMLR, insurers do not have the ability to unilaterally terminate an insurance contract. The requirement to regularly (every one or five year(s)) update the customer's information is not compatible with long-lasting low-risk life insurance contracts (as highlighted above) and may put insurance companies in difficult situations if they are neither able to update such information due to the unresponsiveness of a customer, nor able to terminate the contract. Therefore, in case customers do not respond, it should be clarified in the RTS that customer data should be updated before the payout of benefits at the latest.
Article 23: In the case of many life insurance products, the purpose and intended nature of the business relationship are self-explanatory. Therefore, it should be clarified that the assessment of the purpose and intended nature in these low-risk situations may be based on assumptions about how customers normally use the products concerned or be considered self-explanatory from the contractual agreement entered into with the customer. For example, if a customer takes out a risk insurance, the purpose is to insure the customer’s life and the intended nature is the agreed premiums to be paid in accordance with the agreement.

Article 25 a) concerns verifying the legitimacy of the destination of funds, and Article 25 b) concerns aspects of transactions passing through an account. As a life insurance contract is not an account where funds flow through from/to third parties, these provisions are not suitable for insurance companies.

Article 32

It is very much welcomed and absolutely necessary that there will be a transition period regarding the application of Article 23 (1) of the AMLR for existing customers. However, the wording in Article 32 is incomplete.

On the one hand, the reference to Article 23 (1) of the AMLR is missing, on the other hand it should be clarified that the RTS on customer due diligence measures should not apply earlier than the AMLR. Since the application date of the AMLR is the 10th July 2027, the transition period will end for high risk customers on the 10th of July 2028 and for the other risk classes on the 10th of July 2032 and for low-risk customers in life insurance sector on event-driven basis (see answer to question 6).

Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the daft RTS? Please explain your rationale and provide evidence.

SDD shall be in general possible for lower risk factors, i.e., with regard to customer risk factors such as government agencies, publicly listed entities and their majority owned subsidiaries, or domestic organisations funded by governments, as indicated in Annex II (1) AMLR.

We would welcome details on whether simplified measures can be applied in the KYC update. In some cases, where the client has barely any operations with the entity and presents no risk factors, the update may be based on certain triggers, such as restarting activity or exceeding certain thresholds, rather than every five years. It would be interesting to have more details on the situations in which simplified DD can be applied.

In our view, there should be special accounts for lawyers, notaries, and similar professionals, similar to the provisions in Austria's FMA-Anderkonten-Sorgfaltspflichten-Verordnung, which explicitly outlines simplified due diligence measures.

Question 8: Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 24 – Additional information on the customer and the beneficial owners

Exceeding Level 1 requirements – need for a proportionate, risk-based approach

Article 24 draft RTS should be read in conjunction with Article 34 (4) AMLR, which states that ‘in cases of higher risk … obliged entities shall apply enhanced due diligence measures, proportionate to the higher risks identified, which may include the following measures…’. Appropriate measures which obliged entities may take are then set out in points (a) to (g) of that paragraph.

From this, it is clear that the co-legislators intended obliged entities to follow a proportionate, risk-based approach, tailored to the specific circumstances of each situation. It is also clear that list of measures is illustrative, and it was not intended that all the measures set out be undertaken in every case.

The approach set out in the draft RTS is however very different. The use of ‘shall’ and ‘at least’ in Article 24 is very prescriptive and is not in keeping with the approach chosen by the co-legislators.

We therefore request that the text be amended to make clear that obliged entities may tailor the measures they take, in accordance with the risk-based approach, and do not have to take the measures set out in Article 24 in circumstances where careful analysis leads them to conclude that such measures are not necessary.

Requirement to verify the authenticity and accuracy of information

Article 24 (a) draft RTS states that the additional information obliged entities obtain on the customer and the beneficial owners shall ‘enable the obliged entity to verify the authenticity and accuracy of the information on…[etc]’.

It is not within the power of obliged entities to verify such information to the level of certainty that the text of the draft RTS suggests. We therefore suggest that this requirement would be better set out with language requiring that where necessary, obliged entities take reasonable steps to verify, validate via independent and reliable sources or check the plausibility of the relevant information, rather than verification in the sense of Articles 22 (6) and (7) AMLR.

Scope of investigations and information collection

The requirement in Article 24 (b) draft RTS to obtain information to enable the obliged entity to assess the reputation of the customer and the beneficial owner is unclear. In general, reputational risk is a separate risk category that sits outside of AML obligations. We therefore request that it be removed from the RTS, or at least, be the subject of an adverse media / information search and not full reputational risk assessment.

Request for removal / clarification of ‘past’ business activities

The term ‘past’ business activities in Article 24 (c) draft RTS is vague. It is unclear how far into the past obliged entities would have to perform such an assessment, or the limits of what would and would not be deemed relevant. We therefore recommend that it be deleted from the Article. If this is not accepted, we request that the RTS at least clarify the scope and relevance of ‘past’ activities, as well as whether it is intended to relate to adverse news screening (in which case, guidance would be required to assist with risk rating of the age and seriousness of the negative news).

Risk of clash with tipping off prohibition

The requirement in Article 24 (d) draft RTS when criminal activity is suspected to obtain additional information on relatives and close associates could clash with the prohibition against tipping off. While it may be appropriate (and expected) for a PEP, it would be highly unusual – and likely serve as a warning – in other circumstances. As with other aspect of the draft, it also appears to have been written with retail banking in mind, and is less appropriate for wholesale contexts.

If this requirement is taken forward, we request that the RTS clarify how obliged entities may apply this requirement in the wholesale context, and how they may comply with the provision without breaking the tipping off prohibition.

Potential focus on retail business

The requirement in Article 24 (d) draft RTS appears to have been drafted with retail business in mind. It may not however be practical for wholesale contexts, where obtaining information on a beneficial owner's family members could involve multiple layers below the client entity in the ownership chain.

We therefore request that the RTS clarify how the requirement should be interpreted for entities in the wholesale sector and specify how this information is to be collected.

Article 25 – Additional information on the intended nature of the business relationship

Exceeding Level 1 requirements – need for a proportionate, risk-based approach

Article 25 draft RTS should be read in conjunction with Article 34 (4) AMLR, which states that ‘in cases of higher risk … obliged entities shall apply enhanced due diligence measures, proportionate to the higher risks identified, which may include the following measures…’. Appropriate measures which obliged entities may take are then set out in points (a) to (g) of that paragraph.

The approach set out in the draft RTS is however very different. The use of ‘shall’ and ‘at least’ in Article 25 is very prescriptive and is not in keeping with the approach chosen by the co-legislators. We therefore request that the text be amended to make clear that obliged entities may tailor the measures they take, in accordance with the risk-based approach, and do not have to take the measures set out in Article 25 in circumstances where careful analysis leads them to conclude that such measures are not necessary.

Requirement to verify legitimacy of the destination of funds and expected number (etc.) of transactions

Article 25 (1) (a) and (b) draft RTS states that the additional information obliged entities obtain on the intended nature of the business relationship shall enable them to ‘verify the legitimacy of the destination of funds’ and ‘verify the legitimacy of the expected number, size, volume and frequency of transactions that are likely to pass through the account, as well as their recipient’.

Clarification on information sources

The suggestion in Article 25 (1) (a) that the information obliged entities are to obtain ‘may include information from authorities and other obliged entities’ raises questions as to whether this language allows or expects firms to approach former or other banks of the client to enquire about customer behaviour and products.

We request that the RTS clarify whether this language is intended to create an expectation that obliged entities reach out to other entities for EDD – and whether there is an obligation for obliged entities to respond to such requests.

Article 25 (1) lit a “a. enable the obliged entity to verify the legitimacy of the destination of funds, which may include information from authorities and other obliged entities;”

we suggest that the EBA delete this added part.

Risk-based approach for SMOs identified as beneficial owners

We request that the RTS clarify that where SMOs are identified as beneficial owners, gathering detailed information on such individuals should be conducted in accordance with the risk-based approach. This will ensure that due diligence efforts are proportionate to the actual risk posed.

Impact on transaction processing

We note that that conducting due diligence on a transaction-by-transaction basis is likely to lead to delays in fast payments, increased costs, and a reduction in operational efficiency. Noting that EU authorities are working to increase the speed of payments – and are setting requirements for banks and other payment service providers to this end – we request that the RTS consider the consistency of requirements set by the official sector and take account of other policy ambitions which seek to benefit the EU economy.

Article 26 – Additional information on the source of funds, and source of wealth of the customer and of the beneficial owners

Exceeding Level 1 requirements – need for a proportionate, risk-based approach

Article 26 draft RTS should be read in conjunction with Article 34 (4) AMLR, which states that ‘in cases of higher risk … obliged entities shall apply enhanced due diligence measures, proportionate to the higher risks identified, which may include the following measures…’. Appropriate measures which obliged entities may take are then set out in points (a) to (g) of that paragraph.

The approach set out in the draft RTS is however very different. The use of ‘shall’ in Article 26 is very prescriptive and is not in keeping with the approach chosen by the co-legislators. We therefore request that the text be amended to make clear that obliged entities may tailor the measures they take, in accordance with the risk-based approach, and do not have to take the measures set out in Article 26 in circumstances where careful analysis leads them to conclude that such measures are not necessary.

Requirement to verify that the source of funds or source of wealth is derived from lawful activities

Article 26 draft RTS states that the additional information obliged entities obtain on the source of funds, and source of wealth of the customer and of the beneficial owners, shall enable them ‘to verify that the source of funds or source of wealth is derived from lawful activities’.

Focus on retail business

The possibilities set out in Article 26 (1) (a) to (g) appear largely to be focused on retail banking. Most of the documentation listed is unlikely to be appropriate for the wholesale context.

We note the potentially broad scope of the term ‘any other authenticatable documentation’ in (g). In a wholesale banking context, however, a credible and comprehensive source of wealth narrative may often be corroborated through publicly available information, such as reputable media publications. Additionally, where a client has a long-standing relationship with the obliged entity – typically exceeding ten years – detailed notes from the Accountable Client Owner (ACO), or their delegate, may serve as sufficient evidence, provided they include appropriate narrative, rationale, and context demonstrating the ACO’s knowledge of the client.

We therefore recommend that the RTS be amended to clarify this or, alternatively, that the list be removed and replaced with the substance of (g).

Paper-based requirements vs. digitalisation

The draft requirements appear to emphasise paper-based process, with reference to ‘certified copies’ or documents ‘signed by the employer’. This appears to be at odds with the EU’s efforts to reduce bureaucracy and promote digitalisation through various omnibus laws.

Wholesale banks support these efforts, and note the positive impact on the environment and improved security the shift to digital documentation will offer. With this in mind, we request that the RTS consider other EU policy ambitions, including expected omnibus legislation seeking to promote digitalisation.

Applicability to SMOs as beneficial owners

Source of wealth checks for SMOs where these are treated as quasi (fictitious) beneficial owners would not be appropriate in this context, would infringe on the privacy of the individuals in question, and would not advance the fight against financial crime.

We therefore request that the RTS clarify that source of wealth checks are not required for SMOs.

Art. 27 – Additional information on the reasons for the intended or performed transactions and their consistency with the business relationship

Exceeding Level 1 requirements – need for a proportionate, risk-based approach

Article 27 draft RTS should be read in conjunction with Article 34 (4) AMLR, which states that ‘in cases of higher risk … obliged entities shall apply enhanced due diligence measures, proportionate to the higher risks identified, which may include the following measures…’. Appropriate measures which obliged entities may take are then set out in points (a) to (g) of that paragraph.

The approach set out in the draft RTS is however very different. The use of ‘shall’ and ‘at least’ in Article 27 is very prescriptive and is not in keeping with the approach chosen by the co-legislators. We therefore request that the text be amended to make clear that obliged entities may tailor the measures they take, in accordance with the risk-based approach, and do not have to take the measures set out in Article 27 in circumstances where careful analysis leads them to conclude that such measures are not necessary.

Requirement to verify the accuracy of the information for why the transaction was intended or conducted

Article 27 (a) draft RTS states that the additional information obliged entities obtain on the reasons for the intended or performed transactions and their consistency with the business relationship shall enable them to ‘verify the accuracy of the information for why the transaction was intended or conducted including the legitimacy of its intended outcome’.

Clarity of expectations and terms

It is unclear how obliged entities should validate the ‘customer’s turnover’, or whether ‘assets representing higher risks’ (both in Article 27 (b) draft RTS) is intended to mean assets domiciled in or coming from high risk third countries. We request that the RTS clarify the intended meaning and expectations related to and arising from these terms.

We also note the use of the term ‘intermediaries’ in Article 27 (c) draft RTS. We request that the EBA clarify whether this term is intended to refer to transaction execution, and thus to payment service providers (which are not always known and not relevant for ML/TF), or to intermediaries in the broader economic sense.

Requirement to assess ‘legitimacy’

Article 27 (a) draft RTS suggests that obliged entities should verify the ‘legitimacy of [a transaction’s] intended outcome’. Article 27 (c) draft RTS suggests that obliged entities should verify ‘the legitimacy of the parties involved’.

An activity may be lawful or unlawful, and obliged entities rightfully look for evidence of any activity that may be unlawful. It is not however for obliged entities to take a view on whether a transaction is ‘legitimate’. We therefore request that the word be removed, or amended (perhaps to ‘legality’ or ‘lawfulness’), to clarify the EBA’s intentions.

Requirement to obtain a deeper understanding – potential clash with tipping off prohibition

The requirement in Article 27 (d) draft RTS to obtain a deeper understanding of the customer or the beneficial owner, including of relatives or close associates, is unlikely to be relevant in the wholesale context. Any outreach to this end could also serve as a warning – and thus risk breaching the tipping off prohibition.

If this requirement is taken forward, we request that the RTS clarify that wholesale entities should proceed according to the risk-based approach and explain how obliged entities may comply with the provision without breaking the tipping off prohibition.

Suggested alternative

We propose two alternatives for Article 27. In the first instance, we propose new text to set out requirements more in keeping with the risk based approach which take into account that what is complex or unusual depends on the particular circumstances of the obliged entity, the customer, and the situation at hand:

Article 27 – Additional information or assessment on the reasons for the intended or performed transactions and their consistency with the business relationship.

The additional information obliged entities obtain on the reasons for the intended or performed transactions and their consistency with the business relationship, in accordance with Article 34(4) point (d) of Regulation (EU) 2024/1624 shall enable the obliged entity to:

determine the transaction activity and whether this activity is consistent with the expected behaviour for this customer or category of customers
determine whether transactions that are assessed by the obliged entity to be complex or unusually large follow a suspicious pattern without any apparent economic or lawful purpose

Question 9: Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article 28 – Screening of customers

Alignment with EBA work already produced and implemented

We recommend that the points that the EBA covers in Articles 28 and 29 draft RTS be aligned with existing EBA Guidelines on internal policies, procedures, and controls to ensure the implementation of Union and national restrictive measures under Regulation (EU) 2023/1113 (EBA/GL/2024/15).

Focus on Relevant Screening

Article 28 draft RTS requires screening of customers and ‘all the entities or persons which own or control such customers’. This could suggest screening all intermediary layers between the UBO and the customer. This would not lead to effective use of scarce resource.

We request that screening be limited to relevant layers, such as the direct shareholder and the ultimate parent entity, or based on a percentage of ownership. This approach would focus efforts on meaningful control and ownership and would be in keeping with the risk-based approach evident in the Level 1 text.

Article 28 of the draft RTS states that obliged entities shall apply screening measures to their customer and to ALL the entities or persons which own or control such customers. However, based on Article 20(1)(d) of Regulation (EU) 2024/1624, not ALL owners need to be screened, but only insofar to confirm that not 50% are owned by sanctioned persons. Therefore, we would suggest clarifying and amending Article 28 of the draft RTS that not ALL owners (e.g., with minority shares) need to be screened (e.g., if information is not available).

Article 29 – Screening requirements

Alignment with EBA work already produced and implemented

Consistency of terms

We note that Recital 3 draft RTS refers to the ‘transcription’ of names, which we interpret to be broad in scope, and that Article 29 (a) draft RTS refers to the ‘transliteration’ of names, which we interpret to refer to the conversion of text from one script to another.

Similarly, Article 29 (a) draft RTS refers to ‘trade names’, whereas Articles 1 and 18 refer to ‘commercial name’ and ‘registered name’.

If particular nuances are intended in this Article, we request that the RTS clarify these.

Clarity on screening requirements

Article 29 (a) draft RTS requires screening of first names, surnames, and date of birth for natural persons. Noting that date of birth is not always included in listings of sanctioned persons, we request that the RTS clarify whether the date of birth should be used in the screening match process, or only in alert management to confirm true hits. We suggest that it may be preferable to remove date of birth from initial screening requirements.

Importance of maintaining acceptability of transliteration

We note that Article 29 (1) (a) and (b) require names to be screened ‘…in the original and/or transliteration of such data…’. We interpret the use of ‘and/or transliteration’ to mean that transliterated forms can be used for screening and the use of original forms (in non-western scripts) is not required to comply with this Article.

For banks with international clients, the names of customers are frequently not in non-Latin scripts in the native language. In such cases, the banks’ systems record only the Latin transliteration. Different transliteration variants (e.g Aleksey or Aleksej for the Russian name Алексей) are covered by fuzzy logic in the screening process. Furthermore, external list providers such as Worldcheck or Bloomberg usually provide several transliteration variants to be screened against. If one were to require the screening of customer names in their original literation, an extensive and costly adaptation of the core banking system and an extension of the screening software would be necessary.

Screening customer names in their original literation is therefore neither required nor (given the significant additional efforts and costs) proportionate. As stated above, capturing the customer's name in its transliteration is sufficient to ensure the detection of a sanctioned customer. The capture of different transliteration variants is ensured through fuzzy logic and extended sanctions list delivered by external providers.

In reviewing this Article, we request that the EBA maintain the ability to fulfil the requirement through screening transliterated names and do not amend to require screening solely in the original script.

Compatibility with Single Euro Payment Area instant screening

Article 29 (c) draft RTS sets a minimum standard that may not be compatible with the SEPA Instant Payments Regulation, which requires immediate and frequent screening (at least once a day). We therefore request that the reference to ‘undue delay’ in Article 29 (d) draft RTS be further defined to align with SEPA Instant Payments Regulation requirements.

On a broader note, and although beyond the scope of this consultation, we request that the Commission work towards aligning the Instant Payment Regulation and sanctions requirements as stipulated in other legal sources. This alignment would ensure consistency and efficiency in compliance processes across different regulatory frameworks.

No obligation for UBOs to inform of change of residency / nationality

Article 29 (c) (iii) draft RTS requires that obliged entities screen their customers and beneficial owners regularly, at least in the following situations:

[…]

iii. if significant changes occur in the customer due diligence data of an existing customer, or beneficial owner, such as but not limited to change of name, residence, or nationality or change of business operations.

UBOs (and SMOs) by extension) are under no obligation to inform banks of a change of residency or nationality. This requirement introduces a complexity that is unhelpful. We therefore request that the specific examples cited be removed.

Definition of beneficial ownership

A literal reading of Article 29 (a) (iv) draft RTS may exclude screening of related parties (e.g., directors) other than beneficial owners. We request that the RTS provide a clear definition of ‘beneficial ownership’ in this context to ensure comprehensive screening.

Re-drafting suggestions

Given the points above, we propose that the text be amended as follows:

Article 29 draft RTS (selected)

‘(a)(i). in the case of a natural person: all the first names and surnames, in the original and/or transliteration of such data; and date of birth;

…

(a)(iv). in the case of a legal person: beneficial ownership information, in accordance with Article 51 Regulation (EU) 2024/1624.

…

(c) (iii) if significant changes occur in the customer due diligence data of an existing customer, or beneficial owner, such as but not limited to change of name, residence, or nationality or change of business operations.

(d). ensure the screening as well as the verification is performed using updated targeted financial sanctions lists without undue delay in accordance with Regulation (EU) 2024/886."

Article 29c.i. of the draft RTS states that screening of customers and beneficial owners should at least take place, among other situations, before performing an occasional transaction. We would like to highlight that in case of daily screening of the customer base an additional screening before a transaction is being performed does not significantly increase the likelihood of identifying a sanctioned person.

Article 29c.iii. The draft RTS states that screening of customers and beneficial owners should at least take place if significant changes occur in the customer due diligence data of an existing customer, or beneficial owner, such as but not limited to a change of name, residence, or nationality or a change of business operations. We would kindly ask to clarify what is meant by “significant changes”. We would like to highlight that in case of many designations, for example, neither the nationality nor the business operations are stated in the targeted financial sanctions lists. In light of that, also a change of these parameters cannot constitute a “significant change”, and, therefore, Article 29c.iii. of the draft RTS should be limited to “change of name” (e.g., a renewed screening of the customer with updated nationality does not bring any benefit, if the nationality is not stated in the targeted financial sanctions list in the first place).

Question 10: Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Article. 30 – Risk reducing factors

Varying weight to be attributed to factors

We request that the EBA provide clarification as to which of the listed factors can be considered sufficiently consequential when present alone, and which should be combined with others.

For the factors listed, we make the following comments:

we suggest either that this should be considered in combination with a rule guaranteeing the non-accumulation of transactions, or at least, that that this should not be considered as sufficient when present as a single factor
[no comment]
it is unclear how the absence of charge is thought to lower the risk.
this should not be considered as sufficient when present as a single factor
this should not be considered as sufficient when present as a single factor
there is no incentive to have an exemption after the KYC has already been completed
this should not be considered as sufficient when present as a single factor (consider for example the risk posed by an instrument with a coupon with a very high value and a time limit)
this should not be considered as sufficient when present as a single factor
there is no incentive to have an exemption after the KYC has already been completed
if electronic money is created, it will only be valid at EU level. Inconsistent under the exemption
this should not be considered as sufficient when present as a single factor.

Question 11: Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)? If you do not agree, please explain your rationale and provide evidence of the impact this section would have, including the cost of compliance, if adopted as such?

Art. 31 – Electronic identification means and relevant qualified trust services

Clarification regarding use of electronic means in a face-to-face context

Electronic identification means can also be used for the verification of the customer in a face-to-face context. We request that this be made explicit in this article.

Article 31 (1) and Annexe I: Are not all of the customer´s full names and surnames required as defined in Section 1, Article 1 (1)? Please specify.

Question 1: Do you any have comments or suggestions regarding the proposed list of indicators to classify the level of gravity of breaches sets out in Article 1 of the draft RTS? If so, please explain your reasoning.

In our view, Article 1 para h, k should be aligned as much as possible with SREP process.

Question 2: Do you have any comments or suggestions on the proposed classification of the level of gravity of breaches sets out in Article 2 of the draft RTS? If so, please explain your reasoning.

No comments.

Question 3: Do you have any comments or suggestions regarding the proposed list of criteria to be taken into account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please explain your reasoning.

It should be clarified that general mitigating factors as stipulated in criminal law are applicable in addition to those factors listed in Art 3.

It should also be explicitly listed as a mitigating factor that should lead to a decrease of the level of pecuniary sanctions if the natural or legal person held responsible proactively engages in financial crime-related PPP models and other initiatives to improve the effectiveness and efficiency of AML/CFT on national or supranational level, e.g. cooperation with the supervisor and/or the FIU to clarify regulatory requirements, to improve processes and standards or the AML/CFT-related cooperation between public and private sector.

Question 4: Do you have any comments or suggestions of addition regarding what needs to be taken into account as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article 4(6) of the draft RTS)? If so, please explain.

no comments

5a: restrict or limit the business, operations or network of institutions comprising the obliged entity, or to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?

no comments

5b: withdrawal or suspension of an authorisation as referred to in Article 56 (2) (f) of Directive (EU) 2024/1640?

no comments

5c: require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU) 2024/1640?

no comments

Question 6: Which of these indicators and criteria could apply also to the non-financial sector? Which ones should not apply? Please explain your reasoning.

no comments

Question 7: Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards the naturals persons that are not themselves obliged entities and in particular as regards the senior management as defined in AMLR? If so, please provide your suggestions.

no comments

Question 8: Do you think that the draft RTS should be more granular and develop more specific rules on factors and on the calculation of the amount of the periodic penalty payments and if yes, which factors should be included into the EU legislation and why?

no comments

Question 9: Do you think that the draft RTS should create a more harmonised set of administrative rules for the imposition of periodic penalty payments, and if yes, which provisions of administrative rules would you prefer to be included into EU legislation compared to national legislation and why?

no comments

Name of the organization

Austrian Federal Economic Chamber, Division Bank and Insurance