Circular CSSF 23/842  
Adoption of the revised  
guidelines, by the EBA, on  
money laundering and terrorist  
financing risk factors –  
complement of Circular CSSF  
21/782  
Circular CSSF 23/842  
Adoption of the revised guidelines, by the EBA, on money  
laundering and terrorist financing risk factors – complement of  
Circular CSSF 21/782  
This circular shall apply to credit and financial institutions as defined in Article 1(3) and (3a) of Title I  
of Chapter 1 of the Law of 12 November 2004 on the fight against money laundering and terrorist  
financing, as amended.  
Luxembourg, 16 October 2023  
Ladies and Gentlemen,  
The purpose of this circular is to inform you that the CSSF, in its capacity as competent authority,  
applies the European Banking Authority (“EBA”) guidelines amending (ref. EBA/GL/2023/03)  
(“amending Guidelines”) the EBA Guidelines on customer due diligence and the factors credit and  
financial institutions (“professionals”) should consider when assessing the money laundering and  
terrorist financing (“ML/TF”) risks associated with individual business relationships and occasional  
transactions (“Guidelines on ML/TF risk factors”) under Articles 17 and 18(4) of Directive (EU)  
2015/849 (EBA/GL/2021/02), published on 31 March 2023. Consequently, the CSSF has integrated  
the amending Guidelines into its administrative practice and regulatory approach with a view to  
promoting supervisory convergence in this field at European level.  
1. The Guidelines  
Indeed, following the publication, in January 2022, of an Opinion of the EBA on “de-risking”1, which  
assessed the scale of de-risking in the EU, and the impact of the professionals’ decisions to refuse  
to enter into or to terminate business relationships with individual customers or categories of  
customers associated with higher ML/TF risks, among which not-for-profit organisations (NPOs),  
and the European Commission’s request to the EBA to issue new guidelines on the steps institutions  
should take to facilitate access to financial services by NPOs, the EBA prepared dedicated amending  
guidelines (EBA/GL/2023/03) regarding customers that are NPOs. These have now been added as  
an annex to the Guidelines on ML/TF risk factors and are referred to under Guideline 2 (Identifying  
ML/TF risk factors – Customer risk factors), paragraph 2.7.(d) of the main body of the Guidelines  
on ML/TF risk factors, as amended.  
The purpose of the annex is to support the professionals in their understanding of the specificities  
of prospective or existing customers that are NPOs. Thus, they clarify the steps that the professionals  
should undertake to get a good understanding of how an individual NPO is set up and operates and  
what factors the professionals should consider when assessing the ML/TF risk associated with a  
business relationship with customers that are NPOs.  
1
Opinion of the European Banking Authority on ‘de-risking’ – CSSF  
CIRCULAR CSSF 23/842  
2/3  
 
The Guidelines are annexed to this circular and are also available on the EBA’s website at:  
https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Guideline  
s/2023/1054143/Amending%20GLs%20to%20the%20RFGLs%20in%20relation%20to%20NPOs.p  
df  
The consolidated version of the Guidelines on ML/TF risk factors (EBA/GL/2021/02), as amended, is  
available on the EBA’s website at:  
https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Guideline  
s/2023/EBA-GL-2023-03/1061654/Guidelines%20ML%20TF%20Risk%20Factors_conslidated.pdf  
This circular complements Circular CSSF 21/782.  
2. Scope of application  
This circular shall apply to credit and financial institutions as defined in Article 1(3) and (3a) of Title I  
of Chapter 1 of the Law of 12 November 2004 on the fight against money laundering and terrorist  
financing, as amended.  
3. Date of application  
The Guidelines introducing the annex are applicable as of 3 November 2023.  
Claude WAMPACH  
Marco ZWICK  
Jean-Pierre FABER  
Director  
Director  
Director  
Françoise KAUTHEN  
Director  
Claude MARX  
Director General  
Annex  
EBA/GL/2023/03 – Guidelines amending Guidelines EBA/2021/02 on customer  
due diligence and the factors credit and financial institutions should consider  
when assessing the money laundering and terrorist financing risk associated  
with individual business relationships and occasional transactions (‘The ML/TF  
Risk Factors Guidelines’) under Articles 17 and 18(4) of Directive (EU)  
2015/849  
CIRCULAR CSSF 23/842  
3/3  
EBA/GL/2023/03  
31 March 2023  
Final Report  
Guidelines  
amending Guidelines EBA/2021/02 on customer due diligence and  
the factors credit and financial institutions should consider when  
assessing the money laundering and terrorist financing risk  
associated with individual business relationships and occasional  
transactions (‘The ML/TF Risk Factors Guidelines’) under Articles 17  
and 18(4) of Directive (EU) 2015/849  
FINAL REPORT ON GUIDELINES AMENDING THE ML/TF RISK FACTORS GUIDELINES IN RELATION TO NPO  
Contents  
1. Executive summary  
3
4
2. Background and rationale  
3. Guidelines  
6
1.Compliance and reporting obligation  
2. Subject matter, scope and definitions  
3. Implementation  
8
9
9
4. Guideline on customers that are NPOs  
4. Accompanying documents  
9
13  
2
FINAL REPORT ON GUIDELINES AMENDING THE ML/TF RISK FACTORS GUIDELINES IN RELATION TO NPO  
1. Executive summary  
De-risking refers to decisions made by credit and financial institutions to refuse to enter into or to  
terminate business relationships with individual customers or categories of customers associated  
with higher money laundering and terrorist financing (ML/TF) risk.  
In January 2022, the EBA published an Opinion on the scale and impact of de-risking in the EU.1 This  
Opinion identified the main drivers of de-risking and the negative impact unwarranted de-risking  
can have on customers, including not-for-profit organisations (NPOs). It also highlighted the steps  
competent authorities and co-legislators should take to address unwarranted de-risking and  
mitigate its negative impact.  
The European Commission welcomed the EBA’s Opinion and asked the EBA to issue guidelines on  
the steps institutions should take to facilitate access to financial services by those categories of  
customers that the EBA’s analysis had highlighted as particularly vulnerable to unwarranted de-  
risking, in particular NPOs.  
These guidelines amend the Guidelines on ML/TF risk factors (EBA/GL/2021/02) and consist of an  
annex that sets out factors credit and financial institutions should consider when assessing the  
ML/TF risks associated with a business relationship with customers that are NPOs.  
Through these guidelines, the EBA fosters a common understanding by institutions and AML/CFT  
supervisors of effective ML/TF risk management practices and contribute to mitigate the adverse  
impact of de-risking on human relief efforts.  
Next steps  
The guidelines will be translated into the official EU languages and published on the EBA website.  
The deadline for competent authorities to report whether they comply with the guidelines will be  
two months after the publication of the translations. The guidelines will apply three months after  
publication in all EU official languages.  
1 EBA/Op/2022/01  
3
 
FINAL REPORT ON GUIDELINES AMENDING THE ML/TF RISK FACTORS GUIDELINES IN RELATION TO NPO  
2. Background and rationale  
.2.1 Background  
1. In January 2022, the EBA published an Opinion on de-risking.2 It assessed the scale of de-risking  
in the EU, and the impact of credit and financial institutions’ decisions to refuse to enter into or  
to terminate business relationships with individual customers or categories of customers  
associated with higher money laundering and terrorist financing (ML/TF) risks. The EBA found  
that, across the EU, de-risking affected a variety of customers or potential customers of  
institutions, including not-for-profit organisations (NPOs). The EBA made clear that de-risking of  
entire categories of customers, without due consideration of individual customers’ risk profiles,  
may be unwarranted and a sign of ineffective ML/TF risk management.  
2. The publication of the EBA Opinion on de-risking led the European Commission to ask the EBA  
to issue new guidelines on the steps institutions should take to facilitate access to financial  
services by NPOs.3 This coincided with the outbreak of the war in Ukraine, which further  
demonstrated the adverse impact of de-risking on humanitarian relief.  
3. To respond to the Commission’s request, the EBA prepared a dedicated annex on customers  
that are NPOs, which will be added to the Guidelines on ML/TF risk factors (EBA/GL/2021/02).  
4. The EBA consulted the public on a version of these guidelines between 6 December 2022 and 6  
February 2023. It received 25 responses.  
.2.2 Rationale  
5. The EBA is aware of reports that NPOs have faced difficulties in accessing financial services.  
These difficulties can lead to delays in programme delivery, and in some cases, the wind-down  
of programmes of NPOs. The EBA found in its Opinion on de-risking that the main drivers of  
credit and financial institutions’ decisions to de-risk NPOs or to restrict some of the services  
provided to them appeared to be related to institutions’ reluctance to service customers with  
links to jurisdictions that are associated with higher ML/TF risks or risks of breaching sanction  
regimes. The EBA also noted that institutions’ decisions to de-risk NPOs appeared to be related  
to the perceived complexities of their set-up and associated difficulties in obtaining the requisite  
customer due diligence (CDD) information.  
6. To address these issues, the EBA proposes to add an annex to the Guidelines on risk factors. This  
annex will clarify the steps that institutions should undertake to get a good understanding of  
how an individual NPO is set up and operates, as well as the factors credit and financial  
2 EBA/Op/2022/01  
3 ARES(2022)1932799  
4
 
FINAL REPORT ON GUIDELINES AMENDING THE ML/TF RISK FACTORS GUIDELINES IN RELATION TO NPO  
institutions should consider when assessing the ML/TF risks associated with a business  
relationship with customers that are NPOs. By clarifying regulatory expectations, the annex aims  
at supporting credit and financial institutions in their understanding of the specificities of  
prospective or existing customers that are NPOs.  
5
FINAL REPORT ON GUIDELINES AMENDING THE ML/TF RISK FACTORS GUIDELINES IN RELATION TO NPO  
3. Guidelines  
6
 
EBA/GL/2023/03  
31 March 2023  
Guidelines  
amending Guidelines EBA/2021/02 on customer due diligence and  
the factors credit and financial institutions should consider when  
assessing the money laundering and terrorist financing risk  
associated with individual business relationships and occasional  
transactions (‘The ML/TF Risk Factors Guidelines’) under Articles 17  
and 18(4) of Directive (EU) 2015/849  
FINAL REPORT ON GUIDELINES AMENDING THE ML/TF RISK FACTORS GUIDELINES IN RELATION TO NPO  
1. Compliance and reporting obligations  
Status of these guidelines  
1. This document contains guidelines issued pursuant to Article 16 of Regulation (EU) No  
1093/20104. In accordance with Article 16(3) of Regulation (EU) No 1093/2010, competent  
authorities and credit and financial institutions must make every effort to comply with the  
guidelines.  
2. Guidelines set the EBA view of appropriate supervisory practices within the European  
System of Financial Supervision or of how Union law should be applied in a particular area.  
Competent authorities as defined in Article 4(2) of Regulation (EU) No 1093/2010 to whom  
guidelines apply should comply by incorporating them into their practices as appropriate  
(e.g. by amending their legal framework or their supervisory processes), including where  
guidelines are directed primarily at institutions.  
Reporting requirements  
3. According to Article 16(3) of Regulation (EU) No 1093/2010, competent authorities must  
notify the EBA as to whether they comply or intend to comply with these guidelines, or  
otherwise with reasons for non-compliance, by [dd.mm.yyyy]. In the absence of any  
notification by this deadline, competent authorities will be considered by the EBA to be  
non-compliant. Notifications should be sent by submitting the form available on the EBA  
website with the reference ‘EBA/GL/2023/03. Notifications should be submitted by  
persons with appropriate authority to report compliance on behalf of their competent  
authorities. Any change in the status of compliance must also be reported to EBA.  
4. Notifications will be published on the EBA website, in line with Article 16(3).  
4 Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a  
European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing  
Commission Decision 2009/78/EC, (OJ L 331, 15.12.2010, p.12).  
8
 
FINAL REPORT ON GUIDELINES AMENDING THE ML/TF RISK FACTORS GUIDELINES IN RELATION TO NPO  
2. Subject matter, scope and definitions  
Definitions  
5. For the purposes of the amending guidelines, the following definition is added:  
Not-for-profit organisations  
A not-for-profit organisation is a legal person or  
arrangement or an organisation that primarily engages in  
raising or disbursing funds for purposes such as charitable,  
religious, cultural, educational, social or fraternal  
purposes.  
3. Implementation  
Date of application  
6. These guidelines will apply three months after publication in all EU official languages.  
4. Guideline on customers that are NPOs  
Guideline 2. 7(d) is replaced by the following:  
2.7.(d) Where the customer is a not-for-profit organisation (NPO), the firms should apply the  
criteria set out in the annex.  
The following annex is added:  
Annex: Customers that are NPOs  
1. When assessing the risk profile of a customer or prospective customer that is an NPO for the  
first time, firms should ensure that they obtain a good understanding of the NPO’s governance,  
how it is funded, its activities, where it operates and who its beneficiaries are. Not all NPOs are  
9
     
FINAL REPORT ON GUIDELINES AMENDING THE ML/TF RISK FACTORS GUIDELINES IN RELATION TO NPO  
exposed in a similar way to ML/TF risk, and firms should take risk-sensitive measures to  
understand:  
a) who controls the customer and who its beneficial owners are. As part of this, firms should  
identify the NPO’s trustees or equivalent, its governing body and any other individual who  
has control or influence over the NPO. For this purpose, firms should refer to information  
such as the legal status of the NPO, a description of the NPO’s governance set-up and/or a  
list of the legal representative(s).  
b) how the NPO is funded (private donations, government funds, etc.). For this purpose, firms  
should refer to information about the donor base, funding sources and fundraising  
methods, such as annual reports and financial statements.  
c) what the objectives of the customer’s operations are. For this purpose, firms should refer  
to information such as the customer’s mission statement, a list of its programmes and  
associated budgets, activities, and services delivered.  
d) which categories of beneficiaries benefit from the customer’s activities (for example,  
refugees, legal entities that receive assistance through the services of the NPO or similar).  
Documentation gathered for this purpose may include mission statements or campaign-  
related documents.  
e) what transactions the NPO is likely to request, based on its objectives and activity profile,  
including payment of staff or providers posted abroad, and the expected frequency, size,  
and geographical destination of such transactions. For this purpose, firms should refer to  
information such as organisational charts, explanations of the organisational structure of  
the NPO, a list of jurisdictions where the staff is paid and the number of employees to be  
paid in each of them.  
f) where the NPO conducts its programmes and/or operations, in particular whether the NPO  
conducts its activities only at domestic level, or in other jurisdictions associated with higher  
ML/TF risks and in high-risk third countries. For this purpose, firms should refer to  
information such as a list of all programmes, activities and services delivered by the NPO,  
as well as a list of geographical locations served, including its headquarters and operational  
areas. Firms should also assess, for the purposes of Guideline 8, whether the NPO’s  
transactions are likely to involve the execution of payments with a third-country institution.  
Risk factors  
2. When identifying the risk associated with customers that are NPOs, firms should consider  
at least the following risk factors and assess them on a risk-sensitive basis:  
Governance and exertion of control  
a) Does the NPO have a legal status under national law or the national law of another Member  
State? Is there any documentation that sets out its modalities of governance and identifies  
the NPO’s trustees, members of the governing body or any other individuals who exert  
control over the NPO?  
10  
FINAL REPORT ON GUIDELINES AMENDING THE ML/TF RISK FACTORS GUIDELINES IN RELATION TO NPO  
b) Does the legal structure of the NPO require, for its set up, the demonstration of the  
management capability of its treasurer or managers?  
c) Does the legal structure of the NPO require the annual disclosure of financial statements?  
Reputation/adverse media findings  
d) To what extent is it difficult for firms to establish the good reputation of the NPO and its  
managers? Is there a good reason why this may be difficult, for example because the NPO  
has been established only recently, for instance in the last 12 months?  
e) Has the NPO been linked by relevant, reliable and independent sources to extremism,  
extremist propaganda or terrorist sympathies and activities?  
f) Has the NPO been involved in misconduct or criminal activities, including ML/TF-related  
cases, according to relevant, reliable and independent sources?  
Funding methods  
g) Is the NPO’s funding transparent and accountable or difficult to trace? Does it publicly  
document its funding sources and are these subject to external audits?  
h) Do the NPO’s funding methods carry ML/TF risks? Does it rely entirely or largely on cash  
donations, crypto assets or crowdfunding? Or are the NPO’s sources of funds channelled  
through the payments system?  
i) Is the NPO funded partly or largely by private donors or donors from jurisdictions  
associated with higher ML/TF risks or high-risk third countries identified as having strategic  
deficiencies in their AML/CFT regime?  
Operations in jurisdictions associated with higher ML/TF risks and high-risk third countries  
j) Does the NPO operate or deliver assistance in jurisdictions associated with higher ML/TF  
risks (as assessed based on risk factors presented in Title I of these guidelines) or in high-  
risk third countries (as identified by the Commission pursuant to Article 9(2) of Directive  
(EU) 2015/849) or in conflict zones?  
k) In such situations, does the NPO rely on third parties or intermediaries to perform its  
activities and is it able to explain the nature of the discharge? In this context, is the NPO  
able to monitor and have adequate oversight of the discharge by these third parties?  
l) Is the business relationship with the NPO likely to involve the execution of transactions with  
a respondent institution located in jurisdictions associated with higher ML/TF risks or in  
high-risk third countries?  
11  
FINAL REPORT ON GUIDELINES AMENDING THE ML/TF RISK FACTORS GUIDELINES IN RELATION TO NPO  
3. Firms should also consider at least the following factors that may contribute to reducing  
risks:  
a) The roles and responsibilities of the NPO’s governing body and its managers are clearly  
documented.  
b) The NPO is legally required to annually disclose its financial statements or to issue an annual  
report that identifies the sources of funds, the main purpose of the NPO’s activities and the  
categories of beneficiaries of its programmes.  
c) The NPO can demonstrate it is or has been subject to independent reviews or external  
audits.  
d) The NPO has a good public reputation according to relevant, reliable and independent  
sources.  
e) The NPO receives fundings from governments, supranational or international organisations  
that are not associated with high-risk third countries or with jurisdictions with higher ML/TF  
risks, and the source of its funds can be clearly established.  
f) The NPO does not have any links with high-risk third countries, or if it has, the NPO can  
demonstrate that it has taken appropriate steps to mitigate the ML/TF risks (for instance,  
with the designation of staff responsible for AML/CFT compliance or the design of  
procedures to identify the NPO’s categories of beneficiaries and assess the ML/TF risks  
associated therewith).  
g) The NPO’s activities and beneficiaries do not expose it to higher ML/TF risks.  
h) The NPO only delivers assistance and support to individuals through direct material help,  
such as providing IT equipment or medical devices.  
4. In the event the NPO is conducting activities in jurisdictions subject to EU or UN sanctions,  
firms should establish whether the NPO benefits from any provisions related to humanitarian  
aid and derogations in EU/UN financial sanctions regimes, such as humanitarian exemptions or  
derogations. When deciding how to service these customers and in accordance with their own  
asset freezing obligations, firms should obtain evidence that provide reasonable assurance that  
the NPO conducts its activities in these jurisdictions in line with the exemptions provided in the  
regime, or that it benefits from a derogation granted by a relevant competent authority.  
5. For initial screening purposes and throughout the business relationship once it is  
established, firms should take the steps necessary to understand how the NPO operates and  
conducts its operations. Firms that are likely to have NPO customers, for example because they  
provide money transfer services or current account services, should consider establishing a  
dedicated contact point for this specific category of customers to have a good understanding of  
the way the sector is set up and operates.  
12  
FINAL REPORT ON GUIDELINES AMENDING THE ML/TF RISK FACTORS GUIDELINES IN RELATION TO NPO  
4. Accompanying documents  
.4.1 Cost-benefit analysis / impact assessment  
As per Article 16(2) of Regulation (EU) No 1093/2010 (EBA Regulation), any guidelines and  
recommendations developed by the EBA must be accompanied by an impact assessment (IA),  
which analyses ‘the potential related costs and benefits’.  
This analysis presents the IA of the main policy options included in this consultation paper on the  
draft guidelines amending Guidelines EBA/GL/2021/02 (‘the ML/TF Risk Factors Guidelines’ or  
‘RFGLs’) on customer due diligence and the factors credit and financial institutions should consider  
when assessing the money laundering and terrorist financing risk associated with individual  
business relationships and occasional transactions under Articles 17 and 18(4) of Directive (EU)  
2015/849 (‘The Draft Guidelines amending the RFGLs’ or ‘The Draft Guidelines’).  
The IA is at a high level and qualitative in nature.  
A. Problem identification and background  
In January 2022, the EBA published an Opinion on de-risking in which it assessed the scale and  
impact of de-risking in the EU5. De-risking in this context refers to decisions by credit and financial  
institutions to refuse to enter into or decisions to terminate business relationships with individual  
customers or categories of customers associated with higher money laundering and terrorist  
financing (ML/TF) risks. The EBA found that, across the EU, de-risking affected a variety of  
customers or potential customers of institutions. The EBA made clear that de-risking of entire  
categories of customers, without due consideration of individual customers’ risk profiles, may be  
unwarranted and a sign of ineffective ML/TF risk management.  
This Opinion led the European Commission to ask the EBA in a letter dated March 2022 to issue  
guidelines to ‘broaden the scope of such guidelines beyond the interaction of AML and Payment  
Accounts Directive (PAD) requirements, such as the de-risking related to the non-profit sector’. The  
Draft Guidelines are related to the non-profit sector.  
Following the Commission’s request, the EBA assessed existing EBA guidance, in particular its ML/TF  
RFGLs, which were revised in March 2021. The EBA performed a gap analysis to establish how best  
to respond to the Commission’s request without duplicating existing provisions. On this basis, the  
EBA recognised that several aspects would indeed benefit from further regulatory clarifications, as  
it pointed out in its Opinion on de-risking. In particular, the EBA assessed that one area in which  
new guidance would be necessary is the area related to NPO customers. That is because NPOs,  
5 Opinion of the European Banking Authority on ‘de-risking’, EBA/Op/2022/01.  
13  
 
FINAL REPORT ON GUIDELINES AMENDING THE ML/TF RISK FACTORS GUIDELINES IN RELATION TO NPO  
which are legal entities, are not covered by the rights provided by Directive 2014/92/EU (the  
Payment Accounts Directive).  
As such, following this gap analysis and to respond to the Commission’s request without duplicating  
existing provisions, the EBA, having consulted with the competent authorities that are responsible  
for the AML/CFT supervision of financial institutions, is proposing to add an annex to the ML/TF  
RFGLs, focusing on customers that are NPOs (‘The draft Guidelines amending the RFGLs’).  
B. Policy objectives  
The draft Guidelines amending the RFGLs aim to support credit and financial institutions in their  
understanding of the specificities of prospective or existing customers that are NPOs and in their  
assessment of the ML/TF risks associated with such customers.  
The draft guidelines amending the RFGLs, therefore, clarify the steps that institutions should take  
to get a good understanding of how an individual NPO is set up and operates, as well as the factors  
they should consider when assessing the ML/TF risks associated with a business relationship with  
customers which are NPOs. This is key to ensuring that financial institutions assess the risks  
associated with NPOs in an efficient and comprehensive manner and determine the types of  
transactions that will be expected in the course of the business relationship in order to avoid delays  
in transfers of funds, for instance.  
C. Options considered, assessment of the options and preferred options  
Section C presents the main policy options discussed and the decisions made by the EBA during the  
development of the Draft Guidelines amending the RFGLs. The advantages and disadvantages, as  
well as potential costs and benefits from the qualitative perspective of the policy options and the  
preferred options resulting from this analysis are outlined.  
Add a specific section for NPO  
The difficulties faced by NPOs in accessing financial services have been highlighted by several  
international reports.6  
These difficulties were also reported to the EBA during the series of information gathering exercises  
that it conducted in 2020-2021, in which NPOs raised the fact that they experienced obstacles to  
accessing financial services, such as the being unable to open bank account or facing extensive  
delays in cash transfers in certain high-risk jurisdictions. NPOs also indicated to the EBA that the  
reason for these difficulties was a stricter and risk-adverse application by the institutions of the  
AML/CFT requirement. On the other hand, some institutions reported to EBA that they indeed  
6 FATF, COMBATING THE ABUSE OF NON-PROFIT ORGANISATIONS (RECOMMENDATION 8) 2015; NYU Paris EU Public  
Interest Clinic, Bank De-Risking of Non-Profit Customers, 2021  
14  
FINAL REPORT ON GUIDELINES AMENDING THE ML/TF RISK FACTORS GUIDELINES IN RELATION TO NPO  
refused to provide financial services to NPOs because it was often difficult for them to understand  
their business model and structure, which can be very complex.  
Based on these observations, two options have been envisaged by the EBA:  
Option 1a: Adding a section in the RFGLs to guide institutions on conducting their due diligence  
of customers that are NPOs.  
Option 1b: Not adding a section in the RFGLs to guide institutions on conducting their due  
diligence of customers that are NPOs.  
As detailed in the EBA’s Opinion on de-risking, one of the main reasons mentioned by institutions  
for de-risking NPOs is that it is difficult to understand the NPOs’ structures and business models.  
Another key driver of the de-risking of NPOs is the fact that some of them have operations in high-  
risk jurisdictions. De-risking of NPOs has several consequences. For example, NPOs may struggle to  
access a bank account in order to operate or face difficulties in transferring funds in certain  
jurisdictions where the NPO operates. This has an impact on NPOs’ activities and the delivery of  
their programmes.  
In view of these challenges, which are very specific to this group of customers, the EBA saw merits  
in drafting guidelines dedicated to NPOs as part of the RFGLs. It should be stressed that NPOs’  
activities are essential for providing support and relief not only within the EU, but also across the  
globe. This includes the delivery of humanitarian aid in the context of war or natural disasters, as  
well as medical assistance and the provision of basic services to populations in need. While  
international reports highlight the fact that NPOs can be abused for terrorist financing purposes,  
not all NPOs are exposed to these risks, and the extent to which these risks can materialise varies  
greatly across NPOs. ML/TF risks associated with customers that are NPOs must therefore be  
carefully assessed.  
For the institutions, such individual risk assessment would require additional time to understand  
the business model of each NPO, thus incurring costs. However, this additional time would be  
compensated by the proposed new section in the RFGLs that provides guidance on the risk factors  
to consider when dealing with customers that are NPOs. Similarly, the EBA’s proposition to  
encourage financial institutions to have a dedicated contact point for NPOs, even though this could  
potentially incur initial costs in terms of resources and training, would facilitate and speed up this  
process and thus decrease related costs in the long term.  
Finally, costs will be exceeded by the reputational gain for the financial sector from serving a sector  
that is not for profit and whose aim is to provide support to populations in need. This will  
compensate for the often low level of financial income resulting from NPO relationships.  
For all these reasons, Option 1a has been chosen as the preferred option.  
15  
FINAL REPORT ON GUIDELINES AMENDING THE ML/TF RISK FACTORS GUIDELINES IN RELATION TO NPO  
D. Conclusion  
The development of the Draft Guidelines amending the RFGLs is necessary to provide specific  
support to institutions for the due diligence of NPOs, which often have a very complex structure  
and business model. These new guidelines will improve the due diligence process required at the  
onboarding stage and in the course of the business relationship, and ultimately will help to improve  
the social impact of credit and financial institutions. The costs associated with more granular,  
tailored customer due diligence policies and procedures will be more than offset by the afore-  
mentioned benefits. Hence, these new guidelines should achieve their objective of providing better  
and fairer access to financial services with acceptable costs.  
.4.2 Feedback on the public consultation  
The EBA consulted the public on the draft proposal contained in this paper. The consultation period  
lasted for two months and ended on 6 February 2023. 24 responses were received, of which 20  
were published on the EBA website. Respondents came from various backgrounds: credit and  
financial institutions, representatives of NPOs and representatives of NPO umbrella organisations.  
Several industry bodies made similar comments, or the same body repeated its comments in  
response to different questions. In such cases, the comments and the EBA analysis are included in  
the feedback table where the EBA considers appropriate.  
Changes to the draft guidelines have been incorporated as a result of the responses received during  
the public consultation. The amendments mainly clarify that:  
information should be provided in relation to categories of beneficiaries, not the  
beneficiaries themselves  
when identifying the risk associated with customers that are NPOs, firms should do this on  
a risk-sensitive basis  
where an NPO receives funds from government, supranational or international  
organisations that are not linked with high-risk third countries or jurisdictions associated  
with higher ML/TF risks, this may be considered as a factor that reduces ML/TF risk  
Some amendments have also been made to improve alignment with the EBA’s Guidelines on ML/TF  
risk factors.  
The following table presents a summary of the key points and other comments arising from the  
consultation, the analysis and discussion triggered by these comments, and the actions taken to  
address them if deemed necessary.  
16  
Final report Guidelines amending the ML/TF risk factors guidelines in relation to NPOs  
Summary of responses to the consultation and the EBA’s analysis  
Amendments to the GLs on ML/TF risk factors: Do you have any comments regarding the proposed annex on NPOs as part of the GLs on ML/TF risk  
factors?  
Guideline  
Summary of responses received  
EBA analysis  
Amendments to  
the proposal  
General comment A respondent recommended that the EBA could consider add- Given that Directive (EU) 2015/849 (AMLD) does not contain the require- None  
ing a legal entity identifier as a full requirement for customer ment for firms to obtain legal entity identifiers (LEIs), the EBA does not re-  
due diligence.  
quire their usage in these Guidelines either.  
General comment Several respondents recommended that the EBA should add These guidelines are primarily addressed to firms. Competent authorities None  
an extra section to the annex addressed to national compe- should use these guidelines when assessing the adequacy of firms’ risk as-  
tent authorities (NCAs) about communication with NPOs.  
sessments and AML/CFT policies and procedures. The EBA has already cov-  
ered CAs’ engagement with the NPO sector and its interaction with firms,  
in particular as part of the report on de-risking that it published in January  
2022.  
General comment One respondent said that it is unlikely that NPOs take out life These guidelines should be applied on a risk-sensitive basis. This means that None  
insurance policies for investment purposes. The respondent in lower-risk situations, firms can apply simplified due diligence (SDD)  
is therefore of the view that due diligence measures as de- measures in line with the general provisions and sectoral guidance in these  
scribed in the annex would not be proportionate.  
guidelines.  
General comment One respondent claimed that the due diligence process re- Due diligence is a requirement of the AMLD, and Article 11 requires entities None  
quired at the onboarding stage of NPOs was unreasonable subject to the directive to apply customer due diligence measures when  
and in conflict with Article 16 EU Charter of Fundamental establishing a business relationship, including with NPOs.  
Rights, which recognises the freedom to conduct a business.  
Definitions  
One respondent asked the EBA to clarify the difference be- The EBA has aligned its definition of NPOs with the one used by the FATF.  
tween NPOs and NGOs.  
None  
17  
Final report Guidelines amending the ML/TF risk factors guidelines in relation to NPOs  
Amendments to the GLs on ML/TF risk factors: Do you have any comments regarding the proposed annex on NPOs as part of the GLs on ML/TF risk  
factors?  
Paragraph 9  
Several respondents noted that not all information and docu- Paragraph 9 is already clear that ‘not all NPOs are exposed in a similar way None  
mentation listed in the paragraph is necessary in all cases and to ML/TF risk’ and that firms should take ‘risk-sensitive measures’ to under-  
that the need to obtain them in line with a risk-based ap- stand the NPO’s governance, how it is funded, its activities, where it oper-  
proach should be recognised. A suggestion was therefore to ates, and who its beneficiaries are.  
change should refermentioned in 9a) to f) into may refer.  
Paragraph 9  
Several respondents said that the types of information about The EBA agrees with the comments and has amended the guidelines as fol- Amendment of Par-  
the beneficiaries that can be requested by credit and financial lows:  
institutions should be clarified. It was indicated that humani-  
agraph 1.d. and 1.e.  
[paragraph 1.d. of the final version] which categories of beneficiaries ben-  
tarian organisations cannot share the list of individual benefi-  
ciaries with banks as they operate in accordance with Inter-  
national Humanitarian Law, which states that they must pro-  
vide assistance based on people’s needs alone, without dis-  
tinction. Similar concerns were raised in relation to NPOs’  
staff, as the required list of staff may endanger these persons  
if they are based in conflict zones for instance. The respond-  
ents also felt that sharing such details with banks would raise  
data protection concerns.  
efit from the customer’s activities (e.g. refugees, legal entities that receive  
assistance through the services of the NPO or similar) who the beneficiar-  
ies of the customer’s activities are. Documentation gathered for this pur-  
pose may include mission statements or campaign-related documents.  
1.e. what transactions the NPO is likely to request, based on its objectives  
and activity profile, including payment of staff or providers posted abroad,  
and the expected frequency, size, and geographical destination of such  
transactions. For this purpose, firms should refer to information such as or-  
ganisational charts, explanations of the organisational structure of the  
NPO, a list of jurisdictions where the staff is paid and the number of em-  
ployees to be paid in each of them. staff and beneficiaries for each of its  
activities.  
The new drafting also alleviates concerns over data protection issues.  
Paragraph 10  
Several respondents were of the view that the risk factors The EBA is of the view that the risk factors listed in this paragraph are all Amendment of par-  
listed in paragraph 10 do not need to be considered in all relevant to establish a risk profile. However, the EBA agrees that the level agraph 2  
cases. For instance, to establish the risk profile of newly es- of details to identify each of the risk factors should be determined following  
tablished or small NPOs, there may not be a need to assess a risk-based approach. Therefore, to clarify this further, the EBA has  
their reputation and obtain evidence of their management amended the guidelines as follows:  
capability or annual reports/financial statements. A sugges-  
[Paragraph 2 of the final version] When identifying the risk associated with  
tion was to redraft the start of paragraph 10 as follows: The  
customers that are NPOs, firms should consider at least the following risk  
18  
Final report Guidelines amending the ML/TF risk factors guidelines in relation to NPOs  
Amendments to the GLs on ML/TF risk factors: Do you have any comments regarding the proposed annex on NPOs as part of the GLs on ML/TF risk  
factors?  
following risk factors may be relevant to consider when iden- factors and assess them on a risk-sensitive basis. consider at least the fol-  
tifying the risk associated with clients that are NPOs.’  
lowing risk factors  
Paragraph 10 a.,  
b. and c.  
One respondent asked for a more precise and framed defini- Guideline 2.5. of the general section of the Guidelines on ML/TF risk factors, None  
tion of good reputation’.  
to which the Guidelines on NPOs are annexed, provides a list of risk factors  
that may be relevant when identifying the risk associated with a customer’s  
reputation.  
(Governance and  
exertion of con-  
trol)  
Another respondent was of the view that a lack of legal status  
should not be considered an increased risk for ML/TF, as  
within certain contexts registration may not be possible due Regarding the second comment related to legal status, the EBA notes that  
to reasons such as a lack of state mechanisms to legalise it would be unlikely that a credit or financial institution would agree to  
NGOs, laws that ban the registration of NPOs, politically mo- serve an NPO without any legal status. NPOs are legal entities, and this sta-  
tivated restrictions on some NPOs and concerns about secu- tus requires formalised set-ups in the EU.  
rity. Less established yet credible NPOs may also have fewer  
Regarding the third comment, the EBA is of the view that this aspect is cov-  
resources to comply with the burdensome registration re-  
ered in paragraph 11.f. of the guidelines, which specifies the factors that  
quirements.  
would decrease the risks associated with an NPO.  
Several respondents suggested adding a section that recom-  
mends reviewing the due diligence and risk management pro-  
cedures that NPOs have in place and considering the risk mit-  
igants NPOs operating in higher-risk jurisdictions have put in  
place to reduce or manage risk.  
Paragraph 10.e  
(Reputation/ad-  
verse media find-  
ings)  
Several respondents were concerned that these paragraphs Guidelines 1.29 to 1.32 of the general section of the Guidelines on ML/TF None  
did not account for the fact that NPOs can be the target of risk factors, to which the Guidelines on NPOs are annexed, provide exam-  
smear campaigns, even by the governments of the jurisdic- ples of sources of information that can be used to identify ML/TF risk. The  
tions in which they operate. In this context, the terms ‘rele- guidelines are clear that firms should refer to information from a variety of  
vant, reliable and independent’ may not be sufficiently clear sources and should not normally rely on only one source to identify ML/TF  
and should be better contextualised.  
risk. Potential sources include information from civil society, such as cor-  
ruption indices and country reports, and information from credible and re-  
liable open sources, such as reports in reputable newspapers.  
Paragraph 10.f.  
Several respondents were of the view that the focus of these To clarify this paragraph and to align it with the amendment introduced in Amendment of par-  
guidelines should be on (predicate offences to) ML and TF. paragraph 10.e., paragraph 10.f. is amended as follows: agraph 2.f.  
19  
Final report Guidelines amending the ML/TF risk factors guidelines in relation to NPOs  
Amendments to the GLs on ML/TF risk factors: Do you have any comments regarding the proposed annex on NPOs as part of the GLs on ML/TF risk  
factors?  
(Reputation/ad-  
verse media find-  
ings)  
[Paragraph 2.f. of the final version]: … has the NPO been involved in mis-  
conduct or criminal activities, other crimes, including ML/TF-related activ-  
ities, according to relevant, reliable and independent sources?  
Paragraph  
10.g.,h.,i. (Fund-  
ing methods)  
In relation to crypto assets and crowdfunding referred to in The EBA is of the view that the transparency of NPOs’ funding methods and None  
10.h., several respondents requested further clarification as sources of funds is a prerequisite to assessing ML/TF risks. In this context,  
to why this is different to the risk profiles of other customers funds obtained through crowdfunding or in the form of crypto assets carry  
receiving funds from similar sources.  
specific risks, in particular in relation to the risks arising from the borderless  
situation and anonymity these allow. Sectoral Guideline 17 of the Guide-  
lines on ML/TF risk factors has more details on this point. The Guidelines on  
ML/TF risk factors will also be amended to include a sectoral guideline for  
crypto assets service providers (CASPs).  
Paragraph 10.k.  
Paragraph 11  
One respondent was of the view that the use of third parties The guidelines recognise that third parties or intermediaries may be used None  
or intermediaries is a standard approach in humanitarian by NPOs. The guidelines specify that in such situations, it is nevertheless  
work. Therefore this should not be viewed as a higher risk fac- expected that an NPO is able to explain the nature of contractual perfor-  
tor.  
mance and how it can monitor it.  
Several respondents recommended that sectoral self-regula- The EBA recognises that representational and self-regulatory organisations None  
tion, which can include measures that help mitigate risk (in- can play a role in the protection of the sector against a range of abuses.  
cluding understanding of TF risk itself), should be recognised However, as their set-ups and level of independence can vary across juris-  
(Factors that de-  
crease the ML/TF  
risks)  
as a risk-decreasing factor.  
dictions, the EBA does not consider they can be considered on their own  
as decreasing the risk of misuse by terrorist groups.  
Another respondent also suggested that one category of  
NPOs that could be considered as presenting a low risk is the As regards the second comment, the EBA notes that NPOs engaged in ‘ex-  
NPOs that engage in expressive activities and not in raising or pressive activities’ are not immune to ML/TF risks. Guideline 10.f. is clear  
disbursing funds.  
that if an NPO can be linked to extremism, extremist propaganda or terror-  
ist sympathies, this should be considered as a risk-increasing factor.  
Paragraph 11.e.  
Several respondents asked for further clarification to reflect The EBA has amended the paragraph as follows:  
the diversity of donors and suggested specifying that funding  
Amendment of par-  
agraph 3.e.  
3.e. [of the final version] The NPO receives funds from government, supra-  
national or international organisations that are not associated with high-  
20  
Final report Guidelines amending the ML/TF risk factors guidelines in relation to NPOs  
Amendments to the GLs on ML/TF risk factors: Do you have any comments regarding the proposed annex on NPOs as part of the GLs on ML/TF risk  
factors?  
received from governments from high-risk third countries risk third countries or with jurisdictions with higher ML/TF risks, and the  
should not be considered as a risk-reducing factor.  
source of funds can therefore be clearly established.  
Paragraph 11.f.  
Other respondents have stated that NPOs should not be ex- To reflect this point and ensure consistency with the amendment in para- Amendment of par-  
pected to screen their beneficiaries, as these would be con- graph 10, the EBA has amended the paragraph as follows:  
agraph 3.f.  
trary to humanitarian law.  
3.f. [of the final version] The NPO does not have any links with high-risk  
third countries, or if it has, the NPO can demonstrate that it has taken ap-  
propriate steps to mitigate the ML/TF risks (for instance, with the designa-  
tion of staff responsible for AML/CFT compliance or the design of proce-  
dures to identify the NPO’s categories of beneficiaries and assess the ML/TF  
risks associated therewith).  
Paragraph 11.h.  
A respondent said that humanitarian assistance is not limited The use of cash carries inherent risks and cannot be considered as a method None  
to material support and that evidence has shown that cash presenting low ML/TF risks. While the EBA recognises that cash assistance  
assistance can be the most effective method to respond to is an important means to provide humanitarian assistance, it is also of the  
some humanitarian needs. In the respondent’s view, banks view and in line with the FATF that when cash is used, it should be done  
should understand that cash assistance can be the best appropriately and in line with international and national laws and regula-  
method to respond to people’s needs and they should con- tions, including cash declaration and/or cash disclosure requirements to  
sider the risk management and due diligence process that an promote greater transparency and accountability of the funds.  
organisation has in place when providing cash assistance.  
Paragraph 12  
Several respondents noted that this paragraph could say The EBA notes that there are no standardised types of evidence across the None  
more about what kind of evidence a financial institution EU that can be requested from NPOs to demonstrate they benefit from any  
might be able to obtain, and how, to get assurance that an provisions related to humanitarian aid and derogations in EU/UN financial  
NPO is operating within the scope of an applicable exemption sanctions regimes, such as humanitarian exemptions or derogations. Re-  
(Activities in juris-  
dictions subject to  
EU or UN sanc-  
tions)  
from the sanctions regime.  
garding EU sanctions, the EBA notes that firms can refer to the factsheet  
issued by the European Commission outlining the most common rules and  
procedures in place in different Member States when assessing requests  
and granting humanitarian derogations under EU sanctions regulations.  
In addition, when sanctions are issued, for example by the EU or the UN,  
there are some areas of derogations that are published for the purpose of  
humanitarian interventions and that apply to all NPOs. These derogations  
are made public so that credit and financial institutions can also consult  
21  
Final report Guidelines amending the ML/TF risk factors guidelines in relation to NPOs  
Amendments to the GLs on ML/TF risk factors: Do you have any comments regarding the proposed annex on NPOs as part of the GLs on ML/TF risk  
factors?  
them. The European Commission’s Directorate General for civil protection  
and humanitarian aid operations has further information on this point.  
Paragraph 13  
Some respondents recommended that the contact points re- Paragraph 9 of the guidelines already provides that firms should ensure that None  
ferred to in paragraph 13 should receive training to gain ade- they obtain a good understanding of the NPO’s governance, how it is  
(contact point for  
NPOs)  
quate knowledge of NPOs’ structures and contexts.  
funded, its activities, where it operates, and who its beneficiaries are. The  
EBA is of the view that it should be for firms to decide how best to ensure  
this.  
22