
EBF_039817 - Digital operational resilience framework for fin ... · Web viewEBF_041372 6 July 2020 EBF RESPONSE TO THE EBA REVISED DRAFT GUIDELINES ON ML/TF RISK FACTORSIntroductory


EBF_041372 6 July 2020

EBF RESPONSE TO THE EBA REVISED DRAFT GUIDELINES ON ML/TF RISK FACTORS

Introductory remarks / Cover note / Key messages

With the urgent need to improve the effectiveness of the European AML/CFT framework as a background, focusing on risk mitigation and cooperation between all actors of the AML/CFT ecosystem, the European Banking Federation (EBF), which is the voice of European banks, welcomes EBA’s work for the revisions of its Guidelines on Money Laundering/Terrorist Financing Risk Factors (GLs) and the opportunity which is offered to stakeholders to comment on these revised GLs.

As a preliminary remark, we would like to emphasize the need for EBA to provide clarifications of the legal requirements under the 4th and 5th AML Directives, without going beyond this EU legal framework.

We have provided detailed answers to the EBA questionnaire, but would like to highlight 8 messages which are pivotal in our comments and plead for:

- Practicality and proportionate, principle-based and risk-based approach (RBA)
- Supervisory convergence
- Ensuring beneficial ownership transparency based on appropriate tools and requirements
- RBA to the treatment of Politically Exposed Persons (PEPs)
- RBA in relation to High Risk Third Countries (HRTC)
- Equivalence of third countries
- Financial inclusion
- Proportionality of controls on correspondent banking relationships


1. Practicality and proportionate, principle-based and risk-based approach

Over-emphasis on a rule-based approach to AML/CFT can undermine implementation of FATF Recommendations and result in financial exclusion and damage to correspondent banking and global payment systems. For instance, mandatory requirements for enhanced due diligence (EDD) should therefore be carefully targeted to address the specific ML/TF risks they are meant to mitigate, in terms of both the scope of EDD triggers and the mandated EDD steps. We welcome the acknowledgement in the EU Action Plan of the need for an EU-level supervisor “to contribute to mitigating risks from third countries by developing appropriate risk mitigating measures for obliged entities depending on the type and severity of deficiencies” and call on the EBA to provide guidance that aligns with this statement by driving true risk management.

More clarity and consistency would be needed so that the expectations for banks are clear and the requirements can be effectively implemented in practice. Sometimes it seems as if the reality of banking has been lost sight of, namely that many banks have a customer portfolio of several million customers and therefore many complex and overlapping processes. This reality means that without clear and consistent risk-based guidelines in the area of anti-money laundering banks will struggle to automate and run these processes digitally, which should be a common goal in order to improve both efficiency and effectiveness, and minimise non-value adding activity. Without such guidelines there will be additional effort for banks, which could lead to de-risking measures as effort and costs will be disproportionate to the underlying risk and commercial opportunities. This derisking would achieve exactly the opposite of what the EBA actually wants from our point of view.

2. Supervisory convergence

We would like to stress, as a matter of utmost importance, that the further regulatory work on Risk Factor GLs and the effective application of the risk-based approach (RBA) principles by banks will be heavily dependent on the active role of EBA in the field of supervisory convergence guidance for NCAs, avoiding the risks and costs for banks arising from divergent and disproportionate understandings and positions by NCAs in the domestic application of this framework and ensuring the needed level of harmonization and “minimum common supervisory standards” to be applicable to EU banks.

Expectations for business-wide assessments may differ from one regulator to another. It would be useful to provide a template that would be used as a standard across the EU.

3. Ensuring beneficial ownership transparency based on appropriate tools and requirements


As regards the provisions for beneficial ownership transparency, the EBF considers that the 5AMLD provisions for beneficial ownership discrepancy can support the development of a more effective regime, as an interim measure towards national authorities developing effective, risk-based mechanisms to verify, analyse and challenge the beneficial ownership information submitted to their registers. In the absence of a true and dynamic understanding of the threat, and the absence of intelligence-led analysis of the data with meaningful reporting to law enforcement, discrepancy reporting risks becoming a non-value adding administrative task, rather than a meaningful tool in combatting ML/TF. However, the current discrepancy reporting obligation needs to be targeted carefully to avoid undermining the efficient functioning of the market, and to support the interconnection of national beneficial ownership registers, harmonisation of national definitions and wider work towards global beneficial ownership transparency.

Further guidance should be provided on how firms can identify material anomalies and contradictions, to minimise the displacement of compliance resources into low-value ‘tick-the-box’ reporting of non-material discrepancies. This guidance should confirm that the mandatory discrepancy reporting obligations are limited to the establishment of new business relationships and that, while the reporting of a discrepancy should be considered as part of a firm’s risk assessment, it does not in itself prevent onboarding of the customer.

It is important to ensure a flexible approach on how and when firms implement the discrepancy reporting obligations, including through Simplified Due Diligence, flexibility on documents and timing, reliance on other obliged entities and use of outsourced third parties.

Risk factor and customer due diligence (CDD) measures related to beneficial ownership: As the beneficial owner is not the customer of the firm, the information to be obtained on the beneficial owner cannot be the same as that to be obtained on the customer. The question that could arise is that of the application of FATF Recommendation 10, which requires that banks do not enter into a relationship, or terminate the business relationship, where they cannot apply the appropriate level of CDD measures.

Actually, the risk associated with the beneficial owner should only be considered with a view to addressing FATF Recommendation 24, namely to prevent the misuse of legal persons for money laundering or terrorist financing. We would like to emphasize that the AML EU Directives only require banks to take reasonable measures to verify the identity of beneficial owners, and request that this flexibility is retained in the EBA guidelines.

4. RBA to the treatment of Politically Exposed Persons (PEPs)


We support a risk-based approach to the treatment of PEPs. Further guidance, on the basis of existing frameworks (e.g. 2012 FATF guidance on laundering of the proceeds of corruption, existing national guidelines) would be needed on PEP-specific risk factors to support a risk-based approach to the extent of EDD measures. This risk-based approach should include both the frequency and the extent of the ongoing monitoring and regular review of PEP relationships.

5. RBA in relation to High Risk Third Countries (HRTC)

A clear interpretation of the concept of transaction in 5AMLD and in Article 18a of 4AMLD is needed, as well as clear guidance setting the conditions (e.g. existing business relationships versus occasional transactions) under which the comprehensive enhanced due diligence obligations apply. In our view, only transactions involving a high-risk third country that are commissioned outside an existing business relationship are covered. Only for this constellation of the so-called occasional transaction does the application of the comprehensive enhanced due diligence obligations make sense, since only to this extent is there a regulatory gap. There is so far a very fragmented approach across the EEA. We ask that this be clearly set out in the EBA Risk Factor Guidelines.

Further guidance should be provided to confirm that branches or subsidiaries of banking Groups themselves based in HRTC are not required to apply the mandatory EDD measures to their domestic business relationships and may apply a more flexible risk-based approach. In addition to concerns of operational viability and disproportionality, it seems duplicative to mandate these EDD requirements for offshore offices which are already applying more stringent Group level requirements than required by local law. Allowing a more flexible risk-based approach for the domestic business relationships of branches or subsidiaries within HRTCs is consistent with the fundamental policy aim of protecting the integrity of the EU internal market, and a similarly differentiated approach has been taken in other areas of Union law. For example, the EU's Financial Regulation and the European Fund for Sustainable Development Regulation prohibit international financial institutions and national promotional and development banks from entering into relationships with entities established in HRTCs when carrying out financial operations supported by the EU budget. However, there is an exemption from this prohibition when the action is physically implemented in the HRTC exclusively for the purpose of financing a project in the same jurisdiction.

6. Equivalence of third countries

As set out in point 2.12, “5AMLD does not recognise the equivalence of third countries and EU member states lists of equivalent jurisdictions are no longer being maintained”. However, the concept of equivalent third countries has disappeared neither from the Directives nor from national law (for example, Articles 26, 28, 39.4 and 39.5 of 4AMLD) nor from the GLs.

For example :


- GL 8.9 b) : The respondent is based in a third country that has AML/CFT requirements not less robust than those required by Directive (EU) 2015/849

- GL 9.5 c) : Transactions must be carried out through an account in the customer’s name at a credit or financial institution that is subject to AML/CFT requirements that are not less robust than those required by Directive (EU) 2015/849.

- GL 16.9 b) : the customer is a firm subject to AML/CFT requirements that are not less robust than those required by Directive (EU) 2015/849.

- GL 16.11 b) : The fund can be purchased and redeemed only through a firm subject to AML/CFT requirements that are not less robust than those required by Directive (EU) 2015/849.

- GL 16.15 f) : requiring that the first payment is made through a payment account held in the sole or joint name of the customer with an EEA-regulated credit or financial institution or a regulated credit or financial institution in a third country that has AML/CFT requirements that are not less robust than those required by Directive (EU) 2015/849

- GL 16.20 a): The financial intermediary is subject to AML/CFT obligations in an EEA jurisdiction or in a third country that has AML/CFT requirements that are not less robust than those required by Directive (EU) 2015/849.

We believe that the objective of harmonising regulation at European level on this subject can only be achieved if a list of equivalent third countries is provided by EBA or by the Commission to the private sector.

Should this request not be accepted, we propose that the wording of the GLs be made more explicit by replacing the term “not less robust than” with “equivalent”. We understand, indeed, how to assess the equivalence of requirements but not their robustness.

We also ask for a harmonisation and a simplification of the GLs.

Indeed, sometimes GLs ask firms to evaluate the robustness of AML/CFT controls, regime, CDD.

For example :

- GL 8.7 a) : the respondent’s AML/CFT controls are not less robust than those required by Directive (EU) 2015/849;


- GL 4.64 b) i) : requiring the first payment to be carried out through an account verifiably in the customer’s name with a bank subject to CDD standards that are not less robust than those set out in Chapter II of Directive (EU) 2015/849

- GL 9.9 : Countries associated with the transaction have an AML/CFT regime that is not less robust than that required under Directive (EU) 2015/849 and are associated with low levels of predicate offences.

- GL 9.18 : The customer is a firm that is subject to AML/CFT obligations in an EEA state or a third country with an AML/CFT regime that is not less robust than that required by Directive (EU) 2015/849, and is supervised effectively for compliance with these requirements.

Sometimes, GLs ask firms to evaluate the effectiveness of the legal system, the supervision,

For example :

- GL 2.10 a) : Where the funds used in the business relationship have been generated abroad, the level of predicate offences to money laundering and the effectiveness of a country’s legal system will be particularly relevant.

- GL 2.10 c) : Where the customer is a credit or financial institution, firms should pay particular attention to the adequacy of the country’s AML/CFT regime and the effectiveness of AML/CFT supervision.

- GL 4.4 : When complying with their obligation under Article 8 of Directive 2015/849 to obtain approval for their AMLCFT policies controls and procedures from their senior management, firms should ensure that senior management have access to sufficient data, including the firm's business-wide MLTF risk assessment, to take an informed view on the adequacy and effectiveness of these policies and procedures and in particular their CDD policies and procedures.

We suggest adopting a similar wording in all these cases, one which could be understood by firms. We suggest using the term “equivalent to the 2015/859 directive”.

7. Financial inclusion

Financial inclusion: we fully support financial inclusion and welcome the proposed guidelines’ recognition that innovations in technology can partly or fully offset the risks of non-face-to-face interaction with the customer. However, the EBA guidelines place too imprecise requirements on banks by asking them to balance the needs of financial inclusion with the need to mitigate ML/TF risks. Moreover, the need for financial inclusion does not exclude the obligation to know the origin of customers' funds or the economic justification of the transactions carried out. It is the responsibility of the national or European authorities to expressly define the exceptions to the AML regulation.

We also point out that this guideline is in contradiction with article 14.4 of 5AMLD whereby an obliged entity shall not establish a business relationship if it is unable to comply with the customer due diligence requirements laid down in article 13.

Furthermore, we believe it is important to treat financial inclusion issues differently at the domestic and international levels. When a European bank sets up a branch or subsidiary in a country where there is less banking than in Europe, it may be difficult to apply EU regulations in these countries, not because local law prevents it, but rather because local law and customs are different. For example, identity may not necessarily be proven by presentation of proof of identity.

8. Proportionality of controls on correspondent banking relationships

While we welcome the provisions detailed in the sectorial guideline on correspondent banking, EBF considers that the due diligence to be performed on a respondent institution’s AML/CFT controls goes far beyond what article 19 of 5AMLD expects from firms. On-site visits may not be carried out between competing banks for reasons relating in particular to the respect of competition rules and business secrecy. Firms may not take the place of the supervisor. The same observation is made with respect to procedures and policies. Moreover, considering that the correspondent does not obtain detailed information on individual customers of the respondent, sample testing requirements are not realistic.


Question 1: Do you have any comments with the proposed changes to the Definitions section of the Guidelines?

It is suggested to provide definitions for “correspondent banking relationship” and “respondent banking relationship” in line with AMLD and FATF definitions.

GL Section - Paragraph | Proposal for amendment | Justification

Definitions

12 e): “‘Non-face to face relationships or transactions’ means any transaction or relationship where the customer is not physically present, that is, in the same physical location as the firm or a person acting on the firm’s behalf. This includes situations where the customer’s identity is being verified via video-link or similar technological means.”

“‘Non-face to face relationships or transactions’ means any transaction or relationship where the customer is not physically present, that is, in the same physical location as the firm or a person acting on the firm’s behalf. This may include situations where the customer’s identity is being verified via video-link or similar technological means, depending on national regulation.”

For the FATF (paragraph 87 of the FATF guidance on digital ID: https://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/Guidance-on-Digital-Identity.pdf), face-to-face interactions (business relationship and transactions) are considered to occur in-person—meaning the parties to the interaction/transaction are in the same physical location and conduct their activities by physical interaction. FATF notes that some jurisdictions consider video identification to be face-to-face interaction.

Non-face-to-face interactions are considered to occur remotely—meaning the parties are not in the same physical location and conduct activities by digital or other non-physically-present means, such as mail or telephone. They do not include the case of a person acting on the firm’s behalf.

It is indeed essential to recognise that video-identification may in some jurisdictions be treated as presenting the same inherent risks as face-to-face identification where the video identification process is subject to certain safeguards such as electronic means of identification, relevant trusted services within the meaning of Regulation (EU) N° 910/2014 (eIDAS) or any other secure, electronic or remote identification process regulated, recognised, approved or accepted by the national authorities concerned (annex III, point 2.c modified by the 5AMLD). Simply stating that a technology solution can never reach the level of a face-to-face identification largely reduces incentives for the introduction and adoption of advanced and more reliable technologies for such purposes.

The inherent risks between non-face to face relationships and non-face to face transactions are different.

We suggest aligning the EBA definition with the FATF definition.

12 j): “‘Risk appetite’ means the level of risk a firm is prepared to accept.”

Supervisory authorities may use the terms “risk appetite” and “risk tolerance” either as synonyms, or as having different meanings. We would therefore suggest EBA to provide clarifications of these terms.

Need for more clarity.

Proposal for addition. According to the consultation document, “Guidelines 1.26-1.27 are based on paragraph 17 in the original Risk Factors Guidelines. They clarify that firms should identify relevant risk factors to obtain a holistic view of the risk both at the beginning and throughout the life of the business relationship, or before carrying out an occasional transaction”

Our understanding is that the concept of “holistic view” may be interpreted as meaning that one risk factor should not be considered in isolation.

In this respect, we note in the EBA GL that:

Isolated risk factors do not necessarily move a business relationship or occasional transaction into a higher or lower risk category. (page 64 of draft revision)

Firms should take a holistic view of the ML/TF risk factors they have identified that, together, will determine the level of money laundering and terrorist financing risk associated with a business relationship or occasional transaction. As part of this assessment, firms may decide to weigh factors differently depending on their relative importance (para 31 of current version)


The overall risk posed is the outcome of competing factors, not any single feature of the product.

In any case, ‘holistic’ is descriptive and it might even be preferable to abstain from using it. Instead, we kindly ask EBA to clearly specify what is expected of the regulated entities in this regard.

Question 2: Do you have any comments on the proposed amendments to Guideline 1 on risk assessment?

Considering the divergences in the existing local guidelines, the proposed Guideline on business-wide risk assessments will likely be helpful in harmonising practices and achieving an effective dialogue with the different supervisors.

GL Section - Paragraph | Proposal for amendment | Justification

General considerations

1.2 a): “To comply with their obligations set out in Directive (EU) 2015/849, firms should assess: a) the ML/TF risk to which they are exposed as a result of the nature and complexity of their business (the business-wide risk assessment);”

“[…] a) the ML/TF risk to which they are exposed as a result of the nature and complexity of their business (the business-wide risk assessment), obtaining a holistic view;”

Article 8 of Directive (EU) 2015/849 states that obliged entities should take appropriate steps to identify and assess the risk of money laundering and terrorist financing. EBA’s guidelines refer to business-wide assessment without a clear definition of business-wide assessment. For an international Financial Institution, activities are organised by business covering several entities in various countries and across different lines of business. A business-wide assessment can therefore be understood as including different products, customer segments and supplier and partnership relationships. Moreover, it seems that the local guidance on business-wide risk assessments differs across Member States.


Some clarity should also be given on GL 1.19 whereby the business-wide risk assessment should be used to inform the level of initial customer due diligence that they will apply in specific situations and to particular types of customers, products, services and delivery channel.

We suggest using the same wording as in 5AMLD, e.g. assessment at entity level, and illustrating how business-wide assessment can inform the level of initial DD.

We miss some clarity on what is meant by a holistic view and in which cases these additional CDD measures have to be applied. We would appreciate some examples of what is expected on this matter.

1.3: “When assessing the overall level of residual ML/TF risk associated with their business and with individual business relationships or occasional transactions, firms should consider both, the level of inherent risk, and the quality of controls and other risk mitigating factors.”

Regarding consideration 1.3, we propose considering the inclusion of the resulting assessment (e.g. accept, avoid or mitigate).

Guideline 1: Risk assessments: key principles for all firms

1.4: “Firms should record and document their business-wide risk assessment, as well as any changes made to this risk assessment in a way that makes it possible for the firm, and for competent authorities, to understand how it was conducted, and why it was conducted in a particular way.”

It would be welcome if EBA could provide further guidance regarding the recording and minimum record keeping, to avoid divergences among national regulators.

Many banks are subject to supervision from more than one national supervisor. At the same time, different supervisors may have different views on how recording of risk assessments should be made. In addition, the previous text used the following wording: “Firms must keep their risk assessment up to date and under review”, which is narrower and means banks have an obligation to keep an audit trail and document the process. It would be helpful to get further guidance on minimum record keeping requirements (e.g. when a group-wide risk assessment should be considered sufficiently granular).

1.5: “Firms that are credit institutions and investment firms should also refer to the EBA’s internal governance guidelines in this context.”

Need for clarity. Please make reference to those parts of the Internal Governance Guidelines that are referred to.

1.9 b) i) b): “The systems and controls firms should put in place to identify emerging risks include […]: b) Processes to ensure that the firm regularly reviews relevant information sources, including those specified in guidelines 1.28 to 1.30, and in particular […]: i. In respect of individual risk assessments […], b. media reports that are relevant to the sectors or jurisdictions in which the firm is active.”

“The systems and controls firms should put in place to identify emerging risks include […]: b) Processes to ensure that the firm regularly reviews relevant information sources in line with a risk-based approach, including those specified in guidelines 1.28 to 1.30, and in particular […]: i. In respect of individual risk assessments […], b. media reports that are relevant to the sectors or jurisdictions in which the firm is active. b. open source reporting that is material to the risk profile of the sectors or jurisdiction in which the firm is active.”

Firms should be able to apply a risk-based approach to adverse media screening, as it is not proportionate for them to conduct adverse media screening on all customers. This seems to be suggested by 1.16 (proportionality) but the current draft is at risk of misinterpretation and inconsistent application by regulatory authorities.

Considering media reports as always being a relevant information source seems to be inappropriate in respect of individual risk assessments. Media reports may be based on rumors and are often less reliable than other open source reporting (e.g. by public authorities or academic bodies).

In addition, from data protection and privacy perspectives, both the reliability assessment of a media source and the use and processing of that data in a manner that would satisfy the requirements under the GDPR would be extremely challenging. Consulting the EDPS could possibly be a means to address this issue. The recent work conducted on this question by the Wolfsberg Group could also be exploited.

1.12: “To this end, firms should identify and assess the ML/TF risk associated with the products and services they offer, the jurisdictions they operate in, the customers they attract and the transaction or delivery channels they use to service their customers.”

“To this end, firms should identify and assess the ML/TF risk associated with the products and services they offer, the jurisdictions they operate in, the customers they attract and the transaction and/or delivery channels they use to service their customers.”

The terms ‘transaction’ and ‘delivery channel’ may coexist and are not mutually exclusive.

Proportionality

1.16: “The steps a firm takes to identify and assess ML/TF risk across its business must be proportionate to the nature and size of each firm. For example, small firms that do not offer complex products or services and that have limited or purely domestic exposure may not need a complex or sophisticated risk assessment.”

Implementation

1.17: “Firms should make their business-wide risk assessment available to competent authorities; take steps to ensure that staff understand the business-wide risk assessment, and how it affects their daily work in line with Article 46 (1) of Directive (EU) 2015/849; and inform senior management about the results of their business-wide risk assessment, and ensure that senior management is provided with sufficient information to understand, and take a view on, the risk to which their business is exposed.”

Linking the business-wide and individual risk assessments

1.18: “Firms should use the findings from their business-wide risk assessment to inform their AML/CFT policies and procedures. Firms should ensure that their business-wide risk assessment also reflects the steps taken to assess the ML/TF risk associated with individual business relationships or occasional transactions and their ML/TF risk appetite.”

It would be helpful if the Guideline could further specify the expectations on firms to appropriately act upon the update of a business-wide risk assessment. It may be interpreted as meaning that all measures, at all levels, which the firm takes to mitigate risk should be justified by one document. As the statement is rather wide by nature, clarity on the types of “procedures” which, at a minimum, merit an update/review following the business-wide risk assessment would be very helpful; similar to the new guidelines 1.12-1.14 which specify the sources of information firms should use to inform their business-wide risk assessment.

In addition, similar to the FATF Guidance on Risk Assessment (February 2013) Section 1.4, we believe that this Guideline could expand to cover who is the user of the ML/TF risk assessment.

Providing clarity on the procedures a firm should update will have a direct impact on the firm’s ability to appropriately act upon the results of its business-wide risk assessment. For example, the Guideline does not mention the link between the business-wide risk assessment and the efficient allocation of resources.

Business-wide risk assessments should primarily meet the needs of the regulators and the firms’ senior management. Operational staff are not the primary users of the business-wide risk assessment; however, they will benefit from the results via e.g. the firms’ awareness and/or targeted training.

Question 3: Do you have any comments on the proposed amendments to Guideline 2 on identifying ML/TF risk factors?

General Remarks

It should be highlighted, especially with regard to sections 2.3 and 2.9 (but also other sections of the Risk Factor GLs), that the available information on the customer’s beneficial owner’s behaviour is limited (this individual is not the bank’s customer). We would like to propose amending 2.3 to include the following: “where the firm becomes aware of this”. Firms generally will not always easily receive information on this, potentially giving rise to data protection breaches.

As examples, we would like to draw your attention to the following guidelines:

a) Guideline 2.3 c) as well as Guideline 2.6 refer to risks related to the beneficial owner’s nature and behaviour. It is challenging for firms to get information in this regard, even if this requirement refers to the “nature of business” and “transaction behaviour”, which is unclear from our point of view. The same applies with regard to Guideline 2.4, in particular to 2.4 a)-c). Firms may quite often struggle to establish if a beneficial owner is associated with such sectors.

b) According to Guideline 2.6 j), the expectation of EBA seems to be that firms always determine the customer’s and beneficial owner’s source of wealth or source of funds, and not only, in compliance with the requirements of the 4th and 5th AML Directives, on a risk-based basis and when explicitly required by the AML Directives. From a data protection angle, the requirement of Guideline 2.6 j) is hardly practicable, as no sufficient legal grounds exist which allow firms to ask for this information. As a consequence, it should be clarified for which clients the source of funds and the source of wealth should be captured and to what extent.

c) Guideline 2.7 is too broad when reference is made to the beneficial owner and any close personal or even professional links to certain persons. Firms will generally find it challenging to obtain such information, in particular regarding persons with whom beneficial owners have a professional link. We do not consider that firms should be required to identify professional or personal links with certain countries as part of standard CDD measures. Current practice is that firms may seek to identify professional and personal links with certain countries but only on an exceptional and risk-based basis.

GL Section - Paragraph | Proposal for amendment | Justification

Customer risk factors

2.3: “When identifying the risk associated with their customers, including their customers’ beneficial owners, firms should consider the risk related to: a) the customer’s and the customer’s beneficial owner’s business or professional activity; b) the customer’s and the customer’s beneficial owner’s reputation; and c) the customer’s and the customer’s beneficial owner’s nature and behaviour, including whether this could point to increased TF risk.”

2.6: “The following risk factors may be relevant when identifying the risk associated with a customer’s or beneficial owner’s nature and behaviour; firms should note that not all of these risk factors will be apparent at the outset; they may emerge only once a business relationship has been established […]”

“When identifying the risk associated with their customers, including, where they become aware of it, their customers’ beneficial owners, firms should consider the risk related to: a) the customer’s and the customer’s beneficial owner’s business or professional activity; b) the customer’s and the customer’s beneficial owner’s reputation; and c) the customer’s and the customer’s beneficial owner’s nature and behaviour, including whether this could point to increased TF risk.”

“The following risk factors may be relevant when identifying the risk associated with a customer’s or, where relevant according to a risk-based approach, beneficial owner’s nature and behaviour; firms should note that not all of these risk factors will be apparent at the outset; they may emerge only once a business relationship has been established […]”

Identification of the risk factor associated with the customer should be distinguished from the identification of the risk factor associated with the beneficial owner.

As the beneficial owner is not the customer of the firm, the information to be obtained on the beneficial owner cannot be the same as that obtained on the customer.

Indeed, the firm does not have direct contact with the beneficial owner. Hence, there is a risk that the information sought may not be obtained. The question that could arise is that of the application of FATF recommendation 10, which requires that banks do not enter into a relationship, or terminate the business relationship, where banks cannot apply the appropriate level of CDD measures.

Actually, risk associated with the beneficial owner should only be considered with a view to addressing FATF recommendation 24, namely to prevent the misuse of legal persons for money laundering or terrorist financing. We would like to emphasize that the EU AML Directives only require banks to take reasonable measures to verify beneficial owners.

Moreover, it is unclear whether the wording “customer and the customer’s beneficial owner’s nature and behaviour” refers to the “nature of business” and “transaction behaviour”. In any event, it is nearly impossible for firms to get information in this regard. The same applies with regard to Guideline 2.4, in particular to 2.4 a)-c). In particular, more clarity is required as to how firms can establish if a beneficial owner is associated with such sectors.

Firms generally will not receive information on this kind of risk and commonly have no legal grounds for obtaining this information, potentially giving rise to data protection breaches.

2.4 e): “Does the customer have political connections, for example, are they a Politically Exposed Person (PEP), or is their beneficial owner a PEP? Does the customer or beneficial owner have any other relevant links to a PEP, for example are any of the customer’s directors PEPs and, if so, do these PEPs exercise significant control over the customer or beneficial owner? Where a customer or their beneficial owner is a PEP, firms must always apply EDD measures in line with Article 20 of Directive (EU) 2015/849.”

“Does the customer have political connections, for example, are they a Politically Exposed Person (PEP), or is their beneficial owner a PEP? Does the customer or beneficial owner have any other relevant links to a PEP, for example are any of the customer’s directors PEPs and, if so, do these PEPs exercise significant control over the customer or beneficial owner? Where a customer or their beneficial owner is a PEP, firms must always apply EDD measures in line with Article 20 of Directive (EU) 2015/849 and perform their PEP checks according to the relevant regulations.”

A general PEP check of Directors (beyond the already defined PEP positions in public institutions) should be avoided as it would be disproportionate to the risk. Directors that aren’t otherwise beneficial owners will not have the required level of control to use the customer for laundering the proceeds of corruption, and, as such, screening these directors against PEP lists will be a non-value-adding activity. The proposed amendment is meant to clarify that only directors exercising significant control over the customer or beneficial owners are required to be screened against PEP lists.

2.5 a): “The following risk factors may be relevant when identifying the risk associated with a customer’s or beneficial owners’ reputation: a) Are there adverse media reports or other relevant sources of information about the customer, for example are there any allegations of criminality or terrorism against the customer or the beneficial owner? If so, are these reliable and credible? Firms should determine the credibility of allegations on the basis of the quality and independence of the source of the data and the persistence of reporting of these allegations, among other considerations. Firms should note that the absence of criminal convictions alone may not be sufficient to dismiss allegations of wrongdoing.”

“Firms should take a risk-based approach to adverse media screening. The following risk factors may be relevant when identifying material risk associated with a customer’s or beneficial owners’ reputation:

Firms should be allowed to take a risk-based approach to adverse media screening, as most customers will not have a high enough public profile to generate a useful media footprint.

Note that 4.64a of the EBA guidelines suggests that adverse media screening is an EDD measure.

2.5 b): “Has the customer, beneficial owner or anyone publicly known to be closely associated with them had their assets frozen due to administrative or criminal proceedings or allegations of terrorism or terrorist financing? Does the firm have reasonable grounds to suspect that the customer or beneficial owner or anyone publicly known to be closely associated with them has, at some point in the past, been subject to such an asset freeze?”

“Is the firm aware of specific red flags regarding the beneficial owner? For example, has the customer, beneficial owner or anyone publicly known to be closely associated with them had their assets frozen due to administrative or criminal proceedings or allegations of terrorism or terrorist financing? Does the firm have specific and reasonable grounds to suspect that the customer or beneficial owner or anyone publicly known to be closely associated with them has, at some point in the past, been subject to such an asset freeze?”

Firms will not always know who is ‘closely associated’ with the beneficial owner, unless there is relevant adverse media. These guidelines need to clearly state that they apply when a firm becomes aware of such red flags and that there is not an expectation that firms ask all UBOs for such information (which is disproportionate).

2.6. j): “Can the customer’s or beneficial owner’s source of wealth or source of funds be easily explained, for example through their occupation, inheritance or investments? Is the explanation plausible?”

“Where applicable (i.e. inside business relationship with high risk clients only, where there has only been a plausibility check and/or from independent credible resources) can the customer’s or beneficial owner’s source of wealth or source of funds be easily explained, for example through their occupation, inheritance or investments? Is the explanation plausible?”

The requirements of guideline 2.6 j) need to be further defined to support practicality and proportionality. It should be clarified for which clients the source of funds and the source of wealth should be captured and to what extent.

This requirement should be commensurate with paragraphs 4.50 a) (“Take adequate measures to establish the source of wealth and the source of funds to be used in the business relationship…”), 12.7 (“… understanding of the client’s source of wealth”) and be distinct from the EDD situation described under 4.64 b) ii and 12.8 “In some cases, where the risk associated with the relationship is particularly high, verifying the source of wealth and the source of funds may be the only adequate risk mitigation tool.”

2.7 b): “When identifying the risk associated with a customer’s or beneficial owner’s nature and behaviour, firms should pay particular attention to risk factors that, although not specific to terrorist financing, could point to increased TF risk, in particular in situations where other TF risk factors are also present. To this end, firms should consider at least the following risk factors: b) Is the customer or the beneficial owner a person who is publicly known to be under investigation for terrorist activity or has been convicted for terrorist acticity, or are they known to have close personal or professional links to such a person (for example, because they are in a relationship or otherwise live with such a person)?”

“b) Is the customer or the beneficial owner a person who is publicly known to be under investigation for terrorist activity or has been convicted for terrorist acticity, or are they known to have close personal or professional links to such a person (for example, because they are in a relationship or otherwise live with such a person)?”

“b) Is the customer or the beneficial owner a person who is publicly known to be under investigation for terrorist activity or has been convicted for terrorist activity, or are they known to have close personal or professional links to such a person (for example, because they are in a relationship or otherwise live with such a person)?”

Guideline 2.7 is too broad when reference is made to the beneficial owner and any close personal or even professional links to certain persons. We do not consider that firms should be required to identify professional or personal links with certain countries as part of standard CDD measures. Current practice is that firms may seek to identify professional and personal links with certain countries but only on an exceptional basis.

Investigations are rarely publicly known and, if so, not always accurate. Hence, the question arises of how to deal with the risk of defamation in the event of erroneous information, and of respect for the presumption of innocence.

Further, given the diversity of possible sources of information, it will be difficult, if not impossible, to prove that due diligence has been carried out.

In any case, firms need to consider the rehabilitative character of penalties. Therefore customers that have been convicted for terrorist activity must not be considered “high risk” ad infinitum.

As an alternative, EBA could perhaps consult the EDPS about this. This decision should not be left to the regulated entities.

2.9 c): “the jurisdictions to which the customer and beneficial owner have relevant personal or business links, or financial or legal interests.”

“the jurisdictions to which the customer and beneficial owner have relevant business links, or financial or legal interests.”

The term “legal interest” is not sufficiently clear; we suggest deleting it. In addition, as outlined above, it may be difficult in practice to ascertain relevant personal or business links, in particular with respect to the customer’s beneficial owner. We also consider that the term “personal…links” is not sufficiently clear and could lead to assigning an individual a higher risk according to their nationality, ethnicity, religion, etc., which could be discriminatory.

2.10 a): “Firms should note that the nature and purpose of the business relationship, or the type of business, will often determine the relative importance of individual country and geographical risk factors. For example: a) Where the funds used in the business relationship have been generated abroad, the level of predicate offences to money laundering and the effectiveness of a country’s legal system will be particularly relevant.”

“Firms should note that the nature and purpose of the business relationship, or the type of business, will often determine the relative importance of individual country and geographical risk factors. For example: a) Where the funds used in the business relationship have been generated abroad, the level of predicate offences to money laundering and the effectiveness of a country’s legal system will be particularly relevant.”

Firms can be expected to cover knowledge about the countries of origin or destination of the funds, but firms cannot sufficiently cover knowledge about all those countries in which clients generate funds. We suggest replacing the wording "generated" with "from or to", as it seems disproportionate.

2.11 b): “Risk factors firms should consider when identifying the effectiveness of a jurisdiction’s AML/CFT regime include: b) Does the country’s law prohibit the implementation of group-wide policies and procedures and in particular are there any situations in which the Commission delegated Regulation (EU) 2019/758 should be applied ? 15”

Proposal for amendment b) Does the country’s law prohibit the implementation of group-wide policies and procedures and in particular are there any situations in which the Commission delegated Regulation (EU) 2019/758 should be applied ? 15”

Local obstacles to the application of group-wide policies and procedures should only be assessed when the group plans to set up a branch or subsidiary in a foreign country. This assessment is not required to evaluate the country risk associated with transactions carried out by a customer.

In addition, please note that the footnote referred to is missing.

2.14 a): “Risk factors firms should consider when identifying a jurisdiction’s level of transparency and tax compliance include: a) Is there information from more than one credible and reliable source that the country has been deemed compliant with international tax transparency and information sharing standards? Is there evidence that relevant rules are effectively implemented in practice? Examples of possible sources include reports by the Global Forum on Transparency and the Exchange of Information for Tax Purposes of the Organisation for Economic Co-operation and Development (OECD), which rate jurisdictions for tax transparency and information sharing purposes; assessments of the jurisdiction’s commitment to automatic exchange of information based on the Common Reporting Standard; assessments of compliance with FATF Recommendations 9, 24 and 25 and Immediate Outcomes 2 and 5 by the FATF or FSRBs; assessments conducted with regard to the EU list of non-cooperative jurisdictions for tax purposes; and IMF assessments (e.g. IMF staff assessments of offshore financial centres).”

“[…] a) Is there information from more than one credible and reliable source Organisation for Economic Co-operation and Development (OECD) reports that the country has been deemed compliant with international tax transparency and information sharing standards? Is there evidence that relevant rules are effectively implemented in practice? Examples of possible sources include reports by the Global Forum on Transparency and the Exchange of Information for Tax Purposes of the Organisation for Economic Co-operation and Development (OECD), which rate jurisdictions for tax transparency and information sharing purposes; assessments of the jurisdiction’s commitment to automatic exchange of information based on the Common Reporting Standard; assessments of compliance with FATF Recommendations 9, 24 and 25 and Immediate Outcomes 2 and 5 by the FATF or FSRBs; assessments conducted with regard to the EU list of non-cooperative jurisdictions for tax purposes; and IMF assessments (e.g. IMF staff assessments of offshore financial centres).”

Regarding the assessment of a jurisdiction’s level of transparency, the credibility of the source used should be considered, rather than the number of sources. Given the convergence between the OECD Common Reporting Standard (transposed in EU Law through the Directive on Administrative Assistance - DAC2) and the EU AML/KYC, we suggest that the OECD as a single source for said assessment and the EU list of non-cooperative jurisdictions for tax purposes should be considered wholly adequate sources and that there is no need for additional sources.

2.14 c): “Has the jurisdiction put in place reliable and accessible beneficial ownership registers?”

2.14 c): “Has the jurisdiction put in place reliable and accessible beneficial ownership registers?” – this guideline should be addressed to competent authorities, with further guidance on steps they should take (e.g. as provided at 4.27 below).

Further guidance is required for competent authorities on how they should ensure reliable and accessible beneficial ownership registers. Regulated firms are not in a position to judge between inconsistent national approaches to implementation of 4AMLD and 5AMLD, but the EBA has a leadership role in promoting more effective and consistent approaches.

From the European banking sector perspective, what is important is the quality (completeness, accuracy and timeliness) and accessibility of beneficial ownership information, which is required for customer due diligence purposes. Publicity does not necessarily guarantee quality, however, so it is important that national authorities establish their own checks to ensure accurate and up-to-date information. In addition, banks should be allowed to rely on publicly verified UBO registers’ data for KYC purposes.

Products, services and transactions risk factors

2.17 b): “Risk factors firms should consider when identifying the risk associated with a product, service or transaction’s transparency include: […] b) To what extent is it possible for a third party that is not part of the business relationship to give instructions, for example in the case of certain correspondent banking relationships?”

It would be helpful to clarify with the help of examples what kind of scenarios are meant by Guideline 2.17 b).

Need for clarity.

2.18 b): “Risk factors firms should consider when identifying the risk associated with a product, service or transaction’s complexity include: […] To what extent do products or services allow payments from third parties or accept overpayments where this would not normally be expected? Where third party payments are expected, does the firm know the third party’s identity, for example is it a state benefit authority or a guarantor? Or are products and services funded exclusively by fund transfers from the customer’s own account at another financial institution that is subject to AML/CFT standards and oversight that are comparable to those required under Directive (EU) 2015/849?”

It would be much appreciated if EBA could provide examples of what is meant by the term “accept overpayments” in the context of Guideline 2.18 b).

Delivery channel risk factors

2.21 a) i): “When assessing the risk associated with the way in which the customer obtains the products or services, firms should consider a number of factors including: a) whether the customer is physically present for identification purposes. If they are not, whether the firm i) considered whether there is a risk that the customer may have sought to avoid face-to-face contact deliberately for reasons other than convenience or incapacity;”

It would be helpful to clarify that this Guideline only applies where a face-to-face channel is available to the customer, and where the specific circumstances of the customer make it potentially unusual or suspicious that they have declined a face-to-face meeting. In today’s digital world, an increasing number of customer meetings are taking place through channels other than in-person meetings. We suggest that it should not be a tick-the-box requirement to always consider this as suspicious. Please also specify that video identification is a face-to-face identification.

Need for clarity.

2.21 d) e): “When assessing the risk associated with the way in which the customer obtains the products or services, firms should consider a number of factors including: […] d) whether the customer has been introduced through a tied agent, that is, without direct firm contact, and to what extent the firm can be satisfied that the agent has obtained enough information so that the firm knows its customer and the level of risk associated with the business relationship; e) whether independent or tied agents are used, to what extent they are involved on an ongoing basis in the conduct of business, and how this affects the firm’s knowledge of the customer and ongoing risk management”

Clarification of what is meant by “tied agents” and “independent agents” in Guideline 2.21 d) and e) would be highly appreciated. In this context reference is made to Articles 25-28 of 4AMLD, where the concept of the reliable third parties is clearly defined. It remains unclear to what extent such agents fit into this concept.

Need for clarity.

Question 4: Do you have any comments on the proposed amendments and additions in Guideline 4 on CDD measures to be applied by all firms?

GL Section - Paragraph | Proposal for amendment | Justification

Not addressed in Section 4.

Further guidance regarding article 13 (1) of the Money Laundering Directive, which requires: “When performing the measures referred to in points (a) and (b) of the first subparagraph, obliged entities shall also verify that any person purporting to act on behalf of the customer is so authorised and identify and verify the identity of that person”

Section 4 of the EBA guidelines is silent on the obligation contained within article 13 (1) of the Money Laundering Directive.

It would be extremely helpful if the guidance could provide further detail in respect of the obligation to identify and verify any person purporting to act on behalf of the customer, and what this requirement means in practice for Financial Institutions.

The requirement to ID&V any person purporting to act on behalf of a customer has been subject to much debate and legal consideration.

4.3: “They should also ensure that their AML/CFT policies and procedures are readily available, applied, effective, and understood by all relevant staff.”

It is advisable to specify this wording further and to provide examples of how this requirement could be ensured (e.g. training).

Need for clarity.

4.7 a), b): “Firms should set out clearly, in their policies and procedures, a) who the customer and, where applicable, beneficial owner is for each type of customer and category of products and services, and whose identity has to be verified for CDD purposes. Firms should refer to the sectoral guidance in Title II of these guidelines, which has further detail on the identification of customers and their beneficial owners; what constitutes an occasional transaction in the context of their business. b) Firms should clearly define at what point a series of one-off transactions amount to a business relationship, rather than an occasional transaction, taking into consideration factors such as the frequency or regularity with which the customer returns for occasional transactions, and the extent to which the relationship is expected to have, or appears to have, an element of duration. Firms should note that the monetary threshold in Article 11 (b) of Directive (EU) 2015/847 is relevant only to the extent that it triggers an absolute requirement to apply CDD measures; a series of occasional transactions can be a business relationship even where that threshold is not reached;”

“Firms should set out clearly, in their policies and procedures, a) who the customer and, where applicable, beneficial owner is for each type of customer and category of products and services, and whose identity has to be verified for CDD purposes. Firms should refer to the sectoral guidance in Title II of these guidelines, which has further detail on the identification of customers and their beneficial owners; what constitutes an occasional transaction in the context of their business. b) Firms should clearly define at what point a series of one-off transactions amount to a business relationship, rather than an occasional transaction, taking into consideration factors such as the frequency or regularity with which the customer returns for occasional transactions, and the extent to which the relationship is expected to have, or appears to have, an element of duration. Firms should note that the monetary threshold in Article 11 (b) of Directive (EU) 2015/847 is relevant only to the extent that it triggers an absolute requirement to apply CDD measures; a series of occasional transactions can be a business relationship even where that threshold is not reached;”

We believe that the wording of Guideline 4.7 a) is too narrow. In practice, setting out the customer and beneficial owner for each type of customer/products/services will depend on the specific context at hand.

Please keep in mind that the CDD requirements under the EU AMLD focus on the customer and generally not on the products or services a customer uses. While this could be sensibly done for specific customer groups (e.g. funds), establishing such a requirement for all customer groups is difficult and, from our point of view, disproportionate. We propose to broaden the wording accordingly. Regarding 4.7 b), financial institutions in some Member States lack regulatory guidance in this respect. In our opinion, this is an issue that should be addressed to regulatory authorities rather than firms.

Financial inclusion

4.9: “Firms should carefully balance the need for financial inclusion with the need to mitigate ML/TF risk.”

Please provide further clarity. Balancing the need for financial inclusion with the need to mitigate ML/TF risk is a difficult balance that banks today are doing their best to manage. It would be more helpful to get clearer guidance as to where to draw the line between inclusion and financial crime prevention. In accordance with paragraphs 4.9. and 4.10. to meet the target of financial inclusion, in the case where a customer will have legitimate and credible reasons for


being unable to provide traditional forms of identity documentation, firms will need to consider mitigating ML/TF risk in other ways, including by offering only basic financial products and services to customers. This is not allowed by the EU AML Directives nor the Directive (EU) 2014/92 of 23 July 2014 on the comparability of fees related to payment accounts, payment account switching and access to payment accounts with basic features. Moreover, article 16.4 of the latter provides that “Member States shall ensure that credit institutions refuse an application for a payment account with basic features where opening such an account would result in an infringement of the provisions on the prevention of money laundering and the countering of terrorist financing laid down in Directive 2005/60/EC.” Reading this part together with paragraph 2.6. l) GLs that the requirement for a basic account applies only to customers who meet the risk appetite set by the financial institution, it is not entirely clear and may be subject to different interpretations. Therefore we kindly ask for more clarity in the GLs as regards this particular issue. In case the minimum KYC requirements are not covered, we suggest that regulatory authorities indicate the specific measures that should be applied, e.g. documentation that should be provided. Financial inclusion should not be based solely on financial institutions’ risk appetite.


4.10: “As part of this, firms should put in place appropriate and risk-sensitive policies and procedures to ensure that their approach to applying CDD measures does not result in unduly denying legitimate customers access to financial services. Where a customer has legitimate and credible reasons for being unable to provide traditional forms of identity documentation, firms should consider mitigating ML/TF risk in other ways, including by: a) Adjusting the level and intensity of monitoring in a way that is commensurate to the ML/TF risk associated with the customer, including the risk that a customer who may have provided a weaker form of identity documentation may not be who they claim to be; and b) Offering only basic financial products and services, which restrict the ability of users to abuse these products and services for financial crime purposes. Such basic products and services may also make it easier for firms to identify unusual transactions or patterns of transactions, including the unintended use of the product; but it is important that any limits be proportionate and do not unreasonably or unnecessarily limit customers’ access to financial products and services.”

“[…] Where a customer private individual has legitimate and credible reasons for being unable to provide traditional forms of identity documentation, firms should in exceptional cases consider mitigating ML/TF risk in other ways, including by:”

*****

Need for clarity and alignment with existing rules.

4.10 should only be applicable to private individuals and only in exceptional cases. Corporates should always be obliged to provide valid documentation. In some countries private individuals do as a rule have means of secure identification. There may be temporary exceptional cases (theft, accident) where this is not possible. Difficulties may also be due to immigration of individuals coming from jurisdictions where ID systems are not so secure or where the individual did not manage to bring his ID into the country. It is already a difficult balance for banks to know when to allow these customers in, while securing that society is not put at risk by financial crime or terrorist financing. Moving additional burden over from authorities, who should be the guarantor of identity, to banks, is not helpful. If a bank would consider opening up the financial system further to unknown individuals, it is the responsibility of the national or European authorities to expressly define the exceptions to the AML regulation.

Indeed, we understand the objectives of financial inclusion, but we do not understand how the AML/CFT risks could be considered less significant in this type of situation.

Paragraph 4.10 requires firms not to unduly deny legitimate customers access to financial services, however firms’ risk


appetite needs to be taken into consideration. It should be recalled that firms still need to be profit-making entities. Increasing regulatory requirements for certain types of customers will lead to increasing costs/expenses. Therefore a cost-effectiveness analysis will ultimately indicate whether firms continue to provide services to high risk clients.

As regards point b, if a bank has obtained enough KYC information to onboard a client, the client also has the right of access to a payment account with basic features, according to art. 16 Payment Account Directive. In addition, art 13.1 AML Directive states that customer due diligence shall comprise: “identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source”. If it is not possible to verify a person’s identity on the basis of documents, data or information obtained from a reliable and independent source, the bank must refuse the provision of banking services, in line with art 14.4. This is a legislative requirement and all exceptions should be prescribed by law.

Beneficial owners

4.12: “When discharging their obligations set out in Article 13(1)(b) of Directive (EU) 2015/849 to understand the customer’s ownership and control structure firms should

“When discharging their obligations set out in Article 13(1)(b) of Directive (EU) 2015/849 to understand the customer’s ownership and control structure firms should take at least the following steps:

It is disproportionate to require firms to ask the customer who their beneficial owners are because this information is also available through other routes (such as SWIFT registry for Correspondent Banking).


take at least the following steps: a) Firms should ask the customer who their beneficial owners are; b) Firms should document the information obtained. c) Firms should then take all necessary steps to verify the information: to achieve this, firms should consider using beneficial ownership registers where available. d) Steps b) and c) should be applied on a risk-sensitive basis.”

a) Firms should ask the customer who their beneficial owners are Obtain information on who the beneficial owners are by consulting the UBO register where available; b) Firms should document the information obtained on a risk-based approach, document and verify such information. c) Firms should then take reasonable measures all necessary steps to verify the information: to achieve this where necessary, firms should may consider using available beneficial ownership registers as a complementary source of information where available. d) Steps b) and a) to c) should be applied on a risk-sensitive basis.”

The MLDs do not require obliged entities to use beneficial ownership registers to verify beneficial ownership – indeed, they prevent sole reliance on these registers for this purpose. In addition, until competent authorities verify information submitted to beneficial ownership registers these registers will be unreliable and it would be disproportionate to require obliged entities to justify why they did not use this information.

If asking who the customer’s beneficial owners are is a prescriptive requirement, and the customer may provide information in that regard, making the obligation to document that information risk-sensitive seems disproportionate. If a customer provides information, it is to the benefit of the obliged entity to document such information, as it enhances the knowledge of the customer and allows for a better assessment of the customer’s risk profile. Verifying the information that has been received and documented with regard to the beneficial owners can and should be a risk-sensitive requirement for an obliged entity. Therefore, if a customer’s risk profile necessitates the verification of information, this information would need to have been documented for such purposes. Hence, it is suggested that all steps (a to c) be applied on a risk based approach, which means that they will not be applied systematically (hence the removal of “at


least”).

Beneficial ownership registers

4.13: “Firms should be mindful that using information contained in beneficial ownership registers does not, of itself, fulfil their duty to take adequate and risk-sensitive measures to identify the beneficial owner and verify their identity. Firms may have to take additional steps to identify and verify the beneficial owner, in particular where the risk associated with the business relationship is increased or where the firm has doubts that the person listed in the register is not the ultimate beneficial owner.”

It would be helpful to clarify which additional steps to identify and verify the beneficial owner should be taken other than using information contained in beneficial ownership registers. In addition, the revised GLs should provide guidance on the new beneficial ownership discrepancy reporting obligations under 5AMLD Article 14(1) (to collect proof of registration or an excerpt of the register) and Article 30(4) (to report any discrepancies they find between the beneficial ownership information available in the central registers and the beneficial ownership information available to the firm).

Need for clarity.

While the beneficial ownership discrepancy reporting obligation is a stand-alone obligation it will in practice be implemented through firms’ CDD procedures. From an operational point of view, we would like to caution against exacerbating this obligation by requiring firms to establish a totally separate and low-value process to make up for the lack of public sector checks.

Firms should be authorised to take a flexible approach to how and when they implement the discrepancy reporting obligations and this is particularly important given the varieties in implementing this reporting obligation across the EEA.

Control through other means

4.14: “The requirement to identify, and verify the identity of, the beneficial owner relates only to the natural person who ultimately owns or controls the customer. However, firms must also take reasonable measures to understand the customer’s ownership and control structure.”

“The requirement to identify, and take reasonable measures to verify the identity of, the beneficial owner also entails taking reasonable measures to understand the customer’s ownership and control structure.”

We propose to amend Guideline 4.14 in such a way as to link understanding the customer’s ownership and control structure and the obligation to identify and take reasonable measures to verify the beneficial owner. A proposal would be: “The requirement to identify, and take reasonable measures to verify the identity of, the beneficial owner also entails taking reasonable measures to understand the customer’s ownership and control structure.”

4.15: “The measures firms take to understand the customer’s ownership and control structure should be sufficient so that the firm can be reasonably satisfied that it

“[…] In particular, firms should be satisfied that, a) the customer’s ownership and control structure is not unduly complex or opaque;

Firms cannot exhaustively assess whether customers’ complex/opaque ownership and control structures have a legitimate legal or economic reason. We suggest deleting this sentence as it seems to be


understands the risk associated with different layers of ownership and control. In particular, firms should be satisfied that, a) the customer’s ownership and control structure is not unduly complex or opaque; b) or complex or opaque ownership and control structures have a legitimate legal or economic reason.”

b) or complex or opaque ownership and control structures have a legitimate legal or economic reason.”

disproportionate.

Further guidance is required on the definition of ‘legitimate legal or economic reason’. In assessing the purpose of a business relationship, firms cannot exhaustively assess whether a customer’s ownership and control structures have a legitimate legal or economic reason. Customer Due Diligence (CDD) requires firms to assess the purpose of a business relationship to understand and address the ML/TF risk, but this should not become an excuse for regulators to offload responsibility for monitoring company formations.

4.17: “Firms should pay particular attention to persons who may exercise ‘control through other means’. Examples of ‘control through other means’ firms should consider include, but are not limited to: a) control without direct ownership, for example through close family relationships, or historical or contractual associations; b) using, enjoying or benefiting from the assets owned by the customer; c) responsibility for strategic decisions that fundamentally affect the business practices or general direction of a legal person.”

“Firms should pay particular attention to persons who may exercise ‘control through other means’, when applicable […].”

The current wording is too broad. The GLs need to stress that ‘control through other means’ needs only to be assessed if the circumstances of the individual case give rise to indications of ‘control through other means’. In addition, we would like to point out that these references to a beneficial owner imply a higher standard of due diligence in what is read to be all cases. This does not work harmoniously with derogations of Simplified Customer Due Diligence, where a firm may adjust the extent, type and timing of measures applied. The drafting should be amended to state (where identified, or where such information is made available to the firm as part of CDD), otherwise the risk factors imply that additional questions


should be asked to identify whether risk factors exist in all cases, rather than reacting to risk factors identified as part of CDD measures and proportionately asking additional questions on a risk-based approach.

Identifying the customer’s senior managing officials

4.20: “Firms should resort to identifying the customer’s senior managing officials as beneficial owners only if: a) They have exhausted all possible means for identifying the natural person who ultimately owns or controls the customer; b) Their inability to identify the natural person who ultimately owns or controls the customer does not give rise to suspicions of ML/TF; and c) They are satisfied that the reason given by the customer as to why the natural person who ultimately owns or controls the customer cannot be identified is plausible.”

Proposal for amendment

4.20: “Firms should resort to identifying the customer’s senior managing officials as beneficial owners only if: a) They have exhausted all possible means for identifying the natural person who ultimately owns or controls the customer; b) Their inability to identify the natural person who ultimately owns or controls the customer does not give rise to suspicions of ML/TF; and c) They are satisfied that the reason given by the customer as to why the natural person who ultimately owns or controls the customer cannot be identified is plausible.”

Further guidance is required on when firms should consider that they have exhausted ‘all possible means’ to identify beneficial owners. We consider that ‘all possible means’ should be sensitive to risk and will only require bespoke corporate intelligence investigations for the most complex and material transactions. Further guidance is required on how firms can take reasonable measures to verify the identity of senior managing officials (understood as the person responsible for managing the corporate customer). We would like to point out that the requirements under Guideline c) do not correspond to the text of the 4AMLD. Please avoid expanding the scope of legal obligations through these guidelines. We suggest deleting Guideline 4.20 (c).

4.21: “When deciding which senior managing official, or which senior managing officials, to identify as beneficial owner, firms should consider who has ultimate and overall responsibility for the customer and take binding decisions on the customer’s behalf.”

It is not clear whether Guideline 4.21 refers to the so-called “fictitious beneficial owner”; clarification would be highly appreciated. If so, we kindly ask EBA to keep in mind that within Europe different guidance was issued regarding the question if all members of senior managing officials must be identified as fictitious beneficial owners or if it is sufficient to identify just one.

Need for clarity.


Shall the last part of Guideline 4.21 “… firms should consider ….” be a selection criterion for who is the fictitious beneficial owner if a company has several senior managing officials? It would be useful to define the concept of “Senior Managerial Official”.

Identifying the beneficial owner of a public administration or a state-owned enterprise

4.24: “In those cases, and in particular where the risk associated with the relationship is increased, for example because the state-owned enterprise is from a country associated with high levels of corruption, firms should take risk-sensitive steps to establish that the person they have identified as the beneficial owner is properly authorised by the customer to act on the customer’s behalf.”

Proposal for amendment

4.24: “In those cases, and in particular where the risk associated with the relationship is increased, for example because the state-owned enterprise is from a country associated with high levels of corruption, firms should take risk-sensitive steps to establish that the person senior managing official they have identified as the beneficial owner is properly authorised by the customer to act on the customer’s behalf.”

It is unclear what EBA’s expectations towards firms are in this context. Usually, a beneficial owner does not have authority to act on the customer’s behalf. It is suggested to clarify whether the requirement refers only to the so-called “fictitious beneficial owner”. From our point of view, there is no similar requirement in 4AMLD and 5AMLD.

4.25: “Firms should also have due regard to the possibility that the senior managing official may be a PEP. Should this be the case, firms must apply EDD measures to that senior managing official in line with Article 18 of Directive (EU) 2015/849, and assess whether the extent to which the PEP can influence the customer gives rise to increased ML/TF risk and whether applying EDD measures to the customer may be

“Firms should also have due regard to the possibility that the senior managing official may be a PEP. Should this be the case and the official acts as private individual, firms must apply EDD measures to that senior managing official in line with Article 18 of Directive (EU) 2015/849, and assess whether the extent to which the PEP can influence the customer gives rise to increased ML/TF risk and whether applying EDD measures to the customer may be necessary.”

Guideline 4.25 requires firms to apply EDD measures to that senior managing official if the said individual is a PEP. Please note that the due diligence measures are taken with regard to the Customer (as outlined in Article 18 of Directive (EU) 2015/849).

EDD will be applied on the PEP if they are also a customer in their own right. The obligation on firms with respect to the SOE is that they consider where the PEP


necessary.”

increases the level of risk and take appropriate risk-based measures – there is no absolute requirement under the Directive to apply EDD on the PEP (indeed, this will typically be disproportionate where the UBO is only a PEP because of their role vis-à-vis the SOE).

We support a risk-based approach to PEPs and agree that a legal entity should not be treated as a PEP-related entity and subject to EDD just because it has a PEP as a senior managing official.

When firms have exhausted all possible means to identify the beneficial owner and therefore resort to identifying the senior managing official, we do not consider that EDD measures should apply to all senior managing officials just because they are PEPs, as this would expand the scope of legal CDD obligations through these guidelines. There may be exceptional cases where the senior managing official exercises ultimate control over the legal entity, and is therefore the beneficial owner. In these exceptional cases the PEP status of the senior managing official would be relevant to the treatment of the corporate customer.

When financial institutions offer financial products, incl. accounts, to public administration or a state-owned enterprise, there is no need to look at the managing officials of public administration or state-owned enterprise as PEPs in those


organisations.

As the budget and direct expenses of public administrations and companies, as well as the actions of senior managing officials, are supervised by the state, there is no need for the same due diligence measures as in the case of private companies. Therefore we kindly ask for a review of the current approach regarding senior management officials of public administrations and state-owned enterprises being PEPs, and for the mandatory EDD requirement to apply only in those cases where they are opening accounts as private persons or are senior managing officials, UBOs or legal owners of private legal entities.

Evidence of identity

4.26: “Firms must verify their customer’s identity and, where applicable, beneficial owners’ identity, on the basis of reliable and independent information and data, whether this is obtained remotely, electronically or in documentary form.”

“Firms must verify their customer’s identity and, where applicable, beneficial owners’ identity, on the basis of reliable and independent information and data, whether this is obtained remotely, electronically or in documentary form. A risk-based methodology, as per art. 13(1)(a) and (b) 4AMLD”

Article 13(1)b 4AMLD does not require banks to identify the UBO on the basis of independent information at all times, but rather on a risk-based methodology. Consequently, we propose outlining the requirements for the customer and UBO as set out in 4.26 separately, in accordance with article 13(1)a and b.

4.27: “Firms should set out in their policies and procedures which information and data they will treat as reliable and independent for CDD purposes. As part of this, firms should consider

“Firms should set out in their policies and procedures which information and data they will treat as reliable and independent for CDD purposes. As part of this, firms should consider, among others

The information provided on independence and reliability is helpful. However, we would suggest amending this so as to create a non-exhaustive list on which firms may rely in determining reliability and independence. This will provide financial actors with additional flexibility concerning


a) What makes data or information reliable. Firms should consider different degrees of reliability, which they should determine based on

i) the extent to which the customer had to undergo certain checks to obtain the information or data provided;

ii) the official status, if any, of the person or institution that carried out those checks;

iii) the level of assurance associated with any digital ID system used; and

iv) the ease with which the identity information or data provided can be forged.

b) What makes data or information independent. Firms should consider different degrees of independence, which they should determine based on the extent to which the person or institution that originally issued or provided the data or information:

i) is linked to the customer through direct personal, professional or family ties; and

ii) could have been unduly influenced by the customer.

In most cases, firms should be able to treat government-issued information or data as providing the highest level of independence and reliability.”

the acceptable sources to be used for identity and verification.

Non-face to face situations

Proposal for amendment

Need for consistency and clarity.


4.29 – 4.31: “To perform their obligations under Article 13(1) of Directive (EU) 2015/849 and paragraph 88, where the business relationship is initiated, established, or conducted in non-face to face situations or an occasional transaction is done in non-face to face situations, firms should a) take adequate measures to be satisfied that the customer is who he claims to be; and b) assess whether the non-face to face nature of the relationship or occasional transaction gives rise to increased ML/TF risk and if so, adjust their CDD measures accordingly. When assessing the risk associated with non-face to face relationships, firms should have regard to the risk factors set out in paragraph.

Where the risk associated with a non-face to face relationship or an occasional transaction is increased, firms should apply EDD measures in line with paragraphs 105 and following. Firms should consider in particular whether enhanced measures to verify the identity of the customer or enhanced ongoing monitoring of the relationship would be appropriate.

Firms should have regard to the fact that the use of electronic means of identification does not of itself give rise to increased ML/TF risk, in particular where these electronic means provide a high

4.29 – 4.31: “To perform their obligations under Article 13(1) of Directive (EU) 2015/849 and paragraph 88, where the business relationship is initiated, established, or conducted in non-face to face situations or an occasional transaction is done in non-face to face situations, firms should a) take adequate measures to be satisfied that the customer is who he claims to be; and b) assess whether the non-face to face nature of the relationship or occasional transaction gives rise to increased ML/TF risk and if so, adjust their CDD measures accordingly. When assessing the risk associated with non-face to face relationships, firms should have regard to the risk factors set out in paragraph.

Where the risk associated with a non-face to face relationship or an occasional transaction is increased, firms should apply EDD measures in line with paragraphs 105 and following. Firms should consider in particular whether enhanced measures to verify the identity of the customer or enhanced ongoing monitoring of the relationship would be appropriate.

Firms should have regard to the fact that the use of electronic means of identification

Enhanced Due Diligence

Whereas we welcome guidelines 4.29 – 4.31, we would like to highlight that in some Member States firms are required to perform EDD if the identification occurs “from afar”.

In addition, we would like to highlight that non-face to face situations are not in themselves considered to be a high risk factor. “Non-face-to-face business relationships” is only an example of a potentially higher-risk situation in undertaking CDD. Indeed, in terms of the fight against money laundering and terrorist financing, identification and verification of identity is the main challenge in entering into a non-face to face relationship. Apart from that, AML/CFT risks are not different for the same customer depending on whether he is on a face to face relationship or not.

By the way, some national supervisory authorities have issued guidance on video-identification stating that it is recognised as a face-to-face identification and that this does not give rise to the need to perform EDD.

Furthermore, we stress that the 5AMLD (article 1.8) does not require that the electronic means of identification have a high level of assurance under Regulation


level of assurance under Regulation (EU) 910/2014.”

does not of itself give rise to increased ML/TF risk, in particular where these electronic means provide a high level a sufficient level of assurance under Regulation (EU) 910/2014 according to national regulations.”

(EU) 910/2014.

Occasional transaction

Pursuant to Article 11 of the 4AMLD, only certain types of occasional transactions give rise to the implementation of CDD.

We propose that the GL clarifies that “occasional transaction” means transactions covered by article 11 of the 4AMLD or gives examples of occasional transactions that could be conducted remotely.

Using innovative technological means to verify identity

4.34: “[…] They should be clear about their relationship with the innovative solution provider (e.g. whether it is an outsourcing relationship, or whether the use of the innovative solution constitutes a form of reliance on a third party as per Section 4 of Directive (EU) 2015/849), and take sufficient steps to be satisfied that the innovative solution provider […]: b) accesses and uses a sufficient range of data from different sources and across time, having regard to the following elements in particular i. electronic evidence based on a customer’s passport is unlikely to be sufficient in a non-face to face context without accompanying checks to ensure that the customer is who they

“b) accesses and uses a sufficient range of data from different sources and across time, with a sufficient assurance level within the meaning of Regulation (EU) 910/2014 and taking into account - when relevant - the EBA Guidelines on outsourcing arrangements.” having regard to the following elements in particular i. electronic evidence based on a customer’s passport is unlikely to be sufficient in a non-face to face context without accompanying checks to ensure that the customer is who they say they are, and that the document has not been tampered with; and ii. a single data source or a single point in time is unlikely to be enough to meet verification standards in most situations; unless iii. mitigation measures with regard to identification (e.g. additional PIN requirement for

Using innovative technological means is allowed by the 5AMLD as long as these means comply with the eIDAS Regulation. The need for more flexibility in how obliged entities perform non-face-to-face onboarding procedures has been highlighted by the COVID-19 context.


say they are, and that the document has not been tampered with; and ii. a single data source or a single point in time is unlikely to be enough to meet verification standards in most situations”

non-face to face identification) are in place, decreasing the residual risk without additional separate checks.

Establishing the nature and purpose of the business relationship

Guidelines 4.38 and 4.39

It would be helpful to clarify that the measures/ steps taken by firms to understand points 4.38 and 4.39 can be achieved by other methods than just collecting information from the customer as part of CDD. For example, in some circumstances it may be possible for a firm to define the acceptable purpose and nature of its relationships within its own terms & conditions and fair usage policies, in agreement with its customers or to take nature and purpose as ‘self-evident’ (e.g. a residential mortgage).

Need for clarity.

4.38 b) and d): “[…] Firms should at least take steps to understand […]: b) Why the customer has chosen the firm’s products and services; […] d) How the customer will be using the firm’s products and services;”

[…] Firms should at least take steps be in a position to understand […]:b) Why the customer has chosen the firm’s products and services;

Information about why or how the customer has chosen a product and service should be required if such information is not obvious from the choice of the product/service itself and following a risk-based approach, e.g. taking into consideration the customer’s risk level.

In most circumstances, 4.38b will add no value; it is also over and above the Directive and should therefore be deleted. A more proportionate approach would be to limit 4.38b to situations where the customer is based overseas and/or where there are relevant red flags and, even then, the answer will commonly be self-evident (e.g. markets); this approach aligns with 4.64a(ii), i.e. a possible EDD measure is to obtain information “on why the customer is looking for a specific product or service, in particular where it is unclear why the customer’s needs cannot be met better in another way, or in a different jurisdiction”

4.38 c): “The value and sources of funds that will be flowing through the account;”

“c) The value and sources of funds that will be flowing through the account, when necessary;”

We suggest aligning the wording with the legislative provision of Art. 13(1) 4AMLD. Collecting information with regard to the value and source of funds that will be flowing through the account is solely required on a risk-based basis.

4.38 d) and f): “d) How the customer will be using the firm’s products and services;[…] f) What constitutes ‘normal’ behaviour for this customer or category of customers.”

“d) How the customer will be using the firm’s products and services The anticipated value of funds used for the business relationship;[…] f) What constitutes ‘normal’ behaviour for this customer or category of customers.”

Guideline 4.38 (d) seems too extensive; expanding this requirement to all customers will very likely result in data protection issues.

Guideline 4.38 (f) seems too unclear; we suggest that the EBA delete it or provide further guidance about its expectations, in terms of examples. Please note that in practice, firms must convert such requirements into clear instructions for the employees of the 1LoD.

4.41 d): “SDD measures firms may apply include but are not limited to: […]

d) adjusting the frequency of CDD updates and reviews of the business relationship, for example carrying these out only when

“d) adjusting the frequency of CDD updates and reviews of the business relationship, for example carrying these out only when, according to a risk-based approach, trigger events occur such as the customer looking to take out a new product or service that results in increased risk or when a

The usage of new products and services may be considered as a trigger event only on a risk-based approach, e.g., if a customer opens a second or third account or wants to have a securities deposit.


trigger events occur such as the customer looking to take out a new product or service or when a certain transaction threshold is reached; firms must make sure that this does not result in a de facto exemption from keeping CDD information up-to-date.”

certain transaction threshold is reached; firms must make sure that this does not result in a de facto exemption from keeping CDD information up-to-date.”

4.46 c): “Directive (EU) 2015/849 lists specific cases that firms must always treat as high risk: where a firm maintains a business relationship or carries out a transaction involving high-risk third countries;”

“c) where a firm maintains a business relationship or carries out a occasional transactions involving high-risk third countries, following a risk-based approach;”

Need for clarity.

4.48 “When putting in place risk-sensitive policies and procedures to identify PEPs, firms should have regard to the list of prominent public functions published by the Commission pursuant to Article 20a(3) of Directive (EU) 2015/849 and ensure that holders of these functions are identified. This list applies to prominent functions in the EU; when determining how to identify PEPs from third countries, firms should instead refer to the list of functions in Article 3(9) of Directive (EU) 2015/849 and adjust this list on a case-by-case basis.”

“…adjust this list on a case-by-case basis, taking account of how prominence and associated AML risk will vary between different government and political structures”

Further guidance is requested on how to adjust the list of functions in Article 3(9) of 4AMLD with regard to PEPs from third countries which may have materially different governmental and political structures in place – e.g. the level of prominence afforded to a “Member of Parliament” in Europe is materially different to other countries such as the People’s Republic of China.

4.49: “Firms that use commercially available PEP lists should ensure that information on these lists is up to date and that they understand the limitations of those lists. Firms should take additional measures where necessary, for example in situations

“Firms that use commercially available PEP lists should ensure that information on these lists is up to date and that they understand the limitations of those lists. Firms should take additional measures where necessary, for example in situations

Guideline 4.49 does not meet the practical circumstances/needs. Many European supervisory authorities have now recognised that firms (banks) fulfil their PEP-screening obligation when they use standard/common PEP lists. In our opinion, this current view represents an appropriate


where the screening results are inconclusive or not in line with the firm’s expectations.”

where the screening results are inconclusive or not in line with the firm’s expectations.”

balance between the needs of practice and effective anti-money laundering measures. We ask that the practical needs not be lost sight of and – as a consequence – that Guideline 4.49 is deleted. It is also unclear when or under what conditions screening results are to be classified as “inconclusive” or what is specifically meant by the prerequisite “not in line with the firm’s expectations”. More clarity and conciseness in the use of legal terms would be much appreciated.

Politically exposed persons

4.50 a): “Firms that have identified that a customer or beneficial owner is a PEP must always: a) Take adequate measures to establish the source of wealth and the source of funds to be used in the business relationship in order to allow the firm to satisfy itself that it does not handle the proceeds from corruption or other criminal activity. The measures firms should take to establish the PEP’s source of wealth and the source of funds will depend on the degree of high risk associated with the business relationship. Firms should verify the source of wealth and the source of funds on the basis of reliable and independent data, documents or information where the risk associated with the PEP relationship is particularly high.”

“Firms that have identified that a customer or beneficial owner is a PEP must always may:”

We support a risk-based approach to PEPs, including the measures taken to establish the PEP’s source of wealth and source of funds. Guideline 4.50 (a) refers to measures to verify the source of wealth/source of funds information for higher risk PEPs, however, legislation does not require firms to verify this information (neither for mandatory EDD for PEP relationships nor for risk-based EDD). As a general comment, we consider that over-emphasis on a rules-based approach to AML/CFT can undermine implementation of FATF Recommendations and result in financial exclusion and damage to correspondent banking and global payment systems. Mandatory requirements for EDD should therefore be carefully targeted to address the specific ML/TF risks they are meant to mitigate, in terms of both the scope of EDD triggers and the mandated EDD steps.

In addition, it would be helpful to include


guidance as to what drives a higher risk PEP-connected relationship vis-a-vis a lower risk PEP-connected relationship, including commensurate measures in each case.

4.50 b) and c): “Firms that have identified that a customer or beneficial owner is a PEP must always: b) Obtain senior management approval for entering into, or continuing, a business relationship with a PEP. The appropriate level of seniority for sign-off should be determined by the level of increased risk associated with the business relationship, and the senior manager approving a PEP business relationship should have sufficient seniority and oversight to take informed decisions on issues that directly impact the firm’s risk profile. c) When considering whether to approve a PEP relationship, senior management should base their decision on the level of ML/TF risk the firm would be exposed to if it entered into that business relationship and how well equipped the firm is to manage that risk effectively.”

Proposal for amendment

These requirements do not meet the needs of practitioners. We kindly ask the EBA to redraft 4.50 b) and c) and we propose: b) Obtain senior management approval for entering into, or continuing, a business relationship with a PEP. The appropriate level of seniority for sign-off should be determined by the level of increased risk associated with the business relationship, and the senior manager approving a PEP business relationship should have sufficient seniority and oversight to take informed decisions on issues that directly impact the firm’s risk profile.

Persons qualified to make a decision to enter into or maintain such a business relationship may delegate this responsibility to a person who has a sufficiently high level of authority in relation to the risks associated with the business relationship. The delegation may be nominative or functional.

Need for consistency with existing common practice

Article 20 of the 4AMLD states that, with respect to transactions or business relationships with politically exposed persons, firms shall apply additional measures including obtaining senior management approval for establishing or continuing business relationships with such persons.

In practice, senior management has duties and responsibilities in all areas of the bank's management. It therefore cannot carry them out personally and has recourse to delegations.


4.50 d): “Apply enhanced ongoing monitoring of both transactions and the risk associated with the business relationship. Firms should identify unusual transactions and regularly review the information they hold to ensure that any new or emerging information that could affect the risk assessment is identified in a timely fashion. The frequency of ongoing monitoring should be determined by the level of high risk associated with the relationship.”

“[…] Firms should identify unusual transactions and regularly review the information they hold to ensure that any new or emerging information that could affect the would trigger review of the risk assessment is identified in a timely fashion or wider review of the business relationship. The frequency of ongoing monitoring should be determined by the level of high risk associated with the relationship.”

Requiring that ongoing monitoring and regular review should identify ‘any new or emerging information that could affect the risk assessment’ is in our view disproportionate. We support a risk-based approach to the treatment of PEPs. Further guidance is required on PEP-specific risk factors to support a risk-based approach to the extent of EDD measures. Examples of such higher and lower risk factors are provided by the 2017 FCA guidance on the treatment of PEPs and by the 2012 FATF guidance on laundering of the proceeds of corruption. We consider that this risk-based approach should include both the frequency and the extent of the ongoing monitoring and regular review of PEP relationships.

4.52.: Firms should ensure that the measures they put in place to comply with the Directive (EU) 2015/849 and with these guidelines in respect of PEPs do not result in PEP customers unduly being denied access to financial services.

Firms should ensure that the measures they put in place to comply with the Directive (EU) 2015/849 and with these guidelines in respect of PEPs do not result in PEP customers unduly being denied access to financial services.

This GL contains an indirect accusation that firms may unfairly exclude PEPs from access to certain financial services. This accusation is unfounded. We ask for the removal of the GL.

High risk third countries

4.53 – 4.55: “When entering into a business relationship or transaction involving high risk third countries as

4.54. Firms should apply assess if the measures listed in guideline 4.53 should be applied regarding the circumstances of the relationship or

We welcome the introduction of Guidelines regarding high-risk third countries, which helpfully clarify the 5AMLD requirements.


set out in Article 9(2) of Directive (EU) 2015/849, firms should ensure that they apply at a minimum, the EDD measures set out in Article 18 a(1) and, where applicable, the measures set out in Article 18 a(2) of Directive (EU) 2015/849. 4.54. Firms should apply the measures listed in guideline 4.53 and should adjust the extent of these measures on a risk-sensitive basis. 4.55. A business relationship or transaction always involves a high risk third country if a) the funds were generated in a high risk third country; b) the funds are received from a high risk third country; c) the destination of funds is a high risk third country; d) the firm is dealing with a natural person or legal entity resident or established in a high risk third country; or e) the firm is dealing with a trustee established in a high risk third country or with a trust governed under the law of a high risk third country.”

the transaction and should adjust the extent of these measures on a risk-sensitive basis. 4.55. A business relationship or transaction always involves a high risk third country if a) the funds were generated in a high risk third country; b) the funds are received from a high risk third country; c) the destination of funds is a high risk third country; d) the firm is dealing with a natural person or legal entity resident or established in a high risk third country; or e) the firm is dealing with a trustee established in a high risk third country or with a trust governed under the law of a high risk third country.”

Definition of high risk third countries

As a general comment, we consider that over-emphasis on a rules-based approach to AML/CFT can undermine implementation of FATF Recommendations and result in financial exclusion and damage to correspondent banking and global payment systems. This would be contrary to the stated objective that the 5AMLD regime for HRTCs is not to decrease legitimate payment flows. Mandatory requirements for EDD should therefore be carefully targeted to address the specific ML/TF risks they are meant to mitigate, in terms of both the scope of EDD triggers and the mandated EDD steps.

That is why the definition of high-risk third countries should not be broader than the Directive provides for.

EDD and risk sensitive basis

Guideline 4.55 seems to imply that EDD should be applied for each transaction involving high risk jurisdictions, whereas 4.54 implies that 4.55 should be applied in conjunction with 4.54 and 4.53, and thus be linked specifically to those business relationships and incidental transactions that should reasonably be considered to trigger EDD rather than all transactions going to and from high risk jurisdictions.


We consider that the proposed guideline 4.55 is unclear and disproportionate in its guidance on which business relationships and transactions will ‘involve’ HRTCs.

In particular, we do not consider that the HRTC location of funds generation, origin, destination or transit should, in itself, trigger EDD.

Such an extensive interpretation of the term “Involvement of a high risk third country” in Guideline 4.55 can lead to banks pursuing a complete de-risking strategy and no longer entering into or executing any business relationship/transaction involving a high-risk third country. This would be contrary to the stated objective that the 5AMLD regime for HRTCs is not to decrease legitimate payment flows.

In addition, this reads as if any payment made directly/indirectly inbound/outbound involving a high risk third country would mean the relevant customer would be high risk, requiring EDD. This will likely create a significant increase in international firms’ high risk client base across the EU, targeting firms’ resources in a way which may not be risk-based in all instances. This appears to read like a rules-based requirement, contradicting the risk-based approach.

We suggest amending “transaction” to “occasional transaction” for clarity on clear EDD trigger requirements for firms, on a risk-based approach. We also suggest amending the definition of business relationships or transactions as ‘involving’ a HRTC by focusing on: 1) a customer that is resident in, incorporated in, has their principal place of business in, or has their principal regulatory authority in a HRTC; or 2) an ‘occasional transaction’ where either the payer or payee is resident in, incorporated in, has their principal place of business in, or has their principal regulatory authority in a HRTC.

More specifically:

- Regarding trigger a)

The trigger related to the location of funds generation should only be taken into account by the bank(s) through which the funds are transiting.

- Regarding triggers b) and c)

Such requirements would only be feasible in practice if banks were allowed to introduce thresholds. Otherwise, even the smallest transaction would trigger EDD.


4.56: “When performing CDD measures or during the course of a business relationship, firms should ensure that they also apply the EDD measures set out in Article 18 a(1) and, where applicable, the measures set out in Article 18 a(2) of Directive (EU) 2015/849, where firms determine that a) the transaction passes through a high risk third country, for example because of where the intermediary payment services provider is based; or b) a customer’s beneficial owner is established in a high risk third country.”

Proposal for amendment. - Trigger b)

We do not consider that the HRTC location of the beneficial owner should, in itself, trigger EDD. While firms may take such factors into account for their risk assessment, we consider that such broad interpretations of the scope for mandatory EDD would be disproportionate and would result in significant adverse impacts for financial inclusion, correspondent banking and the global payment systems. For example, a company established and trading in the EU may have a UBO resident in a high risk third country; the source of funds will be the EU and, as such, the mandatory application of EDD on the customer relationship will be disproportionate. As a general principle, given that the HRTC regime has been established to protect the EU market, the source of funds is a more effective measure for identifying risk and applying EDD, not residency. Moreover, we would like to emphasize that the 5AMLD does not require the collection of the address of the beneficial owner, though this may occur as a by-product of verifying identity. It should also be noted that 4.56 b) goes beyond what national legislation sometimes requires from obliged parties, since this high risk factor is restricted to the customer level.

- Trigger a)

In particular, it is not clear why the intermediary payment service providers (IPSPs) being in a HRTC should result in mandatory EDD being applied (4.56a). IPSPs play an extremely limited role in the payment and neither the payer nor the payee will control the routing of their payment instruction. Additionally, this risk factor seems to be contrary to the stated objective that the 5AMLD regime for HRTCs is not to decrease legitimate payment flows.

Moreover, Guideline 4.56 a) is difficult to perform in practice, as knowledge about which countries a transaction passes through is not always fully apparent. Additionally, many countries have limited the application of the transaction involving high risk third countries to occasional transactions.

4.57: “Notwithstanding guidelines 4.54 and 4.56 firms should carefully assess the risk associated with business relationships and transactions where a) the customer maintains close personal or professional links with a high risk third country; or b) beneficial owner(s) maintain(s) close

Proposal for amendment. Please also provide clarifications in the definition of “personal or professional links”. We would suggest definitions based on financial links.

We consider that these guidelines should be replaced with a new definition, based on financial links.

Guideline 4.57 makes reference to firms carefully assessing the risk associated with business relationships and transactions where the customer/beneficial owner of the customer maintains close personal or


personal or professional links with a high risk third country. c) In those situations, firms should take a risk-based decision on whether or not to apply the measures listed in Article 18a) of Directive (EU) 2015/849, EDD measures, or regular CDD measures.”

professional links with a high risk third country. This provision is impossible to implement unless firms become aware of this information (by accident). Additionally, no definition of “close personal/professional links” is provided. This could thus be interpreted to refer to relatives, friends etc. The same applies to professional links. We do not consider that professional or personal links to HRTCs should, in themselves, trigger EDD. We do not consider that firms should be required to identify professional or personal links with certain countries as part of standard CDD measures. Current practice is that firms may seek to identify professional and personal links with certain countries but only on an exceptional basis, such as where specifically relevant to assessing the purpose of a high risk business relationship. We also consider that there is a clear risk that requiring firms to identify such links as part of standard CDD measures could lead to discriminatory treatment on the basis of ethnicity, nationality, religion, etc. (including mistaken perceptions of ethnicity, nationality or religion, etc.). As noted above, the source of funds is a more effective measure for identifying risk and applying EDD, not residency or personal/professional links. We suggest that the final GLs avoid requiring firms to process more personal information than is required for compliance with the 5MLD regime for HRTCs.


We also consider that there is a clear risk that requiring firms to identify such links as part of standard CDD measures could lead to discriminatory treatment on the basis of ethnicity, nationality or religion (including mistaken perceptions of ethnicity, nationality, religion, etc).

Unusual transactions

4.61: “These EDD measures should be sufficient to help the firm determine whether these transactions give rise to suspicion and must at least include: a) taking reasonable and adequate measures to understand the background and purpose of these transactions, for example by establishing the source and destination of the funds or finding out more about the customer’s business to ascertain the likelihood of the customer making such transactions; and b) monitoring the business relationship and subsequent transactions more frequently and with greater attention to detail. A firm may decide to monitor individual transactions where this is commensurate to the risk it has identified.”

“These EDD measures should be sufficient to help the firm determine whether these transactions give rise to suspicion and must at least include: a) taking reasonable and adequate measures to understand the background and purpose of these transactions, for example by establishing the source and destination of the funds or finding out more about the customer’s business to ascertain the likelihood of the customer making such transactions; and b) monitoring the business relationship and subsequent transactions more frequently and with greater attention to detail. A firm may decide to monitor individual transactions where this is commensurate to the risk it has identified.”

This guideline is inconsistent with certain court rulings (e.g. court decision of ‘OLG Frankfurt’).

Other high-risk situations 4.62: “In all other high risk situations, firms should take an informed decision about which EDD measures are appropriate for each high-risk situation. The appropriate type of EDD, including the extent of the

Need for clarity. We suggest to provide further details (examples) with regard to additional information to be determined.


additional information sought, and of the increased monitoring carried out, will depend on the reason why an occasional transaction or a business relationship was classified as high risk.”

4.64 a): “EDD measures firms should apply may include: a) Increasing the quantity of information obtained for CDD purposes: i) Information about the customer’s or beneficial owner’s identity, or the customer’s ownership and control structure, to be satisfied that the risk associated with the relationship is well understood. This may include obtaining and assessing information about the customer’s or beneficial owner’s reputation and assessing any negative allegations against the customer or beneficial owner. Examples include: a) information about family members and close business partners […]”

Need for consistency with data protection rules.

“[…] a) information about family members and close business partners if the latter are PEPs […]”

Guideline 4.64 (a) requires firms to consider information about family members and close business partners. Having regard to data protection requirements, we suggest that the guidelines stress that such information is relevant if the family member/close business partner is a PEP.

Transaction monitoring

4.74: “[…] Firms should in any case determine: a) Which transactions they will monitor in real time, and which transactions they will monitor ex-post. As part of this, firms should determine which high-risk factors, or combination of high-risk factors, will always trigger real-time monitoring. Firms should ensure that transactions associated with higher ML/TF risk are monitored in real time wherever possible, in particular where the risk associated with the business

“[…] Firms should ensure that transactions associated with higher ML/TF risk are may be monitored in real time wherever possible, in particular where the risk associated with the business relationship is already increased; […]As part of this, firms should determine which high-risk factors, or combination of high-risk factors, will always trigger real-time monitoring. Firms should ensure may apply real time monitoring to that transactions associated with higher ML/TF risk are

Real time monitoring

It should be noted that currently, the market standard with respect to AML transaction monitoring clearly leans towards ex-post monitoring. The practical application of real time monitoring is very resource-consuming. The proposal to include real-time monitoring as a tool for higher-risk transactions (4.74 and 8.25) is in practice not realistic today. We believe that these GLs should be amended to be more

relationship is already increased; […] In addition to real time and ex-post monitoring of individual transactions, and irrespective of the level of automation used, firms should regularly perform ex-post reviews on a random sample taken from all processed transactions to identify trends that could inform their risk assessments, and to test the reliability and appropriateness of their transaction monitoring system.

monitored in real time wherever possible, in particular where the risk associated with the business relationship is already increased; […] In addition to real time and ex-post monitoring of individual transactions, and irrespective of the level of automation used, firms should regularly perform ex-post reviews on a random sample taken from all processed transactions to identify trends that could inform their risk assessments, and to test the reliability and appropriateness of their transaction monitoring system.

aspirational than mandatory. While ‘real time’ monitoring may be appropriate in order to protect vulnerable customers (e.g. from push-payment scams), expansion to other circumstances would greatly impair payment flows and slow down economic activity; any such move must therefore be targeted, subject to legal clarity (e.g. PSD) and based on an assessment of the threat and unintended consequences.

Transaction Monitoring for AML purposes monitors a number of customer behaviours and their transactions over varying time periods normally daily, weekly and monthly. Therefore, it is not always possible to determine potentially suspicious activity from a single transaction, as it is dependent on the specific circumstance or scenario that has generated the alert. When considering the potential volumes involved, the design and implementation of appropriate technical solutions for automated real time monitoring for AML purposes will be a significant undertaking for any financial institution. There is an aspiration in the industry to have sophisticated real-time, intelligent monitoring, but today an automatic system that would halt transactions if indicators show potential suspicion could either cause harmful disruption in payment flows (if the net is too tight) or be of no use (if the net is too loose). In addition, real time monitoring for certain

high risk factors or combination of high risk factors may result in real time monitoring for all kinds of clients regardless of their risk rating.

Ex post review on a random sample

Ex post reviews on a random sample could be useful to test the reliability and appropriateness of their transaction monitoring system, but they cannot identify trends that the ex-post controls could not themselves identify.

These controls should be based on a sample of alerts generated and not on transactions processed.

Question 5: Do you have any comments on the amendments to Guideline 5 on record keeping?

GL Section - Paragraph Proposal for amendment Justification

5.1 c): “For the purpose of Articles 8 and 40 of the AMLD, firms must keep records at least of […] c) Transactions.”

“For the purpose of Articles 8 and 40 of the AMLD, firms must keep records at least of […] c) Transactions outside existing business relationships.”

Need for clarity.

Question 6: Do you have any comments on Guideline 6 on training?

GL Section - Paragraph Proposal for amendment Justification

6.2 c): “As part of this, and in line with guidance contained in Title I, firms should take steps to ensure that staff understand […] c) How to recognise suspicious or unusual transactions, and how to proceed in such cases.”

“c) How to recognise suspicious or unusual transactions or activities, and how to proceed in such cases.”

Is it a conscious decision to only include transactions and not also activities?

6.3: “Firms should ensure that AML/CFT training is a) Relevant to the firm and its business; b) Tailored to staff and their specific roles; c) Updated regularly; and d) Effective.”

Need for clarity. It would be helpful to explain how to tailor training to staff and their specific roles, especially in big firms where there is a lot of specialization and a great variety of roles.

Question 7: Do you have any comments on the amendments to Guideline 7 on reviewing effectiveness?

GL Section - Paragraph Proposal for amendment Justification

7.1.: Firms should regularly assess the effectiveness of their approach to AML/CFT and determine the frequency and intensity of such assessments on a risk-sensitive basis, taking into account the nature and size of their business and the level of ML/TF risk to which they are exposed.

7.2.: Firms should consider whether an independent review of their approach may be warranted or

Suggest deletion and replacement with cross-reference to relevant ambitions in the AML Action Plan (e.g. to improve effectiveness through public-private partnerships) and to relevant work by FATF and other relevant AML/CFT bodies (e.g. the Wolfsberg Group).

Effectiveness is a core topic for driving a true risk based, effective and proportionate AML/CTF regime. The EBA needs to consider the effectiveness of their guidance on combatting ML/TF, informed by the supranational risk assessment, both when drafting the guidance and on an ongoing basis. We cannot assume that compliance with the Directive and the guidance will effectively (and efficiently)

required.

combat ML/TF. Firms cannot meaningfully assess ‘effectiveness’ unless there is a feed-back loop from regulatory authorities and law enforcement on the performance of the regime. As such, the EBF should call for 7.1 and 7.2 to be deleted and instead cross-refer to the AML Action Plan, including support for public-private partnership. Suggest also referencing FATF and Wolfsberg’s work on effectiveness, stating that any requirement on firms to assess effectiveness cannot be made independently of assessments at international and local levels (not least, that the EBA has not defined ‘effectiveness’).

7.2: “Firms should consider whether an independent review of their approach may be warranted or required.”

It would be helpful to clarify which independent review is meant in this paragraph and when it is required.

Need for more clarity.

Question 8: Do you have any comments on the proposed amendments to Guideline 8 for correspondent banks?

The EU AMLD definition goes further than just correspondent banking. Could the scope of the guidance cover other correspondent relationships in and amongst financial institutions? For the purpose of securities transactions, we would welcome guidance on correspondent trading relationships and correspondent securities relationships. The guidance should also make clear that, as per FATF standards outlining the risk-based approach, there is no expectation or requirement for KYCC. On-site visits may not be carried out between competing banks for reasons relating in particular to the respect of competition rules and business secrecy. Firms may not take the place of the supervisor. Moreover, considering that the correspondent does not obtain detailed information on individual customers of the respondent, sample testing requirements are not realistic.

GL Section - Paragraph Proposal for amendment Justification

8.5: “The following factors may contribute to reducing risk: a) The relationship is limited to a SWIFT Risk Management Application (RMA) capability, which is designed to manage communications between financial institutions. In a SWIFT RMA relationship, the respondent, or counterparty, does not have a payment account relationship. b) Banks are acting in a principal-to-principal capacity, rather than processing transactions on behalf of their underlying clients, for example in the case of foreign exchange services between two banks where the business is transacted on a principal-to-principal basis between the banks and where the settlement of a transaction does not involve a payment to a third party. In those cases, the transaction is for the own account of the respondent bank. The transaction relates to the selling, buying or pledging of securities on regulated markets, for example when acting as or using a custodian with direct access, usually through a local participant, to an EU or non-EU securities settlement system.”

Delete 8.5 a) as a risk factor for EDD. The final GLs should clarify that RMA-only relationships may be treated differently from correspondent banking relationships per se, as 5AMLD states that "correspondent relationships do not include one-off transactions or the mere exchange of messaging capabilities". Under the revised definition of ‘correspondent banking’ in the 5AMLD, SWIFT-RMA messaging relationships aren’t correspondent relationships. As such, this form of relationship isn’t a ‘lower risk’ correspondent bank – it is out of scope of correspondent banking EDD requirements.

8.6.: The following factors may contribute to increasing risk (…) The respondent’s management or ownership includes PEPs, in particular where a PEP can exert meaningful influence over the respondent, (…)

The following factors may contribute to increasing risk (…) The respondent’s management or ownership includes PEPs, in particular where a PEP can exert meaningful influence over the respondent, (…)

There is no obligation to check whether the management is a PEP.

Country or geographical risk factors

8.8 a) v): “The following factors may contribute to increasing risk: a) The respondent is based in a jurisdiction associated with higher ML/TF risk. Firms should pay particular attention to those jurisdictions […]: v) without effective AML/CFT supervision.”

Further guidance would be useful to clarify how a bank can assess in practice whether the respondent is subject to non-effective AML/CFT supervision (e.g. through external reports).

Need for more clarity.

8.8 b): “The respondent conducts significant business with customers based in a jurisdiction associated with higher ML/TF risk.”

We suggest defining the term “significant business” with customers based in a jurisdiction associated with higher ML/TF risk.

Need for more clarity.

Respondents based in non-EEA countries 8.17 a) : “[…] This should include taking steps to understand and risk-assess the nature of respondent’s customer base, if necessary by asking the respondent about its customers, and the type of activities that the respondent will transact through the correspondent account.”

“[…] This should include taking steps to understand and risk-assess the nature of respondent’s customer base, if necessary by asking the respondent about its customers groups (e.g. retail customers, institutional customers), and the type of activities that the respondent will transact through the correspondent account.”

It should be highlighted in the GLs that correspondents are not required to determine information about individual customers of the respondent, but about customer groups (e.g. retail customers, institutional customers).

8.17 c): “Assess the respondent institution's AML/CFT controls. This implies that the correspondent should carry out a qualitative assessment of the respondent’s AML/CFT control framework, not just obtain a copy of the respondent’s AML policies and procedures. In line with the risk-based approach, where the risk is especially high and in particular where the volume of correspondent banking transactions is substantive, the correspondent should consider on-site visits and/or sample testing to be satisfied that the respondent’s AML policies and procedures are implemented effectively.”

Assess the respondent institution's AML/CFT controls. This implies that the correspondent should carry out a qualitative assessment of the respondent’s AML/CFT control framework, not just obtain a copy of the respondent’s AML policies and procedures. In line with the risk-based approach, where the risk is especially high and in particular where the volume of correspondent banking transactions is substantive, the correspondent should consider on-site visits and/or sample testing to be satisfied that the respondent’s AML policies and procedures are implemented effectively.”

Need for more clarity. On-site visits may not be carried out between competing banks for reasons relating in particular to the respect of competition rules and business secrecy. Firms may not take the place of the supervisor. The same observation is made with respect to procedures and policies. Moreover, considering that the correspondent does not obtain detailed information on individual customers of the respondent, sample testing requirements are not realistic.

8.17 d): “Article 19 of Directive (EU) 2015/849 requires correspondents to take risk-sensitive measures to: d) Obtain approval from senior management, as defined in Article 3(12) of Directive (EU) 2015/849 before establishing new correspondent relationships and where material new risks emerge, such as because the country in which the respondent is based is designated as high risk under provisions in Article 9 of Directive (EU) 2015/849. The approving senior manager should not be the officer sponsoring the relationship and the higher the risk associated with the relationship, the more senior the approving senior manager should be. Correspondents should keep senior management informed of high-risk correspondent banking relationships and the steps the correspondent takes to manage that risk effectively.”

“[…] d) Obtain approval from senior management, as defined in Article 3(12) of Directive (EU) 2015/849 before establishing new correspondent relationships and where material new risks emerge, such as because the country in which the respondent is based where the respondent has its principal regulatory authority is designated as high risk under provisions in Article 9 of Directive (EU) 2015/849. […]”

Need for more clarity.

8.17 e) “Document the responsibilities of each institution. If not already specified in its standard agreement, the correspondents should conclude a written agreement including at least the following:”

For new business relationships, document the responsibilities of each institution. If not already specified in its standard agreement, the correspondents should conclude a written agreement including at least the following: For example:

Guideline 8.17 e should only be required for new business relationships and the subheadings e i) to e iv) should be examples rather than mandatory requirements. Certain restrictions to the service can be imposed during the KYC process or the ongoing monitoring and are usually communicated via Swift messages instead of a formal written agreement.

Respondents established in high-risk third countries, and correspondent relationships involving high risk third countries

8.20: “Correspondents should determine which of their relationships involve high-risk third countries, identified pursuant to Article 9(2) of Directive (EU) 2015/849.”

8.21: “Correspondents should also, as part of their standard CDD measures, determine the likelihood of the respondent initiating transactions involving high-risk third countries, including because a significant proportion of the respondent’s own customers maintain relevant professional or personal links to high-risk third countries.”

Please clarify what level of involvement is meant in guideline 8.20 and to what extent it goes beyond what is mentioned in 8.21.

In addition, Guideline 8.21 requires firms to determine the likelihood of the respondent initiating transactions involving high-risk third countries because a significant proportion of the respondent’s own customers maintain relevant professional or personal links to high-risk third countries. This is not feasible in practice since aside from the information provided by the respondent directly (through questionnaires, etc.), this would be KYCC. We suggest that the Guideline provides further details with regard to factors to be considered and “risk classification”. For example, is it enough to ask the question to the respondent directly and to rely on its response?

Need for more clarity. As a general comment, we consider that over-emphasis on a rules-based approach to AML/CFT can undermine implementation of FATF Recommendations and result in financial exclusion and damage to correspondent banking and global payment systems. This would be contrary to the stated objective that the 5AMLD regime for HRTCs is not to decrease legitimate payment flows. Mandatory requirements for EDD should therefore be carefully targeted to address the specific ML/TF risks they are meant to mitigate, in terms of both the scope of EDD triggers and the mandated EDD steps. We support a risk-based approach to EDD on correspondent banking relationships. However, this should focus on the respondent’s general risk exposure and mitigating control framework, and not require correspondent banks to conduct Know Your Customer’s Customers (KYCC). We do not consider that professional or personal links to HRTCs should, in

themselves, trigger EDD. These guidelines should not extend the scope of legal requirements. We do not consider that firms should be required to identify professional or personal links with certain countries as part of standard CDD measures. Current practice is that firms may seek to identify professional and personal links with certain countries but only on an exceptional basis, such as where specifically relevant to assessing the purpose of a high risk business relationship. We consider that there is a clear risk that requiring firms to identify such links as part of standard CDD measures could lead to discriminatory treatment on the basis of ethnicity or nationality (including mistaken perceptions of ethnicity or nationality).

8.23: “Unless the correspondent has assessed ML/TF risk arising from the relationship with the respondent as particularly high correspondents should be able to comply with the requirements in Article 18a(1) by applying Article 13 and 19 of Directive (EU) 2015/849.”

Further guidance is required on how firms can support financial inclusion through a proportionate and risk-based approach to EDD measures for correspondent banking in relation to HRTCs.

We support a risk-based approach to EDD measures in relation to correspondent banking, including in relation to HRTCs. Where a respondent is assessed to be exposed to exceptionally high ML/TF risk, we consider that firms may still choose to establish a correspondent banking relationship by mitigating this risk through their EDD correspondent banking measures and/or through supplementary risk-based EDD measures.

Respondents established in high-risk third countries, and correspondent relationships involving high risk third countries

8.24: “To discharge their obligation under Article 18a (1)(c) of Directive (EU)2015/849, correspondents should apply guideline 8.17(c) c) and take care to assess the adequacy of the respondent’s policies and procedures to establish their customers’ source of funds and source of wealth and carrying out onsite visits or sample-checks, or asking the respondent to provide evidence of the legitimate origin of a particular customer’s source of wealth or source of funds, as required.”

According to European legislation the determination of source of wealth/source of funds is required for certain types of customers only. In addition, if a bank cannot establish the source of funds/ source of wealth for its customer (respondent), it seems rather disproportionate to be required to do so for the customer’s customer.

We suggest amending this Guideline for consistency with the existing framework.

In addition, we consider that the drafting of the guidelines should be clarified to confirm that, for natural persons, ‘established in’ should be interpreted as ‘being resident’ and not just born in or a citizen of that country. We also consider that for financial firms, ‘established in’ should be interpreted as ‘the country where the respondent has its principal regulatory authority’.

8.25 c): “Requiring increased and more intrusive monitoring. Real-time monitoring of transactions is one of the EDD measures banks should consider in situations where the ML/TF is particularly increased. As part of this, correspondents should consider maintaining an ongoing dialogue with the respondent to develop a better understanding of the risks associated with the correspondent relationship and facilitate the rapid exchange of meaningful information, if necessary.”

8.25 c): “Requiring increased and more intrusive monitoring. Real-time monitoring of transactions is one of the EDD measures banks should may consider in situations where the ML/TF is particularly increased. As part of this, correspondents should consider maintaining an ongoing dialogue with the respondent to develop a better understanding of the risks associated with the correspondent relationship and facilitate the rapid exchange of meaningful information, if necessary.”

Enhanced monitoring is part of the mandatory EDD steps required for PEPs and is one of the risk-based EDD steps that firms will consider to mitigate other higher ML/TF risk situations. However, real-time monitoring is not the only type of enhanced monitoring (e.g. it is not explicitly required by 4AMLD article 20(b)(iii) as part of mandatory EDD for PEPs). The proposal to include real-time monitoring as a tool for higher-risk transactions (4.74 and 8.25) is in practice not realistic today. We believe that these GLs should be amended to be more aspirational than mandatory. Transaction Monitoring for AML purposes monitors a number of customer behaviours and their transactions over varying time periods normally daily, weekly and monthly. Therefore, it is not always possible to determine potentially suspicious activity

from a single transaction, as it is dependent on the specific circumstance or scenario that has generated the alert. When considering the potential volumes involved, the design and implementation of appropriate technical solutions for automated real time monitoring for AML purposes will be a significant undertaking for any financial institution. There is an aspiration in the industry to have sophisticated real-time, intelligent monitoring, but today an automatic system that would halt transactions if indicators show potential suspicion could either cause harmful disruption in payment flows (if the net is too tight) or be of no use (if the net is too loose).

Question 9: Do you have any comments on the proposed amendments to Guideline 9 for retail banks?

GL Section - Paragraph Proposal for amendment Justification

Enhanced customer due diligence

9.13 b): “Where the risk associated with a business relationship or occasional transaction is increased, banks must apply EDD measures. These may include: […] b) Identifying, and verifying the identity of, other shareholders who are not the customer’s beneficial owner or any natural persons who have authority to operate an account or give instructions concerning the transfer of funds or the transfer of securities.”

We kindly suggest clarifying/amending Guideline 9.13 b). Please also define the legal basis for the requirement to identify and verify the identity of other shareholders who are not the customer’s beneficial owner. It also remains unclear why this requirement (if it were necessary) should be limited to retail banks.

Need for clarity and consistency with existing legal obligation, without imposing additional regulatory requirements.

Pooled accounts

9.16: “Where a bank’s customer opens a ‘pooled account’ in order to administer funds that belong to the customer’s own clients, the bank should apply full CDD measures, including treating the customer’s clients as the beneficial owners of funds held in the pooled account and verifying their identities.”

Please provide more clarity on the definition and requirements for “pooled accounts”.

Some members are concerned that the requirements for ‘pooled accounts’ are disproportionate for customers such as care homes and local councils that manage the funds of people in care. Some members also seem to have difficulties in interpreting the definition and requirements for ‘pooled accounts’ specifically as they relate to accounts held by payment service providers that are used to transfer payments from a buyer (payer) to a merchant (payee). In the latter situation, the buyers’ payments pass through the payment

services provider’s account but are automatically transmitted further to the next recipient in accordance with the buyers’ original instructions. This particular situation, which technically falls under the requirements for ‘pooled account’, may be specifically excluded from the scope of these requirements. The requirement in Guideline 9.16 to verify the identity of the customer’s clients as the beneficial owners of funds held in the pooled account is not feasible in practice. In the case of pooled accounts, there are often several hundred beneficial owners who are constantly changing. The requirement to identify them regularly and/or verify their identity is hardly feasible. In more detail:

- As SiDD cannot be applied to customers that are not subject to the Directive, the guidance imposes more onerous requirements on lower risk situations. This is disproportionate and will have an impact on access to banking for customers such as care homes and local councils that manage the funds of people in care.

- The significant increased costs for firms to identify and verify the personal identity of all persons whose funds are held in the PCA will result in such products being pulled from sale; thus increasing costs and complexity for customers who will

subsequently have to manage a large number of designated accounts.

- There is inconsistency between the approach towards PCAs and correspondent banking; FATF has clearly stated that there is no requirement for firms to apply CDD on a respondent’s own customers, but the EBA’s guidance mandates that firms apply CDD on the customer’s own customers when providing a PCA (even though PCAs are generally lower risk than correspondent banking).

- The true threat posed by PCAs is that the account holder (solicitor, accountant etc.) is a professional enabler. Making firms identify and verify the persons whose funds are held in the PCA does nothing to detect or prevent professional enablers from abusing such products (given that the firm is entirely dependent on information provided by the customer as to whose funds are in the account). As such, the guidance significantly increases administrative burden for legitimate businesses but has no AML/CTF value.

9.18 c): “However, to the extent permitted by national legislation, where the risk associated with the business relationship is low and subject to the conditions set out below, a bank may apply SDD measures provided that: […] c) The ML/TF risk associated with the business relationship is low, based on the bank’s assessment of its customer’s business, the types of clients the customer’s business serves and the jurisdictions the customer’s business is exposed to, among other considerations;”

Please keep in mind that no legal requirement to perform KYCC exists.

Need for consistency.

9.18 e) – 9.19 a): “[…] e) the bank has taken risk-sensitive steps to be satisfied that the customer will provide CDD information and documents on its underlying clients that are the beneficial owners of funds held in the pooled account immediately upon request, for example by including relevant provisions in a contract with the customer or by sample-testing the customer’s ability to provide CDD information upon request. 9.19: Where the conditions for the application of SDD to pooled accounts are met, SDD measures may consist of the bank: a) identifying and verifying the identity of the customer, including the customer’s beneficial owners (but not the customer’s underlying clients);”

“[…] e) the bank has taken risk-sensitive steps to be satisfied that the customer will provide CDD information and documents on its underlying clients that are the beneficial owners of funds held in the pooled account immediately upon request, for example by including relevant provisions in a contract with the customer. In borderline cases, the bank may consider sample-testing the customer’s ability to provide CDD information upon request.

If the bank is satisfied and has contractually agreed to receive information about the beneficial owners upon first request, then there should be no expectation for further sample-testing. From our point of view, the requirement to include a provision in a contract with a customer stating that the customer will provide CDD information and documents on its underlying clients as beneficial owners of a pooled account upon first request should typically be sufficient. Guideline 9.19. e) should be amended accordingly.

Customers that offer services related to virtual currencies

“Firms should take into account the fact that apart from providers engaged in exchange services between virtual

It is suggested to clarify the scope of the term “virtual currencies”. Payment tokens only? Is EBA opting out deliberately digital


9.20: “Firms should take into account the fact that apart from providers engaged in exchange services between virtual currency and fiat currencies and Custodian Wallet Providers which are obliged entities under Directive (EU) 2015/849, the issuing or holding of virtual currencies remains largely unregulated in the EU and this increases the ML/TF risks.”

currency, as defined by Directive (EU) 2015/849, and fiat currencies and Custodian Wallet Providers which are obliged entities under Directive (EU) 2015/849, the issuing or holding of virtual currencies and more broadly virtual assets remains largely unregulated in the at EU level and this increases the ML/TF risks and the lack of a level playing field.”

assets like equity, commodity, hybrid assets? Is a risk-based classification intended, or is the guideline meant to apply equally to all mentioned types of virtual assets? Does EBA follow a technology-neutral approach in this respect? Are there any EBA provisions for peer-to-peer transactions? Does EBA intend to issue type-specific provisions on the handling/mitigation of risks related to the different providers and services (issuances of crypto-assets, exchanges, trading platforms, custody providers)? Do firms rely on the FATF guidance for a RBA to virtual assets and virtual assets providers?

More generally, further guidance is required for regulated virtual currency businesses themselves (i.e. not in terms of customer risk factors but as sectoral guidance). It is increasingly important to fill the current gap in guidance given the proposal in the Commission’s AML Action Plan to harmonise the scope of EU regulation with FATF on this issue.

9.23: “To ensure that the level of ML/TF risk associated with such customers is mitigated, banks should not apply simplified due diligence measures. At a minimum as part of their CDD measures, firms should: a) Enter into dialogue with the customer to understand the nature of the business and the ML/TF risks it poses; b) In addition to verifying the identity of

“To ensure that the level of ML/TF risk associated with such customers is mitigated, banks should not apply simplified due diligence measures. At a minimum As as part of their CDD measures, firms should may, following a risk-based approach: a) Enter into dialogue with the customer to understand the nature of the business and

We do not consider that there should be a blanket prohibition on simplified due diligence for virtual currency business customers that have been assessed to be low risk. While virtual currencies generally pose heightened risks, this is also the case for sectors such as money service businesses and armaments, where simplified due diligence may be possible. In our view, additional due diligence or


the customer’s beneficial owners, carry out due diligence on senior management to the extent that they are different, including consideration of any adverse information; c) Understand the extent to which these customers apply their own customer due diligence measures to their clients either under a legal obligation or on a voluntary basis. d) Establish whether the customer is registered or licensed in an EEA Member State, or in a third country, and take a view on the adequacy of that third country’s AML/CFT regime; e) Finding out whether businesses using ICOs in the form of virtual currencies to raise money are legitimate and, where applicable, regulated.

the ML/TF risks it poses; b) For higher risk relationships, In addition to verifying the identity of the customer’s beneficial owners, carry out consider due diligence on senior management to the extent that they are different from the customer’s beneficial owners, including consideration of any adverse information. Such due diligence is not required where the customer is listed on a regulated market and/or regulated in an equivalent jurisdiction;

c) Understand the extent to which these customers apply their own customer due diligence measures to their clients either under a legal obligation or on a voluntary basis. d) Establish whether the customer is registered or licensed in an EEA Member State, or in a third country, and take a view on the adequacy of that third country’s AML/CFT regime; e) Finding out whether businesses using ICOs in the form of virtual currencies to raise money are legitimate and, where applicable, regulated.

adverse media checks should be required on senior management of virtual currency businesses, only as part of risk-based EDD. For example, if a virtual currency business is listed on a regulated market and/or regulated in an equivalent jurisdiction then such EDD should not be required, as already addressed through fit-and-proper checks and licensing, etc.

Further guidance is required on the adequate measures that firms should take in response to privacy-enhancing features of some virtual currencies and exchanges. In addition, we believe that further guidance and recommendations could also be directed towards virtual currency businesses on how they can support proportionate and effective risk assessment and CDD in relation to privacy-enhancing features.

Question 10: Do you have any comments on the proposed amendments to Guideline 10 for electronic money issuers?


GL Section - Paragraph Proposal for amendment Justification

10.4 b) ii): “The following factors may contribute to increasing risk: […] b) Funding method: the product can be […] ii) funded with payments from unidentified third parties;”

10.6. e): “The following factors may contribute to increasing risk: […]

The product is not used for the purpose it was designed for, for example it is used overseas when it was designed as a shopping centre gift card.”

It is not certain whether all the scenarios mentioned are in fact realistic. For example, please refer to the increasing risk factor under Guideline 10.6 e): how would a shopping centre gift card be used overseas? And how would an e-money product be funded with payments from unidentified third parties (Guideline 10.4 b) ii))?

Need for clarity.

Customer Due Diligence measures

10.11. b): “Firms should apply CDD measures to: […] b) Additional card holders. Where products are linked to multiple cards, firms should establish whether they have entered into one or more business relationships, and whether additional card holders could be beneficial owners.”

It would be helpful to clarify when the existence of additional card holders could be an indicator of having entered into more than one business relationship or that these additional card holders could be beneficial owners. In addition, it is not clear why it is required to identify whether the card holder could be a beneficial owner.

Need for more clarity.

Customer due diligence measures

10.14 a) and d): “Examples of the types of monitoring systems firms should put in place include: a) transaction monitoring systems that detect anomalies or suspicious patterns of behaviour, including the unexpected use of the product in a way for which it was not designed; the firm may be able to disable

It is unclear how a transaction monitoring system can detect unexpected use of the e-money product in a way for which it was not designed; please clarify to what scenarios the text is referring to. Please also define what is meant by “on-chip control”. In addition, it is not sure whether monitoring

Need for clarity.


the product either manually or through on- chip controls until it has been able to satisfy itself that there are no grounds for suspicion; […]d) systems that identify whether the product is used with merchants dealing in goods and services that are associated with a high risk of financial crime;”

systems exist, that can identify if a product is used with merchants dealing in goods and services that are associated with a high risk of financial crime (d).


Question 11: Do you have any comments on the proposed amendments to Guideline 11 for money remitters?

The country of an IP address might be a factor for fraud prevention, but it is not by itself a factor that leads to a higher ML/TF risk. Please refrain from extending EDD requirements also to cases where an IP address of an HRTC is used.

GL Section - Paragraph Proposal for amendment Justification

Country or geographical risk factors

11.11 a): “The following factors may contribute to increasing risk: a) The payer or the payee is located, or the transaction is executed from an IP address, in a jurisdiction associated with higher ML/TF risk. Firms should pay particular attention to jurisdictions known to provide funding or support for terrorist activities or where groups committing terrorist offences are known to be operating, and jurisdictions subject to financial sanctions, embargoes or measures that are related to terrorism, financing of terrorism or proliferation.”

“[…] a) The payer or the payee is located , or the transaction is executed from an IP address, in a jurisdiction associated with higher ML/TF risk. Firms should pay particular attention to jurisdictions known to provide funding or support for terrorist activities or where groups committing terrorist offences are known to be operating, and jurisdictions subject to financial sanctions, embargoes or measures that are related to terrorism, financing of terrorism or proliferation.”

The country of an IP address might be a factor for fraud prevention, but it is not by itself a factor that leads to a higher ML/TF risk. Please refrain from extending EDD requirements also to cases where an IP address of an HRTC is used.

11.13 c): “Firms should in any case put in place: c) systems to permit as far as possible the establishment of the source of funds and the destination of funds;

c) systems to permit as far as possible the establishment of the source of funds and the destination of funds;

We suggest deleting this point. This requirement is impossible and would again expand existing legal obligations towards KYCC.


Question 12: Do you have any comments on the proposed amendments to Guideline 12 for wealth management?

GL Section - Paragraph Proposal for amendment Justification

Product, service and transaction risk factors

12.4 b), d) and g): “The following factors may contribute to increasing risk: […] b) very high-value transactions; […] d) lending (including mortgages) secured against the value of assets in other jurisdictions, particularly countries where it is difficult to ascertain whether the customer has legitimate title to the collateral, or where the identities of parties guaranteeing the loan are hard to verify; […] g) cross-border arrangements where assets are deposited or managed in another financial institution, either of the same financial group or outside of the group, particularly where the other financial institution is based in a jurisdiction associated with higher ML/TF risk. Firms should pay particular attention to jurisdictions with higher levels of predicate offences, a weak AML/CFT regime or weak tax transparency standards.”

Please clarify the term “very high-value transaction”.

From an AML perspective, it is not clear why the fact that it is difficult to ascertain whether a customer has legitimate title to collateral should be a risk-increasing factor (d). We recommend deleting this requirement. Why should the fact that assets are deposited or managed in another group entity be a risk-increasing factor (g)? Banks are obliged to ascertain group-wide unified AML/TF standards.

Need for clarity.

Enhanced customer due diligence

12.8 a): “To comply with Article 18a in respect of relationships or

Please clarify when the requirement to obtain “more information about clients” is fulfilled, as well as the expectations towards

Need for clarity.


transactions involving high-risk third countries, firms should apply the EDD measures set out in this regard in Title I. a) Obtaining and verifying more information about clients than in standard risk situations and reviewing and updating this information both on a regular basis and when prompted by material changes to a client’s profile. Firms should perform reviews on a risk-sensitive basis, reviewing higher risk clients at least annually but more frequently if risk dictates. These procedures may include those for recording any visits to clients’ premises, whether at their home or business, including any changes to client profile or other information that may affect risk assessment that these visits prompt.”

banks in this context.


Question 13: Do you have any comments on the proposed amendments to Guideline 13 for trade finance providers?

GL Section - Paragraph Proposal for amendment Justification

Transaction risk factors

13.10: “The following factors may contribute to increasing risk: […] c) Copy documents are used in situations where original documentation would be expected, without reasonable explanation. d) There are significant discrepancies in documentation, for example between the description of the type, quantity or quality of goods in key documents (i.e. invoices, insurance and transport documents) and actual goods shipped, to the extent that this is known.”

“The following factors may contribute to increasing risk: […] c) Copy documents are used in situations where original documentation would be expected, without reasonable explanation. d) There are significant discrepancies in documentation, for example between the description of the type, quantity or quality of goods in key documents (i.e. invoices, insurance and transport documents) and actual goods shipped, to the extent that this is known.”

We suggest deleting these points. Financial institutions do not inspect actual goods. Alternatively, the caveat ‘to the extent that this is known’ should be expanded to ensure future interpretation is not misconstrued.

13.10 g): “The following factors may contribute to increasing risk:[…] g) The agreed value of goods or shipment is over- or under-insured or multiple insurances are used.”

“The following factors may contribute to increasing risk:[…] g) The agreed value of goods or shipment is over- or under-insured or multiple insurances are used.”

We suggest deleting this point. Financial institutions are not in a position to determine over- or under-insurance.

Alternatively, the caveat ‘to the extent that this is known’ should be added, i.e. where the level of insurance appears unreasonable given the nature of the goods.

Additionally, we recommend that the ‘multiple insurances’ factor remains with the caveat ‘to the extent that this is known’.


13.10 l) The goods traded are destined to an embargoed country, to a prohibited end user, or in support of a prohibited end-user

The goods traded are destined to an embargoed country, to a prohibited end user or in support of a prohibited end-user

Further guidance is required on the definition of ‘prohibited end-user’.

Enhanced customer due diligence

13.20: “In other higher risk situations, banks must also apply EDD. As part of this, banks should consider whether performing more thorough due diligence checks on the transaction itself and on other parties to the transaction (including non-customers) would be appropriate.”

13.21: “Checks on other parties to the transaction may include: a) Taking steps to better understand the ownership or background of other parties to the transaction, in particular where they are based in a jurisdiction associated with higher ML/TF risk or where they handle high-risk goods. This may include checks of company registries and third party intelligence sources, and open source internet searches. b) Obtaining more information on the financial situation of the parties involved.”

“[…] As part of this, banks should consider whether performing more thorough due diligence checks on the transaction itself and if possible, on other parties to the transaction (including non-customers) would be appropriate.”

13.21: “Checks on other parties to the transaction may include: a) Taking steps to better understand the ownership or background of other parties to the transaction, in particular where they are based in a jurisdiction associated with higher ML/TF risk or where they handle high-risk goods. This may include checks of company registries and third party intelligence sources, and open source internet searches. b) Obtaining more information on the financial situation of the parties involved.”

Point b expands AML obligations to the “other party” of a trade finance transaction including ownership and background, as well as the financial situation. Such a requirement seems rather disproportionate and far beyond the regulations of the AML Directive, as there is usually no business relationship to the “other party” of a trade finance transaction. Collecting the proposed information about the other parties in the transaction, which could be the customer’s customers, would be challenging and in many cases impossible. Trade Finance is typically a complex multi-party operation in which the bank receives documents regarding the export/import transaction (bills of lading, invoices, packing lists etc.) and checks whether they comply with the agreed terms and international standards. Collecting information regarding also the other parties in the transaction, besides the customer of the bank, would increase the complexity and be very time-consuming.

13.22: “Checks on transactions may include: […] b) using professional judgement to consider whether the pricing of goods makes commercial sense, in particular in relation to traded commodities for which

“Checks on transactions may include: a) using third party or open source data sources, for example the International Maritime Bureau (for warning notices, bills of lading, shipping and pricing checks) or shipping lines’ free container tracking

The draft GLs propose that checks on transactions may include using professional judgement to consider whether the pricing of goods makes commercial sense and checking that the weights and volumes of goods being shipped are consistent with


reliable and up-to-date pricing information can be obtained;”

service to verify the information provided and to check that the purpose of the transaction is legitimate; b) where reliable and relevant price indices are available, using professional judgement on a risk-based approach to consider whether the pricing of goods is materially anomalous without a commercial rationale using professional judgement to consider whether the pricing of goods makes commercial sense, in particular in relation to traded commodities for which reliable and up-to-date pricing information can be obtained; c) b) checking that the weights and volumes of goods being shipped are consistent with the shipping method.”

the shipping method. In our view, a more proportional approach is needed.


Question 14: Do you have any comments on the proposed amendments to Guideline 14 for life insurance undertakings?

GL Section - Paragraph Proposal for amendment Justification


Question 15: Do you have any comments on the proposed amendments to Guideline 15 for investment firms?

GL Section - Paragraph Proposal for amendment Justification

15.1: “Investment firms should consider when providing or executing investment services or activities as defined in point (2) of Article 4(1) of Directive (EU) 2014/65 the following risk factors and measures alongside those set out in Title I of these guidelines. The sectoral guideline 12 may also be relevant in this context.”

“[…] The sectoral guideline 12 may also be relevant in this context. To the extent that investment firms do business with (parties related to) high risk jurisdictions, Guideline 15 should be read in alignment with art. 18a 5AMLD.”

For more consistency.

15.5 “15.5. The following factors may contribute to increasing risk:

c) The customer’s business, for example the customer’s funds are derived from business in sectors that are associated with a higher risk of financial crime, such as construction, pharmaceuticals and healthcare, the arms trade and defence, the extractive industries or public procurement.”

15.5. The following factors may contribute to increasing risk:

c) The customer’s business, for example the customer’s funds are derived from transactions that closely match specific typologies for grand corruption, as set out in FATF and other authoritative studies on business in sectors that are associated with a higher risk of financial crime, such as construction, pharmaceuticals and healthcare, the arms trade and defence, the extractive industries or public procurement.

The examples of high-risk industries related to construction, pharmaceuticals and healthcare are very broad. In our experience, these industries are mainly exposed to ABC risk and will only impact risk assessment with regards to PEPs and in relation to specific typologies.


Question 16: Do you have any comments on the proposed amendments to Guideline 16 for providers of investment funds and the definition of customer in this Guideline?

At least funds that are publicly traded should be exempted. In any case, the guidelines seem too general and do not take into account the responsibilities of the various players according to the distribution scheme, particularly when the asset manager does not have access to investors.

GL Section - Paragraph Proposal for amendment Justification

16.1: “The provision of investment funds can involve multiple parties, such as the fund manager, appointed advisers, the depositary and sub-custodians, registrars and, in some cases, prime brokers. Similarly, the distribution of these funds can involve parties such as tied agents, advisory and discretionary wealth managers, platform service providers and independent financial advisers.”

“[…] Similarly, the distribution of these funds can involve parties such as tied agents, advisory and discretionary wealth managers, platform service providers and independent financial advisers. To the extent that providers of investment funds do business with (parties related to) high risk jurisdictions, Guideline 16 should be read in alignment with art. 18a 5AMLD.”

For more consistency.

16.3. Investment funds may be used by persons or entities for ML/TF purposes:

a) Retail funds are often distributed on a non-face-to-face basis; access to such funds is often easy and relatively quick to achieve, and holdings in such funds can be transferred between different parties.

16.3. Investment funds may be used by persons or entities for ML/TF purposes: a) Retail funds are often distributed on a non-face-to-face basis; access to such funds is often easy and relatively quick to achieve, and holdings in such funds can be transferred between different parties.

It is not that easy to invest in and redeem a retail fund, in the sense of escaping AML obligations. The transfer of holdings requires that both parties are identified and go through watchlist screening.


b) Alternative investment funds, such as hedge funds, real estate and private equity funds, tend to have a smaller number of investors, which can be private individuals as well as institutional investors (pension funds, funds of funds). Funds that are designed for a limited number of high-net-worth individuals, or for family offices, can have an inherently higher risk of abuse for ML/TF purposes than retail funds, since investors are more likely to be in a position to exercise control over the fund assets. If investors exercise control over the assets, such funds are personal asset-holding vehicles, which are mentioned as a factor indicating potentially higher risk in Annex III to Directive (EU) 2015/849.

b) Alternative investment funds, such as hedge funds, real estate and private equity funds, tend to have a smaller number of investors, which can be private individuals as well as institutional investors (pension funds, funds of funds). In this case, funds that are designed for a limited number of high-net-worth individuals, or for family offices, can have an inherently higher risk of abuse for ML/TF purposes than retail funds, since investors are more likely to be in a position to exercise control over the fund assets. If investors exercise control over the assets, such funds are personal asset-holding vehicles, which are mentioned as a factor indicating potentially higher risk in Annex III to Directive (EU) 2015/849.

This paragraph should only apply to those AIFs with a small number of investors – it is unlikely that in the case of AIFs sold to a large number of investors any of those would solely exercise control over the fund.

16.7: The following factors may contribute to reducing the risk associated with the fund: b) The fund is open to small-scale investors only, with investments capped.

Need for clarification: GL 16.7 b) seems contrary to GL 16.5 a), whereby “The following factors may contribute to increasing the risk associated with the fund: The fund is designed for a limited number of individuals or family offices, for example a private fund or single investor fund”.

16.12: The following factors may contribute to increasing risk: a) The customers’ or beneficial owners’ funds have been generated in jurisdictions associated with higher ML/TF risk, in particular those associated with higher levels of predicate offences to money laundering.

a) The customers’ or beneficial owners’ funds have been generated located in jurisdictions associated with higher ML/TF risk, in particular those associated with higher levels of predicate offences to money laundering.

Firms can be expected to cover knowledge about the countries of origin or destination of the funds, but firms cannot sufficiently cover knowledge about all those countries in which clients generate funds. We suggest replacing the wording "generated" with "from or to" as it


seems disproportionate.

16.15: In the situations described in guidelines 16.14 (a) and (b), examples of EDD measures a fund or fund manager should apply in high-risk situations include: f) requiring that the first payment is made through a payment account held in the sole or joint name of the customer with an EEA-regulated credit or financial institution or a regulated credit or financial institution in a third country that has AML/CFT requirements that are not less robust than those required by Directive (EU) 2015/849;

Proposal for amendment f) requiring that the first payment is made through a payment account held in the sole or joint name of the customer with an EEA-regulated credit or financial institution or a regulated credit or financial institution in a third country that has AML/CFT requirements that are not less robust which impose requirements equivalent than those required by Directive (EU) 2015/849


Question 17: Do you have any comments on the additional sector-specific Guideline 17 on crowdfunding platforms?

GL Section - Paragraph Proposal for amendment Justification

17.5: The CSP should take into account the following risk factors as potentially contributing to reduced risk:

a) The CSP requires that funds for investment, redemption, lending, or repayment are verifiably drawn from, or sent to, an account held in the customer’s sole or joint name at a credit institution or financial institution, or a payment institution authorised under Directive (EU) 2015/2366, subject to AML/CFT requirements not less robust than those required by Directive (EU) 2015/849.

Need for clarification : GL 17.5 (a) seems to create a form of reliance on banks that does not exist in interbank relations. If our understanding is good, we would like GL to clarify the basis of this reliance and what justifies it.

17.5 f): The CSP does not allow the creation of multiple accounts on the crowdfunding platform.

Need for clarification: GL 17.5 f) limits the business model of CSPs, even though it is true that money laundering schemes can be facilitated by the creation of several accounts by the same person under straw men names or shell companies. We propose that GL 17.5 (f) be reworded so that it does not have perverse effects.

Customer due diligence

17.16: “CSPs that rely on credit institutions or financial institutions to collect funds from or transfer funds to customer, should refer to the distribution channel risk factors in Title I and in particular, satisfy themselves that these credit institutions or financial institutions have put in place appropriate customer due diligence measures.”

CSPs must not rely on credit institutions or financial institutions to satisfy themselves that these credit institutions or financial institutions have put in place appropriate CDD measures if there is not an agreement between them to delegate the application of CDD measures. They should have the same obligations as other obliged entities. If this is not the intended meaning of this paragraph, please explain in more detail.

Need for more clarity.

Question 18: Do you have any comments on the additional sector-specific Guideline 18 on account information and payment initiation service providers?

As a general comment, we propose that GL 18 distinguish between the requirements for PISPs and those for AISPs.

Indeed, their situations are quite different:

- AISPs only aggregate accounts and don't handle any transactions.
- PISPs, on the other hand, are only involved in a particular payment transaction.

GL Section - Paragraph Proposal for amendment Justification

18.1. When applying this Guideline, firms should have regard to the definitions referred to in point 18 and 19 of Article 4 of Directive (EU) 2015/2366 in accordance with which: a) a payment initiation service provider (PISP) is a payment service provider pursuing payment initiation services; b) an account information service provider (AISP) is a payment service provider offering account information services

It appears that the guideline applies without distinction to PISPs and AISPs.

It should however be noted that, in practice, market players offering AIS only or on a stand alone basis will have a substantially different risk analysis compared to those operators that also include PIS in their offering.

Guideline 18, as currently proposed, does not reflect this reality (e.g., cf. response to paragraph 18.13).

18.2: “Firms should take into account that despite PISPs and AISPs being obliged entities under Directive (EU) 2015/849, the inherent ML/TF risk associated with them is limited due to the fact that:

a) PISPs, although being involved in the payment chain do not execute themselves the payment transactions and do not hold payment service user’s (PSU) funds;

b) AISPs are not involved in the payment chain and do not hold payment service user’s funds.”

It would be useful to amend the text of the GLs so as to support various models of TPP service provision and be future-proofed to encourage innovation and manage emerging ML/TF risks.

Moreover, further guidance is required on a wider range of models, including where existing credit institutions and payment service providers offer TPP services, and where PISPs contract with merchants to provide dedicated e-commerce facilities. Further sectoral guidance could be provided on how PISPs, AISPs and credit institutions can comply with their wider financial crime requirements (e.g. financial sanctions screening and suspicious activity reporting). Inherent ML/TF risk will vary according to the model of TPP service provision.

As a general observation, these draft GLs seem directed at a particular model of PISP and AISP / Third Party Provider (TPP) service provision (e.g. assuming that there is an enduring business relationship and that PISP or AISP do not hold payment service users’ funds). A ‘one-size-fits-all’ approach (e.g. in respect of imposing the same ongoing CDD and transaction monitoring on all TPPs, regardless of the services they are providing) could risk pushing smaller players out of the market and therefore reducing competition.

The final guidelines should not privilege any one model of TPP service provision and be future-proofed to support innovation and manage emerging ML/TF risks. For example, PISP technical specifications in certain countries restrict the availability of data relevant for CDD (e.g. in the UK, based on the Open Banking Implementation Entity’s technical specifications a pure PISP will receive data on currency, amount of the transaction, classification of transaction and in certain instances the shipping address from the merchant). These data restrictions can mean that there is insufficient information for such PISPs to conduct CDD on the payment user, to have an ongoing business relationship with the payment user, or to connect future transactions by the same payment user in order to identify linked transactions.


Measures

18.8: “The customer is:

a) For PISPs: the customer is the natural or legal person who holds the payment account and request the initiation of a payment order from that account the (Payment service user).

b) For AISPs: the customer is the natural or legal person who has the contract with the AISP. This can be the natural or legal person who holds the payment account(s).”

Further guidance is required on how PISPs should determine whether there is an enduring business relationship and how AISPs and PISPs should seek to identify linked transactions.

We understand that the current interpretation of the customer for AML/CFT purposes may vary between models of TPP service provision. For example, credit institutions providing TPP services to their customers will typically treat the payment service user as the customer, while the Electronic Money Association has proposed that the customer will often be the merchant that a PISP contracts with to provide e-commerce facilities. This variety of interpretation complicates cross-industry collaboration to facilitate innovation and address ML/TF risks. Challenges to cross-industry collaboration have previously arisen with regard to credit institutions and money service businesses, but these were arguably less complicated as both sectors interpreted the customer to be the payment service user. Variety of interpretation may be related to the variety and evolution of TPP service provision models. For some of these models, CDD on the payment service user will have already been conducted by credit institutions and payment service providers offering TPP services to their customers, while in other models PISPs contracting with a merchant may not have an enduring business relationship with the payment service providers using the merchant’s e-commerce site.

Access to information relevant to CDD will also vary between models of TPP service provision (e.g. information on the payment service user, purpose and nature of an enduring business relationship or occasional transaction, indications of linked transactions, etc). As noted above, these data restrictions can mean that there is insufficient information for such PISPs to conduct CDD on the payment user, to have an ongoing business relationship with the payment user, or to connect future transactions by the same payment user in order to identify linked transactions.

18.11 etc. : “Monitoring: As part of their CDD processes, PISPs and AISPs should ensure that their AML/CFT systems are set up in a way that alerts them to unusual or suspicious transactional. Even without holding significant information on the customer, PISPs and AISPs should use their own, or third party typologies, to detect unusual transactional activity. [… ]”

We propose to align Guideline 18 with existing frameworks for PISPs and AISPs to avoid duplications and overlaps. Moreover, access to information relevant to CDD (including ongoing CDD and transaction monitoring) will vary between models of TPP service provision (e.g. information on the payment service user, purpose and nature of an enduring business relationship or occasional transaction, indications of linked transactions, etc). Further guidance is required on how PISPs should seek to identify linked transactions.

Sector-specific Guideline 18 requires PISPs and AISPs to monitor unusual or suspicious transactional activity. However, we consider that AISPs and PISPs should not be required to conduct monitoring in the same way as Account Servicing Payment Service Providers (ASPSPs).

Transactional activity is performed only in case of payment initiation and such activity is already monitored; the ASPSP of the payment service user (PSU) has AML/CFT systems in place to monitor the payment flow. The ASPSP also controls the data on who or what the PSU is (because the ASPSP services the PSU account) and the data on payment details and the payee (potentially the ultimate beneficiary). Furthermore, we consider that monitoring of all the visible PSU activity would require AISPs to adapt their systems and processes to read and analyse statements of the PSU made available to the ASPSP. This would be extremely expensive and time-consuming, and it would achieve little reduction in ML/TF risk. This disproportionate cost and friction could lead market participants to refuse to provide AIS at all, which would contradict the goal of PSD2 to foster competition in banking and payment markets.

We consider that PISP and AISP monitoring should be focused on identifying where open banking may contribute to ML/TF risks, and should not extend into monitoring wider PSU activity. Examples could include monitoring for indications of unauthorised access. In this way monitoring can support PISPs and AISPs in complying with AML/CFT obligations, such as by identifying linked transactions and relevant triggers for ongoing due diligence and enhanced due diligence.

Customer due diligence

18.13: “Pursuant to Article 13 of Directive (EU) 2015/849 each time an account is added, the AISP should ask the customer whether the account is his own account, a shared account, or a legal entity’s account to which the customer has a mandate to access (eg: an association, a corporate account).”

Obliged entities offering AIS on a stand-alone basis will have a substantially different risk analysis compared to those companies that also include PIS in their offering. In that framework, AISPs have a particular concern with regard to the requirement made in point 18.13 of the proposed guidelines. It is questionable what purpose this provision is meant to achieve.

1. For the services offered by an AISP, the information that would be obtained through such a request will not have any impact on the risk qualification of the customer. There is no higher or lower risk involved in obtaining access to an ‘own account’, a ‘shared account’ or one of a ‘legal entity’. If the account is indeed accessible for the customer (on the basis of the Strong Customer Authentication (‘SCA’) as required by the ASPSP holding the account), there is nothing to question or increase the risk in providing that customer the relevant account information.

2. Moreover, as the customer is using the SCA of the ASPSP in order to access a certain account, it is technically not possible for the AISP to verify the validity of this SCA for a particular account. If the AISP is made aware of the fact that the account is not the customer’s own account, but the account of a relative, or a legal entity, this will not enable a better detection of potential money laundering activities on this account on the basis of an AIS service only.

3. Finally, it has to be highlighted that there is no possibility for the AISP to verify and validate the information that would be provided by the customer in answer to such a question. There is no trusted source on the exact name of the holder of an account and the ASPSP does not provide this information through their API. Consequently, the AISP would have to rely on the information provided by the customer while such information could be intentionally wrong.

We therefore respectfully request the suppression of guideline 18.13 in order not to create obligations that are difficult to implement while in practice they will not lead to better ways of combating money laundering and/or terrorism financing.

Simplified customer due diligence

18.15: “Firms should always know the name of their customer. PISPs and AISPs and may consider applying SDD such as:

a) Relying on the source of funds as evidence of the customer’s identity where the payment account details of the customer are known, and the payment account is held at an EEA-regulated payment service provider;

b) Postponing the verification of the customer’s identity to a certain later date after the establishment of the relationship. In that case, firms should ensure that their policies and procedures set out at what point CDD should be applied;

c) Assuming the nature and purpose of the business relationship;”

We support the expectation that firms providing TPP services should always know the name of their customer.

It would be useful if EBA could provide some guidance on SDD notably:

- Clarifying the practical implications for credit institutions and PSPs
- Supporting anti-fraud controls
- Supporting effective and holistic AML/CFT controls across the wider regulated financial services sector, while avoiding discrepancies.

We consider that guidance on SDD should not create a new form of CDD reliance (as per Articles 25-27 of 5AMLD) for AISPs and PISPs without clarifying the practical implications for credit institutions and payment service providers. We consider that it is critical to the effectiveness of the overall regime that relying TPPs remain ultimately responsible for the CDD.

We consider that guidance on SDD should support anti-fraud controls as part of a secure Open Banking environment. Further guidance should be provided on how AISPs and PISPs can identify unauthorised or fraudulent access to the payment account, including unauthorised or fraudulent payment initiation.

We consider that guidance on SDD should support effective and holistic AML/CFT controls across the wider regulated sector and avoid creating opportunities for inappropriate regulatory arbitrage. Further guidance is required on at what point CDD should be applied to ensure alignment with similar SDD thresholds and time limits applied by credit institutions and payment service providers.

We consider that SDD assumptions about the nature and purpose of the business relationship will impact on the approach to ongoing CDD and transaction monitoring. Further guidance is required to ensure that SDD assumptions about the business relationship do not undermine monitoring for linked transactions and breaches of other SDD thresholds and time limits.

Question 19: Do you have any comments on the additional sector-specific Guideline 19 on currency exchanges?

GL Section - Paragraph Proposal for amendment Justification


Question 20: Do you have any comments on the additional sector-specific Guideline 20 on corporate finance?

As regards the provisions of Guideline 20.7, we note that firms are required to assess the integrity of directors, shareholders and other parties with significant involvement in the customer’s business and the corporate finance transaction. We would like to highlight that this is not workable in practice since this information is not obtained as part of on-boarding or customer review.

GL Section - Paragraph Proposal for amendment Justification

Customer and beneficiary risk factors

20.3. a): “Where offering corporate finance services, firms should take into account the following risk factors as potentially contributing to increased risk:

a) the ownership of the customer is opaque: for example, where ownership or control is vested in other entities such as trusts or Securitisation special purpose entity (SSPE);

…

c) where there is no evidence the customer has received a mandate or a sufficiently senior management approval to conclude the contract”

“[…] a) the ownership structure of the customer is opaque with no reasonable business reason: for example, where ownership or control is vested in other entities such as trusts or Securitisation special purpose entity (SSPE);

…

c) where there is no evidence that the firm has doubts concerning whether the customer has received a mandate or a sufficiently senior management approval to conclude the contract”

For more clarity.

For 20.3 c), firms may complete CDD but not enter into a mandate or engagement letter until some time after the commencement of the relationship. In such cases, firms should be allowed to take a risk-based approach on whether to obtain another form of evidence confirming the customer’s agreement to the relationship with the firm prior to the signing of the mandate, provided that the firm is satisfied that those individuals with whom it is dealing have authority to represent the customer.

20.3 c): where there is no evidence the customer has received a mandate or a sufficiently senior management approval to conclude the contract;

Proposal for amendment c) where there is no evidence the customer has received a mandate or a sufficiently senior management approval to conclude the contract;

This GL aims to manage a legal and operational risk and not a money laundering risk. We propose to delete the paragraph.


20.3 d): There are few independent means of verification of the customer’s identity

Need for clarification: Could the GLs provide examples of the situations that are being addressed?

20.3 e): misconduct such as securities fraud or insider trading is suspected: in such case, the assets themselves could be considered the proceeds of crime and liaison with the authorities is necessary.

Need for clarification about “liaison with the authorities is necessary”. Are we talking about suspicious transaction reports to financial intelligence units?

20.5 a): “The customer is: a) a legal person subject to enforceable disclosure requirements that ensure that reliable information about the customer’s beneficial owner is publicly available, for example public companies listed on stock exchanges that make such disclosure a condition for listing;”

No amendment, only highlight. It should be highlighted that this requirement is not always known to the firm. Additionally, there is no definition of “associated with”. This wording is too broad.

20.5: Where offering corporate finance services, firms should take into account the following risk factors as potentially contributing to increased risk:

a) the customer or their beneficial owner is based in, or associated with, jurisdictions associated with higher ML/TF risk. Firms should pay particular attention to jurisdictions with high levels of corruption.

Proposal for amendment :

Where offering corporate finance services, firms should take into account the following risk factors as potentially contributing to increased risk:

a) the customer or their beneficial owner is based in, or associated with, jurisdictions associated with higher ML/TF risk. Firms should pay particular attention to jurisdictions with high levels of corruption.

Firms are not obliged to identify the address of the beneficial owner nor its relations with jurisdictions associated with higher ML/TF risks. It would be a very heavy operational constraint. Additionally, the wording “associated with” is too broad.


Enhanced customer due diligence

20.7 a): “Where the risk associated with a business relationship or an occasional transaction is increased, firms should apply EDD measures such as beneficial ownership, and in particular any links the customer might have with politically exposed persons, and the extent to which these links affect the ML/TF risk associated with the business relationship;

a) Additional checks on customers’ ownership and control structure, beneficial ownership, and in particular any links the customer might have with politically exposed persons, and the extent to which these links affect the ML/TF risk associated with the business relationship;”

Proposal for amendment

“Where the risk associated with a business relationship or an occasional transaction is increased, firms should apply EDD CDD measures such as beneficial ownership such as beneficial ownership, and in particular any links the customer might have with politically exposed persons, and the extent to which these links affect the ML/TF risk associated with the business relationship; […]”

Need for more clarity.

Establishing beneficial ownership is a measure that relates to CDD, rather than a measure specific to EDD.

Additionally, it seems that the sentence is not complete (should apply CDD measures such as beneficial ownership…). Beneficial ownership is not a CDD measure.

Regarding the expression “any links the customer might have with politically exposed persons”, we suggest that the GLs use the definition set out in article 3.11 of the 4 AMLD: “persons known to be close associates”, which means: (a) natural persons who are known to have joint beneficial ownership of legal entities or legal arrangements, or any other close business relations, with a politically exposed person; (b) natural persons who have sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a politically exposed person.

Finally, please amend the GL so as to clarify the kind of “additional checks” envisaged.

20.7 b): “Assessments of the integrity of directors, shareholders, and other parties with significant involvement in the customer’s business and the corporate finance transaction;”

Proposal for amendment “Assessments of the integrity of directors, shareholders, and other parties with significant involvement in the customer’s business and the corporate finance transaction;”

It is very difficult for a bank to assess the integrity of the mentioned persons and this is not under the AMLD.

20.7 c): “Verification of the identity of other owners or controllers of a corporate entity;”

“Verification of the identity of other owners or controllers of a corporate entity;”

This GL seems disproportionate and constitutes a significant operational burden that is not based on AMLD provisions.

20.7 e): “Establishing the financial situation of the corporate client;”

e): “Establishing the financial situation of the corporate client;”

With regard to corporate finance products, financial institutions regularly assess the financial situation of the corporate client. However, those documents shall not be part of the CDD documentation.

20.7 f): Use of non-documentary forms of evidence, such as meetings with credible persons who know the individuals in question; such as bankers, auditors or legal advisors. Firms should consider if this evidence is sufficient to demonstrate that the customer has correctly represented their personal and financial circumstances. Where non-documentary evidence of this sort is used, a record setting out the basis on which decisions were reached should be kept

Need for clarification: Who is the individual referred to? How are credible persons identified and what could be their responsibilities?

20.7 i): “When taking part in securities’ issuance, the firm should seek to protect its own reputation by confirming that third-parties participating in selling securitisation instruments or transactions to investors have sufficient customer due diligence arrangements of their own in place.”

“When taking part in securities’ issuance, the firm should seek to protect its own reputation by confirming assessing that third-parties participating in selling securitisation instruments or transactions to investors have sufficient customer due diligence arrangements of their own in place.”

Firms should be required to perform an assessment of third party customer due diligence in cases of selling securitization instruments or transactions to investors.


For more information:

Roger [email protected]

Dagmara [email protected]

About the EBF

The European Banking Federation is the voice of the European banking sector, bringing together 32 national banking associations in Europe that together represent a significant majority of all banking assets in Europe, with 3,500 banks - large and small, wholesale and retail, local and international – while employing approximately two million people. EBF members represent banks that make available loans to the European economy in excess of €20 trillion and that reliably handle more than 400 million payment transactions per day. Launched in 1960, the EBF is committed to a single market for financial services in the European Union and to supporting policies that foster economic growth.

www.ebf.eu @EBFeu
