EFA Position Paper: Towards a harmonised Anti-Money Laundering Framework
Please find the EFA’s position paper in PDF here.
The European FinTech Association (EFA) welcomes the European Commission’s (Commission) recent legislative proposal to establish a harmonized European framework to prevent money laundering and counter-terrorist financing (ML/TF) in the EU. We believe that a harmonized framework is more than essential to ensure ML/TF risks are effectively tackled, and to remove regulatory barriers that have impeded European FinTechs from scaling up their operations cross-border.
High-level EFA Messages:
- The EFA strongly supports the EU-wide harmonization of digital identification methods through a defined set of qualified methods and criteria for the digital identification of customers that should be applicable across the EU.
- The list of data points that need to be obtained on customers is much more detailed and extensive than was previously the case. This discourages firms from focusing their resources on higher-risk customers.
- The inclusion of Account Information Service Providers (AISPS) and Payment Initiation Service Providers (PISPs) is not risk-proportionate and would only duplicate the obligations.
- The EFA would welcome a clear and homogeneous standard of KYC information that firms are required to obtain from customers during identification and verification processes at onboarding.
- The EFA would also like to stress that the newly established AML Authority should avoid targeting specific sectors or activities in its definition of a high-risk institution.
i. Ensuring a risk based approach
As mentioned in our previous position paper dated December 2020, the EFA supports the harmonization of digital identification methods across the EU and believes that the implementation of an AML regulation rather than a directive is an important first step to remove “gold-plating” on a national level, overcoming a substantial cross-border barrier for European FinTechs.
However, the proposed requirements do not currently allow firms to take a risk-based approach to identifying and verifying their customers. Based on the proposed AML regulation, the list of items that need to be obtained by customers is much more detailed and extensive than was previously the case (e.g. “place of birth” is asked for but is not widely gathered at present and is not found on many commonly-used identity documents such as driving licences). This places new burdens on businesses and consumers, discouraging firms from using a more effective risk-based and tailored approach to identify higher-risk customers.
- Suggestion: Clarify what data and information firms should gather to identify and verify their customers that would allow the deployment of high-risk profiling of customers. It is important to also clarify that non-face-to-face digital onboarding is as secure as face-to-face onboarding. A customer relationship established via a non face-to-face channel should not be considered riskier.
ii. Regulatory Scope
The EFA believes that for the AML regulation to be effectively implemented, it needs to target the right entities within its scope, avoiding unproportionate regulatory burden on FinTechs that do not represent a risk for ML/TF. This is currently the case for AISPs and PISPs under the proposed AML regulation. More specifically, AISPs and PISPs are not holding payment accounts, are not carrying out any transactions, and do not have or collect any data of their own, but – by definition – only get a small subset of the data of the underlying Account Servicing Payment Service Provider (ASPSP).
Moreover, the European Banking Authority clearly stated in its revised guidelines that the inherent risk of ML/TF is limited with regards to PISPs and AISPs. In addition, the EBA provided advice to the European Commission on a future EU AML/CFT framework recommending further assessment of the inclusion of AISPs as obliged entities.
- Suggestion: In order to ensure that the ML/TF risk is proportionate to the requirements, AISPs and PISPs should be excluded from the current regulatory scope.
iii. Uniformity of Rules on Identity and Verification
The approach taken in the proposed AML regulation regarding “minimum” requirements to identity and verification opens the door to future variations at the national level. The EFA is concerned that this could defeat the purpose of having a single and unique EU rulebook. Moreover, the EFA is of the view that the proposed AML regulation could benefit from the inclusion of more specific details in Article 18 with regards to use cases and the impact on core KYC data points and verification requirements, when a European Digital Identification is used during KYC.
- Suggestion: In order to guarantee a uniform implementation of the regulation, all identity and verification requirements, both for face-to-face and remote processes, should be listed as an EU-wide standard on core KYC customer data points. This would encourage a unified standard across the EU.
- Suggestion: A further inclusion under Article 18 to be considered is making reference to remote identity verification and authentication services as qualified trusted services. Currently, such services fall within the scope of “any other secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities” in Article 13 of the AML directive, which implies that there is no harmonisation. Such service providers are effectively blocked from servicing customers cross-border unless they are recognised in each Member State they operate in. To avoid fragmentation and significant revisions to national rules, the EFA stresses that this part of the AML directive should instead be included in AML regulation with a mutual recognition of such processes across the EU.
iv. Supervision & Cooperation
The EFA supports the creation of a designated AML Authority (AMLA) to tackle ML/TF in the EU. We strongly believe that an effective law enforcement framework needs to be put in place and be fit for purpose.
The AML regulation also proposes that the AMLA would issue guidelines addressed to obliged entities concerning the governance structure and procedures they would need to have in place for outsourcing activities. This would ensure harmonisation of outsourcing rules in the EU, which are currently not uniformly applied, with many EU jurisdictions still non-compliant with the guidelines from the European Banking Authority. However, while Article 40 in the proposed AML Regulation sets out the expectations on outsourcing arrangements, it remains unclear if the prohibitions on certain types of outsourcing would also apply in cases of intra-group outsourcing (i.e. activity performed to another company in the same group of companies).
- Suggestion: The newly established AMLA should avoid targeting specific sectors or activities in its definition of a high-risk institution. This is necessary to ensure the supervisory power of AMLA is based on the risk profile of obliged entities.
- Suggestion: To effectively harmonise the EU outsourcing regime and create further certainty for customer due diligence (CDD) service providers, a common approach to sub-outsourcing is needed, and hence needs to be addressed in the upcoming regulations.
- Suggestion: AMLA needs to be established much sooner than currently outlined in the regulation, in order to ensure that the market receives the guidance and technical standards timely.
v. Reliance on an Obliged Entity
The proposed timeline outlined in Article 39 of the AML Regulation with regards to the process of reliance on another obliged entity may be operationally impractical, and could lead to excessive administrative burden without a substantial impact to AML/CFT. This is particularly prevalent in situations where documentation for legal entities is being obtained, and customers need more time to provide all the relevant documentation.
- Suggestion: A more practical timeline for the collection of documentation from customers would lead to a more effective implementation of the envisaged rules.