The revised Guidelines published by the European Banking Authority (EBA) on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions (ML/TF Risk Factors Guidelines) are applicable as of 26 October 2021. The following article summarises what firms1 should now pay attention to.
For more information about the consultation paper that led to this final version of the ML/TF Risk Factors Guidelines, please refer to the relevant article of Frank Müller on our blog.
I. Why revising the original ML/TF Risk Factors Guidelines?
As a reminder, the original ML/TF Risk Factors Guidelines (JC/2017/37) have been published in 2017 in the form of joint Guidelines by the three European Supervisory Authorities2.
Since then, the applicable legislative framework in the EU has changed with the entry into force of the fifth anti-money laundering directive (AMLD5)3. Indeed, AMLD5 introduced several changes that warranted a review of the original Guidelines to ensure their ongoing accuracy and relevance, particularly in relation to the provisions on enhanced customer due diligence and high-risk third countries.
Moreover, new ML/TF risks such as the use of innovative solutions for customer due diligence purposes or terrorist financing risk factors have emerged.
Thus, it has been decided to update the original Guidelines to ensure their ongoing relevance and accuracy, and to support firms’ compliance efforts when it comes to fighting money laundering and countering terrorist financing.
II. What are the key additions/amendments operated by the ML/TF Risk Factors Guidelines?
We have summarized some of the key points of the revision below:
a) New sectors covered
First, it can be noted that the structure has not changed with a first Title containing general guidelines applying to all firms and a second Title containing sector-specific guidelines applying to the relevant sector-specific firms.
One major addition is related to these sector-specific guidelines that have been extended by the following sectors:
- regulated crowdfunding platforms;
- payment initiation service providers (PISPs) and account information service providers (AISPs);
- currency exchange offices;
- corporate finance
It should be noted here that risks factors described in each sectorial guideline are not to be considered as exhaustive, meaning that firms should take a holistic view of the risk associated with a specific situation and that isolated risk factors do not necessarily move a business relationship or occasional transaction into a higher or lower risk category.
b) Limited inherent ML/TF risk associated with PISPs and AISPS
In the ML/TF Risk Factors Guidelines, the EBA acknowledges that the inherent ML/TF risk associated with PISPs and AISPs is limited. However, EU law currently defines PISPs and AISPs as obliged entities. As a sort of compromise, the ML/TF Risk Factors Guidelines state that “In most cases, the low level of inherent risk associated with these business models means that simplified due diligence will be the norm”4.
Interestingly, the ML/TF Risk Factors Guidelines also state that when it comes to the data sets available to AISPs and PISPs, and where data that might be of importance for AML/CFT purposes is not available to AISPs and PISPs in the context of the second payment service directive “the Guidelines do not require that AISPs and PISPs pro-actively request such information”5.
c) New guidance
The ML/TF Risk Factors Guidelines include additional guidance, notably on the identification of beneficial owners, the use of innovative solutions to identify and verify customers’ identities, and how financial institutions should comply with legal provisions on enhanced customer due diligence related to high-risk third countries.
d) Non-face-to-face interactions
The ML/TF Risk Factors Guidelines now contain a section dedicated to non-face-to-face situations6, a topic that has of course gained more relevance during the pandemic where new technologies for identification and verification purposes were increasingly used.
In this context, it may be highlighted that according to the ML/TF Risk Factors Guidelines, the use of electronic means of identification does not itself give rise to increased ML/TF risk, which however does not prevent firms from being prepared to demonstrate to their competent authority that the use of a particular innovative solution is appropriate7.
III. What are the next steps to be considered by firms?
As outlined before, the Original Guidelines will be repealed and replaced by the ML/TF Risk Factors Guidelines upon the date of their application which will be the 26th of October 2021.
In this regard, firms should implement the ML/TF Risk Factors Guidelines in the framework of the preparation/review/application of their internal policies linked to ML/TF, also by considering the following takeaways:
Scope of application: firms should apply the changes to both future business relationships and existing customers appropriately, as risk assessment and mitigation is an ongoing process and professionals must ensure any new controls apply to both existing and new customer categories.
Non-exhaustive character: firms should bear in mind that the factors and measures described in ML/TF Risk Factors Guidelines are not exhaustive and that they should consider other factors and measures as appropriate.
Enhancement of tax crime understanding: according to the EBA, It is key for supervisors and firms to enhance their understanding of tax crimes and the risks related thereto, as there are substantial similarities between the techniques used to launder the proceeds of crimes and to commit tax crimes. In this regard, firms should notably consider the reports of EBA and/or ESMA on dividend arbitrage trading schemes (Cum-Ex/Cum-Cum schemes).
Financial inclusion and de-risking: The EBA notes that firms no longer need to discontinue services to entire customer categories they associate with a higher ML/TF risk (the so-called de-risking). Instead, financial institutions should balance the need for financial inclusion with the need to mitigate and manage ML/TF risk. The ML/TF Risk Factors Guidelines should help firms achieve this balance.
Finally, firms may want to verify how their competent supervisory authority will integrate the ML/TF Risk Factors Guidelines into their regulatory approach8, which can be done inter alia by consulting EBA’s compliance table.
 Credit institutions and financial institutions as defined in Article 3(1) and (2) of Directive (EU) 2015/849
 the European Securities and Markets Authority (ESMA), the European Insurance and Occupational Pensions Authority (EIOPA) and the EBA
 Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU
 Section 18.10 of the ML/TF Risk Factors Guidelines
 Section 21 of Final Report of the EBA on the ML/TF Risk Factors Guidelines
 Sections 4.29 to 4.37 of the ML/TF Risk Factor Guidelines
 Sections 4.31 and 4.36 of the ML/TF Risk Factor Guidelines
 In Luxembourg, the ML/TF Risk Factors Guidelines have been adopted b way of Circular CSSF 21/782. In Germany, there has been no statement yet.
Cover picture: Copyright © Anatoly