Response to consultation on draft Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on customer due diligence and ML/TF risk factors
Go back
This definition implies that EBA would classify video technology as non-face to face and that video Identification as not considered equivalent to face- to- face. This constitutes a significant change to the current practice in multiple jurisdictions, where video Ident processes are treated as face to face identification and regular CDD measures are being applied for business relationships established via this identification channel.
The determination of video identification as non-face to face, means that this identification method must be classified as a risk increasing factor and consequently require the application of EDD measures. This would lead to a massive and inappropriate increase of EDD cases to be handled, causing an immense additional workload on business relationships where de facto no increased risk exists. This would especially not improve the robustness of the AML programs of the institutions in scope of the Guidelines and could rather negatively impact the quality and outcome of EDD measures to be applied including regarding those business relationships that in deed represent a higher risk.
Hence, we ask to remove video technologies from the definition of non-face to face relationships or to explicitly highlight video identification as reliable form of non-face to face channel (like e.g. for the e-ID or e-Signature). This is especially important due to the COVID-19 crisis which makes remote identification processes a necessity for most financial institutions.
In addition there is a lack of focus on actually review and practical application of patterns/typologies and investigative methods. The Guideline may be too basic to actually identify sophisticated financial crime.
4.13: Firms should be allowed to use the beneficial ownership registers as the only data source
4.31: reference should be made to electronic means that not only provide a high level of assurance under Regulation (EU) 910/2014 but that have been also notified as electronic identification scheme in accordance to art. 9 of this regulation. Furthfermore, it should be specified that even the use of an advanced electronic signature, that does not require the holder to be identified by a QTSP in accordance to art. 24 Regulation (EU) 910/2014, does not of itself give rise to increased ML/TF risk.
4.49: It would be preferable if EBA could assess commercially available PEP lists (even better: EBA distributes these lists)
The relation of effectiveness versus regulatory obligations in these Guidelines do not reflect the actual challenges of firms.
In addition the biggest area of concern for financial institutions are the rise of money mules created from social engineered, stolen, faked identities. This concern is not reflected in the Guideline and should be considered to be added in detail to the Guideline, as this is an industry-wide effort to solve.
9.10 (a) clarification of “electronic signature” needed; to be considered an adequate safeguard, the certificate shall be even if a qualified certificate was not issued by a qualified trust service provider.
9.10 (b) reliance on third party’s CDD measures should be independent of the duration of the relationship between the firm and the third party (otherwise: indirect barrier for new entrants in the market)
Question 1: Do you have any comments with the proposed changes to the Definitions section of the Guidelines?
Definition e) ‘Non-face to face relationships or transactions’ means any transaction or relationship where the customer is not physically present, that is, in the same physical location as the firm or a person acting on the firm’s behalf. This includes situations where the customer’s identity is being verified via video-link or similar technological means.This definition implies that EBA would classify video technology as non-face to face and that video Identification as not considered equivalent to face- to- face. This constitutes a significant change to the current practice in multiple jurisdictions, where video Ident processes are treated as face to face identification and regular CDD measures are being applied for business relationships established via this identification channel.
The determination of video identification as non-face to face, means that this identification method must be classified as a risk increasing factor and consequently require the application of EDD measures. This would lead to a massive and inappropriate increase of EDD cases to be handled, causing an immense additional workload on business relationships where de facto no increased risk exists. This would especially not improve the robustness of the AML programs of the institutions in scope of the Guidelines and could rather negatively impact the quality and outcome of EDD measures to be applied including regarding those business relationships that in deed represent a higher risk.
Hence, we ask to remove video technologies from the definition of non-face to face relationships or to explicitly highlight video identification as reliable form of non-face to face channel (like e.g. for the e-ID or e-Signature). This is especially important due to the COVID-19 crisis which makes remote identification processes a necessity for most financial institutions.
Question 2: Do you have any comments on the proposed amendments to Guideline 1 on risk assessment?
2.21 (f): Using a service provider is an outsourced activity that needs to be assessed and monitored; but it should not, in itself, establish a risk factor.Question 3: Do you have any comments on the proposed amendments to Guideline 2 on identifying ML/TF risk factors?
We think that there should be further explanation in terms of the impact of tech/data has on the identification of ML/TF risk. A key factor in the identification of ML/TF has become the effective utilization of tech advancements. This needs to be considered and become a core tenet of an effective structure against ML/TF.In addition there is a lack of focus on actually review and practical application of patterns/typologies and investigative methods. The Guideline may be too basic to actually identify sophisticated financial crime.
Question 4: Do you have any comments on the proposed amendments and additions in Guideline 4 on CCD measures to be applied by all firms?
Our recommendation is to also add further granularity and explanation on the extended data points that exist such as IP-Address, Geolocation and Device ID. In addition, there should be further clarification of what constitutes high risk activity and high risk industries in context of CDD/EDD. The focus is still too large on country-based risk, which has been not the most prevalent indicator of potential financial crime activity.4.13: Firms should be allowed to use the beneficial ownership registers as the only data source
4.31: reference should be made to electronic means that not only provide a high level of assurance under Regulation (EU) 910/2014 but that have been also notified as electronic identification scheme in accordance to art. 9 of this regulation. Furthfermore, it should be specified that even the use of an advanced electronic signature, that does not require the holder to be identified by a QTSP in accordance to art. 24 Regulation (EU) 910/2014, does not of itself give rise to increased ML/TF risk.
4.49: It would be preferable if EBA could assess commercially available PEP lists (even better: EBA distributes these lists)
Question 5: Do you have any comments on the amendments to Guideline 5 on record keeping?
No CommentQuestion 6: Do you have any comments on Guideline 6 on training?
Our recommendation is also to add unusual/suspicious behavior as this also covers internal fraud as well as all possible activity in affected firms.Question 7: Do you have any comments on the amendments to Guideline 7 on reviewing effectiveness?
Based on the recent Wolfsberg Paper and the overall importance of this subject this Guideline should be expanded to better highlight for affected parties how effectiveness is measured. All the Guidelines prior should be brought together in this one. Being effective as a firm means in our opinion to deploy the right technical foundation with the required expertise in the trained staff acting in a regulatory environment that is focusing on effective measures to prevent financial crime, which can include measures such as concrete suspicious activity reporting Guidelines.The relation of effectiveness versus regulatory obligations in these Guidelines do not reflect the actual challenges of firms.
Question 8: Do you have any comments on the proposed amendments to Guideline 8 for correspondent banks?
No Comment.Question 9: Do you have any comments on the proposed amendments to Guideline 9 for retail banks?
Apart from the other points mentioned above, our proposed amendments here are focused on the increased risk of non-face-to-face relationships. Due to the utilization of technology in verification the ability to detect fraudulent behaviour is much higher than with traditional face-to-face identification. The key in our opinion is to highlight the necessary steps to ensure high quality non-face-to-face identification, which has to include the utilization of the digital ID and compilation of internal as well as external data points.In addition the biggest area of concern for financial institutions are the rise of money mules created from social engineered, stolen, faked identities. This concern is not reflected in the Guideline and should be considered to be added in detail to the Guideline, as this is an industry-wide effort to solve.
9.10 (a) clarification of “electronic signature” needed; to be considered an adequate safeguard, the certificate shall be even if a qualified certificate was not issued by a qualified trust service provider.
9.10 (b) reliance on third party’s CDD measures should be independent of the duration of the relationship between the firm and the third party (otherwise: indirect barrier for new entrants in the market)