Primary tabs

European Banking Federation

PLEASE SEE ALSO THE EBF COMMENTS IN THE ENCLOSED FILE

I. GENERAL REMARKS

1. Scope of the draft ESA RTS

The scope of the draft European Supervisory Authorities RTS (RTS) is not sufficiently clear.
The definition of the scope, i.e. the “third countries” whose laws may lead to the need to follow the RTS appear to be different in the Executive Summary, the Preamble and the draft Delegated Regulation text. The draft Delegated Regulation Text, the Executive Summary and the Preamble should be coherent. It should further be coherent with the definition in Art. 45 (3) Directive (EU) 2015/849:
‘Member States shall ensure that where obliged entities have branches or majority-owned subsidiaries located in third countries where the minimum AML/CFT requirements are less strict than those of the Member State, their branches and majority-owned subsidiaries located in the third country implement the requirements of the Member State, including data protection, to the extent that the third country's law so allows’.

And take sufficiently into account Art. 8 (3) and (4) of Directive (EU) 2015/849:
1) “Member States shall ensure that obliged entities have in place policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified at the level of the Union, the Member State and the obliged entity. Those policies, controls and procedures shall be proportionate to the nature and size of the obliged entities”.
2) “The policies, controls and procedures referred to in paragraph 3 shall include: (a) the development of internal policies, controls and procedures, including model risk management practices, customer due diligence, reporting, record-keeping, internal control, compliance management including, where appropriate with regard to the size and nature of the business, the appointment of a compliance officer at management level, and employee screening.”

This being said, it would be necessary for the RTS draft to establish:
o The requirements to be considered when comparing the regulation of the parent company and the third country to determine if the regulation of the third country establishes measures equivalent to the European Regulation. Questions arise as to whether the requirements to be compared are those set out in the European Directive, or whether, on the contrary, the requirements as transposed to the local rules of the member country.
o What aspects and to what level of detail should the group-wide policies and procedures be analyzed in order to determine that certain country’s law does not permit the implementation of the mentioned policy or procedure:
- From the reading of articles 4 and following of the RTS draft, it could be understood that the requirements to compare are those related to the five operations for which the RTS establishes additional rules (individual risk assessment, access to information of customers, operations transfer of data to Member States and recording of data). However, it would be desirable to clarify the level of detail required in the comparison that should be made.
- Whether the comparison should be made at the general obligation level (is there a KYC policy?) or at a specific obligation level (is there a KYC policy with the same requirements as those laid down in European or local regulations? i.e., the identification of the beneficial owner above a certain percentage).

Regarding the present inconsistency of the RTS “third country” definition:
According to the Executive Summary, point 2, the RTS should apply to “third countries” in circumstances where a group operates branches or majority-owned subsidiaries in:
3) “a third country whose law does not permit the implementation of group-wide AML/CTF policies and procedures”; “and”
4) “in situations where the ability of competent authorities to supervise the group's compliance with the requirements of Directive (EU) 2015/849 is impeded because competent authorities do not have access to relevant information held at branches or majority-owned subsidiaries in third countries”.
Again, both alternatives are mentioned in paragraph 3 and 4 of the introductory remarks. It remains unclear, whether these requirements are to be understood cumulative or alternative.
In contrast, according to Article 1 the RTS defines the scope of the RTS only to be applicable with regard to third countries
“where a third country's law prevents the implementation of group-wide policies and procedures […]”.
This definition of the scope of the RTS in Article 1 corresponds to the definition of the particular third countries the RTS is meant to address according to Article 2 (2) of the RTS:
“a country other than a Member State where the country's law does not permit the implementation of some or all of the group-wide policies and procedures credit institutions have put in place to comply with Directive (EU) 2015/849”.
Article 5 (1) of the RTS further refers to third countries
“whose law prohibits or restricts the sharing or processing of customer data for AML/CTF purposes within the group”.
This appears to be an entirely new definition of the scope of the RTS that is neither compatible with the definition of the scope in Article 1 and Article 2 of the RTS. It is the same with regard to Article 6, 7 and 8 of the RTS.
We understand that it has been European Supervisory Authorities’ intention for the RTS to apply to such third countries that are:
- not Member States of the EU; and
- whose law stipulates a legal impediment to a certain behavior explicitly required under AML/CFT standards as prescribed by Directive (EU) 2015/849.

We kindly ask the European Supervisory Authorities and ultimately the Commission to reflect the intent of Directive 2015/849 - which seems so far the truest transposed in Art. 2 (2) of the RTS - coherently in the Executive Summary, the Preamble and the Draft Delegated Regulation Text.
More generally, the definition in Art. 2 (2) of the RTS seems to encompass a too wide range of countries. With regard to a proportional burden on obliged entities countries “other than a Member State” should only be regarded countries that do not show in a list of countries that fulfill an equivalent AML/CFT standard. Such a “white” list, established by the EU-Commission, is ever more necessary in the light of the foreseen additional legal scrutiny requirements intended to be imposed on obliged entities by the draft RTS.
Other uncertainties arise when analyzing the definition of ‘third country’ that is set out in article 2 of the RTS:
- Definition of ‘third country’: a country in which its local law does not permit the implementation of some or all of the group-wide policies and procedures to manage the ML/TF risk: the RTS draft does not sufficiently explain what is to be understood with the expression ‘law does not permit the implementation of some or all of the group-wide policies and procedures’. The term ‘does not permit’ could indeed be understood in a number of alternative ways. It could notably be interpreted in a way that the local rule ‘does not permit’ the implementation of a corporate policy or procedure (e.g. what if the corporate policy requires custody of the client information for 10 years but the local law only allows for a maximum of two years?). However, it would be advisable for the RTS to establish in greater detail the criteria for interpreting this impediment in order to apply the general and additional measures provided for in the regulation.

2. Additional measures

a) Overcoming of legal impediments by customer consent
All Articles of Section 3 (“Additional measures”) require, among other things, to determine if consent from customers and, where applicable, the customers' beneficial owners may be apt to overcome an eventual legal impediment in a third country. We would like to stress that such a process of determination will usually need some time for a proper legal assessment. In addition, the implementation of such “consent requirement” will be extremely time-consuming and expensive. In consequence it might lead to de risking a reduction of banking services to and with those third countries as well as to inefficiencies in the risk management program.
Regarding the idea that legal impediments could potentially be overcome by customer consent we would like to stress that there might be legal obstacles to that procedure as far as the legal impediment stems from national data protection/banking secrecy laws. According to data protection and/or banking secrecy law – customers consent must be provided on a voluntary basis. Such voluntary nature would be undermined if in the absence of consent an existing business relationship risks termination to comply with the RTS.

b) Mitigation measures
(where customer consent does not suffice)
The mitigation measures described in the respective paragraphs 2 of Article 4, 5, 6 and 8 seem to be disproportionate, in particular in as far as they appear oblige to apply at least one of the mitigation measures mentioned as examples.
Particularly disproportionate seems to be the requirement to restrict the nature and type of financial products and services provided by a branch/subsidiary in the third country to those that present a low AML/TF risk. For example, even foreign payment transactions would be affected. Any kind of limitation of foreign payment transactions is not sustainable and would hinder the free movement of capital.
The requirement that other entities of the same group should not rely on customer due diligence measures carried out by a branch/subsidiary established in a third country, but instead carry out customer due diligence on any customer seems excessive. The mere fact that the implementation of group-wide policies and procedures in its entirety in a third country are not possible due to local legal impediments does not necessarily mean that the branch/subsidiary’s onboarding process generally has not been compliant with the EU AML/CFT standard of Directive (EU) 2015/849.
The requirements in Article 4 (3), Article 5 (3) and Article 6 (3) to close down some or all of the operations provided by any branch/subsidiary established in a third country is incompatible with the entrepreneurial freedom of decision-making and particularly disproportionate as a mitigation measure.
The RTS should explicitly clarify that credit institutions may take these decisions if they seem it necessary and according to their own risk assessment.

c) Other questions
We also list hereafter a number of additional questions raised by our members:
• Credit institutions or financial institutions inform the competent authority of the home Member State “without delay” where there is a third country’s law that does not permit the application of group-wide policies and procedures (articles 4, 5, 6, 7 and 8): we do not understand why the information need to be provided without delay. An information once a year seems more appropriate.
• Art. 3 c) ‘senior management’ approval is to be obtained; does ‘senior management’ refer to senior management locally or on group level?
• Art 4.1) first sentence: ‘necessary adequately to identify’ should read ‘necessary to adequately identify’.
• Art 4.2 a) higher-risk business should read high risk business.
• Art 4.2 c) ‘low ML/TF risk’ should read ‘acceptable ML/TF risk. Following the fact this is dependent of risk appetite of the financial institution.
• Art 4.2 general) why no onsite checks or independent audits suggested to manage ML/TF risks similar to Art 5.2 c)?
• Art 4.4) why last part not phrased same as 5.4)?
• Art 4.4) difference between ‘risk based’ and ‘risk-sensitive’?
• Art 5.1 a) gap analysis should follow implementation of Global CDD standards.
• Art 5.3) why not phrased similar to Art 4.3) with sub categories a – c)?
• Art 6.1) earlier used ‘within the Group’ versus ‘with other entities in their group’? When information is not to be shared within the Group the information mentioned under Art 6.1 a) cannot be shared either.
• Art 6.1 b) why included when relevant information is shared with senior management?
• Art 7.1 c) why this paragraph included here and not under Art 5.2 c)?
• Art 7.1 d) why not include a ‘iv) aggregated statistical data providing an overview of the circumstances that gave rise to suspicion’?
• Art 8.2) why not including a similar paragraph as in art. 6.3 here?

Answer to question 1:
The scope of the draft RTS is unclear (see general remarks above) and needs to be further specified.
The requirements in Article 4 (3), Article 5 (3) and Article 6 (3) to close down some or all of the operations provided by any branch/subsidiary established in a third country is incompatible with the entrepreneurial freedom of decision-making and particularly disproportionate as a mitigation measure.
The RTS should explicitly clarify that credit institutions may take these decisions if they seem it necessary and according to their own risk assessment.
Furthermore, we doubt whether the ESA has been delegated such a far-reaching authority under Directive 2015/849.
Yes, we agree.
In general, the actions envisaged in Article 3 seems to be excessive.
We consider more appropriate to put the responsibility on intermediaries, allow them to evaluate the risk case by case and - based on their evaluation - allow them to undertake different actions they consider adequate to mitigate the risk.
Furthermore, the wording does not appear to be sufficiently clear with regard to Art. 3 letter b). Whilst the wording states:
“ensure that the risk referred to in letter (a) is reflected appropriately in their group wide AML/CFT policies and procedures”
we understand that it is meant that:
“the risk referred to in letter (a) is reflected appropriately in their locally applicable AML/CFT policies and procedures”
We would like to kindly ask the European Supervisory Authorities and ultimately the Commission to reflect our understanding accordingly in the wording of the provision.
No, we do not agree. Please be informed insofar also referred to our general remarks above.
With regard to the consent requirement we would like to additionally draw your attention to the fact that is rather impossible for credit institutions to obtain consent from beneficial owners. Even where customer consent theoretically could be used to overcome a legal impediment it must be noted, again, that collecting customers' consent would be very time-consuming, slow and expensive. This may also result in inefficiencies in the risk management program.
The further mitigation measures seem disproportionate, as stated above in more detail.
No, we do not agree.
If you do not agree, please explain and provide evidence where possible.
While acknowledging that information sharing strengthens AML risk, this does not mean that non-sharing implies necessarily such an AML risk to significantly limit or even block operations in those countries.
Please see also our remarks above.
In addition, we would like to draw your attention to the fact that even within the EU the sharing and procession of customer data within a group is restricted in certain countries under their local legislation (e.g., Poland, Czech Republic, Slovakia or Luxembourg). This is primarily due to the legal requirements in connection with banking secrecy (and not necessarily only because of the local data protection law).
No, we do not agree. Please be informed insofar also referred to our general remarks above.
Yes, we agree. According to our understanding Article 7 only refers to aggregated data. Hence, customer-related data are not affected.
No, there are no other scenarios the RTS should address.
In particular, are there any policies and procedures in Article 8 of Directive (EU) 2015/849 where the implementation of a third country’s law might prevent the application of group-wide policies and procedures?
Please explain and provide examples where possible.

Within the short time frame available and because of the uncertainties about the scope of the RTS (as pointed out above) it is not possible to carry out a full legal analysis of different foreign judicial systems.
It further is dubious whether it should be left to the credit institutions to conduct such an analysis on their own. Credit institutions lack the necessary legal expertise being essential for such analysis. There would also be a danger that different credit institutions reach diverging assessments/evaluations.
Consequently, the aim of the RTS to establish a harmonized approach to identifying and managing AML/TF risks and, subsequently, the desired level playing field would in fact not be reached (insofar, please refer to section 3.3 of the RTS).
Based on these facts, it should be up to the supervisory authorities to conduct proper legal analysis and provide the credit institutions attuned and EU wide coherent results and guidance.
Furthermore, we consider disproportionate the provisions under paragraph, 2, letter b) that provides that intermediaries have to ensure “that their branches or majority-owned subsidiaries that are established in the third country restrict the nature and type of financial products and services provided to those that present a low ML/TF risk and have a low impact on the group’s ML/TF risk exposure”; moreover, a clarification on what are considered “low risk products” is needed.
No, we do not agree.

In particular,
• do you agree that there are relatively few countries where the implementation of the law prevents the application of group-wide policies and procedures?
Please provide the names of third countries, if any, and the nature of the impediment you have identified.
Within the short time frame available and because of the uncertainties about the scope of the RTS (as pointed out above) it is not possible to carry out a full legal analysis. Please be also referred to our answer to Question 8 above.

• do you agree that Option 3, whereby the draft RTS distinguish between different situations where a third country’s law prevents the application of group-wide AML/CFT policies and procedures is the most proportionate option?
For the implementation of group-wide policies and procedures clear guidelines/requirements are necessary which can be met worldwide.
Please note that credit institutions need a legal basis in order to justify the data transfer and data exchange within an international group. In many jurisdiction processing of customer data/ sharing of customer data within a group is generally allowed if there is a statutory provision enabling such communication. Such statutory provision is considered as an adequate justification of any kind of data processing/information sharing and may prevail (local) data protection and/or banking secrecy requirements. Hence, clear legal provisions are necessary.
Referring to clear RTS and the requirement to implement a group-wide AML policy pursuant to Directive (EU) 2015/849 credit institutions could argue that any information sharing and/or data processing within the group shall be done for the purposes of prevention of money laundering and terrorism. In many jurisdiction worldwide this should likely result in an adequate justification of an exemption of local data protection and banking secrecy law. Additionally, the objective of the RTS is to establish a harmonized approach to identifying and managing the AML/TF risk credit institutions are exposed to (please refer to sections 3.3 of the RTS). Clear requirements are essential in order to achieve this goal.

If you do not agree, please explain and provide evidence where possible. Please also explain which approach you would prefer, and why.

Clear legal requirements are necessary. It would be much more difficult to enforce unspecified requirements in the individual countries where a credit institution has established branches or a subsidiary. Every credit institution itself would need to further refine the requirements pursuant to the RTS. Consequently, the interpretation of the RTS would differ from credit institution to credit institution. The harmonized approach to identifying and managing AML/TF risks and, subsequently, the desired level playing field would in fact not be reached. Additionally, the implementation of the RTS would require an enormous amount of work within the credit institutions that would be disproportionate.
Roger Kaiser
+3225083711