European Banking Authority advises European Commission on more harmonized EU anti-money laundering regime

On 31 December 2025, the European Banking Authority (EBA) will transfer its anti-money laundering mandate to the Anti-Money Laundering Authority (AMLA). In advance of this, the European Commission asked EBA to advise it on six regulatory mandates that AMLA will ultimately adopt, for the Commission to endorse. On 6 March 2025, EBA launched a three-month public consultation including four draft Regulatory Technical Standards (RTS). The EBA responded to the European Commission’s Call for Advice on 30 October 2025. The draft RTS relate to:

  • Supervisors’ assessment of the inherent and residual risk profile of obliged entities;
  • The risk assessment methodology for AMLA’s selection of institutions for direct supervision;
  • Obliged entities’ Customer Due Diligence (CDD) obligations; and
  • Pecuniary sanctions, administrative measures, and periodic penalty payments.

The draft RTS relate to regulatory mandates under Directive (EU) 2024/1640 (AMLD6), Regulation (EU) 2024/1620 (AMLAR), and Regulation (EU) 2024/1624 (AMLR), all parts of the new EU AML/CFT legislative package. These draft RTS are the first in a series of regulatory standards designed to harmonize requirements for obliged entities under the supervision of AMLA.

EBA says that it is attempting to take a risk-based and proportionate approach that strives for effective and workable outcomes and builds on existing EBA standards as well as global AML/CFT benchmarks. Given discrepancies in Member States’ approaches, the EBA proposals aim at a maximally harmonized approach across the EU.

EBA’s response also includes preparatory work on two additional mandates relating to information exchange within a group and on the base amount for financial penalties. This will be taken forward by AMLA in due course.

The draft RTS address the following key areas:

Direct supervision by AMLA (Article 12 AMLAR):

Under Article 12(1) of AMLAR, credit and financial institutions (and their groups) operating in at least six Member States, including their home state, can be directly supervised by AMLA, whether they operate through branches or by providing services across borders. The selection of these obliged entities occurs in two steps. First, the Authority identifies all credit and financial institutions, or their groups, that operate in at least six Member States (including their home state), either through local branches or by providing services across borders. Second, the Authority assesses and classifies the ML/TF risk profile of these entities to single out those with a high residual risk.

In accordance with Articles 12 and 13 of AMLAR, AMLA will select a list of approximately 40 obliged entities for its direct supervision. An entity is considered for selection if it operates in at least six Member States, and its residual risk profile has been classified as high.

Some entities notify their supervisors of their intention to offer cross-border services but then do not provide these services in practice, or provide them in a way that is not relevant to their overall business. Therefore, AMLA needs to distinguish between cases where cross-border services are a significant part of the business and those where they are not. EBA's draft RTS specifies the conditions required for an entity to be considered as operating in a Member State when providing cross-border services and sets thresholds to determine whether cross-border operations are material and count towards the number of Member States in which an obliged entity operates: (a) more than 20,000 resident customers in that Member State; or (b) transaction volume (incoming and outgoing) exceeding EUR 50 million.

Since it may be difficult for institutions to track all customers onboarded specifically under the freedom to provide services, the number of resident customers is used as a proxy.

For assessing and classifying the group-wide residual risk profile, the EBA proposes to aggregate entity-level residual risk scores using a weighted averaging method. Based on these scores, which are calculated using the same three-step methodology as set out under the risk assessment methodology (assessing inherent risk, evaluating AML/CFT controls, and determining residual risk), AMLA will classify the residual risk profile of the group as low, medium, substantial, or high. This classification will determine the group's eligibility for direct supervision.

Risk assessment methodology (Article 40 (2) AMLD):

Article 40 of the AMLD requires supervisors to use a risk-based approach when overseeing AML/CFT, meaning they need to tailor how often and how closely they supervise each entity based on its risk of ML/TF. It also requires AMLA to create a standard method that all supervisors will use to assess the level of these risks for the entities they supervise.

For the standard method, EBA suggests a three-step approach. The aim is to ensure consistent risk assessments across Member States and to reduce the regulatory burden for institutions operating in multiple jurisdictions.

  • Firstly, the supervisors should assess and classify each entity’s inherent ML/TF risk using relevant indicators.
  • Secondly, they should evaluate how effective the entity’s AML/CFT controls are at reducing those risks.
  • Finally, supervisors should assess and classify the remaining (residual) risk that an entity may be used for ML/TF even after AML/CFT controls have been applied.

To facilitate this, the EBA proposes an automatic scoring system to assess and classify the inherent and residual risk profile of each obliged entity in a consistent manner by all competent authorities. Supervisors should assign numerical scores ranging from 1 (lowest level of risk) to 4 (highest level of risk) to assess inherent risk indicators based on pre-determined factors relating to customers, products, and geography, as outlined in Annex I, section A of the draft RTS. These scores should be combined and weighted to determine the overall inherent risk score for the obliged entity, reflecting the significance of each risk category.

The same methodology applies to the assessment and classification of the quality of AML/CFT controls, using a scale from poor quality of controls to very good quality of controls. Data points, as per Annex I, Section B, relate to the categories of

  • AML/CFT governance structure,
  • Risk assessment,
  • AML/CFT policies and procedures, and
  • Group oversight.

Previous supervisory assessments or external auditors' assessments may warrant an adjustment to any of the combined scores.

An automated scoring system would then combine the inherent risk with the controls quality score to produce the residual risk profile of the obliged entity. ML/TF inherent risks come from various factors, such as customer types, products/services, distribution channels, and geographic areas. Similarly, AML/CFT controls can be grouped into categories like governance, risk assessment, policies, and group compliance. To organize the assessment and classification of the residual risk profile of an entity, both risk and control indicators should be divided into four categories according to their risk significance and controls’ quality.

Despite standardization and the automatic scoring system, the method must remain adaptable and be regularly updated by AMLA as ML/TF risks are constantly changing. Article 5 of the draft RTS requires supervisors to review the inherent and residual risk profiles of obliged entities at least annually, or at least every three years in specific cases (such as small businesses, insurance intermediaries, or credit intermediaries), unless major events or developments in management and operations trigger an ad hoc assessment and classification.

Customer due diligence requirements (Article 28 (1) AMLR):

According to Article 28(1), point (a), of the AMLR, AMLA is required to harmonise the rules on customer due diligence. This includes specifying the information that obliged entities must gather for standard, simplified, and enhanced due diligence procedures.

In its draft RTS, EBA recommends a flexible framework for institutions to determine the extent and quality of information required during customer due diligence, in line with the new AMLR. Rather than prescribing specific documents, the EBA provides guidance on the types of documents and sources institutions should consider, allowing for effective compliance while managing costs.

Customer data of legal entities

For legal entities (incl. legal arrangements), the following information should be collected:

  • Statutory documents required by law (e.g., certificates of incorporation or audited financial statements).
  • Most recent version of constitutive documents (e.g., Memorandum of Association, Articles of Association or alternatively).

In case of a trust (incl. similar legal arrangements) that is not subject to registration:

  • Recent copy of the trust deed, or an extract thereof,
  • Any document determining the exercise of powers by trustees or similar administrators, certified by an independent professional.

Independent and reliable sources are essential for customer due diligence. The draft RTS emphasizes that the most recent documents should be collected for customer due diligence as they are more reliable than information that dates back several years.

Regarding the identification of individuals, the draft RTS provides clarity: obliged entities are required to collect information on the nationality and place of birth of their customers. As some government-issued identity documents may not include details regarding a person’s nationality or place of birth, obliged entities may need to obtain this information directly from the customer or from alternative sources. If a customer holds multiple nationalities and discloses them in good faith, it is sufficient to verify one of those nationalities. In cases where an individual is stateless or holds refugee or subsidiary protection status, the relevant status information should be collected instead.

Ultimate beneficial owner and senior managing officials

The draft RTS sets out detailed requirements for the identification and verification of beneficial owners. The consultation of central registers for information on beneficial owners (e.g. transparency register) is necessary but not sufficient to fulfil the verification requirements. Specifically, obliged entities must gain a clear understanding of their customers’ ownership and control structures by obtaining information on all legal entities and/or legal arrangements that serve as intermediaries between the customer and their beneficial owners. Furthermore, for each of these intermediary legal entities or arrangements, obliged entities are required to collect a comprehensive set of references:

  • legal form
  • reference to the existence of any nominee shareholders
  • jurisdiction of incorporation or registration (for trusts: jurisdiction of their governing law)
  • shares of interest held / type of shares / voting rights
  • information on the regulated market on which a security is listed / the extent of listing.

When an obliged entity is unable to identify an individual as a beneficial owner, the identification of senior managing officials is required. For this, obliged entities shall collect and verify the information in the same way as for beneficial owners. However, obliged entities may decide to obtain the address of the registered office of the legal entity instead of the senior managing official’s residential address and country of residence.

The draft RTS clarifies that difficulty in identifying the beneficial owner—such as in situations involving complex corporate structures—does not, in itself, constitute ‘doubts’. As a result, this alone does not provide a sufficient basis for the obliged entity to identify the senior managing officials instead.

Purpose and intended nature of the business relationship or the occasional transaction

Obliged entities are required to apply risk-sensitive measures to understand the reasons behind a customer's choice of their products and services, the intended use of these products or services, and whether the customer maintains other business relationships with the entity or its group. In situations assessed as higher risk, obliged entities must also ascertain the source of the customer's wealth.

The draft RTS further mandates that obliged entities obtain information on the purpose and economic rationale of the business relationship or transaction, including details such as the estimated amount of funds involved, transaction specifics, the origin and destination of funds, and the customer's business activity or occupation.

For clients identified as low risk, obliged entities must, at a minimum, take risk-sensitive steps to understand the client's reasons for selecting the entity's products and services, the source of funds used in the business relationship or occasional transaction, and the intended use of the products or services. Where relevant, this should also include an understanding of the estimated amounts expected to flow through the account.

Enhanced due diligence

The draft RTS provides for specific obligations to obtain additional information in case of enhanced due diligence measures. Obliged entities shall obtain additional information, that enables the entity to

  • verify the authenticity and accuracy of data on the customer and beneficial owners, or the ownership and control structure (for non-natural persons),
  • assess the reputation of the customer and beneficial owners,
  • identify and comprehensively assess ML/TF risks associated with the customer, beneficial owners, or any close relationships known to or publicly known by the obliged entity,
  • confirm the authenticity and accuracy of the intended nature of the business relationship,
  • ensure the destination of funds is consistent with the stated nature of the business relationship or transaction and the customer’s risk profile,
  • assess that the expected number, size, type, volume, and frequency of transactions are consistent with the declared business activity, source of funds, or source of wealth.

Additional information may include details on the customer’s key customers, contracts, business partners, associates, or, where relevant, the beneficial owner’s business partners or associates.

Information to confirm that the source of funds and source of wealth of the customer and beneficial owners are derived from lawful activities may include, among others, tax declarations, official income statements, audited accounts, investment documentation, credit facility agreements, and loan agreements.

Obliged entities must collect information on the reasons for intended or completed transactions to ensure they are credible and align with their knowledge of the customer. They should also check that the transactions are consistent with the customer’s business activities and turnover, especially for higher-risk sectors. Additionally, they must gather information to clarify any higher risks related to the parties involved in the transaction, including intermediaries and their relationship with the customer.

The EBA recognises the challenges that obliged entities may face in applying the new customer due diligence (CDD) standards to all clients by 10 July 2027, which is both the date the AMLR will take effect and the deadline for AMLA to issue various regulatory technical standards (RTS). To facilitate a smoother transition to the new AML/CFT requirements, the EBA highlights the importance of a risk-based approach, directing obliged entities to prioritise the review of business relationships that present a high risk of money laundering or terrorist financing (ML/TF). For all other (non-high-risk) business relationships, the EBA proposes a transitional period of five years to complete the necessary updates.

Sanctions and enforcement (Article 53 (10) AMLD6):

The draft RTS aims to harmonise the approach of AML/CFT supervisors across the EU on enforcement measures to ensure that the same breach of AML/CFT requirements is assessed in the same way by all supervisors in all Member States and that the resulting enforcement measure is proportionate, effective, and dissuasive. For this, Article 53(10) of AMLD6 addresses the following three main areas:

  • Indicators for assessing the level of gravity of breaches,
  • Criteria for determining financial penalties and administrative actions, and
  • The methodology for imposing periodic penalty payments.

In its draft RTS, EBA proposes indicators and criteria for setting pecuniary sanctions and administrative measures. As a first step, supervisors will assess the level of gravity of a breach considering the list of indicators in the RTS. In a second step, supervisors will classify the level of gravity of a breach in one of four categories by order of severity. In a third step, supervisors determine the level of pecuniary sanctions or administrative measures, applying the criteria listed in the RTS.

The following indicators, among others, should be considered: the duration of the breach, the repetition of the breach, the approximate number of customers affected by the breach, and the nature of the breach, by assessing whether the breach is related to internal policies, procedures and controls.

The level of cooperation and the conduct of individuals or entities, especially their management (e.g. intentional or negligent behaviour), are key criteria in assessing the severity of breaches. The draft RTS explicitly states that the list of indicators and criteria is non-exhaustive. Supervisors may identify additional indicators and criteria to be considered, subject to justification.

The draft RTS introduces a methodology for imposing periodic penalty payments. According to the draft RTS, periodic penalty payments are a tool that supervisors can use to compel compliance with administrative measures. They should only be imposed if there is evidence that an entity or individual has not complied with an administrative measure within a specified timeframe. The amount can be set on a daily, weekly or monthly basis and, when setting it, supervisors should consider all relevant factors to ensure that the penalties are appropriate and proportionate for compelling compliance. Relevant factors include the type and object of the breached administrative measure, the reasons for non-compliance, any losses to third parties or benefits derived from non-compliance, and the financial strength of the responsible party.

The new set of rules shall not apply to proceedings related to pecuniary sanctions, administrative measures and periodic penalty payments initiated before 10 July 2027. This cut-off date helps to minimize the risk of inconsistent application of the rules by different supervisory authorities. This date aligns with the deadline for Member States to transpose the provisions of AMLD6 into their national legal frameworks.

Authored by Dr. Viktoria Hennig.