Response to consultation on RTS on CCP to strengthen fight against financial crime

Go back

Question 1: Do you agree with the criteria for a requirement to appoint a Central Contact Point (CCP)? In particular, • do you agree that it is proportionate to require the appointment of a CCP where - the number of establishments is equal to, or exceeds, ten; or - the amount of electronic money distributed and redeemed, or the value of the payment transactions executed by such establishments is expected to exceed EUR 3 million per financial year or has exceeded EUR 3 million in the previous financial year? If you do not agree, clearly set out your rationale and provide supporting evidence where available. Please also set out at what level these thresholds should be set instead, and why. • do you agree that Member States should be able to - require all institutions, or certain categories of institutions, to appoint a CCP where this is commensurate with the ML/TF risk associated with the operation of these institutions’ establishments on the Member State’s territory; and - empower competent authorities to require an institution to appoint a CCP where they have reasonable grounds to believe that the establishments of that institution present a high money laundering and terrorist financing risk, even if the criteria in Article 3 (1) and (2) of these draft RTS are not met. If you do not agree, clearly set out your rationale and provide supporting evidence where available.

It is important to recognize the rationale for these RTS. It is to ensure that Member States only require the appointment of a CCP that is “proportionate” to the money laundering and terrorist financing risk, and that Member States adopt a “consistent” approach. When setting and then implementing these criteria we need to make sure that EBA and Member States take into account the risks mentioned in the Supra National Risk Assessment drafted by the European Commission.
Please could you provide details of the risk assessment supporting the proposed criteria/thresholds?

It would be helpful if the EBA were to clarify the concept of establishment as depending on the Member States this could be interpreted in a different way.

We agree with the principle of CCP but it is crucial that EBA provides also guidance to Member States on the form of the CCPs as different approach will be detrimental for the single market and for competition. The principle of the CCP should not lead Member States to establish obligations similar to those of locally authorized entities.

We understand that EBA is not mandated by the level 1 text to opine on the form of the CCP; however, EPIF would encourage the EBA to set out some guidance as to the form the CCP should take in order to avoid a situation where host countries reintroduce requirements that have already been imposed in the home country, thus destroying the benefits of passporting and the single market. It would be counter to the intention of the legislation for the member states to introduce a ‘form’ requirement that stated that the CCP has to be a legal/corporate entity.

Further it is clear that the demarcation between ‘form’/‘function’ and criteria for appointment is not as clear as it might be. There is room for manoeuvre for the EBA to set out helpful guidance on function that may have implications for ‘form’

EPIF also want to avoid over-reach by the Member States. Member States should not be able, for example, to require any corporate structure that would create a tax liability in country. We also want to avoid over-reach by the Member States. Member States should not be able, for example, to require any corporate structure that would create a tax liability in country. In addition, we would be concerned if the RTS on CCPs were to unintentionally lead to more compliance people being required in each country and country-by-country regulation

The EBA seems to be of the opinion that it is not mandated by the Level 1 text to opine on the form of the CCP. EPIF does not necessarily share this assessment. At a minimum, it would be helpful for the EBA to at least issue guidance in this area so as to promote more cross-border certainty for industry.

More importantly, EPIF will seek to get further legal certainty as to the EBA’s competences in the Level 1 text. In this regard we feel encouraged by an important recent precedent.

We understand that during the last Council Working Group meeting of the 5th AML Members States agreed to change the Level 1 text of the 4th AML Directive (the Level 1 text you are basing yourself on) in order to extend the mandate of the EBA so is able take into account current FATF guidance. We would hope the European Parliament will follow suit.

The form the CCP will take is critical as it determines the scope and costs associated with compliance. There is a danger that the fundamental right to provide services cross border is undermined if MS have unfettered freedom as to how the CCP should be set up. For example, some in-country requirements would risk triggering tax liabilities and consequently would not only damage the single market concept but could deter cross border provision of services. As with the EBA RTS on SCA, results orientated approach would be preferable, whereby the PI is tasked with regulatory compliance but can decide on how to best to achieve this, as explained further below.
• Level playing field: If a MS chooses to have CCPs, it shall oblige all issuers of electronic money and payment service providers (‘obliged entities’) established in its territory so as not to distort competition between the obliged entities in that market and to avoid regulatory arbitrage.
Also, FinTech companies providing services on a cross border digital basis should be brought within the provisions. Otherwise, PIs with an agent structure are discriminated against. It would act as a significant disincentive to provide cross-border services with physical locations. It is recognised by FATF and the UN that it is desirable to have a regulated remittance sector rather than to drive monies under-ground, and the measures should reflect this overall goal.
• Geographical flexibility: As long as the obliged entities provide a contact person/point which possesses the necessary capability and knowledge of local AML/CFT requirements to each host country competent authority, the intended purpose of Article 45 (9) has been addressed. From an EU Single Market and a proportionality perspective, it should not be made mandatory to have the CCP physically located in the host country, as long as it is ensured that the CCP is available to meet with local authorities upon request at a reasonable notice. The CCP for a given host country could for instance be physically located in a neighboring Member State and thus serve as CCP for more than one country (e.g. regional centres of excellence).
• Language flexibility: the CCP should be allowed to communicate with home and host state regulators in English in order to facilitate information sharing within the EU supervisory community. Passporting notifications and other PSD related communication (e.g. agent notifications) between supervisory authorities are already done in English, so there is an established practice to be built upon.
• Affiliation: the CCP should not be required to be directly employed by the obliged entity as this would stand in conflict with market practices of EU wide operating groups whereby certain functions are being outsourced to affiliated group entities or third parties (such as temporary personnel placement providers, unaffiliated agents, professional service firms, etc.). Again, we would recommend a results orientated approach, with companies having the ability to achieve the result in the most efficient way possible.

Question 2: Do you agree that the functions a CCP must always have are necessary to ensure that • the CCP can ensure, on the appointing institutions’ behalf, establishments’ compliance with the host Member State’s AML/CFT requirements? • Facilitate supervision by the host Member State’s competent authorities? If you do not agree, please explain which functions you think the CCP should have, and why.

As to the functions, the requirements should be proportionate keeping the principle of CCP and not matching the requirements of the Home State Country which would be contradictory with the passporting rights. For example, providing data cannot be done immediately, asking for immediate information would dramatically increase the costs for infrastructure and IT creating duplication of the systems and ultimately changing the business models. EBA should introduce a provision limiting the Members States discretion and reminding the passporting rights.

As to the personal liability, the primary purpose of the CCP should be to facilitate communication and compliance. The CCP should not have any personal liability as this is merely a contact point. Liability should remain with the entity’s pre-approved control functions (directors and senior management). The CCP set up should respect the spirit of the PSD. . It is also clear under AMLD4 that any RTS obligation imposing personal liability would be disproportionate and ultra vires

“Article 45.9.: … to appoint a central contact point in their territory to ensure, on behalf of the appointing institution, compliance with AML/CFT rules and to facilitate supervision by competent authorities, including by providing competent authorities with documents and information on request. “

“Recital 50:
Where Member States require issuers of electronic money and payment service providers which are established in their territory in forms other than a branch and the head office of which is situated in another Member State, to appoint a central contact point in their territory, they should be able to require that such a central contact point, acting on behalf of the appointing institution, ensure the establishments' compliance with AML/CFT rules.
They should also ensure that that requirement is proportionate and does not go beyond what is necessary to achieve the aim of compliance with AML/CFT rules, including by facilitating the respective supervision.”


On-site inspection of the agents established in the host Member State:
- the Payment Institution itself, as part of its authorisation and license conditions, will manage offsite and onsite audits. PSD2 Art 5(1)(l) says that as part of the authorisation process the Payment Institution must provide a “description of the applicant’s structural organisation, including, where applicable, a description of the intended use of agents and branches and of the off-site and on-site checks that the applicant undertakes to perform on them at least annually, as well as a description of outsourcing arrangements, and of its participation in a national or international payment system”.
- The CCP should be able to manage country level reporting to the regulator but it is not necessary for the CCP to conduct its own additional offsite or onsite audits or investigations. An attempt to impose an on-site inspection requirement would realistically lead to host country structures involving teams of people – again deviating significantly from the single market goal and fundamentally changing the cost structure of business (and therefore the incentives to conduct busines cross border). It would also stop the Payment Institution from developing centres of excellence whose task it is to conduct the annual checks.
o Member States are left with broad discretion to add in requirements for CCPs. The functionality should be ring-fenced to the extent possible, as MSs have indicated their readiness to go back to regulating on national lines, in disregard for the home/host structure set up under PSD2. Furthermore, a stated aim of the RTS is harmonization – if the MSs are given discretion to add functionality, this aim cannot be achieved as it will undoubtedly lead to an uneven playing field.

Question 3: Do you agree that CCPs should be required to fulfil one or more of the additional functions in Article 6 of these draft RTS where this is commensurate to the ML/TF risk associated with the operation of establishments other than a branch on the host Member State’s territory? If you do not agree, clearly set out your rationale and provide supporting evidence where available. Please also set out whether you think that these additional functions should be core functions instead, and if so, why.

o The principles above mentioned are also applicable to respond to this question.
o Member States are left with broad discretion to add in requirements for CCPs. The functionality should be ring-fenced to the extent possible, as MSs have indicated their readiness to go back to regulating on national lines, in disregard for the home/host structure set up under PSD2. Furthermore, a stated aim of the RTS is harmonization – if the MSs are given discretion to add functionality, this aim cannot be achieved as it will undoubtedly lead to an uneven playing field.

EPIF is very clear that any additional functions should be very strictly commensurate and proportionate with the level of risk.

The risk is that introducing too many additional functions again risks fragmenting the single market and the principle of passporting by providing for a multiplicity of regulators rather than allowing for companies to operate and benefit from the single market.
As discussed in the EBA Hearing of 21 April, the current wording does not ring fence MS discretion, but is drafted in a way that would allow Member States to add functionality. We would advise to delete this and replace it with review wording (see below) or significantly tightened:
• Instead of giving Member States discretion to add functionality for the CCP, the EBA should set up a review procedure after 6 months or 1 year on the scope and suitability of the tasks of the CCP.
• If this is not possible, the RTS should make it clear that MSs may only in very exceptional circumstances, and in cooperation with the EBA, add functionality. CCPs should not be required to execute operational compliance tasks – companies should be allowed to continue to organize this in the most efficient way possible. The current wording specifically allows for operational compliance tasks to be added and we would advise that this should be deleted.

Question 4: What level of resource (financial and other) would be required to comply with these RTS? Please differentiate between one-off (set-up) costs and ongoing (running) costs. When providing your answer, please consider that the ESAs’ mandate in Article 45(10) of Directive (EU) 2015/849 does not extend to determining the form a CCP should take.

At this stage, we can’t provide an indication on the level of resource as the two issues raised, the form of the CCP and the functions, will be key to make this assessment.

As currently drafted, this RTS places a very significant financial burden on companies that are within scope. It would be contrary to the principle of passporting, the single market and subsidiarity to provide for RTS that require businesses to replicate the same workforces in every country in which they operate. Further it would prove detrimental to their ability to compete in the global marketplace of payment services.
Given that the EBA has indicated that the majority of companies are out of scope, it is also clear that the RTS will impact competitiveness of companies that are in scope. Having a first rate compliance organization will no longer be a competitive advantage – it will be a significant mandated cost that causes companies to struggle to be as competitive as companies out of scope.

At this stage, we can’t provide an indication on the level of resource as the two issues raised, the form of the CCP and the functions, will be key to make this assessment.

As currently drafted, this RTS places a very significant financial burden on companies that are within scope. It would be contrary to the principle of passporting, the single market and subsidiarity to provide for RTS that require businesses to replicate the same workforces in every country in which they operate. Further it would prove detrimental to their ability to compete in the global marketplace of payment services.

Given that the EBA has indicated that the majority of companies are out of scope, it is also clear that the RTS will impact competitiveness of companies that are in scope. Having a first rate compliance organization will no longer be a competitive advantage – it will be a significant mandated cost that causes companies to struggle to be as competitive as companies out of scope.

Name of organisation

European Payments Industry Federation EPIF