EBA/CP/2025/04  
06/03/2025  
Consultation Paper  
Proposed Regulatory Technical Standards in the context of the  
EBA’s response to the European Commission’s Call for advice on  
new AMLA mandates  
PROPOSED REGULATORY TECHNICAL STANDARDS IN THE CONTEXT OF THE EBA’S RESPONSE TO  
THE EUROPEAN COMMISSION’S CALL FOR ADVICE ON NEW AMLA MANDATES  
1. Responding to this consultation  
The EBA invites comments on all proposals put forward in this paper and in particular on the specific  
questions summarised in 5.2.  
Comments are most helpful if they:  
- respond to the question stated;  
- indicate the specific point to which a comment relates;  
- contain a clear rationale;  
- provide evidence to support the views expressed/ rationale proposed; and  
- describe any alternative regulatory choices the EBA should consider.  
Submission of responses  
To submit your comments, click on the ‘send your comments’ button on the consultation page  
by 06.06.2025. Please note that comments submitted after this deadline, or submitted via other means  
may not be processed.  
Publication of responses  
Please clearly indicate in the consultation form if you wish your comments to be disclosed or to be  
treated as confidential. A confidential response may be requested from us in accordance with the  
EBA’s rules on public access to documents. We may consult you if we receive such a request. Any  
decision we make not to disclose the response is reviewable by the EBA’s Board of Appeal and the  
European Ombudsman.  
Data protection  
The protection of individuals with regard to the processing of personal data by the EBA is based on  
Regulation (EU) 1725/2018 of the European Parliament and of the Council of 23 October 2018. Further  
information on data protection can be found under the Legal notice section of the EBA website.  
2. Executive Summary  
On 12 March 2024¹, the EBA received a Call for Advice (CfA) from the European Commission on certain  
draft regulatory technical standards (RTSs) under the new EU AML/CFT framework. The EBA’s response  
to the CfA will inform the work of the new AML/CFT Authority (AMLA).  
The CfA covers inter alia the following mandates:  
- The mandate, under Article 40(2) of Directive (EU) 2024/1640, to develop draft RTS on the  
  assessment and classification of the inherent and residual risk profile of obliged entities and  
  the frequency at which such profile must be reviewed.  
- The mandate, under Article 12(7) of Regulation (EU) 2024/1620 (AMLAR), to develop draft RTS  
  on the risk assessment for the purpose of selection for direct supervision.  
- The mandate, under Article 28(1) of Regulation (EU) 2024/1624 (AMLR), to develop draft RTS  
  on customer due diligence (CDD).  
- The mandate, under Article 53(10) of AMLD6, to develop draft RTS on pecuniary sanctions,  
  administrative measures and periodic penalty payments.  
This Consultation Paper includes the EBA’s proposals for the draft RTSs mentioned above. They address  
supervisors and obliged entities that fall within the EBA’s remit. When putting together its proposals,  
the EBA was guided by the principles of a proportionate, risk-based approach that can be applied  
effectively by financial institutions and their AML/CFT supervisors and is conducive to limiting the cost  
of compliance where possible.  
Next steps  
This Consultation Paper is published for a three-month period. During this time, the EBA will consult  
the European Data Protection Supervisor (EDPS) on these mandates on the basis of Article 57(1)(g) of  
the Regulation (EU) 2018/1725 (EUDPR) and the European Data Protection Board.  
The EBA will consider feedback to this consultation when preparing its response to the European  
Commission, which it will submit on 31 October 2025.  
¹ https://www.eba.europa.eu/sites/default/files/2024-03/2d15a537-adaa-49ce-8b2a-54467772dfb6/CfA%20RTSs_GL%20EBA_fin_rev.pdf  
3. Background and rationale  
3.1 Background  
1. On 12 March 2024, the EBA received a Call for Advice (CfA) from the European Commission (EC) on  
certain draft regulatory technical standards (RTSs) under the future EU AML/CFT framework. The  
EBA’s response to the CfA will inform the work of the new AML/CFT Authority (AMLA).  
2. The CfA includes a mandate under Article 12(7) of Regulation (EU) 2024/1620 (AMLAR) on the risk  
assessment for the purpose of selection for direct supervision and a mandate under Article 40(2) of  
Directive (EU) 2024/1640 (AMLD6) on the methodology for assessing the inherent and residual risk  
profile of obliged entities.  
3. The CfA also includes a mandate under Article 28(1) of Regulation (EU) 2024/1624 (AMLR) on  
customer due diligence (CDD) and a mandate under Article 53(10) of AMLD6 on pecuniary  
sanctions, administrative measures and periodic penalty payments.  
4. In addition, the EC asked the EBA to consider possible guidance on the base amounts for pecuniary  
sanctions under Article 53(11) of the AMLD6 and on the minimum requirements for group-wide  
policies under Article 16(4) of the AMLR.  
3.2 The EBA’s approach  
5. The EBA’s work on the call for advice is guided by five principles:  
- A proportionate, risk-based approach;  
- A focus on effective, workable outcomes;  
- Technological neutrality;  
- Maximum harmonisation across supervisors, Member States and sectors;  
- Limiting disruption by building on existing EBA standards where possible, whilst aligning with  
  global AML/CFT benchmarks.  
6. The proposed draft RTSs focus on the financial sector. In line with the European Commission’s  
request, the EBA’s response to the Call for Advice will highlight which aspects of the draft RTSs  
could also be relevant for the non-financial sector. The intention is to minimise divergence across  
sectors and Member States to the extent that this is possible.  
7. In drafting this consultation paper, the EBA obtained input and feedback from national supervisors.  
It also liaised closely with the European Commission, ESMA, EIOPA and the ECB and built on its own  
work including the findings from AML/CFT implementation reviews, the data collected through the  
AML/CFT database EuReCA, and the work on AML/CFT colleges.  
8. In addition, the EBA engaged with the following stakeholders:  
a. The EBA’s Banking Stakeholder Group.  
9. The private sector during a roundtable that took place on 24 October 2024 with 120  
representatives that had been nominated by EU financial sector trade associations from all  
EU/EEA Member States. In parallel, seven supervisors hosted similar roundtables at a  
national level.  
b. The FIU Platform.  
c. The European Data Protection Supervisor (EDPS) and the European Data Protection Board  
(EDPB).  
10. With regard to possible guidance on the base amounts for pecuniary sanctions under Article 53(11)  
of the AMLD6 and on the minimum requirements for group-wide policies under Article 16(4) of  
the AMLR, the EBA will provide a response based on information held by the EBA or contained in  
existing regulatory instruments. Because this response will draw on existing requirements, it is  
not subject to public consultation.  
3.2.1 The draft RTS on the assessment of the inherent and residual risk profile of obliged  
entities  
11. Article 40 of the AMLD requires supervisors to apply a risk-based approach to AML/CFT  
supervision. Under a risk-based approach, supervisors are required to adjust the frequency and  
intensity of supervision based on the ML/TF risk profile of each entity. This means that supervisors  
must understand the ML/TF risks present in their Member State, and how these risks affect  
obliged entities within their scope in light of each entity’s business model, operation and customer  
base.  
12. Article 40, paragraph 2, of the AMLD requires AMLA to develop a common methodology that all  
supervisors will use to assess the level of ML/TF risks to which obliged entities under their supervision are  
exposed. As part of this, AMLA must set out in a draft RTS the benchmarks and methodology  
supervisors will apply to assess and classify the inherent and residual risk profile of each obliged  
entity and the frequency at which such risk profile must be reviewed.  
Rationale  
13. The methodology proposed by the EBA comprises three steps, namely:  
a. Assessing each obliged entity’s level of exposure to inherent ML/TF risks and classifying its  
inherent risk profile in one of the following categories: low risk (1), medium risk (2),  
substantial risk (3), or high risk (4).  
b. Assessing the quality of the AML/CFT controls put in place by the obliged entity to address  
these risks and classifying the obliged entity in one of the following categories on the basis  
of this assessment: very good quality of controls (A), good quality of controls (B), moderate  
quality of controls (C), or poor quality of controls (D).  
c. Assessing the level of exposure to ML/TF risks to which the obliged entity remains exposed  
after taking into account the quality of its AML/CFT control framework and classifying its  
residual risk profile on the basis of this assessment in one of the following categories: low  
risk (1), medium risk (2), substantial risk (3), or high risk (4).  
14. The EBA proposes that the assessment of inherent risks and the quality of controls would be  
performed based on an automated scoring system, with a possibility to adjust the scores based  
on duly justified considerations. More specifically:  
a. The overall inherent risk score could be adjusted to the extent that this is necessary to reflect  
national specificities or specific insights obtained by supervisors in the course of their  
supervisory activities.  
b. The scores assigned to certain sets of controls indicators could be adjusted, to the extent that  
this is warranted based on the outcome of supervisory activities carried out in relation to the  
obliged entity.  
15. An automated scoring system would then combine the obliged entity’s inherent risk score and  
controls quality score to produce its residual risk score. Since the residual risk score would  
represent the inherent risk score as mitigated by the obliged entity’s AML/CFT control framework,  
the residual risk score could not be greater than the inherent risk score.  
16. Findings from the EBA’s AML/CFT implementation reviews, Opinions on ML/TF risk and a 2023  
stocktake of supervisors’ approaches to assessing entity-level ML/TF risk suggest that supervisors’  
approaches to assessing ML/TF risk vary significantly in terms of quality and scope. This can  
hamper AML/CFT supervision and undermines efforts to develop a common understanding of  
ML/TF risks at the level of the EU as results are not comparable. It also creates costs for financial  
institutions that operate on a cross-border basis. For example, feedback obtained by the EBA  
during its AML/CFT implementation reviews and the 2024 private sector roundtable suggests that  
divergent approaches by supervisors mean that financial institutions that operate on a cross-border  
basis have to report on the same risks in different Member States using different formats  
and timelines.  
17. The rationale underpinning the EBA’s proposal is to ensure that supervisors’ entity-level ML/TF  
risk assessment methodologies are consistent across Member States, with comparable outputs  
going forward. They should reliably inform supervisors’ strategies and inspection plans, and help  
them target their resources on those institutions that present the highest ML/TF risk. The  
proposed approach should also ensure that the cost of compliance with the new requirements  
does not exceed what is strictly necessary to achieve this goal.  
18. The EBA therefore proposes that:  
19. The draft RTS introduces a single set of data points that all supervisors would be required to  
use to establish the aforementioned indicators. An interpretive note will accompany the final  
version of the draft RTS to ensure that these data points are understood in the same manner  
in all Member States and by all obliged entities. AMLA would not specify how supervisors  
collect these data points, because the relevant sources of information may vary from one  
Member State to another. For instance, in some cases, supervisors may be able to collect  
part of the information from their prudential counterparts or from the local FIU, while in  
other cases, they will need to collect all the data from the obliged entities. Supervisors will  
be free to identify and use all the relevant sources of information they have at their disposal.  
Lastly, supervisors will still have the option to collect additional information for other  
purposes, not directly related to the risk assessment methodology, such as conducting offsite  
supervision.  
20. When designing the scoring methodology, the EBA tried to favour the use of objective data  
over subjective assessment to the extent that it was possible. To fulfil this objective, the  
methodology does not leave any room for self-assessment by obliged entities and instead,  
relies on objective indicators. In addition, even though some adjustments are possible based  
on expert judgment, these adjustments need to be duly justified and are subject to certain  
rules and limits, to ensure that they do not introduce an element of discretion.  
a. Because risks vary and evolve, risk indicators and weights would not be included in the draft  
RTS. Instead, it would be the role of AMLA, in cooperation with national supervisors, to define  
the risk indicators and weights for each review cycle and to monitor the effective application  
of these indicators by supervisors in all Member States.  
b. The draft RTS adjusts the frequency of entity-level risk assessments based on the nature and  
size of financial institutions. Under this approach, to have an up-to-date understanding of the  
risks to which obliged entities under their supervision are exposed and in line with most  
national supervisors’ current practice, supervisors would review the inherent and residual  
risk profile of obliged entities once per year unless an institution is very small or carries out  
activities that do not justify a yearly review. In those cases, a review could take place once  
every three years instead. However, supervisors would be expected to review an entity’s risk  
profiles and if necessary, obtain risk assessment data more frequently should risks crystallise  
or new information emerge that suggests that the ML/TF risk profiles may no longer be  
accurate.  
21. The approach proposed by the EBA builds on existing works and standards, such as the EBA’s  
Guidelines on ML/TF risk factors of 01 March 2021, the EBA’s Guidelines on risk-based supervision  
of 16 December 2021, and the FATF’s Recommendations of February 2012, as amended. For  
additional information on options the EBA considered and the rationale underpinning the policy  
choices made, please refer to Section 5.  
22. The EBA will be testing the proposed methodology using data provided by supervisors and may  
as a result adjust the list of data points and the methodology before submitting its response to  
the Call for Advice.  
3.2.2 The draft RTS on the risk assessment for the purpose of selection of credit  
institutions, financial institutions and groups of credit and financial institutions for  
direct supervision  
23. Article 5(2) of the AMLAR requires AMLA to directly supervise selected obliged entities that are  
credit institutions, financial institutions and groups of credit and financial institutions. The  
mandate under Article 12(7) of the AMLAR complements the provisions laid down in Article 12 of  
the AMLAR in respect of the selection process. It requires AMLA to further specify the following  
two stages of the selection process:  
(i) Determining the number of Member States in which an obliged entity operates (either via  
establishment or via the freedom to provide services), by defining the minimum activities  
obliged entities need to carry out under the freedom to provide services to be considered as  
operating in a Member State that is different from the one where it is established (Article 12(7)(a)  
of the AMLAR); and  
(ii) Determining the level of risk of each eligible entity, by defining the methodology for classifying  
the ML/TF risk profile of an obliged entity as low, medium, substantial or high (Article 12(7)(b)  
of the AMLAR).  
Rationale  
24. The establishment of an EU AML/CFT authority with direct supervision powers over some obliged  
entities constitutes a significant departure from the current regime, where AML/CFT supervision  
is performed solely by national supervisors. Nevertheless, under the new legal and institutional  
framework, national and supranational approaches remain closely intertwined. The EBA proposes  
that AMLA, when selecting entities that will be supervised directly by it, builds on the work of  
national authorities where possible to limit disruption and make the operation of the EU’s  
AML/CFT supervisory system more efficient.  
Minimum activity under the freedom to provide services  
25. According to Article 12(1) of AMLAR, credit institutions, financial institutions and groups of credit  
and financial institutions that are operating in at least six Member States, including the home  
Member State, regardless of whether through the freedom of establishment or the freedom to  
provide services, are eligible to be directly supervised by AMLA.  
26. A key feature of the freedom to provide services is the possibility to enter new markets without  
incurring the administrative and financial commitment that setting up an establishment entails.  
As a result, obliged entities often notify their supervisors of their intention to operate in  
another Member State through the freedom to provide services but then do not provide this  
service in practice, or provide such services in a way that is not relevant to their overall business.  
AMLA should therefore be able to distinguish between those situations where the free provision  
of services constitutes a material part of an entity’s business, and situations where it does not.  
27. Considering the above, the draft RTS establishes thresholds to determine whether operations  
under the freedom to provide services in a Member State are material and count towards the  
number of Member States in which the entity is considered to be operating for the purpose of  
Article 12(1) of the AMLAR. These thresholds are based on: (i) the number of customers that are  
resident in each Member State where the obliged entity is operating under the freedom to provide  
services, which has to be above 20,000; (ii) the total value in Euro of incoming and outgoing  
transactions generated by these customers, which has to be above 50,000,000 Euros. The  
rationale behind this approach is that it would enable AMLA to focus on the most relevant high  
ML/TF risk institutions with the largest geographic footprint.  
28. Regarding the number of customers, feedback from private sector representatives at the EBA’s  
roundtable suggests that identifying customers that have been acquired under the freedom to  
provide services could be burdensome as not all institutions have at their disposal a breakdown  
of all customers onboarded under freedom to provide services per each Member State of  
operation. Therefore, the EBA proposes to use the number of customers that are resident in the  
Member State where the entity is operating under the freedom to provide services as a proxy.  
Regarding the volume of transactions, the aim of having such threshold is to capture situations  
where the number of customers that are resident in a certain Member State is limited but where  
these customers generate a high volume of transactions.  
29. These thresholds are alternative. This means that it is sufficient for an obliged entity to meet just  
one of them to be considered as having a material operation under the freedom to provide  
services in a certain Member State.  
30. The RTS does not define free provision of services for any purpose other than determining whether  
an entity is to be considered as operating in a certain Member State where it is not established.  
The mandate under Article 12(7)(a) AMLAR does not aim to identify, from a qualitative  
perspective, which kinds of activities fall within the perimeter of free provision of services  
rather than under other means of activities.  
31. An interpretive note will be available in the response to the European Commission to the Call for  
advice, to ensure that the data points used to elaborate these thresholds are understood in the  
same manner in all Member States and by all obliged entities.  
Methodology for the selection  
32. Recital (21) of the AMLAR states that, where appropriate, the AMLA should ensure alignment  
between the methodology for the risk assessment at the national level and the methodology for  
selection. Considering the synergies between the mandate under Article 12(7), point (b) of AMLAR  
and that under Article 40(2) of the AMLD6, the EBA proposes that the methodology for the risk  
assessment of eligible credit institutions and financial institutions under Article 12(7)(b) of the  
AMLAR builds on the methodology for entity-level risk assessment under Article 40(2) of the  
AMLD6. Using the same methodology for both risk assessments also limits the operational burden  
on the obliged entities and on supervisors that divergent approaches would entail.  
33. Key principles underpinning the selection methodology are harmonization and the level playing  
field. This presupposes that entity-level risk assessment methodologies are consistent, with  
comparable outcomes. Based on that, the possibility to adjust the inherent risk score based on  
national specificities or other considerations identified by supervisors has been excluded from this  
methodology. Nevertheless, the methodology will allow adjustments of the controls quality score  
based on supervisory judgment.  
34. Due to the divergence of approaches in place currently, including supervisory judgement in the  
calculation of the ML/TF controls quality score from the start could affect the comparability of the  
scores and, ultimately, the results of the first selection itself. For this reason, the EBA proposes to  
introduce a transitional rule according to which for the purpose of the first selection, AMLA will  
base its assessment on the automated score resulting from the application of the Art 40(2) AMLD  
methodology. According to this rule, manual, supervisory judgement-based adjustments of  
controls quality score would only be possible in strictly limited, exceptional circumstances.  
35. As regards the group-wide risk assessment, the draft RTS provides a methodology for the  
calculation of the group-wide ML/TF risk score. This methodology is based on an aggregation of  
entity-level residual risk scores. This aggregation consists of a weighted average, which reflects  
the importance of each entity within the group. The intention is to give due consideration to those  
entities that carry a high ML/TF risk and whose operations represent a sizeable part of the group’s  
operations. It is to avoid lower-risk entities unduly lowering the group’s overall ML/TF risk score.  
36. During the consultation period, the EBA will be testing the proposed methodology using data  
provided by supervisors and may refine it before submitting its response to the Call for Advice.  
3.2.3 The RTS on Customer Due Diligence  
37. Article 28(1) of the AMLR requires AMLA to harmonise customer due diligence requirements by  
specifying which information obliged entities must collect to perform standard customer due  
diligence (CDD), simplified due diligence (SDD) and enhanced due diligence (EDD). AMLA has to  
set out which reliable and independent sources of information obliged entities may use to verify  
the identity of natural or legal persons for the purposes of Article 22(6) and (7) of the AMLR.  
38. The mandate in Article 28(1) of the AMLR also covers the risk factors associated with features of  
electronic money instruments that should be taken into account by supervisors when determining  
the extent of the exemption for electronic money under Article 19(7) of AMLR, and the list of  
attributes which electronic identification means and relevant qualified trust services referred to  
in Article 22(6), point (b) of AMLR, must feature in order to fulfil the requirements of Article 20(1),  
points (a) and (b) of AMLR.  
39. The mandate in Article 28(1) of the AMLR interacts with other mandates in the AMLR, for example  
a mandate for AMLA to issue guidelines on the ML/TF risk factors obliged entities shall take into  
account and guidelines on ongoing monitoring of a business relationship and on the monitoring  
of the transactions carried out in the context of such relationship. The European Commission did  
not ask the EBA for advice on these mandates and they are therefore outside of the scope of this  
consultation paper.  
Rationale  
40. CDD is central to obliged entities’ AML/CFT efforts. Under the current framework, differences in  
the national transposition of the AMLD’s CDD requirements and, as a result, divergent  
expectations of obliged entities’ CDD efforts by supervisors have led to regulatory arbitrage,  
created uneven conditions of competition, and hampered innovation and the cross‐border  
provision of financial services. They also exposed the EU’s financial sector to ML/TF risk. To  
address this, the AMLR introduces a single AML/CFT rulebook that sets out in detail what obliged  
entities in all Member States should do to comply. It therefore constitutes a significant departure  
from current EU AML/CFT practices.  
41. When drafting the RTS on CDD, the EBA consulted with private sector representatives to  
understand the impact the new CDD requirements would have on their businesses and  
operations. Representatives suggested that the AMLR’s CDD requirements will have a significant  
impact. They also said that the detailed requirements of the AMLR and a prescriptive approach to  
discharging the mandate in Article 28(1) AMLR could further increase the cost of compliance,  
without tangible benefits. To mitigate this risk, where this is warranted and to the extent that the  
Level 1 requirements permit it, the EBA proposes that the draft RTS follows a principles-based,  
risk-based approach that focuses on effective outcomes. In some cases, this means that the  
proposed draft RTS remains silent where sufficient detail is provided in the AMLR. It also means  
that where possible, and desirable in terms of the overall outcomes, the draft RTS adopts a  
principles-based approach in relation to the type and source of information to be collected by  
obliged entities but does not list specific documents.  
42. Another example relates to the provision in Article 22(6) of the AMLR, which could be read as  
suggesting that only tools and solutions that are eIDAS-compliant can be used to verify the identity  
of customers in an online context. Electronic identities are not mandatory for individuals or for  
legal persons under Regulation (EU) No 910/2014 (the eIDAS Regulation). What is more, certain  
customers may be unable to obtain electronic identities, for example because they are not  
resident in the EU, or because they are disadvantaged or belong to other vulnerable groups.  
Restricting online verification of identity to eIDAS-compliant solutions only could therefore  
exclude certain customers from access to online financial services. To address this, the EBA  
proposes that eIDAS tools and solutions be mandatory only to the extent that an eIDAS-compliant  
electronic identity is available and can be reasonably expected to be provided by the customer.  
Obliged entities should use alternative, similarly robust means of online verification, in line with  
the EBA guidelines on remote onboarding², where customers cannot provide eIDAS-compliant  
electronic identity.  
43. Finally, in relation to the date at which obliged entities are expected to comply with the new CDD  
measures, the AMLR could be read as suggesting that obliged entities will have to comply with it  
from 10 July 2027. This would mean that obliged entities would have to apply the new CDD  
standards to all existing customers at that date. The EBA acknowledges that it may not be possible  
for obliged entities to apply the new CDD standards to all of their existing clients at that date and  
therefore proposes that the draft RTS clarifies that obliged entities apply a risk-based approach.  
Specifically, when updating CDD information for existing customers, obliged entities would  
prioritise higher ML/TF risk business relationships in the first instance. CDD information for other  
business relationships, which are not high ML/TF risk, could be completed at a later date,  
provided that obliged entities do not exceed a 5-year transition period.  
44. The structure of the draft RTS follows the sequencing of the mandate, focussing first on the CDD,  
SDD and EDD measures obliged entities must take, then on the ML/TF risk factors associated  
with features of electronic money instruments that should be taken into account by supervisors  
and finally, on the list of attributes which electronic identification means and relevant qualified  
trust services must feature in order to fulfil the requirements of Article 20(1), points (a) and (b) of  
the AMLR, in the case of CDD, SDD and EDD.  
² EBA/GL/2022/15 of 22/11/2022, accessible here:  
15%20GL%20on%20remote%20customer%20onboarding/1043884/Guidelines%20on%20the%20use%20of%20Remote%20  
Customer%20Onboarding%20Solutions.pdf  
45. To the extent possible, the draft RTS builds on and aligns with existing EBA works and standards,  
such as the EBA’s Guidelines on ML/TF risk factors, the EBA Guidelines on remote customer  
onboarding and the EBA Guidelines on the implementation of EU and national restrictive  
measures.  
3.2.4 The RTS on pecuniary sanctions, administrative measures and periodic penalty  
payments  
46. The mandate in Article 53(10) of AMLD6 relates to enforcement. It covers three aspects: (i) the  
indicators to classify the level of gravity of breaches, (ii) the criteria for setting the level of  
pecuniary sanctions and applying administrative measures and (iii) the methodology for the  
imposition of periodic penalty payments (PePPs). The proposed RTS follows this structure.  
Rationale  
47. The draft RTS complies with the principle stipulated by the AMLD6 that pecuniary sanctions,  
administrative measures and periodic penalty payments may be imposed separately or in  
combination. It aims to achieve the highest possible level of harmonisation to ensure that the  
same breach of AML/CFT requirements is assessed in the same way by all supervisors in all  
Member States and that the resulting enforcement measure is
proportionate, effective, and dissuasive.
48. The EBA first stressed the importance of a proportionate, effective, dissuasive and harmonised  
approach to enforcement in its 2020 response to the European Commission’s Call for Advice on  
the future AML/CFT framework. Progress since then has been limited. For example, the 4th round  
of the implementation reviews carried out by the EBA in 2023/2024 3 showed that, while national
supervisors assessed during that round had taken steps to strengthen their approach to  
enforcement, enforcement measures did not always constitute a deterrent, and not all  
supervisors were using their powers effectively. Moreover, while most supervisors had taken  
some enforcement actions, it was not always clear on what basis they had selected the  
supervisory or administrative measures and how they had calculated the value of the fine: this  
was because more than half of all supervisors in this round did not have a comprehensive internal  
enforcement and sanctioning policy or procedures in place.  
49. The need to ensure convergence is also highlighted by the data collected in EuReCA 4, which contains
information on serious deficiencies identified in financial institutions and the measures
supervisors have taken to address these AML/CFT-related deficiencies. According to EuReCA data,
supervisors’ approaches to enforcement are not aligned. For example, EuReCA’s data underline
that similar breaches by financial institutions in similar situations currently result in different  
supervisory responses.  
3 REPORT ON NCAS’ APPROACHES TO THE SUPERVISION OF BANKS WITH RESPECT TO ANTI-MONEY LAUNDERING AND  
4 Central database of AML/CFT related information collected by the EBA pursuant to Article 9a (2) of the Regulation (EU) No  
1093/2010 and Commission Delegated Regulation (EU) 2024/595.  
50. To address this, the draft RTS sets out a list of common indicators that supervisors will take into  
account when assessing the level of gravity of breaches. It also provides that supervisors classify  
the level of gravity of a breach in one of four categories of increased severity. The RTS builds on  
the policy work already done by the EBA to the extent possible, including the RTS on the central  
AML/CFT database (EuReCA) 5 and the Joint ESAs Report on the withdrawal of authorisation for
serious AML/CFT breaches 6.
51. To ensure a consistent approach to assessing the severity of a breach across Member States, the  
draft RTS sets out in Article 2 specific situations in which, when some indicators are met or have  
a certain impact on the obliged entity, the breach should be classified in a certain category.  
52. For the same reason, the draft also explains the legal effect of the classification of level of gravity  
of breaches, clarifying in Article 3 that a breach with a level of gravity classified as category three  
or four shall be deemed serious, repeated or systematic in the meaning of Article 55(1) of Directive  
(EU) 2024/1640.  
53. As regards the criteria to be taken into account ‘when setting the level of pecuniary sanctions’,
the term ‘level’ is understood as the amount. The draft RTS therefore contains criteria that
will help competent authorities decide whether to increase or decrease the level of pecuniary  
sanctions. They are aligned with the enforcement provisions that apply to AMLA where possible.  
54. At the same time, the EBA finds that the draft RTS provides for sufficient flexibility by recognising  
that, for enforcement to be effective, supervisors must take into account the context in which the  
breach has occurred and therefore, apply supervisory judgement. A specific Recital stresses the  
importance of this step. Similarly, to provide for sufficient flexibility, the draft RTS does not create a
full classification of the breaches and the specific situations set out in the draft RTS do not prevent
supervisors from classifying other breaches in those categories.  
55. Regarding the criteria for applying administrative measures, the EBA decided to focus on the most  
serious measures listed in Article 56(2) of the AMLD6, i.e. point (f) withdrawal or suspension of  
authorisation, point (e) restriction or limitation of business, and point (g) change in governance  
structure. To provide for further convergence across the EU, the draft RTS sets out the criteria  
supervisors should take into account when considering applying those measures. The policy  
objective is to simultaneously trigger a more consistent approach in the way supervisors consider  
applying those measures and to ensure that the appropriate criteria are assessed.  
56. The draft RTS pays particular attention to the natural persons that are not themselves obliged  
entities. This includes senior management and the management body in its supervisory function.  
EU trade association representatives suggested during the EBA roundtable in October 2024 that  
holding individuals accountable for AML/CFT failures is an important deterrent and, in their view,  
an essential part of effective enforcement.  
57. Periodic penalty payments (PePPs) are a new enforcement measure in the EU AML/CFT context.  
Until now, their use has been limited to a few Member States. The aim of PePPs is to end an
ongoing breach of AML/CFT duties. As a PePP is an enforcement measure and not a sanction, the  
5 Commission Delegated Regulation (EU) 2024/595, OJ L, 2024/595, 16.2.2024.  
6 ESAs 2022 23, 31 May 2022, Joint ESAs report.  
criteria used by supervisors before deciding the amount of the PePP are not the same as criteria  
proposed for the imposition of pecuniary sanctions.  
58. The EBA’s proposed approach to PePPs takes inspiration from delegated acts issued by the  
European Commission and the practice of Member States in which they are already applied. In
line with these examples, the draft RTS covers procedural aspects for the imposition of periodic  
penalty payments, e.g. the right to be heard, a limitation period for the collection of PePPs, and  
the minimum content of the decision by which a PePP is imposed. It reiterates that unless  
stipulated differently, the process of imposition of PePPs shall be governed by national law in  
force in the Member State where the periodic penalty payments are imposed and collected.  
59. The general principles of administrative law such as rule of law, legality, protection of legitimate  
expectations, proportionality, fairness, and right to non-self-incrimination apply to all Union acts  
and to any enforcement proceeding.  
60. Finally, the draft RTS does not set out how AML/CFT supervisors should cooperate with prudential  
supervisors when intending to impose a pecuniary sanction or administrative measure as this is  
not part of the mandate of Article 53(10) of AMLD6. Nevertheless, the AMLD6 provides for  
cooperation between AML/CFT supervisors and prudential supervisors 7 and envisages the  
development of specific technical standards on the topic of cooperation between supervisors.  
7 See Article 53(9) and Article 55(5) of the AMLD6 and provisions contained in Articles 44 to 51 of the AMLD6.  
4. Draft regulatory technical standards  
4.1 Draft RTS on the assessment of the inherent and residual risk  
profile of obliged entities under Article 40(2) of the AMLD  
COMMISSION DELEGATED REGULATION (EU) No …/..  
of XXX […]  
supplementing Directive (EU) No 2024/1640 of the European Parliament and of the  
Council with regard to regulatory technical standards setting out the benchmarks and  
methodology for assessing and classifying the inherent and residual risk profile of  
obliged entities, as well as the frequency of its revision
(Text with EEA relevance)  
THE EUROPEAN COMMISSION,  
Having regard to the Treaty on the Functioning of the European Union,  
Having regard to Directive (EU) 2024/1640 of the European Parliament and of the Council of  
31 May 2024, on the mechanisms to be put in place by Member States for the prevention of  
the use of the financial system for the purposes of money laundering or terrorist financing, and  
in particular Article 40, paragraph 2, thereof,  
Whereas:  
(1)  
Directive (EU) 2024/1640 sets out the obligation for Member States to ensure that  
competent authorities apply a risk-based approach to supervision. As part of this,  
competent authorities should identify and assess all relevant information on the specific  
domestic and international risks associated with customers, products and services of the  
obliged entities.  
(2)
Pursuant to Article 40(2), of Directive (EU) 2024/1640, AMLA should develop
benchmarks and a methodology to ensure that the inherent and residual risk profiles of
individual obliged entities can be assessed and classified in a consistent manner by all
competent authorities.
(3)
To ensure that the risk profile of obliged entities is assessed and classified in a
consistent manner, the assessment and classification of the inherent and residual risk
profile of obliged entities should be conducted on the basis of detailed harmonised
information. This Regulation is not to specify how the data is to be obtained or to cover
powers and tasks of supervisors in relation to any data collection exercise. Supervisors  
may have collected the data either from the obliged entities or external auditors, as part  
of their existing supervisory powers, or as part of cooperation and exchanges with other  
AML/CFT authorities, prudential supervisors, FIUs or other bodies. Supervisors should  
also assess obliged entities based on a set of harmonised indicators which are scored  
using the same methodology and combined using the same weighting system to  
determine the inherent and residual risk profile of obliged entities.  
(4)  
Article 40, paragraph 2, of Directive (EU) 2024/1640 requires both the inherent and  
residual risk profile of obliged entities to be assessed and classified. Consequently,  
supervisors should adopt a three-step approach. Firstly, supervisors should assess and  
classify the inherent risk profile of obliged entities based on a set of indicators aimed at  
reflecting the level of ML/TF risks to which they are exposed. Secondly, supervisors  
should assess the quality of the AML/CFT controls put in place by obliged entities to  
mitigate the inherent ML/TF risks to which they are exposed. Lastly, supervisors should  
assess and classify the residual risk profile of obliged entities which should reflect the  
residual level of ML/TF risk to which obliged entities remain exposed.  
(5)  
ML/TF inherent risks can stem from different types of risk factors, namely factors  
relating to the nature of customers, factors relating to the nature of the services, products  
or types of transactions offered, factors relating to the specific distribution channels  
used to interact with customers, and factors relating to the geographical areas in which  
obliged entities are operating. Similarly, different types of AML/CFT controls can be  
identified. It is possible, for instance, to distinguish between the obliged entities’  
AML/CFT governance and internal control framework, their ML/TF risk assessment  
framework, their AML/CFT policies, procedures and processes, and the AML/CFT  
compliance framework of the group to which they belong, where relevant. To structure  
the assessment, the inherent risk indicators and controls risk indicators should therefore  
each be divided into four categories reflecting the different types of risk factors and  
controls mentioned above. Moreover, within each category, some indicators relate to  
the same topic and should therefore be grouped into sub-categories. This structure  
should be reflected in the methodology by introducing combined scores per sub-  
category and per category.  
(6)
The indicators comprising a sub-category will generally not have the same level of risk
significance. Consequently, indicators should be given different weights in the
determination of the combined score attributed to this sub-category. Equally, the sub-
categories comprising a category may have different levels of risk significance and
should also be given different weights in the determination of the combined score per
category.
(7)
Some sectors have specificities that affect the level of ML/TF risks to which the obliged  
entities operating in these sectors are exposed. These specificities should be reflected  
in the methodology by adjusting the list of applicable indicators and the weights given  
to these indicators, depending on the sector(s) to which the assessed obliged entities  
belong. The assessment of the risks of money laundering and terrorist financing and of  
non-implementation and evasion of targeted financial sanctions affecting the internal  
market and relating to cross-border activities conducted by the Commission pursuant  
to Article 7 of Directive (EU) 2024/1640 should be used as a source of information to  
determine the extent to which adjustments are needed for the different sectors.  
(8)
Similarly, supervisors may possess relevant information suggesting that the obliged
entity’s inherent risk score does not reflect the level of inherent ML/TF risks to which
it is exposed, for instance due to national specificities of their Member States. This
information should be reflected in the methodology by introducing a mechanism
whereby supervisors can adjust the inherent risk score of the relevant obliged entities,
based on duly justified considerations.
(9)
ML/TF risks affecting the internal market are constantly evolving. It is therefore key  
that the methodology can be adjusted on an ongoing basis to capture these evolutions.  
To ensure that this is possible, the precise values and thresholds to be applied to score  
each indicator and the precise weights to be given to each indicator, sub-category and  
category in the determination of the inherent and residual risk profile of obliged entities  
should not be specified in this Regulation. It will be the role of AMLA, in cooperation  
with competent authorities, to develop and keep up to date the necessary guidance to  
ensure that each competent authority applies the same thresholds and weights.  
(10) To ensure supervisors’ understanding of the ML/TF risks to which obliged entities
are exposed, the inherent and residual risk profile of obliged entities should be reviewed  
at least once per year. In the case, however, where the size of the business of an obliged  
entity is very small or in the case where the nature of the business does not justify  
reviewing the inherent and residual risk profile of the obliged entity every year,  
supervisors should be able to review such profile only once every three years, provided  
that no major event or development in the management and operations of the relevant  
obliged entity has occurred during the three years preceding the assessment.  
(11) Where major events or developments in the management and operations of obliged  
entities occur, it is key that supervisors assess the impact of these events or  
developments on the inherent and residual risk profile  
(12) Major events or developments in the management and operations of obliged entities
can significantly affect the ML/TF risks to which the relevant obliged entities are
exposed, in a way that justifies a rapid supervisory reaction. Where such events or  
developments occur, it is key that supervisors conduct an ad hoc assessment of their  
impact on the inherent and residual risk profile of the relevant obliged entities in a  
timely fashion.  
(13) This Regulation is based on the draft regulatory technical standards submitted by  
AMLA to the Commission.  
HAS ADOPTED THIS REGULATION:  
Article 1 Definitions  
1.  
For the purpose of this Regulation, the following definitions shall apply:  
(1) ‘Inherent risk’ means the risk that an entity may be used for money laundering and  
terrorist financing, given the extent to which the products, services and type of  
transactions it offers, the customers it services, the jurisdictions in which it operates  
and the distribution channels it uses to service its customers, affect the traceability  
of the funds, the identity of the ultimate beneficial owner, and the ease with which  
the legitimacy of the customers’ activity can be ascertained.  
(2) ‘Residual risk’ means the risk that an entity may be used for money laundering and  
terrorist financing, given the inherent risks to which it is exposed and the quality  
of the AML/CFT procedures, systems and controls put in place by the obliged  
entity to mitigate these risks.  
(3) ‘Weight’ means, in relation to a set of indicators, sub-categories of indicators or  
categories of indicators based on which a combined score is determined, the extent  
to which each of these items will influence the determination of the combined  
score. Indicators, sub-categories and categories with a lower weight will have less  
influence on the combined score than indicators, sub-categories and categories with  
a higher weight.  
Article 2 Assessment and classification of the inherent risk profile of obliged entities  
Supervisors shall apply the following methodology to assess and classify the inherent risk  
profile of each obliged entity under their supervision, provided that such obliged entity has  
commenced its activities at the latest during the year prior to that where the assessment and  
classification takes place:  
1.  
Supervisors shall attribute a numerical score with decimal places ranging from 1 (lowest  
level of risk) to 4 (highest level of risk) based on pre-determined thresholds to all the  
inherent risk indicators which are applicable to the relevant obliged entity. These  
inherent risk indicators shall be based on the data points mentioned in Annex I, section  
A.  
2.  
Based on the scores attributed to the inherent risk indicators, in accordance with  
paragraph 1 above, supervisors shall determine combined scores for all categories of  
indicators listed in Annex I, section A, each of which shall be a numerical value with  
decimal places ranging from 1 (lowest level of risk) to 4 (highest level of risk).  
When determining a combined score per category, supervisors shall apply pre-  
determined weights to the different inherent risk indicators comprising the relevant  
category. The weights given to these different inherent risk indicators shall reflect their  
respective risk significance. The weights shall be expressed as a numerical value  
without decimal places ranging from 1 (lowest risk significance) to 5 (highest risk  
significance).  
3.  
Based on the combined scores per category determined in accordance with paragraph 2  
above, supervisors shall determine the inherent risk score of the relevant obliged entity,  
which shall be a numerical value with decimal places ranging from 1 (lowest level of  
risk) to 4 (highest level of risk).  
When determining the inherent risk score, the weights given to the different categories  
shall be proportional to the risk score attributed to these categories. Categories with a  
higher risk score shall have a greater weight than categories that have received a lower  
risk score.  
4.  
Where the inherent risk score does not adequately reflect the level of ML/TF risks to  
which the obliged entity is exposed, due to national specificities or other circumstances  
identified by supervisors within the course of their supervisory activities, supervisors  
may adjust the inherent risk score accordingly. The adjustment shall be duly justified.  
The adjusted score shall not lead to an increase or decrease by more than one category,  
in accordance with paragraph 5 below. Where the risk is increased by one category, the  
adjusted score shall be set at the minimum value of the corresponding category. Where  
the risk is decreased by one category, the adjusted score shall be set at the maximum  
value of the corresponding category.  
5.  
Based on the inherent risk score attributed to the relevant obliged entity in accordance  
with paragraphs 3 and 4 above, supervisors shall classify the inherent risk profile of this  
obliged entity, in accordance with the following conversion rules:  
Score < 1.75: Low risk (1)  
1.75 ≤ Score < 2.5: Medium risk (2)  
2.5 ≤ Score < 3.25: Substantial risk (3)  
Score ≥ 3.25: High risk (4)  
Article 3 Assessment and classification of the quality of AML/CFT controls put in place by  
obliged entities  
Supervisors shall apply the following methodology to assess and classify the quality of the  
AML/CFT controls put in place by each obliged entity under their supervision, provided that  
such obliged entity has commenced its activities at the latest during the year prior to that where  
the assessment and classification takes place:  
1.  
Supervisors shall attribute a numerical score with decimal places ranging from 1  
(highest level of quality) to 4 (lowest level of quality) based on pre-determined  
thresholds to all the controls’ quality indicators which are applicable to the relevant  
obliged entity. These controls’ quality indicators shall be based on the data points  
mentioned in Annex I, section B.  
2.  
Based on the scores attributed to the applicable controls’ quality indicators, in  
accordance with paragraph 1 above, supervisors shall determine combined scores for  
all sub-categories of indicators listed in Annex I, section B, each of which shall be a  
numerical value with decimal places ranging from 1 (highest level of quality) to 4  
(lowest level of quality).  
When determining combined scores per sub-category, supervisors shall apply pre-  
determined weights to the different controls’ quality indicators comprising the relevant  
sub-category. The weights given to these different controls’ quality indicators shall  
reflect their respective risk significance. The weights shall be expressed as a numerical  
value without decimal places ranging from 1 (lowest risk significance) to 5 (highest risk  
significance).  
3.  
Where supervisors have a supervisory assessment or an external auditors’ assessment  
available that warrants an adjustment of any of the combined scores per sub-category  
attributed in accordance with paragraph 2 above, supervisors shall adjust the score  
accordingly.  
For the purpose of this paragraph:  
a)  
a supervisory assessment shall mean any assessment of the effectiveness, or  
compliance with AML/CFT legal requirements, of all or part of an obliged  
entity’s AML/CFT governance, procedures, systems and controls carried out by  
a supervisor within the course of its supervisory activities. This includes but is  
not limited to full scope or targeted on-site inspections, thematic off-site  
reviews, other off-site analyses, as well as any action taken by supervisors to  
assess the adequacy of the corrective measures put in place by an obliged entity  
to address findings and/or shortcomings in its AML/CFT procedures, systems  
and controls previously identified by the relevant supervisor;  
b)  
an external auditors’ assessment shall mean any assessment of the effectiveness,  
or compliance with AML/CFT requirements, of all or part of an obliged entity’s  
AML/CFT governance, procedures, systems and controls carried out by external  
auditors or, as the case may be, any expert instructed by a supervisor, and the  
outcome of which has been communicated to the supervisor responsible for the  
supervision of the relevant obliged entity.  
4.  
Based on the combined scores per sub-category attributed in accordance with  
paragraphs 2 and 3 above, supervisors shall determine combined scores for all  
categories of indicators listed in Annex I, section B, each of which shall be a numerical  
value with decimal places comprised between 1 (highest level of quality) and 4 (lowest  
level of quality).  
When determining a combined score per category, supervisors shall apply specific  
weights to the sub-categories comprising this category. The weights given to these  
different sub-categories shall reflect their respective risk significance. The weights shall  
be expressed as a numerical value without decimal places ranging from 1 (lowest risk  
significance) to 5 (highest risk significance).  
5.  
Based on the combined scores attributed to the categories of controls’ quality indicators,  
in accordance with paragraph 4 above, supervisors shall determine the controls’ quality  
score of the obliged entity, which shall be a numerical value with decimal places  
ranging from 1 (highest level of quality) to 4 (lowest level of quality).  
When determining the controls’ quality score, the weights given to the different  
categories shall be proportional to the quality score attributed to these categories.  
Categories that received a lower quality score shall have a greater weight than  
categories that received a higher quality score.  
6.  
Based on the controls’ quality score attributed to obliged entities in accordance with  
paragraph 5 above, supervisors shall classify the relevant obliged entity, in accordance  
with the following conversion rules:  
Score < 1.75: Very good quality of controls (A)  
1.75 ≤ Score < 2.5: Good quality of controls (B)  
2.5 ≤ Score < 3.25: Moderate quality of controls (C)  
Score ≥ 3.25: Poor quality of controls (D)  
Article 4 Assessment and classification of the residual risk profile of obliged entities  
Supervisors shall apply the following methodology to assess and classify the residual risk  
profile of each obliged entity under their supervision, provided that such obliged entity has  
commenced its activities at the latest during the year prior to that where the assessment and  
classification takes place:  
1.  
Supervisors shall determine the residual risk score of the relevant obliged entity, based  
on the inherent risk numerical score and the controls’ quality numerical score attributed  
to the relevant obliged entity, in accordance, respectively, with Article 2 and Article 3 of
this Regulation.  
2.  
Supervisors shall apply the following rules to combine the inherent risk numerical score  
and the controls’ quality numerical score in accordance with paragraph 1 above:  
a)  
Where the numerical controls’ quality score is greater than the numerical  
inherent risk score, then the residual risk score shall be equal to the inherent risk  
score.  
b)  
Where the numerical controls’ quality score is lower than or equal to the numerical
inherent risk score, then the residual risk score shall be equal to the average of  
the inherent risk score and the controls’ quality score.  
3.  
Based on the residual risk score determined in accordance with paragraphs 1 and 2  
above, supervisors shall classify the residual risk profile of the relevant obliged entity,  
in accordance with the following conversion rules:  
Score < 1.75: Low risk (1)  
1.75 ≤ Score < 2.5: Medium risk (2)  
2.5 ≤ Score < 3.25: Substantial risk (3)  
Score ≥ 3.25: High risk (4)  
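The conversion rules of Article 2(5), Article 3(6) and Article 4(3) and the combination rule of Article 4(2) can be written out as the following added example, which is not part of the draft RTS. The function names are hypothetical, and the use of exact decimal arithmetic (so that a score of exactly 1.75, 2.5 or 3.25 lands in the upper band, as the rules require) is an assumption of this example.

```python
from decimal import Decimal

# Band boundaries shared by Article 2(5), Article 3(6) and Article 4(3).
# Each lower bound is inclusive, each upper bound exclusive.
BOUNDARIES = (Decimal("1.75"), Decimal("2.5"), Decimal("3.25"))

RISK_CLASSES = (
    "Low risk (1)",
    "Medium risk (2)",
    "Substantial risk (3)",
    "High risk (4)",
)
CONTROL_CLASSES = (
    "Very good quality of controls (A)",
    "Good quality of controls (B)",
    "Moderate quality of controls (C)",
    "Poor quality of controls (D)",
)


def to_score(value):
    """Convert input to Decimal and enforce the 1..4 range used by the draft RTS."""
    score = Decimal(str(value))
    if not Decimal(1) <= score <= Decimal(4):
        raise ValueError(f"score {score} is outside the range 1 to 4")
    return score


def band_index(score):
    """Number of boundaries reached or exceeded: 0 (lowest band) to 3 (highest)."""
    return sum(1 for boundary in BOUNDARIES if score >= boundary)


def classify_risk(value):
    """Article 2(5) and Article 4(3): inherent or residual score to risk class."""
    return RISK_CLASSES[band_index(to_score(value))]


def classify_controls(value):
    """Article 3(6): controls' quality score to class A-D (1 is best, 4 is worst)."""
    return CONTROL_CLASSES[band_index(to_score(value))]


def residual_risk_score(inherent, controls):
    """Article 4(2): combine the inherent risk and controls' quality scores."""
    i, c = to_score(inherent), to_score(controls)
    if c > i:
        # Point (a): controls score greater than the inherent score,
        # so the residual score equals the inherent score.
        return i
    # Point (b): controls score lower than or equal to the inherent score,
    # so the residual score is the average of the two.
    return (i + c) / 2


def best_case_residual(inherent):
    """Lowest residual score reachable for a given inherent score (controls = 1)."""
    return residual_risk_score(inherent, 1)


def assess(inherent, controls):
    """Full Article 4 result for one obliged entity."""
    residual = residual_risk_score(inherent, controls)
    return {
        "inherent_class": classify_risk(inherent),
        "controls_class": classify_controls(controls),
        "residual_score": residual,
        "residual_class": classify_risk(residual),
    }


if __name__ == "__main__":
    # Constructed sample scores, not taken from the consultation paper.
    for inherent, controls in [("3.4", "1.2"), ("2.0", "3.5"), ("4", "1"), ("2.5", "2.5")]:
        print(inherent, controls, assess(inherent, controls))
```

Under these rules controls can only lower the score: the residual score never exceeds the inherent score, and an entity with the maximum inherent score of 4 cannot be classified below Substantial risk (3) however good its controls are.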
Article 5 Timelines and updates of the assessment and classification of the inherent  
and residual risk profile of obliged entities  
1.
Supervisors shall carry out the first assessment and classification of the inherent and
residual risk profile of obliged entities pursuant to Articles 2, 3 and 4 of this Regulation
at the latest nine (9) months after the date of entry into force of this Regulation.
2.
After the first assessment and classification mentioned in paragraph 1 above,  
supervisors shall assess and classify the inherent and residual risk profile of obliged  
entities, pursuant to Article 2, 3 and 4 of this Regulation, at least once per year, before  
30 September.  
3.  
By way of derogation from paragraph 2 above, supervisors shall assess and classify the  
inherent and residual risk profile of obliged entities, pursuant to Article 2, 3 and 4 of  
this Regulation, at least once every three years, where the obliged entity meets any of  
the below criteria:  
a)
The total number of full-time equivalent employees employed by the obliged
entity in the relevant Member State is less than or equal to five (5);
b)
The obliged entity does not carry out activities falling within the scope of  
Regulation (EU) 2024/1624, other than the following activities:  
i.  
The activity of insurance intermediary as referred to in Article 2,  
paragraph 1, point 6(c), of Regulation (EU) 2024/1624;  
ii.  
The activity of credit intermediary as referred to in Article 2, paragraph  
1, point 6(h), of Regulation (EU) 2024/1624 and/or Article 3, paragraph  
3, point (k);  
iii.  
The activity of insurance undertaking as referred to in Article 2,  
paragraph 1, point 6(a), of Regulation (EU) 2024/1624, provided that the  
obliged entity does not distribute life insurance contracts or products  
other than: (i) contracts or products that cannot be redeemed; (ii)  
contracts or products that insure a lender against the death of a borrower;  
and (iii) contracts or products the annual premium of which is not above  
EUR 1,000 (or the equivalent in national currencies) or the unique  
premium of which is not above EUR 2,500 (or the equivalent in national  
currencies);  
iv.  
The activity of investment firm as referred to in Article 2, paragraph 1,  
point 6(d), of Regulation (EU) 2024/1624, provided that the obliged  
entity does not provide (i) any of the investment services mentioned in  
Annex I, section A, points (1), (2), (4), (8) and (9) of Directive (EU)  
2014/65, and (ii) any of the ancillary services mentioned in Annex I,  
section B, points (1) and (2), of Directive (EU) 2014/65;  
v.  
The activity of creditor as referred to in Article 2, paragraph 1, point 6(g)  
of Regulation (EU) 2024/1624;  
vi.  
The activities listed in points (2), (3) and (6), of Annex I to Directive  
(EU) 2013/36;  
c)  
The obliged entity is a branch set up by collective investment undertakings  
within the meaning of Article 2, paragraph 1, point 6(e), of Regulation (EU)  
2024/1624 authorised in a different Member State; or  
d)  
The residual risk profile of the obliged entity has already been assessed and  
classified in accordance with Article 5 of this Regulation at least once and such  
residual risk profile was last classified in the low-risk category.  
4.  
Where major events or developments in the management and operations of obliged  
entities occur, supervisors shall conduct an ad hoc assessment and classification of the  
inherent and residual risk profile of the relevant obliged entities, at the latest four (4)  
months after the supervisor becomes aware of the occurrence of such events or  
developments, pursuant to Article 2, 3 and 4 of this Regulation.  
5.  
When conducting the assessment mentioned in paragraph 4 above, supervisors may  
refrain from reviewing the scores attributed to the indicators that are not affected by the  
occurrence of the relevant major event or development. Supervisors may also refrain  
from assessing the need to adjust the scores of the controls sub-categories that are not  
affected by the occurrence of the relevant major event or development, based on  
available supervisory and/or external auditors’ assessment.  
6.  
For the purpose of paragraph 4 above, major events or developments in the management  
and operations shall mean any event or development in the management and operations  
of an obliged entity which may lead to a material change in the obliged entity’s inherent  
and/or residual risk profile. This includes but is not limited to:  
a)  
significant changes in the business model of the obliged entity to the extent  
where these changes may lead to a material change in the obliged entity’s  
inherent and/or residual risk profile;  
b)  
the identification by the supervisor responsible for the supervision of the obliged  
entity of significant weaknesses in the entity's AML/CFT procedures, systems  
and/or controls to the extent that these weaknesses may lead to a material change  
in the obliged entity’s inherent and/or residual risk profile;  
c)  
the fact that the obliged entity becomes a significant supervised entity within  
the meaning of Article 2, point (16), of Regulation (EU) 468/2014 or becomes  
part of a significant supervised group within the meaning of Article 2, point  
(22), of Regulation (EU) 468/2014, to the extent that this event may lead to a  
material change in the obliged entity’s inherent and/or residual risk profile.  
Article 5 Entry into force  
This Regulation shall enter into force on the twentieth day following that  
of its publication in the Official Journal of the European Union.  
This Regulation shall be binding in its entirety and directly applicable in all Member States.  
Done at Brussels,  
For the Commission  
The President  
[…]  
On behalf of the President  
[…]  
[Position]  
ANNEX I Data points, sub-categories and categories  
Section A Inherent risk  
[See Annex I, Section A, of the Consultation Paper]  
Section B Controls  
[See Annex I, Section B, of the Consultation Paper]  
4.2 Draft RTS on the risk assessment for the purpose of selection of  
credit institutions, financial institutions and groups of credit and  
financial institutions for direct supervision under Article 12(7) of  
the AMLAR  
COMMISSION DELEGATED REGULATION (EU) …/...  
of XXX  
on supplementing Regulation (EU) No 2024/1620 of the European Parliament and of the  
Council of 31 May 2024 with regard to regulatory technical standards specifying the  
assessment methodology of credit institutions, financial institutions and groups of credit  
and financial institutions for the purpose of selection for the direct supervision of the  
Authority for Anti-money laundering and Countering the Financing of Terrorism  
(Text with EEA relevance)  
THE EUROPEAN COMMISSION,  
Having regard to the Treaty on the Functioning of the European Union,  
Having regard to Regulation (EU) No 2024/1620 of the European Parliament and of the  
Council of 31 May 2024, establishing the Authority for Anti-Money Laundering and  
Countering the Financing of Terrorism and amending Regulations (EU) No 1093/2010, (EU)  
No 1094/2010 and (EU) No 1095/2010, and in particular Article 12(7) thereof,  
Whereas:  
(1)  
In accordance with Regulation (EU) No 2024/1620, a number of obliged entities in the  
financial sector shall be directly supervised by the Authority for Anti-Money  
Laundering and Countering the Financing of Terrorism (the Authority) to ensure the  
consistent and effective supervision of different parts of the same obliged entity. The  
selection of these obliged entities takes place in two stages. In the first stage, the  
Authority identifies all credit institutions, financial institutions or groups of credit and  
financial institutions that are operating in at least six Member States, including the home  
Member State, either via establishment or by conducting relevant operations under the  
freedom to provide services. In the second stage, the ML/TF risk profile of these entities  
is classified, to identify those that present a high residual risk.  
(2)  
The ability to explore new markets without having to create an establishment in another  
Member State is a key feature of the freedom to provide services. In some instances,  
entities notify their financial supervisors of their intention to exercise this freedom but  
do not start this activity in practice. In other instances, entities exercise this freedom but  
it does not represent a major part of their overall operations. Therefore, being  
considered eligible for selection might deter some entities from entering new markets.  
Considering the above, materiality thresholds should be established to qualify as  
eligible for the selection only those entities with a relevant activity under the freedom  
to provide services from an operational perspective. However, where an obliged entity  
is already operating in a Member State under establishment, any additional activities  
exercised under the freedom to provide services will not need to be assessed against the  
materiality thresholds set out in this Regulation.  
(3)  
The assessment of the minimum activities to be carried out by a credit institution or a  
financial institution under the freedom to provide services, whether through  
infrastructure or remotely, serves to establish whether it should be considered as  
operating in a Member State other than that where it is established for the purpose of  
Article 12, paragraph 7, subparagraph (a) of Regulation (EU) No 2024/1620. This  
assessment ought to be made based on data that the Authority and financial supervisors  
can collect from credit institutions and financial institutions. The threshold and criteria  
developed in this Regulation should not be used to define the activity under the freedom  
to provide services principle for any other purposes.  
(4)  
All entities operating in at least six Member States through establishments or by  
conducting relevant operations under the freedom to provide services and whose  
residual risk profile is “high” should qualify for direct supervision in accordance with  
Article 13(1) of Regulation (EU) No 2024/1620.  
(5)  
To reduce the operational burden on obliged entities and financial supervisors and to  
ensure alignment between the methodology for the selection of directly supervised  
institutions and methodology for assessing the risk profiles of obliged entities in line  
with Article 40 (2) of Directive (EU) 2024/1640, the methodology for the selection  
should build on the methodology for assessing the risk profiles of obliged entities in  
line with Article 40 (2) of Directive (EU) 2024/1640. These risk profiles should be  
aggregated for the classification of the group risk profile, at the level of the highest  
parent company in the European Union which is a credit or a financial institution.  
(6)  
To avoid that, as an effect of the aggregation of the entity-level score, the ML/TF risk  
profile of a high ML/TF risk group is unduly reduced because some of its components  
have a low risk profile, the group-wide methodology for the purpose of selection should  
reflect the relative importance of each entity within the group, in terms of size and risk,  
and attribute a higher weight to the most important entities.  
(7)  
It is essential to ensure a full comparability of the outcomes of the selection process.  
Given the diversity, under the preceding AML/CFT regime which had been established  
by Directive (EU) 2015/849, of approaches adopted by financial supervisors to the  
evaluation of the residual risk profile of obliged entities, the methodology applied for  
the first round of selection should have different features from the one applied for the  
subsequent rounds, where a higher degree of harmonisation is envisaged. Therefore,  
some transitional rules should be set, with the objective to limit the possibility of  
adjusting the controls’ quality score based on qualitative assessments of the  
effectiveness of the entities’ controls. This would ensure a smoother transition to the  
application of the full methodology, when the Authority will have been able to foster,  
and then ensure, the consistency of supervisory practices.  
(8)  
This Regulation is based on the draft regulatory technical standards submitted to the  
Commission by the Authority,  
HAS ADOPTED THIS REGULATION:  
Section I: Minimum activities to be carried out through the freedom to provide services  
Article 1 - Materiality thresholds for operations under the freedom to provide services  
1.  
The activities of a credit institution or a financial institution under the freedom to  
provide services in a Member State other than where it is established shall be  
considered material for the purposes of meeting the conditions of Article 12(1) of  
Regulation (EU) 2024/1620, where:  
a) the number of its customers that are resident in that Member State is above  
20,000; or  
b) the total value in Euro of incoming and outgoing transactions generated by the  
customers referred to under letter (a) is above 50,000,000.  
2.  
Whether the activity of the credit or financial institution meets any of the materiality  
thresholds referred to in paragraph 1 points a) and b) shall be determined based on the  
data points listed under Annex I, section C.  
Section II: Risk assessment  
Article 2 - Assessment and classification of the inherent risk at the entity level  
The methodology for assessing and classifying the inherent and residual risk profile of credit  
and financial institutions as referred to in Article 12 (5) and (6) of Regulation (EU) 2024/1640  
as low, medium, substantial or high, shall consist of the following steps:  
1.  
Attribution of a numerical score with decimal places ranging from 1 (lowest level of  
risk) to 4 (highest level of risk) based on pre-determined thresholds to all the inherent  
risk indicators that apply to the relevant obliged entity. These inherent risk indicators  
shall be based on the data points mentioned in Annex I, section A.  
2.  
Based on the scores attributed to the inherent risk indicators in accordance with  
paragraph 1 above, determination of combined scores for all categories of indicators  
listed in Annex I, section A, each of which shall be a numerical value with decimal  
places ranging from 1 (lowest level of risk) to 4 (highest level of risk). When  
determining a combined score per category, pre-determined weights shall be applied to  
the different inherent risk indicators comprising the relevant category. The weights  
given to these different inherent risk indicators shall reflect their respective risk  
significance. The weights shall be expressed as a numerical value without decimal  
places ranging from 1 (lowest risk significance) to 5 (highest risk significance).  
3.  
Based on the combined scores per category determined in accordance with paragraph 2  
above, determination of the inherent risk score of the credit or financial institution,  
which shall be a numerical value with decimal places ranging from 1 (lowest level of  
risk) to 4 (highest level of risk). When determining the inherent risk score, the weights  
given to the different categories shall be proportional to the risk score attributed to these  
categories. Categories with a higher risk score shall have a greater weight than  
categories that have received a lower risk score.  
4.  
Based on the inherent risk score attributed to the credit or financial institution in  
accordance with paragraph 3 above, classify the inherent risk profile of this credit or  
financial institution, in accordance with the following conversion rules:  
Score < 1.75: Low risk (1)  
1.75 ≤ Score < 2.5: Medium risk (2)  
2.5 ≤ Score < 3.25: Substantial risk (3)  
Score ≥ 3.25: High risk (4)  
Article 3 - Assessment and classification of the quality of AML/CFT controls  
The quality of the AML/CFT controls put in place by each credit or financial institution to  
mitigate the inherent risks to which it is exposed shall be included in the assessment and  
classification referred to in Article 4 by applying the following sequential steps:  
1.  
Attribution of a numerical score with decimal places ranging from 1 (highest level of  
quality) to 4 (lowest level of quality) based on predetermined thresholds to all the  
controls’ quality indicators that apply to the credit or financial institution. These  
controls’ quality indicators shall be based on the data points mentioned in Annex I,  
section B;  
2.  
Based on the scores attributed to the applicable controls’ quality indicators, in  
accordance with paragraph 1 above, determination of combined scores for all sub-  
categories of indicators listed in Annex I, section B, each of which shall be a numerical  
value with decimal places ranging from 1 (highest level of quality) to 4 (lowest level of  
quality). When determining combined scores per sub-category, pre-determined weights  
shall be applied to the different controls’ quality indicators comprising the relevant sub-  
category. The weights given to these different controls’ quality indicators shall reflect  
their respective risk significance. The weights shall be expressed as a numerical value  
without decimal places ranging from 1 (lowest risk significance) to 5 (highest risk  
significance).  
3.  
Where a supervisory assessment or an external auditors’ assessment is available that  
warrants an adjustment of any of the combined scores per sub-category attributed in  
accordance with paragraph 2 above, the score shall be adjusted accordingly. For the  
purpose of this paragraph:  
a)  
“supervisory assessment” shall mean any assessment of the effectiveness, or  
compliance with AML/CFT legal requirements, of all or part of a credit or  
financial institution’s AML/CFT governance, procedures, systems and controls  
carried out by a supervisor within the course of its supervisory activities. This  
includes but is not limited to full scope or targeted on-site inspections, thematic  
off-site reviews, other off-site analyses, as well as any action taken to assess the  
adequacy of the corrective measures put in place by an obliged entity to address  
findings and/or shortcomings in its AML/CFT procedures, systems and controls  
previously identified;  
b)  
an external auditors’ assessment shall mean any assessment of the effectiveness,  
or compliance with AML/CFT requirements, of all or part of a credit or financial  
institution’s AML/CFT governance, procedures, systems and controls carried  
out by external auditors.  
4.  
Based on the combined scores per sub-category attributed in accordance with  
paragraphs 2 and 3, determination of combined scores for all categories of indicators  
listed in Annex I, section B, each of which shall be a numerical value with decimal  
places comprised between 1 (highest level of quality) and 4 (lowest level of quality).  
When determining a combined score per category, specific weights shall be applied to  
the sub-categories comprising this category. The weights given to these different sub-  
categories shall reflect their respective risk significance. The weights shall be expressed  
as a numerical value without decimal places ranging from 1 (lowest risk significance)  
to 5 (highest risk significance).  
5.  
Based on the combined scores attributed to the categories of controls’ quality indicators,  
in accordance with paragraph 4 above, determination of the controls’ quality score of  
the credit or financial institution, which shall be a numerical value with decimal places  
ranging from 1 (highest level of quality) to 4 (lowest level of quality). When  
determining the controls’ quality score, the weights given to the different categories  
shall be proportional to the quality score attributed to these categories. Categories that  
received a lower quality score shall have a greater weight than categories that received  
a higher quality score.  
6.  
Based on the controls’ quality score attributed in accordance with paragraph 5 above,  
classification of the credit or financial institution in one of the following categories, in  
accordance with the following conversion rule:  
Score < 1.75: Very good quality of controls (A)  
1.75 ≤ Score < 2.5: Good quality of controls (B)  
2.5 ≤ Score < 3.25: Moderate quality of controls (C)  
Score ≥ 3.25: Poor quality of controls (D)  
Article 4 - Assessment and classification of the residual risk at the entity level  
For the assessment and the classification of the residual risk profile of each credit or financial  
institution, the following methodology shall apply:  
1.  
Based on the inherent risk numerical score and the controls’ quality numerical score  
attributed to the credit or financial institution, respectively, in accordance with Article  
2 and Article 3, determination of the residual risk score of the credit and financial  
institutions by applying the following rules:  
a.  
where the numerical controls’ quality score is greater than the numerical  
inherent risk score, then the residual risk score shall be equal to the inherent risk  
score  
b.  
where the numerical controls’ quality score is lower or equal to the numerical  
inherent risk score, then the residual risk score shall be equal to the average of  
the inherent risk score and the controls’ quality score  
2.  
Depending on the residual risk score of the credit or financial institution, determined in  
accordance with paragraph 1, classification of the residual risk profile of the credit or  
financial institution as low, medium, substantial or high, in accordance with the  
following conversion rule:  
Score < 1.75: Low risk (1)  
1.75 ≤ Score < 2.5: Medium risk (2)  
2.5 ≤ Score < 3.25: Substantial risk (3)  
Score ≥ 3.25: High risk (4)  
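The entity-level steps of Articles 2 to 4 can be traced in code. The following Python sketch is an added illustration, not part of the draft Regulation: the category names and all figures are constructed, the adjustment of Article 3(3) is omitted, and reading "weights proportional to the score" as a weight equal to the numerical category score is an assumption.

```python
from decimal import Decimal as D

# Conversion rule shared by Article 2(4), Article 3(6) and Article 4(2).
# Decimal avoids binary floating-point drift at the 1.75 / 2.5 / 3.25 boundaries.
BANDS = (D("1.75"), D("2.5"), D("3.25"))
RISK_LABELS = ("Low risk (1)", "Medium risk (2)",
               "Substantial risk (3)", "High risk (4)")
CONTROL_LABELS = ("Very good quality of controls (A)",
                  "Good quality of controls (B)",
                  "Moderate quality of controls (C)",
                  "Poor quality of controls (D)")


def classify(score, labels=RISK_LABELS):
    """Map a score in [1, 4] to its band; lower bounds are inclusive."""
    if not D(1) <= score <= D(4):
        raise ValueError(f"score {score} outside the 1-4 range")
    return labels[sum(score >= bound for bound in BANDS)]


def combine_indicators(scored):
    """Article 2(2) / 3(2): weighted mean of (score, weight) pairs.

    Weights are whole numbers from 1 to 5, as the text requires.
    """
    for score, weight in scored:
        if not isinstance(weight, int) or not 1 <= weight <= 5:
            raise ValueError(f"weight {weight!r} must be an integer from 1 to 5")
        if not D(1) <= score <= D(4):
            raise ValueError(f"indicator score {score} outside the 1-4 range")
    return sum(s * w for s, w in scored) / sum(w for _, w in scored)


def combine_categories(category_scores):
    """Article 2(3) / 3(5): category weights proportional to category scores.

    Assumption: the weight of a category equals its own numerical score, so
    the worst (numerically highest) categories dominate the result.
    """
    return sum(s * s for s in category_scores) / sum(category_scores)


def residual_score(inherent, controls):
    """Article 4(1): controls can lower the residual score, never raise it."""
    if controls > inherent:          # point (a): weak controls, no mitigation
        return inherent
    return (inherent + controls) / 2  # point (b): average of the two scores


def demo():
    """Walk one constructed entity through Articles 2 to 4."""
    # Constructed inherent-risk indicators: category -> [(score, weight), ...]
    inherent_indicators = {
        "customers":   [(D("4"), 3), (D("2"), 1)],
        "products":    [(D("3"), 2), (D("2"), 2)],
        "geographies": [(D("1.5"), 1)],
    }
    categories = [combine_indicators(v) for v in inherent_indicators.values()]
    inherent = combine_categories(categories)

    # Constructed controls category scores (1 = highest quality, 4 = lowest).
    controls = combine_categories([D("1.5"), D("2.5")])

    residual = residual_score(inherent, controls)
    return {
        "inherent": inherent,
        "inherent_class": classify(inherent),
        "controls": controls,
        "controls_class": classify(controls, CONTROL_LABELS),
        "residual": residual,
        "residual_class": classify(residual),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With these constructed inputs the category scores are 3.5, 2.5 and 1.5: a plain mean would give 2.5, while the score-proportional weighting gives about 2.77, which shows how a single high-risk category pulls the inherent score upwards.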
Article 5 - Group-wide risk assessment  
1.  
The Authority, in collaboration with financial supervisors, shall calculate the group-  
wide risk profile of a group of credit or financial institutions, by aggregating the entity-  
level residual risk scores of the group’s components.  
2.  
The aggregation referred to under paragraph 1 shall be based on a weighted averaging  
method, with weights proportional to the relevance of each entity within the group and  
enhancing the contribution of riskier entities in accordance with the following formula:  
1
[ ] [ ]  
(∑  
)
=1  
Where:  
N: number of entities in the group  
r[i]: residual risk score of entity i  
w[i]: weight representing the relevance of entity i within the group  
α≥1: parameter to enhance the contribution of riskier entities  
3.  
The relevance of each entity within the group shall be measured in accordance  
with the data points listed in Annex I, section A of this Regulation, based on:  
(i)  
the total number of its customers; and  
(ii)  
the total amount in Euro of incoming and outgoing transactions; and  
(iii)  
the total amount in Euro of the assets held or managed by the entity.  
4.  
The result of the aggregation carried out in accordance with the formula under  
paragraph 2 shall be converted into a numerical group-wide residual risk score  
with decimal places, ranging between 1 (lowest risk) to 4 (highest risk).  
5.  
Depending on the residual risk score of the group of credit and financial  
institutions, the Authority, in collaboration with financial supervisors, shall  
classify the residual risk profile of the obliged entity as low, medium, substantial  
or high, in accordance with the following conversion rule:  
Score < 1.75: Low risk (1)  
1.75 ≤ Score < 2.5: Medium risk (2)  
2.5 ≤ Score < 3.25: Substantial risk (3)  
Score ≥ 3.25: High risk (4)  
6.  
The residual risk profile resulting from the application of the methodology set  
out in the previous paragraphs shall be the group-wide risk profile of the  
assessed group for the purpose of the selection for the direct supervision.  
Section III: Final provisions  
Article 6 - Transitional provisions  
1.  
Article 3 point 3 shall not be applied for the assessments of inherent and residual risk  
profiles done for the purposes of first round for determining the selected obliged  
entities.  
2.  
By way of derogation from paragraph 1, the Authority, in collaboration with financial  
supervisors, may adjust the controls’ quality score, by increasing or decreasing it by  
one category, based on on-site inspections outcomes that took place in the two calendar  
years before the launch of the assessments, whether this information is relevant for the  
classification of the entity’s ML/TF risk profile. Where the risk is increased by one  
category, the adjusted score shall be set at the minimum value of the corresponding  
category. Where the risk is decreased by one category, the adjusted score shall be set at  
the maximum value of that corresponding category.  
3.  
The adjustment applied in accordance with paragraph 2 of this Article shall always be  
duly justified.  
Article 7 - Entry into force  
This Regulation shall enter into force on the twentieth day following that of its publication in  
the Official Journal of the European Union.  
This Regulation shall be binding in its entirety and directly applicable in all Member States.  
Done at Brussels,  
For the Commission  
The President  
[…]  
On behalf of the President  
[…]  
[Position]  
4.3 Draft RTS under Article 28(1) of the AMLR on Customer Due  
Diligence  
COMMISSION DELEGATED REGULATION (EU) …/...  
of XXX  
on supplementing Regulation (EU) 2024/1624 of the European Parliament and of the  
Council with regard to regulatory technical standards specifying information and  
requirements necessary for the performance of customer due diligence for the purposes  
of Article 28(1)  
(Text with EEA relevance)  
THE EUROPEAN COMMISSION,  
Having regard to the Treaty on the Functioning of the European Union,  
Having regard to Regulation (EU) 2024/1624 of the European Parliament and of the Council  
of 31 May 2024 on the prevention of the use of the financial system for the purposes of money  
laundering or terrorist financing, and in particular Article 28(1), first subparagraph points (a),  
(b), (c), (d), and (e) hereof,  
Whereas:  
(1)  
Regulation (EU) 2024/1624 aims for harmonisation of customer due diligence  
measures across Member States and obliged entities within the EU. To achieve this,  
common parameters are set for the application of risk-based customer due diligence  
measures. As part of this, obliged entities are required to apply enhanced due diligence  
measures in case of identified higher money laundering (ML) / terrorist financing (TF)  
risk situations and may decide to apply simplified due diligence measures in lower  
ML/TF risk situations.  
(2)  
Obliged entities are required to adjust the customer due diligence measures based on  
the ML/TF risk associated with their customers, business relationships or occasional  
transactions. This will ensure a proportionate and effective approach.  
(3)  
Obliged entities should collect data and information, for the purposes of identification  
and verification of the customer, of a natural person or a legal person, in the same way  
in relation to the transcription of the names, addresses, places and nationalities to ensure  
comparability across Member States.  
(4)  
When obliged entities collect information from customers for the purposes of  
complying with customer due diligence requirements, that information may not always  
involve the collection of documentation. This Regulation specifies the situations where  
documentation should be collected.  
(5)  
Obtaining data and documents collected as part of the due diligence measures from  
independent and reliable sources is key to ensuring that obliged entities can rely on  
these sources to know who their customers are. Reliable and independent sources of  
information for customers that are not natural persons include, but are not limited to:  
statutory documents of the legal entity or legal arrangement required by law including  
certificates of incorporations or audited financial statements; the most recent version of  
the constitutive documents establishing the legal entity or legal arrangement, including  
Memorandum of Association and Articles of Association, or a recent official copy of  
these documents issued by the applicable public registers and lists or an unofficial copy  
thereof certified by an independent professional or a public authority. In the case of a  
trust or similar legal arrangement, that may not be subject to registration, a copy of the  
trust deed, or an extract thereof, together with any other document that determines the  
exercise of any powers by the trustees or similar administrators, certified by an  
independent professional could qualify as reliable and independent sources of  
information.  
(6)  
Obliged entities should assess the level of reliability and independence of documents  
they obtained as part of their customer due diligence process based on certain criteria.  
For example, unless it has been issued by a state or public authority, a recent document  
may be more reliable than information that dates back several years.  
(7)  
There may be situations where identity documents issued to or held by the customer do  
not meet the attributes of an identity card or passport. This could be the case, for  
example, where the customer is an asylum seeker. To mitigate the risk of financial  
exclusion and unwarranted derisking, the criteria laid down in this Regulation  
concerning identification documents should be applied in a way that takes into account  
the reason why a legitimate customer may be unable to provide standard  
documentation.  
(8)  
Obtaining beneficial owner information for all customers that are not natural persons is  
essential for complying with anti-money laundering and countering the financing of  
terrorism (AML/CFT) requirements and with targeted financial sanctions obligations.  
For this reason, consultation of the central registers for information on the beneficial  
owners is necessary but not enough to fulfil the verification requirements.  
(9)  
There are legitimate situations whereby the obliged entity may be unable to identify a  
natural person as the beneficial owner of its customer. In these situations, Regulation  
(EU) 2024/1624 requires the identification of senior managing officials (SMO), instead.  
While SMOs are not beneficial owners, for the purposes of identification and  
verification measures, obliged entities should collect the same level of information for  
SMOs as they do for the beneficial owners.  
(10) The identification of SMOs is allowed by Regulation (EU) 2024/1624 only in cases  
where the obliged entity has been unable to identify beneficial owners having  
“exhausted all possible means of identification” or where “there are doubts that the  
persons identified are the beneficial owners”. Finding it difficult to identify the  
beneficial owner, for example in cases of complex structures, does not amount to such  
‘doubts’ and therefore will not provide a sufficient basis for the obliged entity to  
identify the SMOs instead.  
(11) Understanding the purpose and intended nature of a business relationship or occasional  
transaction is a key component of the customer due diligence process. This Regulation  
specifies how obliged entities should comply with this requirement and sets out which  
information they should obtain before entering into business relationships or carrying  
out occasional transactions.  
(12) Regulation (EU) 2024/1624 requires specific measures to be applied to transactions or  
business relationships with politically exposed persons. The focus of this Regulation is  
on measures for the identification, by obliged entities, of politically exposed persons,  
their family members or persons known to be close associates. These measures are  
important because once a politically exposed person is identified, the obliged entity  
should apply specific measures in relation to such customer.  
(13) In situations where the ML/TF risk is assessed as lower, Regulation (EU) 2024/1624  
allows the application of simplified due diligence measures. Simplified due diligence  
measures should ease the administrative burden on the obliged entities and on the  
customers without increasing the risk of money laundering or terrorist financing.  
(14) Minimum requirements for the identification of natural persons in low-risk situations  
should mirror the type of information which is usually included in a passport or identity  
document.  
(15) This Regulation identifies sectors that would, when associated with a low risk of money  
laundering or terrorism financing, benefit from specific simplified due diligence  
measures. These include situations where a credit institution opens a pooled account for  
its customer; and investment funds offering financial services through another financial  
institution acting on behalf of its customers, where such services pose a low ML/TF  
risk.  
(16) Obliged entities need to ensure that their customer information remains up to date. This  
includes completing customer identification updates for all customers on a risk-  
sensitive basis and within the parameters set out in Article 26(2) of Regulation (EU)  
2024/1624. The minimum period of 5 years for updating that information should  
start for existing customers with the application date of this Regulation. For customers  
representing low ML/TF risks, the frequency of identification updates can be reduced  
according to Article 33(1)(b) of Regulation (EU) 2024/1624, without exceeding the  
maximum period provided in point (b) of Article 26(2) of that Regulation, and provided  
that obliged entities monitor the business relationship for certain trigger events and  
signs of change in relevant circumstances. New customers will already have provided  
up-to-date data when establishing the business relationship and their data is to be  
updated within 5 years at the latest in accordance with Article 26(2) of Regulation (EU)  
2024/1624.  
(17) In situations where the ML/TF risks are higher, Regulation (EU) 2024/1624 calls for  
the application of enhanced due diligence measures to mitigate these risks. Where  
obliged entities obtain additional information to meet this requirement, this information  
should be of sufficient quality to enable them to verify the authenticity and accuracy of  
the information provided. It should also meet the criteria of reliability and  
independence.  
(18) Additional information obliged entities obtain for understanding the source of funds  
and the source of wealth of the customer and of the beneficial owners in high-risk  
situations should enable them to satisfy themselves that the funds and assets used by  
the customer and beneficial owner are of legitimate origin.  
(19) Customer due diligence measures include a specific requirement for obliged entities to  
verify if the customer or the beneficial owner are subject to targeted financial sanctions.  
Requirements within this Regulation are limited to measures that obliged entities need  
to undertake to satisfy themselves that their customers or beneficial owners are not  
sanctioned individuals or sanctioned entities.  
(20) Article 19(7) of Regulation (EU) 2024/1624 provides for an exemption in relation to  
electronic money for obliged entities from fully or partially applying the customer due  
diligence measures indicated in Article 20(1), points (a), (b) and (c) of that Regulation.  
To enable supervisors to determine the extent of this exemption, this Regulation  
specifies risk factors associated with features of electronic money instruments  
contributing to lower risks which should be considered by them.  
(21) The use of attributes of electronic identification means and qualified trust services for  
customer due diligence purposes should be aligned with the risk of ML/TF posed by  
the customer or beneficial owner.  
HAS ADOPTED THIS REGULATION:  
Section 1: Information to be collected for identification and verification purposes  
Article 1 Information to be obtained in relation to names  
1.  
In relation to the names and surnames of a natural person as referred to in Article  
22(1)(a) point (i) of Regulation (EU) 2024/1624, obliged entities shall obtain all of the  
customer's full names and surnames. Obliged entities shall ask the customer to provide  
at least those names that feature on their identity document, passport or equivalent.  
3.  
In relation to the name of a legal entity as referred to in Article 22(1)(b) point (i) of  
Regulation (EU) 2024/1624 obliged entities shall obtain the registered name, and the  
commercial name where it differs from the registered name.  
Article 2 Information to be obtained in relation to addresses  
The information on the address as referred to in Article 22(1) (a) point (iv) and 22(1) (b) point  
(ii) of Regulation (EU) 2024/1624 shall consist of the following information: the full country  
name or the abbreviation in accordance with the International Standard for country codes (ISO  
3166) (alpha-2 or alpha-3), postal code, city, street name, and where available, building number  
and the apartment number.  
Article 3 Specification on the provision of the place of birth  
The information on the place of birth as referred to in Article 22(1) (a) point (ii) of Regulation  
(EU) 2024/1624 shall consist of both the city and the country name.  
37  
PROPOSED REGULATORY TECHNICAL STANDARDS IN THE CONTEXT OF THE EBA’S RESPONSE TO  
THE EUROPEAN COMMISSION’S CALL FOR ADVICE ON NEW AMLA MANDATES  
Article 4 Specification on nationalities  
For the purposes of Article 22 (1) (a) point (iii) of Regulation (EU) 2024/1624 obliged entities  
shall obtain necessary information to satisfy themselves that they know of any other  
nationalities their customers may hold.  
Article 5 Documents for the verification of the identity  
1.  
For the purposes of verifying the identity of the person in accordance with Article 22(6)  
(a) and Article 22(7)(a) of Regulation (EU) 2024/1624 a document, in the case of  
natural persons, shall be considered to be equivalent to an identity document or passport  
where all of the following conditions are met:  
a.  
it is issued by a state or public authority,  
b.  
it contains at least all names and surnames, the holder’s date and place of birth  
and their nationality,  
c.  
it contains information on the period of validity and a document number,  
d.  
it contains a facial image and the signature of the document holder,  
e.  
it contains a machine-readable zone,  
f.  
it contains security features, and  
g.  
it contains, where available, biometric data.  
2.  
In situations where the customer cannot provide a document that meets the requirements  
in paragraph 1 of this article for a legitimate reason, a document shall be considered  
equivalent to an identity document or passport if it is issued by a state or public authority  
and it contains at least all the customer’s names and surnames, place and date of birth,  
nationality and a facial image of the document holder.  
3.  
Obliged entities shall take reasonable steps to ensure that all documents obtained for  
the verification of the identity of the person pursuant to Article 22(6)(a) and Article  
22(7)(a) of Regulation (EU) 2024/1624, as referred to in paragraphs 1 and 2 of this  
Article, are authentic and have not been forged or tampered with.  
4.  
Obliged entities shall take reasonable steps to understand, when original documents are  
in a foreign language, their content, including through a certified translation, when  
deemed necessary.  
5.  
For the purposes of verifying the identity of the person referred to in Article 22(6) of  
Regulation (EU) 2024/1624, these persons shall provide the obliged entity with the  
original identity document, passport or equivalent, or a certified copy thereof, or in  
accordance with Article 6.  
Article 6. Verification of the customer in a non face-to-face context  
1. To comply with the requirements of Article 22(6) of Regulation (EU) 2024/1624 in a  
non-face-to-face context, obliged entities shall use electronic identification means, which meet the  
requirements of Regulation (EU) No 910/2014 with regard to the assurance levels ‘substantial’  
or ‘high’, or relevant qualified trust services as set out in that Regulation.  
2. In cases where the solution described in paragraph 1 is not available, or cannot reasonably  
be expected to be provided, obliged entities shall acquire the customer’s identity document (or  
equivalent) using remote solutions that meet the conditions set out in paragraphs 3-6 of this  
Article. Such solutions shall be commensurate with the size, nature and complexity of the obliged  
entity’s business and its exposure to ML/TF risks.  
3. Before identifying a customer remotely in line with paragraph 2 of this article, the obliged  
entity must obtain from the person to be identified their explicit consent. This consent must be  
recorded.  
4. Obliged entities shall ensure that the solution described in paragraph 2 uses reliable and  
independent information sources and includes the following safeguards regarding the quality  
and accuracy of the data and documents to be collected:  
a. controls ensuring that the person presenting the customer’s identity document  
(or equivalent) is the same person as the person on the picture of the document;  
b. the integrity and confidentiality of the audiovisual communication with the  
person should be adequately ensured; for this reason, only end-to-end encrypted  
video chats are permitted;  
c. any images, video, sound and data are captured in a readable format and with  
sufficient quality so that the customer is unambiguously recognisable;  
c. the identification process does not continue if technical shortcomings or  
unexpected connection interruptions are detected;  
d. the information obtained through the remote solution is up-to-date;  
e. the documents and information collected during the remote identification  
process, which are required to be retained, are time-stamped and stored securely by  
the obliged entity. The content of stored records, including images, videos, sound  
and data shall be available in a readable format and allow for ex-post verifications.  
5. Where obliged entities accept reproductions of an original document, for customers that are  
not natural persons, and do not examine the original document, obliged entities shall take steps  
to ascertain that the reproduction is reliable. Where available, during the verification process,  
obliged entities shall verify the security features embedded in the official document, if any,  
such as holograms, as a proof of their authenticity.  
6. Obliged entities using remote solutions shall be able to demonstrate to their competent  
authority that the remote verification solutions they use comply with this article.  
Article 7 Reliable and independent sources of information  
When assessing whether a source of information is reliable and independent, obliged entities  
shall take risk-sensitive measures to assess the credibility of the source, including the  
reputation, official status and independence of the information source, the extent to which the  
information is up-to-date, the accuracy of the source, based on whether the information or data  
provided had to undergo certain checks before being provided or is consistent with other  
sources or over time, and the ease with which the identity information or data provided can be  
forged.  
Article 8 Identification and verification of the identity of the natural or legal persons using  
a virtual IBAN  
Where a credit or financial institution, other than the issuer of the virtual IBAN and other than  
the credit or financial institution servicing the account, provides a natural or legal person a  
virtual IBAN for their use, it shall provide to the issuer of the virtual IBAN the information for  
identifying and verifying the identity of that natural or legal person using the virtual IBAN  
within a time period that enables the credit institution and financial institution servicing the  
bank or payment account to fulfil its obligation under Article 22(3) second subparagraph of  
Regulation (EU) 2024/1624.  
Article 9 Reasonable measures for the verification of the beneficial owner  
The reasonable measures referred to in Article 22(7)(b) of Regulation (EU) 2024/1624  
include:  
a. consulting public registers, other than the central registers, and other reliable national  
systems that contain the information necessary to verify the identity of the person, such  
as the residence register, tax register, passport database and the land register; to the  
extent that these are accessible to obliged entities; or  
b. collecting information from other sources, which may include: third-party sources such  
as utility bills in the name of the customer or the beneficial owner, up-to-date information  
from credit or financial institutions as defined in Article 3(1) and (2) of Regulation (EU)  
2024/1624, which confirm that the beneficial owner has been identified and verified by  
the respective institution, documents from the legal entity or the legal arrangement  
where the beneficial owner is named, and where the identity of the named person is  
certified by an independent professional or sources using a combination of public and  
private records.  
Article 10 Understanding the ownership and control structure of the customer  
1.  
For the purposes of understanding the ownership and control structure of the customer  
in accordance with Article 20(1) (b) of Regulation (EU) 2024/1624 and in situations  
where the customer’s ownership and control structure contains more than one legal  
entity or legal arrangement, obliged entities shall obtain the following information:  
a.  
a reference to all the legal entities and/or legal arrangements functioning as  
intermediary connections between the customer and their beneficial owners, if  
any;  
b.  
with respect to each legal entity or legal arrangement within the referred  
intermediary connections, the legal form of each legal entity or legal  
arrangement, and reference to the existence of any nominee shareholders; the  
jurisdiction of incorporation or registration of the legal person or legal  
arrangement, or, in the case of a trust, the jurisdiction of its governing law; and  
where applicable, the shares of interest held by each legal entity or legal  
arrangement, its sub-division, by class or type of shares and/or voting rights  
expressed as a percentage of the respective total, where beneficial ownership is  
determined on the basis of control, understanding how this is expressed and  
exercised.  
c.  
information on the regulated market on which the securities are listed, in case a  
legal entity in an intermediate level of the ownership and control structure has  
its securities listed on a regulated market, and the extent of the listing if not all  
the legal entity’s securities are listed on a regulated market.  
2.  
Obliged entities shall assess whether the information included in the description, as  
referred to in Article 62(1)(d) of Regulation (EU) 2024/1624, is plausible, whether there is  
an economic rationale behind the structure, and whether it explains how the overall structure  
affects the ML/TF risk associated with the customer.  
Article 11 Understanding the ownership and control structure of the customer in case of  
complex structures  
1.  
To understand the ownership and control structure of the customer in accordance with  
Article 20(1)(b) of Regulation (EU) 2024/1624, obliged entities shall treat an ownership  
and control structure as complex where there are two or more layers between the  
customer and the beneficial owner and in addition, one of the following conditions is  
met:  
a.  
there is a legal arrangement in any of the layers;  
b.  
the customer and any legal entities present at any of these layers are registered  
in different jurisdictions;  
c.  
there are nominee shareholders and/or directors involved in the structure; or  
d.  
there are indications of non-transparent ownership with no legitimate economic  
rationale or justification.  
2.  
If, based on the criteria in paragraph 1, the ownership and control structure is complex,  
the obliged entity shall obtain from the customer an organigram in addition to the  
information referred to in Article 10(1) of this Regulation.  
3.  
Obliged entities shall take risk-sensitive measures to satisfy themselves that the  
organigram provided is accurate and provides obliged entities with a comprehensive  
understanding of the ownership and control structure of the customer.  
Article 12 Information on senior managing officials  
In relation to senior managing officials as referred to in Article 22(2) second paragraph of  
Regulation (EU) 2024/1624, obliged entities shall:  
a.  
collect the same information as for beneficial owners; and  
b.  
verify the identity of senior managing officials in the same way as for beneficial owners.  
Article 13 Identification and verification of beneficiaries of trusts and similar legal entities  
or arrangements  
1.  
For the purposes of Article 22(4) of Regulation (EU) 2024/1624, the information  
obliged entities shall obtain from the trustee, the legal entity or the legal arrangement  
includes:  
a.  
a description of the class of beneficiaries and its characteristics, which shall  
contain sufficient information to allow the obliged entity to determine whether  
individual beneficiaries are ascertainable and shall be treated as beneficial  
owners; and  
b.  
relevant documents to enable the obliged entity to establish that the description  
is correct and up-to-date.  
2.  
Obliged entities shall take risk-sensitive measures to ensure that the trustee, the legal  
entity or the legal arrangement provide timely updates, including on specific events that  
may lead to beneficiaries previously identified by class or characteristics becoming  
ascertainable and thus beneficial owners.  
Article 14 Identification and verification of beneficiaries of discretionary trusts  
1.  
For the purposes of Article 22(5) of Regulation (EU) 2024/1624, the information obliged  
entities shall obtain from the trustee of the discretionary trust includes:  
a.  
details on the objects of power and default takers to know if it is a class of natural  
or legal persons or if the natural or legal persons are already identified;  
b.  
relevant documents to enable the obliged entity to establish that these details are  
correct and up-to-date.  
2.  
To comply with paragraph 1, obliged entities shall:  
a.  
obtain sufficient information about how and in which ways the power of  
discretion can be exercised by the trustee(s);  
b.  
take measures to establish whether trustees have exercised their power of  
discretion and appointed one or more beneficiaries from amongst the objects of  
power or whether the default takers have become the beneficiaries due to the  
trustees’ failure to exercise their power of discretion.  
Section 2: Purpose and intended nature of the business relationship or the occasional  
transactions  
Article 15 Identification of the purpose and intended nature of the business relationship or  
the occasional transactions  
For the purposes of Article 20(1)(c) of Regulation (EU) 2024/1624, obliged entities shall take  
risk-sensitive measures to determine:  
a.  
why the customer has chosen the obliged entities’ products and services;  
b.  
how the customer plans to use the products or services provided, including the volume  
of funds flowing through the account and their source;  
c.  
whether the customer has additional business relationships with the obliged entity or its  
wider group, and the extent to which that influences the obliged entity’s understanding  
of the customer and the source of funds; and  
d.  
where the ML/TF risk is higher, to determine the source of wealth.  
Article 16 Understanding the purpose and intended nature of the business relationship or the  
occasional transactions  
When obtaining information in accordance with Article 25 of Regulation (EU) 2024/1624,  
obliged entities shall take risk-sensitive measures to obtain the following information:  
a.  
in relation to the purpose and economic rationale of the occasional transaction or  
business relationship, obtain information on why the customer has chosen the obliged  
entities’ products or services, the value and benefits expected from the occasional  
transactions or business relationship or why the transaction will be conducted.  
b.  
in relation to the estimated amount of the envisaged activities, obtain information on  
the estimated amount of funds to be deposited and understand the anticipated number,  
size, volume and frequency of incoming and outgoing transactions that are likely to be  
executed during the business relationship or occasional transactions as well as the  
category of funds that such transactions relate to.  
c.  
in relation to the source of funds, information on the activity that generated the funds  
and the means through which the customer’s funds were transferred, which includes  
employment income, including salary, wages, bonuses and other compensation from  
employment, pension or retirement funds and government benefits including social  
benefits and grants, business revenue, savings, loans and investments income,  
inheritance and gifts, sales of assets and legal settlements.  
d.  
in relation to the destination of funds, information on the expected types of recipient(s),  
including information about the jurisdiction where the transactions are to be received,  
and intermediaries used.  
e.  
in relation to the business activity or the occupation of the customer, information on the  
customer’s sector, including the industry, operations, products and services, including  
whether they are a regulated or an obliged entity or whether they are actively engaged  
in business, their key stakeholders, geographical presence, revenue streams and, where  
applicable, information on their employment status whether employed, unemployed,  
self-employed or retired.  
Section 3: Politically Exposed Persons  
Article 17 Identification of Politically Exposed Persons  
1.  
To identify Politically Exposed Persons, a family member or person known to be a close  
associate to Politically Exposed Persons in accordance with Article 20(1)(g) of  
Regulation (EU) 2024/1624, obliged entities shall:  
a.  
identify, before the establishment of the business relationship or the carrying out  
of the occasional transaction, if the customer, the beneficial owner of the  
customer and, where relevant, the person on whose behalf or for the benefit of  
whom a transaction or activity is being carried out, is a politically exposed  
person, a family member or person known to be a close associate; and  
b.  
determine whether existing customers, the beneficial owner of the customer and,  
where relevant, the person on whose behalf or for the benefit of whom a  
transaction or activity is being carried out have become politically exposed  
persons, with a frequency determined on a risk-based approach and at least if  
significant changes in the customer due diligence data occur, such as the nature  
of the customers’ business, employment or occupation; when the obliged entity  
has any indications that the customer, the beneficial owner of the customer and,  
where relevant, the person on whose behalf or for the benefit of whom a  
transaction or activity is being carried out has become a politically exposed  
person, a family member or person known to be a close associate; or if changes  
in the list of prominent public functions published by the EU Commission  
pursuant to Article 43 (5) of the Regulation (EU) 2024/1624 occur.  
2.  
To comply with paragraph 1 of this article, obliged entities shall put in place automated  
screening tools and measures, or a combination of automated screening tools and  
manual checks; unless the size, business model, complexity or nature of the business of  
the obliged entity allows for manual checks only.  
Section 4: Simplified Due Diligence measures  
Article 18 Minimum requirement for the customer identification in situations of lower risk  
1.  
In situations of lower risk, obliged entities shall obtain at least the following information  
to identify the customer and the person purporting to act on behalf of the customer:  
a.  
for a natural person, all names and surnames; place and full date of birth and  
nationalities or, where applicable, statelessness and refugee or subsidiary  
protection status;  
b.  
for a legal entity and other organisations that have legal capacity under national  
law, the legal form and registered name of the legal entity including its  
commercial name, in case it differs from its registered name; the address of the  
registered or official office and the registration number, the tax identification  
number or the legal entity identifier where applicable.  
2.  
Paragraph 1 shall apply also to persons on whose behalf or for the benefit of whom a  
transaction or activity is being conducted.  
Article 19 Minimum requirements for the identification and verification of the beneficial  
owner or senior managing officials in low-risk situations  
In situations of lower risk, the obliged entity may consult one of the following sources for the  
identification of, and use another source from the same list under b. or c. for the purposes of  
verification of the beneficial owner or the senior managing officials:  
a.  
the information registered in the central register or in the company register;  
b.  
the statement or explanation provided by the customer, including their confirmation  
that the data is adequate, accurate and up-to-date, for the purpose of the verification of  
the identity of the beneficial owner or the senior managing officials;  
c.  
any publicly available, reliable sources of information including internet research.  
Article 20 Sectoral simplified measures: Pooled accounts  
Where a credit institution’s customer opens a ‘pooled account’ in order for that customer to  
hold or administer funds that belong to the customer’s own clients, credit institutions fulfil the  
requirement under Article 20(1)(h) of Regulation (EU) 2024/1624 if they are satisfied that the  
customer will provide CDD information and documents on its own clients for whom it  
maintains the pooled account immediately upon their request, and, provided that:  
a.  
the customer is an obliged entity that is subject to AML/CFT obligations in an EU  
Member State or a third country with AML/CFT requirements that are not less robust  
than those required by Regulation (EU) 2024/1624;  
b.  
the customer is effectively supervised for compliance with these requirements;  
c.  
the ML/TF risk associated with the business relationship is low;  
d.  
the credit institution is satisfied that its customer applies robust and risk-sensitive  
customer due diligence measures to its own clients and its clients’ beneficial owners.  
Article 21 Sectoral simplified measures: Collective investment undertakings  
When a collective investment undertaking is acting in its own name, but for the benefit of its  
underlying investors through another intermediary credit or financial institution, it may fulfil  
the requirement under Article 20(1)(h) of Regulation (EU) 2024/1624 by being satisfied that  
the intermediary will provide CDD information and documents on the underlying investors  
immediately upon their request, and provided that:  
a.  
the intermediary is subject to AML/CFT obligations in an EU Member State or in a  
third country that has AML/CFT requirements that are not less robust than those  
required by Regulation (EU) 2024/1624;  
b.  
the intermediary is effectively supervised for compliance with these requirements;  
c.  
the risk associated with the business relationship is low;  
d.  
the fund or fund manager is satisfied that the intermediary applies robust and risk-  
sensitive CDD measures to its own customers and its customers’ beneficial owners.  
Article 22 - Customer identification data updates in low-risk situations  
1.  
Where, in cases of low ML/TF risk, obliged entities reduce the frequency of customer  
identification updates as referred to in Article 33(1) point (b) of Regulation (EU)  
2024/1624, obliged entities shall monitor the relationship to be satisfied that:  
a.  
there is no change in the relevant circumstances of the customer;  
b.  
no trigger event took place which would require an information update; and  
c.  
there are no unexpected transactions, or activities that could be inconsistent  
with a low-risk relationship.  
2.  
Obliged entities shall take the measures necessary to ensure that they hold up-to-date  
customer identification data at all times, and that they update the information they hold  
on customers onboarded before this Regulation applied within 5 years after the  
application date of this Regulation.  
Article 23 Minimum information to identify the purpose and intended nature of the business  
relationship or occasional transaction in low-risk situations  
To identify the purpose and intended nature of the business relationship or occasional  
transaction in line with Article 33(1) point (c) of Regulation (EU) 2024/1624, obliged entities  
shall, at minimum, take risk-sensitive measures to understand why the customer has chosen the  
obliged entities’ products and services, the source of the funds used in the business relationship  
or occasional transaction, and how the customer plans to use the products or services provided,  
including where applicable the estimated amounts flowing through the account.  
Section 5: Enhanced Due Diligence measures  
Article 24 - Additional information on the customer and the beneficial owners  
The additional information obliged entities obtain on the customer and the beneficial owners  
to comply with the enhanced due diligence requirement in Article 34(4) point (a) of Regulation  
(EU) 2024/1624, shall, at least:  
a.  
enable the obliged entity to verify the authenticity and accuracy of the information on  
the customer and the beneficial owner or the ownership and control structure of the  
customer other than a natural person;  
b.  
enable the obliged entity to assess the reputation of the customer and the beneficial  
owner;  
c.  
enable the obliged entity to assess the ML/TF risk associated with the customer’s or  
beneficial owner’s past and present business activities; and/or  
d.  
in case the obliged entity has reasonable grounds to suspect criminal activity, enable  
the obliged entity to obtain a more holistic view on ML/TF risks by obtaining  
information on family members, persons known to be a close associate or any other  
close business partners or associates of the customer or the beneficial owner.  
Article 25 Additional information on the intended nature of the business relationship  
1.  
The additional information obliged entities obtain on the intended nature of the business  
relationship, in accordance with Article 34(4) point (b) of Regulation (EU) 2024/1624,  
shall, at least:  
a.  
enable the obliged entity to verify the legitimacy of the destination of funds,  
which may include information from authorities and other obliged entities;  
b.
enable the obliged entity to verify the legitimacy of the expected number, size,
volume and frequency of transactions that are likely to pass through the account,
as well as their recipient(s); and/or,
c.
enable the obliged entity to understand the nature of the customer’s or, where
necessary, beneficial owner’s business, which may consist of more information
on the customer's key customers, contracts and business partners or associates
in order to enhance the obliged entities’ understanding of the ML/TF risk
exposure of these relationships.
Article 26 Additional information on the source of funds, and source of wealth of the
customer and of the beneficial owners
1.  
The additional information obliged entities obtain on the source of funds, and source of  
wealth of the customer and of the beneficial owners, in accordance with Article 34(4)  
point (c) of Regulation (EU) 2024/1624 shall enable obliged entities to verify that the  
source of funds or source of wealth is derived from lawful activities. This information  
shall consist of one or more of the following evidence:  
a.  
in relation to proof of income: tax returns or original or certified copies of recent  
pay slips or employment documentation, specifying at least the salary, signed  
by the employer or other official income statements,  
b.
certified copies of audited accounts, investment documentation or loan
agreements,
c.
in case of immovable property, public deeds or abstract from the land or resident
registry,
d.
in case of assets stemming from inheritance, the public official documentation,
for gifts or legal settlements documentation provided by a certified independent
professionals or public authority,
e.
original or certified copy of a grant of probate,
f.
an original or certified copy of contract of sale or written confirmation of sale,
g.  
any other authenticatable documentation from independent and reliable sources  
providing a high degree of reassurance that the customer’s and beneficial  
owners’ source of funds, and source of wealth are not the proceeds of criminal  
activity and consistent with the obliged entities’ knowledge of the customer and  
the nature of the business relationship.  
Article 27 Additional information on the reasons for the intended or performed transactions  
and their consistency with the business relationship  
The additional information obliged entities obtain on the reasons for the intended or performed  
transactions and their consistency with the business relationship, in accordance with Article  
34(4) point (d) of Regulation (EU) 2024/1624 shall at least enable the obliged entity to:  
a.  
verify the accuracy of the information for why the transaction was intended or  
conducted including the legitimacy of its intended outcome;  
b.  
assess the consistency of the overall transactions made during the business relationship  
with the activities carried out and the customer’s turnover, especially in the case of  
economic activities characterised by the use of assets representing higher risks;  
c.
assess the legitimacy of the parties involved in the transaction, including any
intermediaries, and their relationship with the customer; and/or
d.
obtain a deeper understanding of the customer or the beneficial owner in case the
obliged entity has reasonable grounds to suspect criminal activity including information
on family members, persons known to be a close associate or any other close business
partners or associates.
Section 6: Targeted Financial Sanctions  
Article 28 Screening of customers  
To comply with Article 20(1)(d) of Regulation (EU) 2024/1624, obliged entities shall apply  
screening measures to their customers and to all the entities or persons which own or control  
such customers.  
Article 29 Screening requirements  
For the purposes of Article 28, obliged entities shall:  
a.  
screen, through automated screening tools or solutions, or a combination of automated  
screening tools and manual checks, unless the size, business model, complexity or  
nature of the business of the obliged entity allows for manual checks only, at least the  
following customer information:  
i.  
in the case of a natural person: all the first names and surnames, in the original  
and/or transliteration of such data; and date of birth;  
ii.
in the case of a legal person: the name of the legal person, in the original and/or
transliteration of such data;
iii.
in the case of a natural person, legal person, body or entity: any other names,
aliases, trade names, wallet addresses, where available in the lists of targeted
financial sanctions;
iv.  
in the case of a legal person: beneficial ownership information.  
b.
in case of a match, check the information under point a) against all available due
diligence information on the customer or on the beneficial owner to determine if a
person is the intended target of the targeted financial sanctions. In case of doubt, the
obliged entity shall refer to all other sources available to them, including public sources
of information, such as registers of owned and controlled entities and the central
registers.
c.
screen their customers and beneficial owners regularly, at least in the following
situations:
i.  
during customer onboarding or before entering into a business relationship or  
performing an occasional transaction;  
ii.
when there is a change in any of the existing designations, or a new designation
is made in line with Article 26(4) of Regulation (EU) 2024/1624;
iii.
if significant changes occur in the customer due diligence data of an existing
customer, or beneficial owner, such as but not limited to change of name,
residence, or nationality or change of business operations.
d.  
ensure the screening as well as the verification is performed using updated targeted  
financial sanctions lists without undue delay.  
Section 7: Risk factors associated with features of electronic money instruments  
Article 30- Risk reducing factors  
Supervisors shall consider the following risk reducing factors when determining the extent of  
the exemption under Article 19(7) Regulation (EU) 2024/1624:  
a.
The payment instrument has low thresholds to limit transaction values;
b.
The payment instrument is funded in a way that the issuer can verify that the funds
originate from an account held and controlled solely or jointly by the customer at an
EEA-regulated credit or financial institution;
c.
The payment instrument is issued at a nominal or no charge;
d.
The payment instrument can be only used to acquire a very limited range of goods or
services;
e.  
The payment instrument is valid only in a single Member State provided at the request  
of an undertaking or a public sector entity and regulated by a national or regional public  
authority for specific social or tax purposes to acquire specific goods or services from  
suppliers having a commercial agreement with the issuer;  
f.  
The low value transactions are executed by an obliged entity that apply customer due  
diligence measures and record-keeping requirements laid down in Regulation (EU)  
2024/1624;  
g.
The payment instrument has a specific and limited duration in which the payment
instrument can be used;
h.
The payment instrument is available only through direct channels which may include
the issuer or a network of service providers and, in case of online or non-face-to-face
distributions, possess adequate safeguards, including electronic signatures, and
anti-impersonation fraud measures;
i.
Distribution is limited to intermediaries that are themselves obliged entities apply
customer due diligence measures and record-keeping requirements laid down in
Regulation (EU) 2024/1624;
j.
The payment instrument is only distributed across or available in the Union;
k.
The issuer applies adequate tools, including geo-fencing and IP tracking, to restrict
access from, transfers to or receiving funds from non-EU countries.
Section 8: Electronic identification means and relevant qualified trust services
Article 31- Electronic identification means and relevant qualified trust services
1.
The corresponding list of attributes that electronic identification means and qualified
trust services are required to feature in accordance with Article 22(6) point (b) of
Regulation (EU) 2024/1624 in order to fulfil the requirements of Article 20(1) points
(a) and (b) and Article 22(1) of that Regulation, in the case of standard and enhanced
due diligence, is laid down in Annex I. Where simplified due diligence is to be applied,
the electronic identification means and relevant qualified trust services should have the
corresponding attributes laid down in Annex I that allow compliance with Section 4.
2.
Obliged entities may consider additional attributes to assist in the unambiguous
identification and verification of the customer or beneficial owner if justified by the
ML/TF risk associated with the customer or beneficial owner.
3.
Where an electronic identification means or qualified trust service does not possess all
attributes that allow the identification and verification of the customer or beneficial
owner, as required in Article 22(1) of Regulation (EU) 2024/1624 or Section 4 of this
Regulation, the obliged entity shall take steps to obtain and verify the missing attributes
through other means in line with Article 22(6).
4.  
Obliged entities may consider putting in place enhanced measures to complement the  
mitigation of ML/TF risks, including the use of higher assurance levels or  
complementing electronic identification means with qualified trust services.  
Article 32 Entry into force  
This Regulation shall enter into force on the twentieth day following that of its publication in  
the Official Journal of the European Union.  
Article 23(1) shall apply to already existing customers and new customers to be onboarded  
after the entry into force of this Regulation. For already existing customers the information  
referred to in Article 23(1) shall be updated in a risk-based manner but no later than 5 years  
after entry into force of this Regulation.  
This Regulation shall be binding in its entirety and directly applicable in all Member States.  
Done at Brussels,  
For the Commission  
The President  
[For the Commission  
On behalf of the President  
[Position]  
ANNEX I  
Article 22(1) | Minimum corresponding attributes [8]
(a) for a natural person (i) all names and surnames | family_name; given_name
(ii) place and full date of birth | birth_date; birth_place
(iii) nationalities, or statelessness and refugee or subsidiary protection status where applicable, and the national identification number, where applicable | nationality; Other existing attributes covering statelessness and refugee or subsidiary protection status (where applicable); personal_administrative_number (where applicable)
(iv) the usual place of residence or, if there is no fixed residential address with legitimate residence in the Union, the postal address at which the natural person can be reached and, where available the tax identification number | resident_country; resident_state; resident_city; resident_postal_code; resident_street; resident_house_number; resident_address; Other existing attributes covering the tax identification code (where available)
current legal name  
Other existing attributes covering  
legal form  
(b) for a legal entity  
(i) legal form and name of the legal entity  
a unique identifier constructed by  
the sending Member State in  
accordance with the technical  
specifications for the purposes of  
cross-border identification and  
which is as persistent as possible in  
time  
current address  
Other existing attributes covering  
additional addresses  
Other existing attributes covering the  
country of creation  
Other existing attributes covering the  
names of the legal representatives of  
the legal entity  
Legal Entity Identifier (LEI) (where  
available)  
VAT registration number or tax  
reference number (where available)  
(ii) address of the registered or official  
office and, if different, the principal place  
of business, and the country of creation  
(iii) the names of the legal representatives  
of the legal entity as well as, where  
available, the registration number, the tax  
identification number and the Legal  
Entity Identifier  
8 Based on COMMISSION IMPLEMENTING REGULATION (EU) 2024/2977 of 28 November 2024 laying down rules for  
the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards person  
identification data and electronic attestations of attributes issued to European Digital Identity Wallets  
Other existing attributes covering the  
registration number (where available)  
Other existing attributes covering the  
names of persons holding shares or a  
directorship position in nominee form,  
including reference to their status as  
nominee shareholders or directors  
(iv) the names of persons holding shares  
or a directorship position in nominee  
form, including reference to their status as  
nominee shareholders or directors  
4.4 Draft RTS under Article 53(10) of the AMLD6 on pecuniary  
sanctions, administrative measures and periodic penalty  
payments  
COMMISSION DELEGATED REGULATION (EU) …/...  
of XXX  
on supplementing Directive (EU) 2024/1640 of the European Parliament and of the  
Council with regard to regulatory technical standards specifying indicators to classify  
the level of gravity of breaches, criteria to be taken into account when setting the level  
of pecuniary sanctions or applying administrative measures and the methodology for  
the imposition of periodic penalty payments for the purposes of Article 53(10)  
(Text with EEA relevance)  
THE EUROPEAN COMMISSION,  
Having regard to the Treaty on the Functioning of the European Union,  
Having regard to Directive (EU) 2024/1640 of the European Parliament and of the Council of  
31 May 2024 on the mechanisms to be put in place by Member States for the prevention of the  
use of the financial system for the purposes of money laundering or terrorist financing,  
amending Directive (EU) 2019/1937, and amending and repealing Directive (EU) 2015/849,
and in particular Article 53 (10), first subparagraph points (a), (b) and (c) hereof,  
Whereas:  
(1)  
Supervisors need to have a common understanding of the gravity of breaches to ensure  
harmonisation across Member States regarding the breaches for which pecuniary  
sanctions and administrative measures are imposed. For that purpose, this Regulation  
sets out a list of indicators that supervisors should take into account when assessing the  
level of gravity of breaches as well as a classification of the level of gravity of breaches  
into four categories of increased severity.  
(2)  
When determining the level of gravity of breaches, and classifying them into the four  
categories, supervisors should take into account all applicable indicators and make an  
overall assessment of those indicators, using their supervisory judgement, to analyse  
whether and to what extent they are met. Similarly, when setting the level of pecuniary  
sanctions and applying administrative measures, supervisors should take into account  
all applicable criteria and make an overall assessment of those criteria using their  
supervisory judgement. This is to ensure convergence and consistency across Member  
States while at the same time enabling supervisors to take into account the specific  
context in which the breach has occurred. Supervisors should ensure that their  
supervisory judgment is coherent and consistent, with comparable outcomes.  
(3)
To ensure a consistent approach to assessing the severity of a breach across Member
States, this Regulation also sets out specific situations in which, when some indicators
are met or have a certain impact on the obliged entity, the breach should be classified
in a certain category. The specific situations set out in this Regulation do not prevent
supervisors from classifying other breaches in those categories.
(4)
An important indicator to assess the level of gravity of breaches is the conduct of the
natural or legal person, including its senior management and management body in its
supervisory function. Supervisors should consider whether a breach was committed
intentionally or negligently. Supervisors should pay particular attention to those
situations where the natural or legal person appears to have had knowledge of the breach
and took no action, or whether they have taken a course of actions directed at generating
the breach.
(5)  
Some administrative measures are more severe than others. To ensure a harmonised  
approach across Member States, it appears necessary to set out common criteria for  
supervisors to take into account when considering the need to apply the more severe  
administrative measures which are the ones listed under points (e), (f), and (g) of Article  
56(2) of Directive (EU) 2024/1640, including the withdrawal or suspension of the  
authorisation.  
(6)
Supervisors should take into account all relevant factors when determining the
appropriate and proportionate amount of periodic penalty payments on obliged entities
and natural persons to compel them to comply with the imposed administrative
measures.
(7)
The decision on the imposition of periodic penalty payments should be taken on the
basis of findings which allow the supervisor to conclude that an obliged entity or natural
person has failed within a specified period to comply with an imposed administrative
measure.
(8)
Decisions to impose periodic penalty payments should be based exclusively on grounds
on which the obliged entity or natural person has been able to exercise its right to be
heard.
(9)
The periodic penalty payments imposed should be effective and proportionate, having
regard to the circumstances of the specific case. Supervisors should be in the position
to impose a periodic penalty payment as of the date of the application of the
administrative measure.
(10) For the purposes of ensuring legal certainty, if not stipulated otherwise by this  
Regulation, provisions of law applicable in the Member State where the periodic  
penalty payment is imposed and collected, should apply.  
(11) This Regulation is based on the draft regulatory technical standards submitted to the  
Commission by the Authority for Anti-Money Laundering and Countering the  
Financing of Terrorism,  
HAS ADOPTED THIS REGULATION:  
Section 1 Indicators for the classification of the gravity of breaches  
Article 1 - Indicators to classify the level of gravity of breaches  
In order to classify the level of gravity of a breach, supervisors shall take into account all of  
the following indicators, where applicable:  
(a)
the duration of the breach;
(b)
the repetition of the breach;
(c)
the conduct of the natural or legal person that led or permitted the breach;
(d)
the impact of the breach on the obliged entity, by assessing:
i.  
whether the breach concerns the entity on its own, whether it has an impact at  
the group level or any cross-border impact;  
ii.
the extent to which the products and services and approximate number of
customers are affected by the breach;
iii.
the extent to which the effectiveness of the AML/CFT systems, controls and
policies are affected by the breach;
(e)
the impact of the breach on the exposure of the obliged entity, or of the group to which
it belongs, to money laundering and terrorist financing risks;
(f)
the nature of the breach by assessing the AML/CFT requirements to which the breach
is related such as whether the breach is related to internal policies, procedures and
controls of the obliged entity, customer due diligence, reporting obligations or record
retention;
(g)
whether the breach could have facilitated or otherwise led to criminal activities as
defined in Article 2(1) point 3 of Regulation (EU) 2024/1624;
(h)
whether there is a structural failure within the obliged entity with regard to AML/CFT
systems and controls and policies or a failure of the entity to put in place adequate
AML/CFT systems and controls;
(i)
the actual or potential impact of the breach on the financial viability of the obliged
entity or of the group to which the obliged entity belongs;
(j)
the actual or potential impact of the breach:
i.  
on the integrity, transparency and security of the financial system of a Member  
State or of the Union as a whole, or on the financial stability of a Member State  
or of the Union as a whole;  
ii.  
on the orderly functioning of the financial markets;  
(k)
the systematic nature of the breach;
(l)
any other indicator identified by the supervisors.
Article 2 - Classification of the level of gravity of breaches  
1.  
When classifying the level of gravity of a breach, supervisors shall use four categories  
as follows, by increased order of severity: category one, category two, category three,  
category four.  
2.
In order to classify the breaches in one of the four categories listed in paragraph 1,
supervisors shall assess whether and to what extent all the applicable indicators of
Article 1 of this Regulation are met. Supervisors may classify under those categories
other breaches than the ones dealt with in paragraphs 3 to 6.
3.
Where for indicators d) and e) of Article 1 there is no direct impact on the obliged entity
or the impact is minor and at the same time the breach has lasted for a short period of
time and has been committed on a non-repetitive basis, and none of the indicators g) to
k) of Article 1 are met, supervisors shall classify the breach as category one.
4.
Where for indicators d) and e) of Article 1 the impact is moderate and none of the
indicators g) to k) of Article 1 are met, supervisors shall classify the breach as category
two.
5.
Where for indicators d) and e) of Article 1 the impact is significant and at the same time
the breach has persisted over a significant period of time or it has occurred repeatedly
or is of a systematic nature, supervisors shall classify the breach at least as category
three.
6.
Supervisors shall classify the breach as category four where for indicators d) and e) of
Article 1 the impact is very significant or where indicator h) is met. They shall also
classify the breach as a category four where for indicator g), the breach has facilitated
or otherwise led to significant criminal activities as defined in Article 2(1) point 3 of
Regulation (EU) 2024/1624 and/or for indicator i) or j) the breach has a significant
impact.
7.
Breaches which are not considered as category three or category four when assessed in
isolation could, when considered in combination, amount to a breach of category three
or four.
Article 3 - Legal effect of the classification of level of gravity of breaches  
A breach with a level of gravity classified as category three or four in accordance with Article  
2 shall be deemed serious, repeated or systematic in the meaning of Article 55(1) of Directive  
(EU) 2024/1640.  
Section 2 Criteria to be taken into account when setting the level of pecuniary sanctions  
and applying the administrative measures listed under this Regulation  
Article 4 Criteria to be taken into account when setting the level of pecuniary sanctions  
1.
In addition to the indicators considered as part of the level of gravity of the breach as
set out in Article 1 and 2, supervisors shall, when taking into account the circumstances
referred in Article 53(6) of Directive (EU) 2024/1640, to set the level of pecuniary
sanctions take into account the criteria as specified in paragraphs 2 to 6.
2.
The level of pecuniary sanctions shall decrease taking into account all the following
criteria where applicable:
(a)
the level of cooperation of the natural or the legal person held responsible with
the supervisor and whether the natural or the legal person has quickly and
effectively brought the complete breach to the supervisor’s attention or whether
it has actively and effectively contributed to the investigation of the breach
conducted by the supervisor.
(b)
the conduct of the natural or the legal person held responsible since the breach
has been identified either by the natural or legal person itself or by the
supervisor, and whether the natural or legal person held responsible has taken
effective and timely remedial actions to end the breach or has taken voluntary
adequate measures to effectively prevent similar breaches in the future.
(c)
any other criteria identified by the supervisor.
3.  
The level of pecuniary sanctions shall increase taking into account all the following  
criteria where applicable:  
(a)  
the level of cooperation of the natural or the legal person held responsible with  
the supervisor and whether it has not cooperated with the supervisor, did not  
disclose to the supervisor anything the supervisor would have reasonably  
expected, took actions aiming at concealing partially or fully the breach to the  
supervisor or at misleading the supervisors.  
(b)  
the conduct of the natural or the legal person held responsible since the breach  
has been identified either by the entity itself or by the supervisor and the absence  
of remedial actions or measures taken to prevent breaches in the future;  
(c)
the degree of responsibility of the natural or legal persons held responsible and
whether the breach was committed intentionally;
(d)
the benefit derived from the breach insofar as it can be determined and whether
the natural or legal person held responsible has benefited or could benefit either
financially or competitively from the breach or avoid any loss;
(e)
the losses to third parties caused by the breach, insofar as they can be
determined, the loss or risk of loss caused to customers or other market users;
(f)
the previous breaches by the natural or the legal person held responsible and
whether the supervisor has imposed any previous sanction including concerning
a similar breach or has previously requested to take remedial action concerning
an AML/CFT breach, and whether such action has not been taken in the time
requested;
(g)  
any other criteria identified by the supervisor.  
4.
In addition to the criteria set out in paragraphs 1 and 2, when setting the level of
pecuniary sanctions for natural persons which are not themselves obliged entities,
supervisors shall take into account where applicable, their role in the obliged entity and
the scope of their functions.
5.
When setting the level of pecuniary sanctions, supervisors shall take into account the
financial strength of the legal person held responsible, including where applicable in
the light of its total annual turnover, information from the financial statements and
information from prudential authorities on the level of regulatory capital and liquidity  
requirements.  
6.  
When setting the level of pecuniary sanctions, supervisors shall take into account the  
financial strength of the natural persons held responsible, including where applicable  
its annual income (fixed and variable remuneration).  
Article 5 - Criteria to be taken into account when applying the administrative measures listed  
under this Regulation  
1.  
In addition to the indicators considered as part of the level of gravity of the breach as  
set out in Article 1 and 2, supervisors shall, when taking into account the circumstances  
referred in Article 53(6) of Directive (EU) 2024/1640 in order to decide which type of  
administrative measure to impose, take into account the criteria as specified in  
paragraphs 2 to 4.  
2.  
When considering whether to restrict or limit the business, operations or network of  
institutions comprising the obliged entity, or requiring the divestment of activities as  
referred to in Article 56(2) (e) of Directive (EU) 2024/1640, supervisors shall take into  
account all the following criteria where applicable:  
(a)
the gravity is classified in category three or four;
(b)
whether such measure would mitigate or prevent the actual impact or potential
impact referring to indicators e), g), i) or j) of Article 1 of this Regulation;
(c)
the extent to which the business, operations or network of institutions
comprising the obliged entity are affected by the breach or the potential breach;
(d)
the extent to which the measure could have a negative impact on customers or
stakeholders;
(e)
any other criteria identified by the supervisor.
3.  
When considering whether to withdraw or suspend an authorisation as referred to in  
Article 56(2) (f) of Directive (EU) 2024/1640, supervisors shall take into account all  
the following criteria where applicable:  
(a)  
the gravity is classified in category three or four;  
(b)  
whether such measure would mitigate or prevent the actual impact or potential  
impact referring to indicators e), g), i) or j) of Article 1 of this Regulation;  
(c)  
the conduct of the natural or legal person held responsible;  
(d)  
whether there is a structural failure within the obliged entity, with regard to  
AML/CFT systems and controls and policies or a failure of the entity to put in  
place adequate AML/CFT systems and controls;  
(e)  
any other criteria identified by the supervisor.  
4.  
When considering the need for a change in the governance structure as referred to in  
Article 56(2) (g) of Directive (EU) 2024/1640, supervisors shall take into account all  
the following criteria where applicable:  
(a)  
the gravity is classified in category 3 or 4;  
(b)  
the conduct of the natural or legal person held responsible;  
(c)  
the natural or legal person held responsible has not cooperated with the  
supervisor or took actions aiming at concealing partially or fully the breach to  
the supervisor or at misleading the supervisor, or the absence of remedial actions  
since the breach has been identified either by the natural or legal person held  
responsible or by the supervisor;  
(d)  
the internal policies, procedures and controls put in place by the obliged entity  
are ineffective;  
(e)  
any other additional information, where appropriate, including information from  
financial intelligence unit, from a prudential supervisor or any other authority  
or from a judiciary authority.  
Section 3 Methodology for the imposition of periodic penalty payments pursuant to  
Article 57 of the AMLD  
Article 6 - General provision  
1.  
Unless otherwise stipulated by this Regulation and Directive (EU) 2024/1640, the  
administrative process of imposition and collection of periodic penalty payments as set  
out in Article 57 of the Directive (EU) 2024/1640 shall be governed by provisions  
stipulated by national law in force in the Member State where the periodic penalty  
payments are imposed and collected.  
2.  
References made to Directive (EU) 2024/1640 shall be construed as references to laws,  
regulations and administrative provisions into which Member States shall transpose this  
Directive pursuant to Article 78 thereof.  
Article 7 - Statement of findings and right to be heard  
1.  
Before making a decision to impose a periodic penalty payment pursuant to Article 57  
of the Directive (EU) 2024/1640 supervisors shall submit a statement of findings to the  
natural or legal person held responsible setting out the reasons justifying the imposition  
of the proposed periodic penalty payment and the amount to be used for its calculation.  
2.  
The statement of findings shall set a time limit of up to four weeks within which the  
natural or legal person held responsible may make written submissions.  
3.  
Supervisors shall not be obliged to take into account written submissions received after  
the expiry of that time limit for deciding on the periodic penalty payment.  
4.  
The right to be heard of the natural or legal persons held responsible shall be fully  
respected in the proceedings.  
Article 8 - Decision on periodic penalty payments  
1.  
The decision on the imposition of periodic penalty payments shall be based only on  
facts on which the natural or legal person held responsible has had an opportunity to  
exercise its right to be heard.  
2.  
A decision on the imposition of a periodic penalty payment pursuant to Article 57 of  
the Directive (EU) 2024/1640 shall at least indicate the legal basis, the reasons for the  
decision and the amount that will be used for the calculation of the final accrued amount  
of the periodic penalty payment.  
3.  
When deciding about the amount that will be used for the calculation of the final  
accrued amount of the periodic penalty payment the supervisor shall take into account  
all the following factors:  
a)  
the type and the object of the applicable administrative measure that has not  
been complied with;  
b)  
reasons for the non-compliance with the applicable administrative measure;  
c)  
the losses to third parties caused by the non-compliance with the applicable  
administrative measure, as long as they were determined when the applicable  
administrative measure has been imposed;  
d)  
the benefit derived from the non-compliance with the applicable administrative  
measure, as long as they were determined when the applicable administrative  
measure has been imposed;  
e)  
the financial strength of the natural or legal person held responsible, as long as  
this was determined when the applicable administrative measure has been  
imposed.  
Article 9 - Calculation of periodic penalty payments  
1.  
The amount of the periodic penalty payment can be set on a daily, weekly or monthly  
basis.  
2.  
A periodic penalty payment shall be enforced and collected only for the period of  
non-compliance with the relevant administrative measure referred to in Article 56(2), points  
(b), (d), (e) and (g) of Directive (EU) 2024/1640. The period of non-compliance with  
the relevant administrative measure referred to in Article 56(2), points (b), (d), (e) and  
(g) of Directive (EU) 2024/1640 has to be determined by the supervisor.  
Article 10 - Limitation period for the collection of periodic penalty payments  
1.  
The collection of the periodic penalty payment shall be subject to a limitation period of  
five years. The five years period referred to in paragraph 1 shall start to run on the day  
following that on which the decision setting the final accrued amount of periodic  
penalty payment to be paid, is notified to the natural or legal person held responsible.  
2.  
The limitation period for the collection of periodic penalty payments can be interrupted  
or suspended in compliance with provisions stipulated by national law in force in the  
Member State where the periodic penalty payments are collected.  
Article 11 - Entry into Force and application date  
This Regulation shall enter into force on the twentieth day following that of its publication in  
the Official Journal of the European Union.  
It shall apply from 10 July 2027.  
This Regulation shall be binding in its entirety and directly applicable in all Member States.  
Done at Brussels,  
For the Commission  
The President  
[…]  
On behalf of the President  
[…]  
[Position]  
5. Accompanying documents  
5.1 Draft cost-benefit analysis / impact assessment RTS under  
Article 40(2) of the AMLD on the assessment of obliged entities’  
risk profile  
A. Problem identification  
Between 2018 and 2024, EBA staff reviewed the approach to AML/CFT supervision of all supervisors  
responsible for supervising the banking sector. The EBA also published three consecutive opinions on  
the ML/TF risks to which the European financial sector is exposed. The latest opinion was published  
in July 2023. Between 2023 and 2024, EBA staff also carried out a stock take to identify the similarities  
and differences between the approaches to the assessment of ML/TF risks developed by supervisors.  
It found that there was a very low degree of convergence between the approaches put in place by  
supervisors.  
This means that supervisors’ entity-level ML/TF risk assessments are not comparable, which impedes  
AML/CFT supervisory convergence at the EU level and creates significant costs for institutions that  
operate on a cross-border basis. The EBA highlighted this in its 2020 response to the European  
Commission’s Call for Advice on the future AML/CFT framework.  
B. Policy objectives  
The EU co-legislators acted on the EBA’s advice and included specific provisions in the new AML/CFT  
legal framework that harmonise supervisors’ approaches to assessing entity-level ML/TF risk and  
make comparable outcomes possible. They also mandated AMLA to further specify in a draft RTS the  
steps supervisors must take in this regard.  
In March 2024, the European Commission asked the EBA to advise it on the content of the RTS to be  
developed by AMLA pursuant to Article 40(2) of Directive (EU) 2024/1640.  
In accordance with Article 40(2), the draft RTS must set out:  
-
The benchmarks and methodology to assess and classify the inherent and residual risk profile  
of obliged entities;  
-
The frequency at which these risk profiles must be reviewed.  
Article 40(2) of Directive (EU) 2024/1640 also specifies that the frequency at which the risk profiles  
must be reviewed shall take into account any major events or developments in the management and  
operations of the obliged entity, as well as the nature and size of the business.  
C. Baseline scenario  
Under the current legislative framework, the rules pertaining to such assessment are not harmonised  
at the EU level although common principles exist. These principles are set out in the EBA’s risk-based  
supervision guidelines.  
D. Options considered  
Quantity of data to be collected  
To be able to assess and classify the inherent and residual risk profile of the obliged entities under their supervision,  
supervisors need to collect data from obliged entities and other stakeholders such as prudential  
supervisors and FIUs.  
Regarding the level of granularity and the quantity of data to be collected from these entities and  
other stakeholders when relevant, and taking into account current supervisory practices in EU  
Member States, the EBA considered two options:  
Option 1a: Collecting an extensive set of data from obliged entities and stakeholders that goes  
beyond the data points that are strictly necessary for ML/TF risk assessment purposes.  
Option 1b: Limiting data requests from obliged entities and stakeholders to those that are strictly  
necessary for ML/TF risk assessment purposes.  
Some EU AML/CFT supervisors collect extensive amounts of data to inform their entity-level risk  
assessments. For example, in several cases, annual AML/CFT questionnaires contain more than 500  
data points.  
Collecting an extensive set of data from obliged entities and stakeholders would have the benefit of  
providing supervisors with comprehensive information about all aspects of each institution’s  
operations and controls environment. On the other hand, evidence from the EBA’s implementation  
reviews shows that in most cases, supervisors that obtain extensive data sets do not use all data they  
obtain for the assessment and classification of risks. Feedback from the private sector further suggests  
that requesting extensive sets of data can create significant costs. As the number of data points  
supervisors need, and in practice use, for entity-level ML/TF risk assessment purposes is limited, the  
amount of data collected and required under the draft RTS could thus be limited to that strictly  
necessary for ML/TF risk assessment purposes. Importantly, limiting data points for ML/TF risk  
assessment purposes in this way does not limit supervisors’ right to obtain data for onsite and offsite  
AML/CFT supervision purposes.  
In the short term, because of the material differences between the systems put in place by  
supervisors, the implementation of a harmonised set of data will inevitably lead to changes in the way  
supervisors request that data, for example AML/CFT periodic questionnaires. These changes may be  
significant and mean that entities and stakeholders may need to adapt their IT infrastructure to collect  
and report data that they have not previously collected or reported. However, all participants in the  
EBA’s roundtable suggested that the implementation of a harmonised set of data collected could lead  
to a decrease of entities’ and stakeholders’ costs and to more efficiency. For instance, in the medium  
to long term, they expected that costs would decrease for entities operating in different Member  
States because the same data would be collected in all Member States. Additionally, they pointed out  
that greater harmonisation would be highly beneficial because it was currently difficult to deal with  
different interpretations of specific AML/CFT concepts across Member States. Finally, the amount of  
data collected for future ML/TF risk assessment purposes will generally be lower than what is currently  
collected by the national supervisors. As such, private sector participants strongly supported a move  
to a harmonised risk assessment methodology.  
Based on the above, Option 1b has been chosen as the preferred option and the EBA will propose  
that supervisors limit the data they collect from obliged entities and stakeholders to that which is  
strictly necessary for entity-level ML/TF risk assessment purposes.  
Use of automated scores to assess risks relating to the effectiveness of controls  
All supervisors use objective indicators and automated scores to assess and classify the inherent risks  
to which obliged entities are exposed. As regards the assessment of the quality of the AML/CFT  
controls that obliged entities put in place to effectively mitigate these inherent risks, supervisors have  
implemented different approaches. Some rely entirely on their staff’s professional judgement, while  
others rely on information provided by institutions that feeds an automated controls score. Some  
supervisors use a combination of automated scores and supervisory judgement.  
In line with supervisors’ current practice, and considering both the large number of obliged entities  
in the EU that need to be assessed and the limited resources supervisors have available to carry out  
this assessment, the EBA considers that an automated assessment of inherent risks is necessary. With  
regard to the assessment of the quality of controls, the EBA considered three options:  
Option 2a: Assessing the quality of controls based entirely on professional judgement.  
Option 2b: Assessing the quality of controls based on a two-step process, whereby the control risks  
would be first assessed in an automated manner based on objective criteria and then manually  
adjusted based on professional judgment where necessary.  
Option 2c: Assessing the quality of controls based entirely on an automated score.  
Assessing the quality of controls based entirely on professional judgement based on inspection or  
offsite supervision findings could make the assessment very pertinent to individual institutions.  
Nevertheless, applying professional judgement to all obliged entities would create significant costs  
and may require some supervisors to hire additional staff, in particular in situations where they are  
responsible for the AML/CFT supervision of a large number of obliged entities (several thousands in  
some cases). In addition, the benefits of assessing the quality of AML/CFT controls based on  
professional judgement alone may differ from one obliged entity to another as the extent to which  
this judgement is reliable would depend on the extent to which the underlying information is  
complete and up-to-date; for example benefits could typically be high in cases where an obliged entity  
has recently been subject to intrusive supervision (such as on-site inspections) but they will be reduced  
where obliged entities have not been subject to such actions. As a result, to be effective and  
sufficiently reliable, the steps supervisors would have to take and the resources that they would need  
to deploy to keep professional judgements relevant and up-to-date would not be commensurate with  
the level of ML/TF risk associated with different entities under their supervision. Finally, until the  
common supervision methodology envisaged by Art 8 of the AMLAR is in place and applied, the bases  
on which supervisors arrive at their professional judgement are likely to diverge and make  
comparisons between obliged entities from different Member States more difficult.  
Assessing the quality of controls automatically addresses those concerns but carries a risk that  
mistakes in obliged entities’ submissions or deliberate attempts to frustrate the risk assessment  
process may lead to inadequate outcomes. For this reason, supervisors should be able to override  
automated controls risk scores using professional judgement. To nevertheless ensure a consistent  
approach and comparability of risk scores across EU Member States, such adjustments should be  
possible only in specific circumstances and subject to the application of common criteria.  
Based on the above, Option 2b has been chosen as the preferred option and the draft RTS on risk  
assessment and classification of the risk profile of obliged entities will request supervisors to follow a  
two-step process to assess the quality of the AML/CFT controls, whereby the control risks would be  
first assessed in an automated manner based on objective criteria and then manually adjusted based  
on professional judgment where necessary.  
Level of granularity of the methodology and benchmarks described in the draft RTS  
Article 40(2) of Directive (EU) 2024/1640 provides that the draft RTS must set out the benchmarks and  
methodology to be used to assess and classify the inherent and residual risk profile of obliged entities  
but does not prescribe the extent to which these benchmarks and methodology need to be described.  
In this regard, the EBA considered two options.  
Option 3a: Providing in the RTS a complete description of the algorithm and benchmarks to be used  
to assess and classify the inherent and residual risk profile of obliged entities.  
Option 3b: Providing in the RTS a general description of the methodology and completing it with  
guidance from AMLA to all supervisors, to ensure a consistent application of the methodology.  
A complete description of the algorithm in the RTS would achieve a high level of convergence as the  
detail of the methodology would be set out in directly applicable Union law. However, any changes to  
the methodology would have to take the form of an amendment to the legal text, which is complex  
and takes a long time. Since ML/TF risks are constantly evolving, this would create a risk that  
supervisors may be unable to reflect emerging risks in their risk assessment, which could hamper their  
ability to discharge their functions effectively. For this reason, it would be highly beneficial to ensure  
that the methodology is sufficiently flexible to be adjusted on a continuous basis, as necessary, in such  
a way that it can be adapted to existing ML/TF risks. This could be achieved if the methodology was  
described in the RTS in more general terms and completed by guidance issued by AMLA, to ensure  
that it is applied consistently by all supervisors. Such an approach would allow flexibility to adjust the  
model. Finally, the reporting cost for the private sector is likely to be insignificant, as the full list of  
data points would be included in the RTS and would be unlikely to change frequently.  
Based on the above, Option 3b has been chosen as the preferred option and the draft RTS on risk  
assessment and classification of the risk profile of obliged entities will provide a list of indicators and  
a general description of the methodology that will need to be completed with further guidance from  
AMLA to all supervisors, to ensure a consistent application of the methodology.  
Frequency of the assessment  
Article 40(2) of Directive (EU) 2024/1640 provides that the RTS must set out the frequency at which  
risk profiles must be reviewed and adds that such frequency must take into account any major events  
or developments in the management and operations of the obliged entity, as well as the nature and  
size of the business. Regarding this point, the EBA considered three options.  
Option 4a: set out the following frequencies of review:  
-
Once every year as the normal frequency;  
-
Once every two years as the frequency applying to obliged entities that are particularly small  
or only carry out certain activities justifying a reduced frequency;  
-
Ad hoc review, in a timely fashion, in case of a major event or development in the  
management and operations of an obliged entity.  
Option 4b: set out the following frequencies of review:  
-
At least once every year as the normal frequency;  
-
At least once every three years as the frequency applying to certain obliged entities that are  
particularly small or carry out only certain activities justifying a reduced frequency;  
-
Ad hoc review, in a timely fashion, in the case of a major event or development in the  
management and operations of an obliged entity.  
Option 4c: set out the following frequencies of review:  
-
Once every year as the normal frequency;  
-
Once every two years as the frequency applying to certain obliged entities that are relatively  
small or carry out only certain moderately risky activities;  
-
Once every three years as the frequency applying to certain obliged entities that are  
particularly small or carry out only certain even lower risk activities;  
-
Ad hoc review, in a timely fashion, in the case of a major event or development in the  
management and operations of an obliged entity.  
The frequency of review should be proportionate to the nature and size of the obliged entities. Based  
on the experience of supervisors to date, to ensure that supervisors have an up-to-date understanding  
of the ML/TF risks to which the obliged entities under their supervision are exposed, the normal  
frequency at which risk profiles are reviewed should be once every year. In the case of certain entities,  
however, an annual data collection could be costly with limited added value for supervisors, as the  
ML/TF risk score may not change significantly over time. This could be the case in particular for very  
small obliged entities. This could also be the case for obliged entities that only carry out certain  
activities that justify a less frequent review. Reviewing the profile of these obliged entities once every  
three years rather than once every two years would therefore lead to a significant reduction of the  
cost borne by these obliged entities and by supervisors, without impacting the reliability of the entity’s  
ML/TF risk score.  
The EBA also considered whether collecting data and reviewing entities’ risk profiles once every two  
years rather than once every three years for lower risk obliged entities would be desirable. Feedback  
from supervisors suggests that the benefit to be gained from this approach is limited and that it would  
not significantly alter the understanding supervisors have of the level of ML/TF risk to which obliged  
entities are exposed, as obliged entities that are likely to benefit from this frequency are likely to be  
classified in the lower risk categories and would in any case be supervised with a limited intensity and  
at a limited frequency, in line with a risk-based approach. Furthermore, splitting the group of lower  
risk entities into two groups, one of which would have its risk profile reviewed once every two years  
and the other of which would have its risk profile reviewed once every three years appears to be of  
little interest in comparison to the additional costs and layer of complexity it would introduce to the  
model. In any case, where major events or significant developments in the management and  
operations of an obliged entity are identified, supervisors should review its risk profile ad hoc, as quick  
supervisory action may be warranted. The cost of these reviews for supervisors is unlikely to be  
significant as the occurrence of these types of events will likely be rare.  
Based on the above, Option 4b has been chosen as the preferred option and the draft RTS on risk  
assessment and classification of the risk profile of obliged entities will set out the three following  
frequencies of review: (i) Once every year as the normal frequency; (ii) At least once every three years  
as the frequency applying to certain obliged entities that are particularly small or carry out only certain  
lower risk activities; (iii) Ad hoc review, in a timely fashion, in the case of a major event or development  
in the management and operations of an obliged entity.  
E. Conclusion  
The draft RTS on risk assessment and classification of the risk profile of obliged entities will define the  
benchmarks and methodology to assess and classify the inherent and residual risk profile of obliged  
entities and set the frequency at which these risk profiles must be reviewed. For obliged entities and  
other stakeholders, the draft RTS requirements are not expected to trigger significant costs in the  
medium to long term and the main impact in terms of costs will be on supervisors.  
The EBA notes that such costs will arise in any case as a result of the move to a common risk  
assessment methodology based on provisions in the AMLD6, which clearly request that the draft RTS  
“shall set out the benchmarks and a methodology for assessing and classifying the inherent and  
residual risk profile of obliged entities, as well as the frequency at which such risk profile shall be  
reviewed”. The EBA’s proposed approach nevertheless limits these costs as it reflects the  
proportionality principle and it is likely, in the short term, to bring benefits associated with the  
harmonisation of certain supervisory practices and in the medium- to long term, to bring benefits in  
terms of efficiency savings and reduced costs for reporting entities. Overall, the impact assessment  
on the draft RTS suggests that the expected benefits for supervisors, obliged entities and other  
stakeholders are higher than the incurred expected costs.  
5.2 Draft cost-benefit analysis / impact assessment RTS under  
article 12(7) of the AMLA Regulation, on the methodology for  
selecting credit institutions, financial institutions and groups of  
credit and financial institutions to be directly supervised by the  
AMLA  
A. Problem identification  
A.1 Eligibility assessment  
The AMLA shall treat as eligible those financial sector entities that are operating in six or more  
Member States, either through an establishment or through the freedom to provide services.  
Operations under the freedom to provide services shall be measured, to assess their relevance.  
Considering all operations under the freedom to provide services irrespective of their materiality could  
have unintended consequences. For example, it could discourage the exercise of this freedom because  
being eligible incurs a fee, in accordance with article 77 of the AMLAR. However, assessing the  
materiality of this kind of operations is challenging, as feedback from competent authorities and the  
private sector suggests that data to quantify such operations is rarely recorded or available.  
A.2 Risk assessment  
AMLA shall put together a methodology to assess the ML/TF risk profiles of entities operating in six or  
more Member States. This methodology shall ensure a level playing field between all eligible obliged  
entities. Furthermore, it shall allow AMLA to assign a group-wide ML/TF risk score in cases where the  
obliged entity is a group.  
A level playing field is not currently ensured as supervisory approaches have not yet been harmonised,  
and competent authorities’ ML/TF risk assessments are likely to differ as a result.  
B. Policy objectives  
The main objective of the draft RTS is to:  
(i)  
identify the minimum activities that a credit institution or a financial institution has to carry  
out to be considered as operating under the freedom to provide services in a Member State  
that is different from the one where it is established. In this regard, to ensure an effective and  
proportionate selection process that keeps regulatory burden and cost to a necessary  
minimum, the draft RTS defines a materiality threshold beneath which operations under the  
free provision of services do not count towards an entity’s presence in another Member State.  
(ii)  
develop a risk assessment methodology that allows AMLA to assess and classify the inherent  
and residual risk profile of eligible credit institutions, financial institutions or group of credit  
and financial institutions. To ensure an efficient approach and avoid duplication, this  
methodology should build on competent authorities’ entity-level risk assessments under  
article 40(2) AMLD6. For the first selection round, to obtain comparable entity-level risk  
assessment outcomes in a context where full harmonization of AML/CFT supervisory practices  
is not yet assured, different rules will apply.  
C. Baseline scenario  
Regarding the assessment of the extent to which operations under the freedom to provide services  
are material, there is currently no structured reporting of data by obliged entities to their supervisors.  
Regarding the risk assessment to inform the selection of directly supervised entities, AML/CFT  
supervisory practices are not currently harmonised sufficiently to ensure comparable outcomes. In  
addition to that, the elaboration of a group-wide methodology is challenging, considering the need to  
reflect in a proper way the overall ML/TF risk of the group, avoiding potential distortions of the final  
outcome.  
D. Options considered  
Measurement of the operations under the freedom to provide services  
Article 12(7)a of the AMLAR requires AMLA to develop criteria to identify the “minimum activities” to  
be exercised under the freedom to provide services. Relying on notifications is unlikely to be a reliable  
indicator because it is common for credit or financial institutions to notify their intention to provide  
services under the free provision of services to their financial supervisors without commencing this  
activity in practice. Furthermore, this activity may not represent a major part of an entity’s overall  
operation. Therefore, the EBA considers that a materiality threshold has to be identified. In this regard,  
the EBA has considered three different options.  
Option 1a: Establishing a single threshold, to measure the number of customers  
Option 1b: Establishing thresholds on customers and volumes of transactions, to be met together  
Option 1c: Establishing thresholds on customers and volumes of transactions, to be met  
alternatively  
Putting in place a threshold related to the number of customers under the freedom to provide services  
as the sole measure of materiality could eliminate from the selection entities and sectors with a small  
number of customers that perform a large number of activities in terms of their frequency and their  
value. Basing the materiality assessment on numbers of customers alone is therefore unlikely to be  
sufficient in all cases. For the same reason, putting in place a threshold for material volumes of  
transactions alone, or cumulative indicators of customer and volume thresholds, could eliminate from  
the selection potentially relevant cases. This suggests that setting out metrics on customers and  
volumes of transactions and considering them as alternative measures would allow AMLA to capture  
all possible ways in which an entity can provide services across borders without an establishment in a  
material way.  
As regards the values of the thresholds, the proposed approach is to set the number of  
customers at 20,000 and the volume of transactions at 50,000,000 Euro per Member State, respectively.  
The advantage of the proposed approach is that it is proportionate to the size of an institution and its  
financial capacity. This is because being eligible for selection carries a fee, which may  
disproportionately affect smaller institutions, especially if they do not present high ML/TF risks.  
Based on the above, the Option 1c has been chosen as the preferred option and the draft RTS under  
article 12(7) of the AMLA Regulation, on the methodology for selecting credit institutions, financial  
institutions and groups of credit and financial institutions to be directly supervised by the AMLA will,  
for the purpose of measuring the operations under the freedom to provide services, establish  
thresholds on customers and volumes of transactions, to be met alternatively.  
Calculation of the residual risk at the entity level  
Considering the synergies between the methodology for the selection under Article 12 (7) of the  
AMLAR and the methodology for risk assessment under article 40 (2) of the AMLD6, the former should  
build on the latter. However, the methodology under Article 40 of the AMLD6 envisages that  
competent authorities may apply manual adjustments to the control risk score based on qualitative  
assessments of an obliged entity’s internal control system, to the extent that this information is  
available to supervisors. Considering the need to ensure the highest degree of comparability of the  
results of this risk assessment across Member States, and the current state of convergence of  
supervisory practices in the EU, three different options have been considered by the EBA.  
Option 2a: Using the same methodology for the RTS under article 12(7) and the RTS under article  
40(2) of AMLD6 since the first selection round.  
Option 2b: Elaborating two different methodologies, one for RTS under article 12(7) AMLAR and  
one for the RTS under article 40(2) of AMLD6.  
Option 2c: Using the same methodology for the RTS under article 12(7) AMLAR and for the RTS  
under article 40(2) of AMLD6, with limited differences to ensure maximum harmonization and, for  
the first round of selection, adopting a divergent approach on the exercise of supervisory judgement  
for the determination of the controls quality score.  
Having a single methodology in place for article 40(2) of AMLD 6 and article 12(7)(b) of AMLAR would  
reduce the reporting burden on obliged entities. On the contrary, choosing an option where two  
different methodologies have to be applied, one for the purpose of risk assessment under article 40(2)  
AMLD6 and one for the purpose of selection would require eligible obliged entities to provide data  
twice, using potentially different datapoints and timelines. This suggests that using the same  
methodology for the assessment of ML/TF risk under both Article 40 of the AMLD6 and Article 12 of  
the AMLAR would be preferable from an efficiency and effectiveness perspective. However,  
considering the need to ensure a full harmonization and comparable outcomes, some differences are  
envisaged with regard to the calculation of the inherent risk for the selection methodology.  
Since the level of divergence of current AML/CFT supervisory practices across the EU is likely to lead  
to different assessments, by supervisors, of the quality of an entity’s AML/CFT controls, the adoption  
of a divergent approach for the first round of selection that minimises the impact of supervisory  
judgement on the calculation of that score could lead to more harmonised and comparable outcomes  
since the first round.  
Based on the above, the Option 2c has been chosen as the preferred option and the draft RTS under  
article 12(7) of the AMLA Regulation, on the methodology for selecting credit institutions, financial  
institutions and groups of credit and financial institutions to be directly supervised by the AMLA will,  
for the calculation of the residual risk at the entity level, use the same methodology for the RTS under  
article 12(7) AMLAR and for the RTS under article 40(2) of AMLD6, with limited differences to ensure  
maximum harmonization and, for the first round of selection, adopt a divergent approach on the  
exercise of supervisory judgement for the determination of the controls quality score.  
Risk assessment of groups  
Article 12 of the AMLAR requires AMLA to assign a group-wide residual ML/TF risk score in case of  
groups of credit and financial institutions. Regarding the computation of this group score, the EBA  
considered two options.  
Option 3a: Calculating the group score as a weighted average of all group entities’ individual ML/TF  
risk scores  
Option 3b: Assessing the whole group score as high ML/TF risk in case a certain number of the  
group’s entities are high ML/TF risk  
Calculating the group ML/TF risk score based on the weighted average of all entities’ individual risk  
scores would consider the individual relevance of each of the group’s entities compared to the whole  
group. On the other hand, setting a specific numerical threshold for treating the whole group as high  
risk in case a specific number of its entities have been assessed as high risk could exclude from the  
selection groups where the number of high-risk entities is inferior to the threshold set by the  
methodology, but where the high-risk entities significantly impact the group’s operation. In terms of  
costs, aligning the selection with the level of operations (which can be correlated with larger financial  
strength) should also lead to selecting groups for which high risk is coming from entities with larger  
financial strength.  
Based on the above, the Option 3a has been chosen as the preferred option and the draft RTS under  
article 12(7) of the AMLA Regulation, on the methodology for selecting credit institutions, financial  
institutions and groups of credit and financial institutions to be directly supervised by the AMLA will  
define the calculation of the group risk score as a weighted average of all group entities’ ML/TF risk  
scores.  
E. Conclusion  
The draft RTS under article 12(7) of the AMLA Regulation on the methodology for selecting credit  
institutions, financial institutions and groups of credit and financial institutions to be directly  
supervised by the AMLA will identify the minimum activities to be carried out by a credit institution or  
a financial institution for it to be considered as operating under the freedom to provide services in a  
Member State that is different from the one in which it is established. It will also include a risk  
assessment methodology that allows the inherent and residual risk profile of credit institutions,  
financial institutions and groups of credit and financial institutions to be assessed and classified based on the  
methodology national supervisors will apply to assess entity-level ML/TF risk. For obliged entities, the  
draft RTS is not expected to create significant costs. The main costs will be borne by competent  
authorities and stem to a large extent from underlying requirements in the AMLAR, which state that  
the draft RTS has to specify (a) the minimum activities to be carried out by a credit institution or a  
financial institution under the freedom to provide services, whether through infrastructure or remotely,  
for it to be considered as operating in a Member State other than that where it is established; (b) the  
methodology based on the benchmarks referred to in paragraphs 5 and 6 for classifying the inherent  
and residual risk profiles of credit institutions or financial institutions, or groups of credit institutions  
or financial institutions, as low, medium, substantial or high. In the EBA’s view, the draft RTS  
requirements are proportionate and limit costs where possible. They also bring benefits in relation to  
a consistent and harmonised approach to assessing entity-level ML/TF risk across the EU. Overall,  
therefore, the impact assessment on the draft RTS suggests that the expected benefits are higher than  
the incurred expected costs.  
5.3 Draft cost-benefit analysis / impact assessment RTS under  
Article 28(1) AMLR on Customer Due Diligence  
A. Problem identification  
Obliged entities in the EU have been required to apply customer due diligence (CDD) since the first  
AML directive. Nevertheless, the transposition of those requirements into the national legal order of  
Member States was inconsistent and this created gaps in the EU’s AML/CFT defences and additional  
costs for obliged entities that operated on a cross-border basis. Regulation (EU) 2024/1624  
harmonises how CDD measures are conducted across EU Member States and across obliged entities  
within the EU.  
B. Policy objectives  
The general purpose of this mandate is to further harmonise the way due diligence measures are  
applied across the EU by specifying what information obliged entities shall collect to comply with their  
CDD, SDD and EDD requirements.  
Compliance by obliged entities with the new CDD requirements introduced by the AMLR will generate  
significant costs for obliged entities according to private sector representatives that attended the  
EBA’s roundtable in October 2024. Against this background, the EBA considered several policy options.  
The EBA’s overall objective is to propose a RTS that is risk-based and proportionate where possible,  
and conducive to effective outcomes while keeping associated compliance costs to a necessary  
minimum.  
C. Baseline scenario  
In the baseline scenario, obliged entities would comply with the requirements under the new EU AML  
framework pursuant to Chapter III of Regulation 2024/1624 without any further regulatory standards,  
or guidance, on how exactly they should fulfil such compliance.  
D. Options considered  
Degree of specification of Level 1 requirements  
The aim of the mandate in Article 28(1) of the AMLR is to further harmonise the way customer due  
diligence measures are applied across the EU by setting out what information is necessary for the  
performance of customer due diligence. The EBA considered two options.  
Option 1a: Not specifying further level 1 requirements that are already sufficiently detailed and only  
providing further clarification where needed to achieve a harmonised, risk-based approach.  
Option 1b: Fostering maximum harmonisation by being as detailed and comprehensive as possible.  
Specifying all level 1 requirements further by way of this draft RTS would mean that the draft RTS  
would set out specific requirements for every situation. This option would bring some benefits, for  
example it would maximise harmonisation, set clear regulatory expectations and make AML/CFT  
supervision and possibly enforcement easier by limiting the scope supervisors have to assess  
whether or not an obliged entity’s approach is adequate. Nevertheless, by limiting the flexibility  
obliged entities have to adjust their controls, such an approach is likely to make AML/CFT  
compliance less risk-based. It also means that obliged entities may be unable to respond effectively  
to situations that are not covered by the draft RTS.  
Contrariwise, setting out a core set of rules and requirements that apply to all sectors and activities  
where necessary, as part of a maximum harmonisation framework within which obliged entities can  
identify the most suitable due diligence measures in light of the risks they have identified will leave  
obliged entities room to adjust their CDD measures where this is warranted. Given the variety of  
obliged entities in terms of size, business model and ML/TF risk exposure to which this RTS will  
apply, this flexibility is crucial and likely to lead to more effective outcomes. This approach will also  
cater for situations unforeseen at this stage.  
There are, nevertheless, a number of provisions in Regulation 2024/1624 that the draft RTS, taking  
into account the mandate in Article 28(1) of that Regulation, cannot change. These include, for  
example, the measures that obliged entities need to take to identify the beneficial owners, now that  
these requirements are comprehensively laid out in Chapter IV of Regulation 2024/1624 on beneficial  
owner transparency. A similar point relates to Article 34(4) (e) and 34(4)(g) of Regulation 2024/1624  
where the Level 1 text is sufficiently detailed that it would not require further clarification in the RTS.  
Based on the above, the Option 1a has been chosen as the preferred option and the draft RTS under  
Article 28(1) of the AMLR will further specify the level 1 requirements only to the extent that this is  
necessary to achieve the AMLR’s policy objectives.  
E. Conclusion  
The draft RTS under Article 28(1) of the AMLR will further harmonise the way due diligence measures  
are applied across the EU by harmonising the information to be collected by obliged entities to comply  
with their CDD, SDD and EDD requirements. For obliged entities and stakeholders (such as  
supervisors), the draft RTS requirements are by themselves not expected to trigger significant  
medium to long term costs as these requirements are linked to the AMLR requirements and thus the  
costs incurred will be due to a great extent to the underlying related requirements set out in the AMLR.  
Overall, the impact assessment on the draft RTS suggests that the expected benefits are higher than  
the expected costs incurred.  
5.4 Draft cost-benefit analysis / impact assessment RTS under  
Article 53(10) of the AMLD6 on pecuniary sanctions,  
administrative measures and periodic penalty payments  
A. Problem identification  
In 2020, the EBA published a Report on the future AML/CFT framework in the EU to respond to the  
European Commission’s call for advice⁹. It underlined that national competent authorities’ approaches  
to determining and imposing sanctions and other measures, and the sanctions or measures that competent  
authorities imposed for breaches of financial institutions’ AML/CFT obligations, were not  
proportionate, effective, or dissuasive. It also stressed that harmonisation of the legal framework by  
means of directly applicable provisions in Union law was necessary to ensure an effective and robust  
approach.  
Since then, the findings of the 4th round of the implementation reviews performed by the EBA in  
2023/2024¹⁰ highlighted that while national supervisors assessed during that round had taken steps  
to strengthen their approach to enforcement, enforcement processes were not fully effective or  
deterrent and not all of the supervisors assessed were using their enforcement powers effectively.  
9 Report on the future AML/CFT framework in the EU to respond to the European Commission’s call for advice on defining  
the scope of application and the enacting terms of a regulation to be adopted in the field of preventing money laundering  
and terrorist financing  
10 Report on NCAs’ approaches to the supervision of banks with respect to anti-money laundering and  
countering the financing of terrorism (Round 4 2023/24)  
In parallel, the data reported by national supervisors to EuReCA, the EBA’s AML/CFT database, suggest  
that supervisory approaches to enforcement are still not aligned. This means that the same breach by  
the same institution would be treated differently depending on where in the EU it occurs.  
The mandate under Article 53(10) of the AMLD6 on pecuniary sanctions, administrative measures and  
periodic penalty payments, aims to foster greater convergence of supervisors’ approaches to  
enforcement and the imposition of administrative measures in the European Union. Moreover, it  
introduces Periodic Penalty Payments (PePPs) as a new EU tool that aims to end an ongoing AML/CFT  
breach that is already subject to a specific administrative measure imposed by an AML/CFT supervisor.  
PePPs are currently used by only a few Member States in the EU.  
B. Policy objectives  
The general policy objective is to harmonise approaches by AML/CFT supervisors in the EU when  
imposing sanctions, administrative measures and when introducing periodic penalty payments. The  
mandate under Article 53(10) of the AMLD6 therefore requests AMLA to set out in the form of  
regulatory technical standards (the draft RTS) (i) indicators to classify the level of gravity of breaches,  
(ii) criteria to be taken into account when setting the level of pecuniary sanctions or applying  
administrative measures, (iii) a methodology for the imposition of periodic penalty payments.  
C. Baseline scenario  
In the baseline scenario, supervisors would need to apply the provisions of the AMLD6 in relation to  
pecuniary sanctions, administrative measures and periodic penalty payments embedded respectively  
in Articles 55, 56 and 57 of AMLD6 without (i) common indicators defined to classify the level of gravity  
of breaches, (ii) criteria to be taken into account when setting the level of pecuniary sanctions or  
applying administrative measures, (iii) a methodology for the imposition of periodic penalty payments.  
In line with the general provisions of Article 53 of the AMLD6, supervisors would need to ensure that  
any pecuniary sanction imposed or administrative measure applied, is effective, proportionate and  
dissuasive. Pursuant to Article 57 of the AMLD6, a periodic penalty payment shall be effective and  
proportionate and can be imposed until the obliged entity or person concerned complies with the  
relevant administrative measure, but not for longer than 12 months. This scenario is likely to lead to  
supervisors keeping divergent approaches to enforcement, which would make the EU’s new approach  
less effective and would not meet the objectives of AMLD6.  
D. Options considered  
Level of supervisory judgement  
As mentioned above, the draft RTS will set out indicators to classify the level of gravity of breaches,  
and criteria to be taken into account when setting the level of pecuniary sanctions or applying  
administrative measures. The indicators and criteria will be harmonized and inspired by existing EBA  
work on material weakness in the RTS on the central AML/CFT database¹¹ and the Joint ESAs Report  
on the withdrawal of authorization for serious AML/CFT breaches¹². In the process of developing  
specific indicators and criteria, the EBA evaluated to which degree supervisory judgement should be  
exercised by national competent authorities. For this purpose, two options were considered.  
11 Commission Delegated Regulation (EU) 2024/595, OJ L, 2024/595, 16.2.2024.  
Option 1a: Setting the indicators and criteria in the draft RTS with inspiration taken from existing  
EBA work on material weakness in the RTS on the central AML/CFT database¹³ and the Joint ESAs  
Report on the withdrawal of authorization for serious AML/CFT breaches¹⁴ without any room for  
supervisory judgment.  
Option 1b: Setting the indicators and criteria in the draft RTS with inspiration taken from existing  
EBA work on material weakness in the RTS on the central AML/CFT database¹⁵ and the Joint ESAs  
Report on the withdrawal of authorization for serious AML/CFT breaches¹⁶ with room for  
supervisory judgment.  
Leaving no room for supervisory judgement would provide for maximum convergence and meet the  
policy objective. However, it would not allow supervisors to take into account the specific context of  
the breach. Option 1b also ensures a high level of convergence, but provides for greater flexibility by  
enabling supervisors to consider the context of the breach. Taking the specific context of a breach  
into account enables a more in-depth analysis of the breach and subsequently allows supervisors to tailor the  
measure to the specific situation identified. By doing so, it enables a more effective response and  
ultimately a more efficient enforcement approach. The main stakeholders impacted by the choice of  
either option would be the competent authorities. The costs of either option would not be significantly  
different.  
Based on the considerations above, the Option 1b has been chosen as the preferred option and the  
draft RTS under Article 53(10) of the AMLD6 will set the indicators and criteria in the draft RTS with  
inspiration taken from existing EBA work on material weakness in the RTS on the central AML/CFT  
database and the Joint ESAs Report on the withdrawal of authorization for serious AML/CFT breaches  
but with room for supervisory judgment.  
Periodic penalty payments  
Pursuant to Article 53(10), point (c) of the AMLD6, the draft RTS will set out a methodology for the  
imposition of PePPs. The methodology proposed by the EBA was inspired by delegated and  
implementing acts adopted by the European Commission. When developing the methodology for the  
imposition of PePPs, the EBA assessed the extent to which provisions of administrative law in the draft  
RTS should be harmonised and considered two options.  
12 ESAs 2022 23, 31 May 2022, Joint ESAs report.  
13 Commission Delegated Regulation (EU) 2024/595, OJ L, 2024/595, 16.2.2024.  
14 ESAs 2022 23, 31 May 2022, Joint ESAs report.  
15 Commission Delegated Regulation (EU) 2024/595, OJ L, 2024/595, 16.2.2024.  
16 ESAs 2022 23, 31 May 2022, Joint ESAs report.  
Option 1a: Setting out a granular set of provisions of administrative law by minimising room for the  
application of national provisions of administrative law.  
Option 1b: Competent authorities to apply their national provisions of administrative law when  
imposing PePPs.  
Leaving no, or little room for the application of national provisions of administrative law would provide  
for maximum convergence and in that sense would help to meet the policy objective. It would  
however not allow supervisors to take into account longstanding specific jurisprudence in the area of  
administrative law and require them to apply different provisions of administrative law when  
enforcing PePPs compared to other enforcement measures. This could have unintended  
consequences and mean that supervisors might avoid using PePPs, as their imposition is a choice and  
not a duty of the supervisor. On the other hand, leaving room for the application of national provisions  
of administrative law when imposing PePPs would, while also ensuring convergence, provide for more  
flexibility when imposing PePPs.  
The main stakeholder impacted by the choice of either option would be competent authorities. The  
costs would not change significantly with either option; potentially, costs could be lower by focusing  
only on some aspects of the methodology for the imposition of PePP to be included into the draft RTS,  
as this would not require the complete review and amendment of national provisions of  
administrative law in 27 Member States for the purpose of imposition of PePPs.  
Based on the above, the Option 1b has been chosen as the preferred option and the draft RTS under  
Article 53(10) of AMLD 6 will set a methodology for periodic penalty payments in the draft RTS by  
allowing supervisors to apply procedures stipulated by national administrative law.  
E. Conclusion  
The draft RTS under Article 53(10) of the AMLD6 on pecuniary sanctions, administrative measures and  
periodic penalty payments will set out indicators to classify the level of gravity of breaches, criteria to  
be taken into account when setting the level of pecuniary sanctions or applying administrative  
measures and a methodology for the imposition of periodic penalty payments. This will provide for  
more convergent approaches by AML/CFT supervisors in the EU when imposing sanctions,  
administrative measures and when introducing periodic penalty payments. The main stakeholder  
impacted in terms of costs by the draft RTS would be the competent authorities but some of these  
costs are associated with underlying legal requirements in the AMLD6. Overall, taking into account the  
EBA’s preference for a proportionate approach where possible, the impact assessment on the draft  
RTS suggests that the expected benefits are higher than the incurred expected costs.  
5.5 Overview of questions for consultation  
RTS under Article 40(2) of the AMLD  
Question 1  
Do you have any comments on the approach proposed by the EBA to assess and classify the risk profile  
of obliged entities?  
Question 2  
Do you agree with the proposed relationship between inherent risk and residual risk, whereby residual  
risk can be lower, but never be higher, than inherent risk? Would you favour another approach  
instead, whereby the obliged entity’s residual risk score can be worse than its inherent risk score? If  
so, please set out your rationale and provide evidence of the impact the EBA’s proposal would have.  
Question 3  
Do you have any comments on the proposed list of data points in Annex I to this Consultation Paper?  
Specifically,  
- What will be the impact, in terms of cost, for credit and financial institutions to provide  
this new set of data in the short, medium and long term?  
- Among the data points listed in the Annex I to this consultation paper, what are those that  
are not currently available to most credit and financial institutions?  
- To what extent could the data points listed in Annex I to this Consultation Paper be  
provided by the non-financial sector?  
Please provide evidence where possible.  
Question 4  
Do you have any comments on the proposed frequency at which risk profiles would be reviewed (once  
per year for the normal frequency and once every three years for the reduced frequency)? What  
would be the difference in the cost of compliance between the normal and reduced frequency? Please  
provide evidence.  
Question 5  
Do you agree with the proposed criteria for the application of the reduced frequency? What  
alternative criteria would you propose? Please provide evidence.  
Question 6  
When assessing the geographical risks to which obliged entities are exposed, should cross-border  
transactions linked with EEA jurisdictions be assessed differently than transactions linked with third  
countries? Please set out your rationale and provide evidence.  
RTS under article 12(7) AMLAR  
Question 1  
Do you agree with the thresholds and provided in Article 1 of the draft RTS and their value?  
If you do not agree, which thresholds to assess the materiality of the activities exercised under the  
freedom to provide services should the EBA propose instead? Please explain your rationale and  
provide evidence of the impact the EBA’s proposal and your proposal would have.  
Question 2  
What is your view on the possibility to lower the value of the thresholds that are set in article 1 of the  
draft RTS? What would be the possible impact of doing so? Please provide evidence.  
Question 3  
Do you agree on having a single threshold on the number of customers, irrespective of whether they  
are retail or institutional customers? Alternatively, do you think a distinction should be made between  
these two categories? Please explain the rationale and provide evidence to support your view.  
Question 4  
Do you agree that the methodology for selection provided in this RTS builds on the methodology laid  
down in the RTS under article 40(2)? If you do not agree, please provide your rationale and evidence  
of the impact the EBA’s proposal and your proposal would have.  
Question 5  
Do you agree that the selection methodology should not allow the adjustment of the inherent risk  
score provided in article 2 of the draft RTS under article 40(2) AMLD6? If you do not agree, please provide the  
rationale and evidence of the impact the EBA’s proposal would have.  
Question 6  
Do you agree with the methodology for the calculation of the group-wide score that is laid down in  
article 5 of the RTS? If you do not agree, please provide the rationale for it and provide evidence of  
the impact the EBA’s proposal and your proposal would have.  
Question 7  
Do you have any concern with the identification of the group-wide perimeter? Please provide the  
rationale and the evidence to support your view on this.  
Question 8  
Do you agree to give the same consideration to the parent company and the other entities of the  
group for the determination of the group-wide risk profile? Do you agree this would reliably assess  
the group-wide controls effectiveness even if the parent company has a low-relevant activity  
compared to the other entities?  
Question 9  
Do you agree with the transitional rules set out in Article 6 of this RTS? In case you don’t, please  
provide the rationale for it and provide evidence of the impact the EBA’s proposal and your proposal  
would have.  
RTS under Article 28(1) AMLR  
Question 1  
Do you agree with the proposals as set out in Section 1 of the draft RTS? If you do not agree, please  
explain your rationale and provide evidence of the impact this section would have, including the cost  
of compliance, if adopted as such?  
Question 2  
Do you have any comments regarding Article 6 on the verification of the customer in a non face-to-  
face context? Do you think that the remote solutions, as described under Article 6 paragraphs 2-6  
would provide the same level of protection against identity fraud as the electronic identification  
means described under Article 6 paragraph 1 (i.e. e-IDAS compliant solutions)? Do you think that the  
use of such remote solutions should be considered only temporary, until such time when e-IDAS-  
compliant solutions are made available? Please explain your reasoning.  
Question 3  
Do you have any comments regarding Article 8 on virtual IBANS? If so, please explain your reasoning.  
Question 4  
Do you agree with the proposals as set out in Section 2 of the draft RTS? If you do not agree, please  
explain your rationale and provide evidence of the impact this section would have, including the cost  
of compliance, if adopted as such?  
Question 5  
Do you agree with the proposals as set out in Section 3 of the draft RTS? If you do not agree, please  
explain your rationale and provide evidence of the impact this section would have, including the cost  
of compliance, if adopted as such?  
Question 6  
Do you agree with the proposals as set out in Section 4 of the draft RTS? If you do not agree, please  
explain your rationale and provide evidence of the impact this section would have, including the cost  
of compliance, if adopted as such?  
Question 7  
What are the specific sectors or financial products or services which, because they are associated with  
lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be  
explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide  
evidence.  
Question 8  
Do you agree with the proposals as set out in Section 5 of the draft RTS? If you do not agree, please  
explain your rationale and provide evidence of the impact this section would have, including the cost  
of compliance, if adopted as such?  
Question 9  
Do you agree with the proposals as set out in Section 6 of the draft RTS? If you do not agree, please  
explain your rationale and provide evidence of the impact this section would have, including the cost  
of compliance, if adopted as such?  
Question 10  
Do you agree with the proposals as set out in Section 7 of the draft RTS? If you do not agree, please  
explain your rationale and provide evidence of the impact this section would have, including the cost  
of compliance, if adopted as such?  
Question 11  
Do you agree with the proposals as set out in Section 8 of the draft RTS (and in Annex I linked to it)?  
If you do not agree, please explain your rationale and provide evidence of the impact this section  
would have, including the cost of compliance, if adopted as such?  
Draft RTS under Article 53(10) of the AMLD6 on pecuniary sanctions, administrative  
measures and periodic penalty payments  
Question 1  
Do you have any comments or suggestions regarding the proposed list of indicators to classify the  
level of gravity of breaches set out in Article 1 of the draft RTS? If so, please explain your reasoning.  
Question 2  
Do you have any comments or suggestions on the proposed classification of the level of gravity of  
breaches set out in Article 2 of the draft RTS? If so, please explain your reasoning.  
Question 3  
Do you have any comments or suggestions regarding the proposed list of criteria to be taken into  
account when setting up the level of pecuniary sanctions of Article 4 of the draft RTS? If so, please  
explain your reasoning.  
Question 4  
Do you have any comments or suggested additions regarding what needs to be taken into account  
as regards the financial strength of the legal or natural person held responsible (Article 4(5) and Article  
4(6) of the draft RTS)? If so, please explain.  
Question 5  
Do you have any comments or suggestions on the proposed criteria to be taken into account by a  
supervisor when applying the administrative measures listed under this draft RTS and in particular  
when the supervisor intends to:  
- restrict or limit the business, operations or network of institutions comprising the obliged entity, or  
to require the divestment of activities as referred to in Article 56 (2) (e) of Directive (EU) 2024/1640?  
- withdraw or suspend an authorisation as referred to in Article 56 (2) (f) of Directive (EU)  
2024/1640?  
- require changes in governance structure as referred to in Article 56 (2) (g) of Directive (EU)  
2024/1640?  
Question 6  
Which of these indicators and criteria could apply also to the non-financial sector? Which ones should  
not apply? Please explain your reasoning.  
Question 7  
Do you think that the indicators and criteria set out in the draft RTS should be more detailed as regards  
the natural persons that are not themselves obliged entities and in particular as regards the senior  
management as defined in AMLR? If so, please provide your suggestions.  
Question 8  
Do you think that the draft RTS should be more granular and develop more specific rules on factors  
and on the calculation of the amount of the periodic penalty payments and if yes, which factors should  
be included into the EU legislation and why?  
Question 9  
Do you think that the draft RTS should create a more harmonised set of administrative rules for the  
imposition of periodic penalty payments, and if yes, which provisions of administrative rules would  
you prefer to be included into EU legislation compared to national legislation and why?  
6. Annexes  
Annex 1 - Data Points to be collected for the purpose of the RTS  
under Article 40(2) of the AMLD and Article 12(7) of the AMLA  
Regulation.  
Section A Inherent risk  
(1) The data points in this annex are not the same as the indicators supervisors will use to  
calculate the ML/TF risk of each financial institution.  
(2) The final RTS will include an ‘interpretive note’ that will specify what each data point entails  
in relation to each sector as well as clarifications in relation to the dates associated with each  
data point.  
(3) Some data points do not apply to all sectors, given the specific nature of their activities.  
Likewise, the data points under 'Products and Services' will only be considered if the obliged  
entity offers the product or service.  
Category  
Sub-Category  
Data points  
Number of customers  
Number of PEPs related business relationships (including family members and close  
associates)  
Number of PEPs related business relationships (including family members and close  
associates) by country  
Number of customers with at least one transaction in the previous year  
Number of new customers in the previous year  
Number of NPOs with cross border transactions to/from non-EEA countries  
Number of NPOs  
Number of legal entities  
Number of natural persons  
Customers  
Number of legal entities with complex structure  
Number of customers with high risk activities  
Number of legal entities with at least 1 UBO located in non-EEA countries (residence)  
Number of customers with foreign residency by country (natural persons)  
Number of customers registered abroad by country (legal entities)  
Number of customers with cross border transactions involving non-EEA countries  
Number of walk-in customers  
Number of occasional transactions carried out by walk-in customers  
Number of customers with requests from FIU whose matter or nature of the request is linked  
with AML/CFT  
Number of payment accounts  
Total Value (EUR) of incoming transactions in the previous year  
Number of incoming transactions in the previous year  
Total Value (EUR) of outgoing transactions in the previous year  
Number of outgoing transactions in the previous year  
Payment  
Accounts  
Products  
Services and  
Transactions  
Total Number of master accounts with linked vIBANS  
Number of transactions on Virtual IBANs (incoming) in the previous year  
Total Value (EUR) of transactions on Virtual IBANs (incoming) in the previous year  
Virtual IBANs  
Number of transactions on Virtual IBANs (outgoing) in the previous year  
Total Value (EUR) of transactions on Virtual IBANs (outgoing) in the previous year  
Total Number of re-issued IBANs  
Total Number of re-issued IBANs where the end-user is not a customer of the obliged entity  
Total Number of Prepaid Cards issued during the previous year  
Total Value (EUR) of the issued prepaid cards during the previous year  
Total Value (EUR) outstanding on prepaid cards issued during the previous year  
Total number of customers using prepaid cards  
Prepaid Cards  
Total number of customers using prepaid cards with more than 3 prepaid cards  
Total Number and Value (EUR) of outstanding loans  
Total Number and Value (EUR) of loans granted during the previous year  
Total Number and Value (EUR) of outstanding asset backed loans with cash collateral  
Total Number and Value (EUR) of loan repayments during the previous year  
Total Number and Value (EUR) of prematurely repaid loans during the previous year  
Total Number and Value (EUR) of loan repayments from non-EEA countries during the  
previous year  
Lending  
Total Number and Value (EUR) of consumer loans granted during the previous year that are  
not associated to the acquisition of any product/service  
Total Number of factoring contracts granted in the previous year  
Total Value (EUR) of factoring contracts granted during the previous year  
Total Value (EUR) of factoring contracts granted to obligors established in non-EEA countries  
during the previous year  
Factoring  
Total amount of gross written premiums in the previous year (incoming)  
Total of amount (EUR) of surrender value of the insurance contracts at the end of the previous  
year  
% of all gross written premium (amount) paid directly to the life insurance broker in the  
previous year  
Life insurance  
contracts  
% of contracts (amount) that are not used for low risk contracts  
Number of currency exchange transactions carried out during the previous year (sell)  
Number of currency exchange transactions carried out during the previous year (buy)  
Number of currency exchange transactions carried out during the previous year, where the  
transaction is above 1000 euros (sell)  
Number of currency exchange transactions carried out during the previous year, where the  
transaction is above 1000 euros (buy)  
Total Value (EUR) of currency exchange transactions carried out during the previous year (sell)  
Total Value (EUR) of currency exchange transactions carried out during the previous year (buy)  
Value (EUR) of currency exchange transactions cash-to-cash carried out during the previous  
year  
Currency  
Exchange  
(involving  
cash)  
Custody of  
crypto assets  
Number of customers owning crypto-assets  
Total amount (EUR) hosted on the custodian wallets  
Invest.  
Number of retail clients  
Number of professional clients  
% of amounts of orders transmitted involving unlisted financial instruments, other than  
financial instruments issued by the obliged entity or its group  
Number of AML/CFT regulated customers outside the EEA  
Services and  
Activities -  
reception and  
transmission  
of orders  
Invest.  
Services and  
Activities -  
custody  
Number of retail clients  
Number of professional clients  
% of assets under custody for which the obliged entity does not have a direct business  
account  
keeping  
relationship with the final investor  
Number of AML/CFT regulated customers outside the EEA  
Invest.  
Services and  
Activities -  
Portfolio  
Number of retail clients  
Number of professional clients  
Total assets under management  
Number of customers for which customer holding total assets with a value of at least EUR 5 000 000  
management  
Total Number of money remittance payments in the previous year (incoming)  
Total Number of money remittance payments in the previous year (outgoing)  
Total Value (EUR) of remittance payments in the previous year (incoming)  
Total Value (EUR) of remittance payments in the previous year (outgoing)  
Total Number of money remittance transactions above 1000 euro in the previous year  
(incoming)  
Money  
Remittance  
Total Number of money remittance transactions above 1000 euro in the previous year  
(outgoing)  
Total Number of customers (NP) with total assets under management over a value of at least  
EUR 5,000,000  
Total Number of customers (NP) that fall under the definition of private banking (RFGLs)  
Total Number of customers (NP) with total assets over a value of at least EUR 50,000,000  
Wealth  
Management  
Total Value (EUR) of transactions executed on behalf of the respondent client in the previous  
year (incoming)  
Total Value (EUR) of transactions executed on behalf of the respondent client in the previous  
year (outgoing)  
Total Value (EUR) of transactions going through payable through accounts in the previous year  
(incoming)  
Correspondent services  
Total Value (EUR) of transactions going through payable through accounts in the previous year  
(outgoing)  
Total Value (EUR) of transactions going through nested accounts in the previous year  
(incoming)  
Total Value (EUR) of transactions going through nested accounts in the previous year  
(outgoing)  
Total Number of trade finance customers  
Total Number of trade finance transactions in the previous year (incoming)  
Total Number of trade finance transactions in the previous year (outgoing)  
Total Value (EUR) of trade finance transactions in the previous year (incoming)  
Total Value (EUR) of trade finance transactions in the previous year (outgoing)  
Trade finance  
Number of e-money transactions in the previous year (incoming)  
Number of e-money transactions in the previous year (outgoing)  
Total Value (EUR) of e-money transactions in the previous year (incoming)  
Total Value (EUR) of e-money transactions in the previous year (outgoing)  
Total Number of e-money transactions by non-identified customers in the previous year  
Value (EUR) of e-money transactions by non-identified customers in the previous year  
E-Money  
TCSP services  
Total Number of legal entity customers using TCSP services in the previous year  
Total amount (EUR) crypto-fiat in the previous year  
Total number of transactions crypto-fiat in the previous year  
Exchange  
crypto-fiat  
Number of customers using this type of service in the previous year  
Total number of transactions crypto-fiat to unhosted wallets in the previous year  
Total number of transactions crypto-fiat from unhosted wallets in the previous year  
Total amount (EUR) fiat-crypto in the previous year  
Total number of transactions fiat-crypto in the previous year  
Exchange fiat-  
crypto  
Number of customers using this type of service in the previous year  
Total number of transactions fiat-crypto to unhosted wallets in the previous year  
Total number of transactions fiat-crypto from unhosted wallets in the previous year  
Total amount (EUR) crypto-crypto in the previous year  
Number of customers using this type of service in the previous year  
Exchange  
crypto-crypto  
Total number of transactions crypto-crypto to unhosted wallets in the previous year  
Total number of transactions crypto-crypto from unhosted wallets in the previous year  
Total amount (EUR) that customers transferred in the previous year  
Number of customers using this type of service in the previous year  
Total number of transactions to unhosted wallets in the previous year  
Total number of transactions from unhosted wallets in the previous year  
Transfer  
crypto-assets  
Number of retail investor customers  
Number of professional investor customers  
Total assets under management  
Management  
of UCITS  
Total assets under management in unlisted financial instruments  
Number of open-ended funds  
Number of closed-ended funds  
Management  
of AIFs  
Total assets under management  
Total assets under management in unlisted financial instruments  
Assets other than financial instruments as defined in section C of annex 1 of MIFID  
Safe Custody  
Services  
Total Number of customers using safe deposit boxes  
Total Value (EUR) of funding projects in the previous year  
Total Number of projects being funded in the previous year  
Total Number of donors from high-risk countries  
Crowdfunding  
Total Number of projects where the owner is from a high-risk country  
Total Number of projects funded for philanthropic purposes in the previous year  
Number of cash transactions in the previous year (withdrawals)  
Number of cash transactions in the previous year (deposits)  
Total Value (EUR) of cash transactions in the previous year (withdrawals)  
Total Value (EUR) of cash transactions in the previous year (deposits)  
Total Number of natural persons totalling cash transactions over 20 000 EUR during the  
previous year  
Cash  
Transactions  
Number of incoming transactions in the previous year by country  
Total value (EUR) of incoming transactions in the previous year by country  
Number of outgoing transactions in the previous year by country  
Total value (EUR) of outgoing transactions in the previous year by country  
Total value (EUR) of entity's investment undertakings (CIUs) by country  
Number of investors by country (for AMCs)  
Total value of investments (EUR) by country (for AMCs)  
Total value (EUR) of all assets by country (for IFs and AMCs)  
Number of institutions established in foreign countries to whom you provide correspondent  
services (by country)  
Geographies  
Total value of incoming funds moved on behalf of the respondent's clients by country of  
respondent's establishment  
Total value of outgoing funds moved on behalf of the respondent's clients by country of  
respondent's establishment  
Number of branches by country  
Number of subsidiaries by country  
Country where the entity's owner is located (parent company)  
Number of new customers onboarded remotely in the previous year  
Number of new customers onboarded in the previous year by third parties  
Number of new customers onboarded in the previous year by third parties not directly subject  
to AML/CFT supervision  
Distribution  
channels  
Number of agents by country  
Number of distributors by country  
Total value of gross written premiums through insurance contracts issued through brokers,  
broken down by country the brokers are established  
Number of white labelling partners by country of establishment  
Section B AML/CFT Controls  
Category  
Sub-Category  
Data Points  
Date(s) when the last version of the following policies and procedures approved by the management:  
a) Initial Customer Due Diligence  
1A: Role and  
responsibilities  
of the  
b) Ongoing Customer Due Diligence  
c) Transaction monitoring  
management  
body  
d) Suspicious transactions reporting  
e) Ongoing monitoring of business relationships  
f) Financial Sanctions screening  
Date when the reports on the following AML/CFT aspects have been submitted to the senior  
management in the last calendar year:  
a) the areas where the operation of AML/CFT controls should be implemented or improved and  
suggested improvements;  
b) compliance monitoring actions and a plan of activities of AML/CFT compliance officer;  
c) a progress report of any significant remedial programmes;  
d) adequacy of the human and technical resources in the AML/CFT compliance function;  
e) the main findings of the business-wide ML/TF risk assessment;  
f) changes in the methodology for assessing customer risk profiles;  
g) the classification of customers by risk category;  
h) statistical data on unusual and suspicious transactions;  
i) AML/CFT related findings of internal and external audits;  
j) AML/CFT training activities and plan.  
1B: Internal  
controls and  
reporting  
systems  
Number of deficiencies pending at the end of the calendar year? Of which:  
a) number of deficiencies with high criticality  
b) number of deficiencies for which remediation is exceeding the initial timeline by more than 6 months  
c) number of critical deficiencies for which remediation is exceeding the initial timeline by more than 6  
months  
AML/CFT  
governance  
structures  
Tasks outsourced by the obliged entity (in total or in part) to service providers:  
CDD  
Training  
Transaction Monitoring  
Suspicious Transaction Reports  
Sanctions Screening  
PEP detection  
Compliance Monitoring Checks  
1C: Outsourcing  
and reliance on  
third parties  
% of outsourced AML/CFT tasks that are covered by a written agreement governing the outsourced  
relationship  
Existence of AML/CFT tasks outsourced to an external service provider located in high risk third country  
(excluding outsourcing to other entities of the group located in high risk third countries)  
% of outsourced AML/CFT tasks for which a written agreement is in place among the tasks outsourced to  
an external service provider located in high risk third country.  
Existence of AML/CFT tasks outsourced to an external service provider located in high risk third country  
that is part of the group (Y/N)  
A written agreement is in place for all outsourced tasks to an external service provider located in high risk  
third country that is part of the group (Y/N)  
Number of dedicated AML/CFT compliance staff (in FTE)  
1D: AML/CFT  
Compliance  
Function and  
Resources  
Number of Compliance Officers appointed over the last 5 years or since the entity's authorisation, if the  
authorisation was granted less than 5 years ago  
% of staff who have received AML training during the last calendar year:  
a) AML Specialist  
b) non-AML/CFT specialist staff (customer facing staff, executive directors)  
c) agents and distributors  
1E. AML/CFT  
training  
(employees,  
officers, agents  
and  
Average number of hours of AML training in the last calendar year attended by (per person):  
a) AML specialist staff  
b) non-AML specialist staff (including management, 1st line of defence)  
c) Board members / non-executive directors  
distributors)  
% of staff or trainees for whom at least one training was validated by a test  
1F: AML/CFT  
risk culture  
N/A (No automated score)  
Dates when the AML/CFT obligations/ controls were last assessed by an internal audit or external  
expert:  
a. Business-wide risk assessment  
b. determination of ML/TF risk profile of customers in a business relationship  
c. AML/CFT-related awareness-raising and staff training measures  
d. Identification and identity verification procedures  
e. Policies and procedures for monitoring and analysing business relationships, including transaction  
monitoring  
1G: Internal  
audit function /  
external expert  
f. Policies and procedures for suspicious transaction reporting  
g. Record keeping policies and procedures  
h. Resources dedicated to AML/CFT  
i. Organisation of the AML/CFT system, governance and reporting to management bodies.  
Exemption applies from having in place the BWRA in accordance with Article 10(3) AMLR  
Date when the obliged entity assessed the need to update the BWRA for the last time  
Senior management approved the last version of the BWRA (Y/N)  
2A. Business  
Wide Risk  
Assessment  
Frequency at which the obliged entity assesses the need to review the BWRA  
Date when the obliged entity assessed the need to update the CRA for the last time  
Risk  
assessment  
2B. Customer  
ML/TF risk  
assessment  
and  
classification  
(CRA)  
Number of customers per ML/TF risk category (low risk, medium-low risk, medium-high risk, high-risk)  
Number of customers that are legal entities /trusts whose beneficial owners have not been identified  
Number of high-risk customers that are legal entities  
Number of high-risk customers that are legal entities /trusts whose beneficial ownership has been  
identified, but the identity of whom has not been verified  
Number of customers without identification and verification documentation/ information  
Number of customers with incomplete identification and verification documentation/ information  
Number of high-risk customers with missing or incomplete CDD data or information  
Number of customers without ML/TF risk profile (excluding customers with whom the obliged entity does  
not have a business relationship)  
Number of customers for whom no information on the purpose and intended nature of the business  
relationship has been obtained (excluding customers with whom the obliged entity does not have a  
business relationship)  
3A: Customer  
Due Diligence  
AML/CFT  
Policies  
and  
procedures  
Number of customers for whom no information has been obtained on the nature of the customers’  
business, or of their employment or occupation (excluding customers with whom the obliged entity does  
not have a business relationship)  
Number of customers (excluding natural persons) for whom beneficial ownership identification details  
are entered in the institution's database  
Number of customers, who are natural persons, for whom all identification details (name/ dob,  
nationality, tax number) are entered in the institution's database  
Number of customers for whom updates of customer information were due in the last calendar year, in  
accordance with the obliged entity's policies and procedures  
Number of customers for whom customer information was reviewed and updated in the last calendar  
year  
3B: Ongoing  
monitoring of  
business  
relationships  
The obliged entity has a transaction monitoring system in place (Y/N)  
The transaction monitoring system is:  
a) Not automated; or  
b) At least partly automated  
If manual system: the annual number of transactions exceeds the number of transactions that the  
obliged entity can manually process (Y/N)  
If manual system: Average time in days to analyse the transaction since the moment it occurred  
If automated system: The system can generate alerts in case of inconsistencies between CDD  
information relating to the customer and the following elements:  
a) Number of transactions  
3C: Transaction  
Monitoring  
b) Value of aggregated transactions  
c) value of single transactions  
d) counterparties  
e) countries  
If automated system: Number of alerts not analysed at the end of the calendar year  
If automated system: Average time to analyse an alert in the last calendar year (number of days  
between issuance of the alert and closing of the alert)  
If automated system: Ratio between number of alerts and number of STRs  
Average number of days between the date of identification of potential suspicious transactions (prior to  
the analysis of the transaction) and the date when the transaction is reported to the FIU (after the  
analysis of the transaction) during the last calendar year  
3D: Suspicious  
Activity  
Reporting  
Number of STRs submitted to the FIU before the completion of the transaction during the last calendar  
year  
Total number of STRs submitted to the FIU during the last calendar year  
Average number of hours between the publication of the TFS by the authorities and the implementation  
of these changes in the institution's screening tools  
Maximum number of hours between the publication of the TFS by the authorities and the implementation  
of these changes in the institution's screening tools  
3E: Targeted  
Financial  
Sanctions  
Number of outbound transfers for which requests were received from a counterparty in the transfer  
chain for information that is missing, incomplete or provided using inadmissible characters in the last  
calendar year  
3F: Compliance  
with Fund  
Transfers  
Regulation  
Total number of outbound transfers in the last calendar year  
% of outbound transfers rejected or returned by the counterparty in the transfer chain due to information  
that is missing, incomplete or provided using inadmissible characters in the last calendar year  
Number of repeatedly failing counterparties flagged to the supervisor in the last calendar year  
Total number of counterparties of outbound and inbound transfers in the last calendar year  
3G: Record  
keeping  
N/A (No automated score)  
N/A (No automated score)  
4A: AML/CFT  
governance  
structures e.g.  
oversight by the  
parent of group  
activities,  
reporting by the  
group to the  
Group  
oversight  
parent entity,  
group’s internal  
AML/CFT  
control system  
4B: Group-wide  
ML/TF risk  
N/A (No automated score)  
assessment  
4C: Group  
policies and  
procedures,  
including  
sharing of  
information  
within the group  
(Art 73(3)  
N/A (No automated score)  
AMLR)  
% of group entities that provided reports to the Group AML compliance on the following areas in the last  
calendar year:  
a) CDD  
b) ongoing monitoring  
c) STRs  
d) identity and transaction level information on high risk customers  
e) deficiencies  
4D: Group-wide  
AML/CFT  
% of jurisdictions in which the group is established covered by reviews (including access to customer  
and transaction level data) performed by the group AML/CFT compliance function in the last three  
calendar years. (applies only to groups that have been existing for more than 3 years)  
function  
Number of group entities for which deficiencies were identified by competent AML/CFT supervisors in  
the last calendar year  
- EU/EEA entities  
- Non-EU/EEA  
Section C Datapoints for the calculation of the materiality thresholds for operations  
under the freedom to provide services  
1. List of the European Union countries where the credit or financial institution is operating  
in practice under freedom to provide services  
2. Total number of customers who are resident in the Member State where the credit or  
financial institution is operating on a freedom to provide service basis, at the end of the last  
calendar year.  
2.A. Volumes of transactions generated by the customers under point 2 over the last calendar year  