The EBA draft on the AML package – Change is the only constant


On 6 March 2021, the European Banking Authority (EBA) opened a consultation on draft Level 2 texts under the AML Regulation and the 6th EU Money Laundering Directive. This article presents the drafts and the next steps.

1. The Commission’s consultation drafts and call for advice

The so-called AML package, consisting of the AML Regulation, the 6th Money Laundering Directive and the AMLA Regulation, provides for a large number of authorisations to adopt delegated regulations (Regulatory Technical Standards – RTS). Such RTS substantiate the more abstract requirements of the AML Regulation, the 6th EU Money Laundering Directive and the AMLA Regulation. The RTS are issued by the Commission and apply immediately in all member states after publication in the Official Journal of the EU, without the need for transposition. In most cases, the AML package provides that the newly established AMLA will prepare drafts of such RTS and submit them to the Commission for adoption (see, for example, Art. 16 (4) (1) AML-R: ‘The AMLA shall develop draft regulatory technical standards and submit them to the Commission for adoption by 10 July 2026.’).

Since the AMLA is currently still being set up, the Commission instructed the EBA in March 2024, as part of a call for advice, to prepare draft RTS and submit them to the Commission. The EBA is now complying with this instruction by presenting the draft RTS.

2. Content of the draft RTS

The EBA is presenting four RTS for consultation:

a) Draft RTS on the determination of the inherent and residual risk of obliged entities (Art. 40 (2) 6th Anti-Money Laundering Directive)

The risk-based approach applies not only to obliged entities but also to supervisory authorities. Article 40 (1) of the 6th Money Laundering Directive stipulates that national supervisory authorities shall apply a risk-based approach in the performance of their supervisory activities. The intensity and frequency of on-site investigations, for example, should be based on the obliged entities’ risk profile.

The draft RTS contain proposals for the methodology for determining the risk profile of the obliged entities. The EBA proposal amounts to a risk analysis by the supervisory authority of each individual obliged entity. The proposal sets out in detail which data points should be determined to assess the inherent risk and the security measures implemented. The EBA proposes that the supervisory authorities should derive an individual risk profile for each obliged entity from these data points (see Article 4 of the draft RTS on the assessment of the inherent and residual risk profile of obliged entities under Article 40(2) of the AMLD). The risk profile should be determined in a largely automated manner. The consultation draft contains an appendix with a form that should be used for this purpose.

If adopted in its current form, the draft could be a welcome tool for obliged entities. For example, it explicitly mentions the data points to be collected to determine the effectiveness of the safeguards (see Section B Annex I).

b) Draft RTS on risk assessment of credit and financial institutions directly supervised by the AMLA (Article 12(7) of the AMLA Regulation)

The AML package introduces direct supervision of obliged entities by a European authority for the first time. It is true that the EBA has already been granted a few powers for the financial sector. However, this did not involve direct supervision of obliged entities. In the future, the AMLA will directly supervise a group of 40 credit institutions, financial institutions and groups of credit and financial institutions (Art. 5 (2) of the AMLA Regulation). These obliged entities are determined on a risk-based and geographical basis, depending on the markets in which the credit institutions or financial institutions in question offer their products and services. Thus, only those institutions or groups of institutions are considered

  • that operate in at least six member states (cross-border or through a branch) (Art. 12 (1) AMLA-R) and
  • whose inherent risk profile is ‘high’ (Art. 13 (1) AMLA-R).

The EBA draft contains two specifications: firstly, the EBA proposes a procedure for determining the risk profile of the obliged entities in question (Art. 2 et seq. Draft RTS on the risk assessment for the purpose of selection of credit institutions, financial institutions and groups of credit and financial institutions for direct supervision under Article 12(7) of the AMLAR). Secondly, the draft contains a proposal for determining the scope of transactions in the case of cross-border offers (Art. 1 of the Draft RTS on the risk assessment for the purpose of selection of credit institutions, financial institutions and groups of credit and financial institutions for direct supervision under Article 12 (7) of the AMLAR). The EBA proposes here that a relevant offering in a member state should have either 200,000 customers or a transaction volume of over EUR 50,000,000.

c) Draft RTS on customer due diligence (Art. 28(1) AML Regulation)

One of the most significant changes for the obliged entities resulting from the AML package is the revision of the customer due diligence requirements, which are currently set out in sections 10 et seq. In the future, the requirements will be set out directly in the AML Regulation, in particular in Art. 24 et seq. The main purpose of the due diligence rules in the AML Regulation is to harmonise the KYC procedure within the Union (see, for example, recital 52 of the AML Regulation). According to Art. 28, the AMLA is to develop RTS to further specify the KYC procedure (‘RTS CDD’).

Overall, the EBA proposal contains only a few new elements. Articles 1-4 of the RTS CDD contain specifications regarding the data to be requested as part of the KYC. This may require adjustments to be made to data storage. Article 6 contains provisions on remote identification. Here, the RTS CDD essentially provides for the recognition of eIDAS-compliant procedures as permissible procedures if they have a level of protection of at least ‘substantial’ (Article 6 (1) RTS CDD). In addition, the use of the eID wallet is permissible. The draft RTS provides a list of necessary data points in the appendix. The video identification procedure, which is widespread in Germany, will probably also continue to be permitted. However, the consultation draft is unclear on this point. Alternative identification procedures are only to be permitted if an eIDAS-compliant procedure is not available or […] cannot reasonably be expected to be provided […].

The RTS CDD also contain rules on simplified customer due diligence measures (Article 33 of the AML Regulation). Here, the draft RTS merely specify the minimum data to be obtained in the case of low risk and the sources on the basis of which identification is permissible (Articles 18 et seq. RTS CDD). Overall, the AML Regulation significantly reduces the scope for facilitating customer relationships where the risk is low. The RTS CDD do not significantly facilitate the permissible measures here.

The RTS provide for a simplification in the handling of inventory data. Various obliged entities and associations had noted that it would not be economically feasible to update all KYC data by the date of application of the AML Regulation. The EBA has addressed this issue and provides for a transitional period in Art. 32 Subsec. 2 of the consultation draft, which is based on the risk assessment of the business relationship. Since the maximum time frame for updating customer data will be five years in the future (Art. 26 (2) AML Regulation), the KYC data of existing customers must also be updated to the standard provided for in the AML Regulation after five years at the latest.

The link between the areas of regulation on the prevention of money laundering and terrorist financing on the one hand and the implementation of restrictive measures on the other is new for the obliged entities. The AML Regulation stipulates for the first time that obliged entities must check whether customers are subject to targeted financial sanctions. The RTS CDD contain specifications regarding the extent to which, by which procedures and on which occasions a check must be carried out to determine whether a customer is subject to possible sanctions. For example, automated screening solutions should generally be used. However, in exceptional cases, the EBA also considers manual screening to be sufficient (Art. 29 lit. a) RTS CDD). The new rules are likely to be relevant primarily for obliged entities outside the financial sector. Obliged entities in the financial sector are subject to their own, usually stricter requirements, such as those set out in Art. 5d of the SEPA Regulation (‘Instant Payments Regulation’).

It is difficult to understand why the EBA has chosen a ‘principle-based approach’ when developing the RTS. This is in contrast to the objective of harmonising the KYC procedure, as pursued under the AML Regulation and the EBA’s reasoning.

d) Draft RTS on administrative measures and periodic penalty payments

The last draft RTS presented by the EBA relates to the fines, administrative measures and periodic penalty payments that the competent supervisory authorities may impose under Article 53 of the 6th Money Laundering Directive for infringements of the provisions of the AML Regulation or the Funds Transfers Regulation. Art. 53 para. 10 of the 6th AMLD provides that the AMLA should develop RTS setting out indicators for classifying the severity of infringements, criteria to be taken into account when determining the amount of administrative fines or the application of administrative measures, and a method for imposing periodic penalty payments, including their frequency.

In its draft, the EBA explicitly points out that, in its view, the current practice of sanctioning violations is inadequate. For example, more than half of the competent supervisory authorities have no internal guidelines for setting fines. The EBA therefore proposes a catalogue of criteria for determining, in particular, the seriousness of the misconduct. Furthermore, the draft contains provisions for taking into account the behaviour of the person to be sanctioned, such as their conduct after the infringement has been discovered.

3. Next steps

The EBA is accepting comments on the drafts on its website until 6 June 2025. After evaluating the drafts, the EBA is expected to make the final drafts available to the Commission in October. The Commission will then adopt the final acts as delegated regulations.


