ResourcesPractical guidance and standards for financial crime compliance practitioners

The Wolfsberg Group
c/o Basel Institute on Governance
Steinenring 60 | 4051 B asel,
Switzerland

October 28, 2022

For the attention of:

Mr. Miroslav Benáček, Financial Services Attaché of the Czech Republic
Mr. Eero Heinäluoma, Member of the European Parliament
Mr. Emil Radev, Member of the European Parliament
Mr. John Berrigan, Director-General, DG FISMA

Cc:
Mr. Mats Anderson, Financial Services Attaché of Sweden
Mr. Markus Forsman, Financial Services Attaché of Sweden
Mr. Tomas Nasarre, Financial Services Attaché of Spain
Ms. Alexandra Jour-Schroeder, Deputy Director-General, DG FISMA
Mr. Martin Merlin, Deputy Director-General, Banking, Insurance and Financial Crime, DG FISMA
Ms. Raluca Prună, Head of Financial Crime Unit, DG FISMA

Wolfsberg Group Comment Letter on the EU AML/CFT Legislative Package

Dear Sir/Madam,

The Wolfsberg Group (the Group) is an association of thirteen global banks which aims to develop frameworks and guidance for the management of financial crime risk.¹ In December 2019, the Group published a Statement on Effectiveness² outlining what we believe are the key elements of an effective Anti-Money Laundering/Counter Terrorist Financing (AML/CFT)³ programme (The Wolfsberg Factors). The Group subsequently published papers on the ways in which a Financial Institution (FI) can assess risk in defined priority areas and demonstrate the effectiveness of its AML/CFT programme,⁴ and further drive effectiveness through engagement with Public-Private Partnerships.⁵

The Group welcomes the ambitious package of legislative proposals to strengthen and harmonise the EU’s AML/CFT framework (the EU AML Package). FIs can detect, prevent, and report money laundering and terrorist financing most effectively within a consistent AML/CFT framework consisting of a baseline of risk-focused rules and a risk-based approach (RBA). Clearly defined information sharing gateways, consistent with GDPR principles, can provide highly useful information to relevant government agencies. Harmonised supervisory practices and standards, considering all sectors that introduce money laundering and terrorist financing risk, can strengthen the integrity of the EU’s financial system.

The Group has been publishing standards, frequently asked questions, and guidance documents on a wide range of financial crime compliance topics for over 20 years. These publications are used by the financial services industry worldwide and have been supported by the public sector and cited favourably by regulatory authorities. Topics covered have included standards on private banking, the risk-based approach, payment transparency, politically exposed persons, source of wealth/source of funds, anti-bribery and corruption, sanctions screening, risk management for customers who transact digitally, and the handling of negative media. The Group is also the creator and publisher of the Correspondent Banking Due Diligence Questionnaire which has become the industry-standard for correspondent banking due diligence.

Purpose of the Submission

Money laundering and terrorist financing pose a serious threat to the integrity of the EU financial system and the security of its citizens.⁶ The Group would like to stress its support for the EU AML Package as an important step in delivering a strong AML/CFT framework. In the context of ongoing trilogue negotiations and recent submissions by EU bodies including the European Data Protection Board (EDPB) and the European Banking Authority (EBA), our letter provides suggestions and observations on the following key issues:

I. Harmonisation of supervisory practices and standards by establishing the EU AML Authority (AMLA) supported by Regulatory Technical Standards (RTS). It is vital that harmonisation comprises a rationalised set of requirements and practices based on identified money laundering and terrorist financing risks.

II. Enhanced information sharing in line with GDPR principles whereby Financial Institutions (FIs) can provide highly useful information to government agencies aligned with defined EU financial crime priorities.

III. Facilitating an effective Risk-Based Approach with particular focus on developing a baseline of rules that support FIs in detecting, preventing, and reporting suspected cases of money laundering and terrorist financing.

Our proposals are in line with individual responses contributed by our members who have also engaged on the EU AML package with trade associations and international bodies.

I. Harmonisation of supervisory practices and standards

A. Anti-Money Laundering Authority (AMLA)

The Group welcomes the establishment of the AMLA as an overarching EU supervisor as part of an integrated AML/CFT supervisory system. We support AMLA’s role as the source of consistent supervisory standards applicable across all Member States.

The Group encourages AMLA, when setting out its RBA to supervision,⁷ to focus supervisory and FI resources on activity that has a high impact on money laundering and terrorist financing, taking into account law enforcement priorities set by the EU.

It is important that AMLA documents a clear and predictable methodology for selecting obliged entities for direct supervision, with a streamlined selection process based on harmonised criteria. Sufficient notice period should be provided to allow obliged entities to align their processes and governance (comparable to the establishment of the single supervisory mechanism) with the requirements. Stable, predictable, regulatory oversight over an extended period would be welcome.

It is important that AMLA’s scope incorporates all sectors that introduce money laundering and terrorist financing risk into the system. This includes peer reviews of supervisory authorities in the non-financial sector as part of AMLA’s responsibility to ensure high-quality supervision across the EU.

B. Regulatory Technical Standards

The Group encourages AMLA, when setting the RTS, to focus on AML/CFT outcomes and effectiveness rather than technical compliance. This can be achieved by enforcing a baseline of risk-focused rules requiring obliged entities to implement controls that are reasonably designed to manage the specific risks they face. We have provided examples in the section below entitled ‘Facilitating an effective Risk Based Approach’.

The Group encourages both the Commission and AMLA to further global consistency by leveraging guidance issued by the Financial Action Taskforce (FATF), including but not limited to, areas that are highlighted in this letter such as beneficial ownership. Reinforcing international standards will reduce the risk of creating unintended loopholes in AML/CFT measures between the EU and third countries, as well as reducing the risk of potential competitive disadvantages for stakeholders in the EU - one of the six pillars of the European Commission’s 2019 action plan.

The replacement of fragmented requirements with a single set of RTS under AMLA should increase AML/CFT effectiveness and assist consumers by removing friction when accessing financial services across the EU. To avoid duplication and conflicting standards there needs to be clarity on the applicability of existing requirements and guidelines⁸ (e.g. those previously published by the EBA and national competent authorities). We would also like to underline the importance of making the RTS available to FIs as soon as possible to allow adequate time for implementation.

Given the importance of the RTS in driving harmonisation and effectiveness, the Group would be very happy to offer its technical expertise to AMLA in the drafting process.

II. Enhanced information sharing in line with GDPR principles

FATF has stated that the fight against financial crime and the objectives of data privacy are “not in opposition nor inherently mutually exclusive”.⁹ The Group believes that the EU’s AML/CFT efforts can be made more effective by permitting and encouraging relevant public and private sector stakeholders to share financial crime information, both domestically and internationally, through an appropriate legal framework consistent with GDPR principles; we also support FATF’s recommendation that countries consider “updating existing legal or supervisory instruments”.¹⁰

Information sharing within Public-Private Partnerships (PPPs) enables FIs and government authorities to gain an improved overview of the threat landscape by leveraging the combined perspectives of all participants and by conducting targeted network analysis. Examples have demonstrated the effectiveness of PPPs sharing actionable intelligence to identify criminal networks, both strategically (e.g. typologies and geographic indicators) and tactically (underlying case data).¹¹

In addition to information sharing between the public and private sectors, it is also important for obliged entities to be permitted to share information between themselves (e.g. via joint utilities) in line with GDPR principles. Since criminal networks tend to use multiple FIs, the ability for FIs to share information between themselves for the purposes of detecting and preventing financial crime can enhance their ability to identify such networks; thereby improving the quality of information provided to relevant government agencies.¹²

III. Facilitating an effective Risk-Based Approach

FATF establishes the Risk-Based Approach (RBA) as the key pillar of an effective AML/CFT programme and seeks to optimise the detection or deterrence of illicit activity (i.e. focused on outcomes), as opposed to purely technical compliance with regulations.¹³ Rules that are not aligned to the actual risk they are designed to manage can result in unintended consequences, such as overburdening legitimate customers with excessive requirements, or undermining financial inclusion – which ultimately hampers financial crime detection and prevention efforts. These unintended consequences should be minimised.

The Group believes that a baseline of risk-focused rules, documented in regulation and technical standards/guidance, is critical for reducing complexity and ensuring harmonised and effective AML/CFT measures across the EU. These rules should be designed to focus on outcomes rather than on activities with a low impact on the prevention, detection and reporting of money laundering and terrorist financing. These rules must be supported by a requirement for FIs to design their control environment, dedicate their resources, demonstrate the design effectiveness of their approach, all in accordance with the risks they face, and be examined/regulated accordingly. There is therefore a critical role for supervisors to play in true implementation of the risk-based approach and the recent FATF paper on the role of supervisors and their role in supporting the delivery of a more effective framework is relevant here.¹⁴

The Group has identified seven areas where the EU AML Package can enhance the RBA: Beneficial Ownership; Customer Due Diligence; Outsourcing; “Ongoing” Reliance; Cash Limits; Technology; Bank Account Registers and Electronic Data Retrieval Systems.

1. Beneficial Ownership (art. 42 & 44 AML-R and AMLD-6)
   Beneficial ownership transparency is critical for detecting and preventing the misuse of legal persons and legal arrangements for money laundering and terrorist financing. The Group believes strongly that beneficial ownership reform must be aligned with FATF Recommendations and driven by a thorough understanding of risk. In particular:

(a) Control through an ownership interest (art. 42 AML-R): The Group supports the EU’s aim to harmonise the definition of beneficial ownership. To drive an effective RBA, the Group encourages the EU to retain the current position of 25% plus one share, without the possibility for Member States to apply lower thresholds. FIs should have the ability to select lower thresholds for certain customer groups to manage risk in line with their RBA.

The Group supports the European Banking Federation¹⁵ position on beneficial ownership in its Joint Industry Letter submitted to Mr. Heinäluoma and Mr. Carême, MEPs, on 22 May 2022.

(b) Information requirements (art. 44 AML-R): The Group supports the importance of identifying beneficial owners. However, the private personal information required must have a clear AML/CFT purpose and must be harmonised with other regulatory initiatives such as digital identification, UBO registries and bank account registries. Descriptive information, such as place of birth, does not always contribute to identifying an individual and/or assessing their associated risk. In such cases, in accordance with the RBA, FIs should have discretion to establish when such information is necessary to manage risk effectively.

In addition, article 44 (2) AML-R sets “14 calendar days following any change of the beneficial owner(s), and on an annual basis” for obtaining beneficial ownership information. The Group would welcome clarity as to whom this requirement is directed and believes that legal entities and legal arrangements should be responsible for updating their own beneficial ownership information held in a central register in a timely manner.

(c) Beneficial Ownership Registers (AMLD-6): The benefits of comprehensive and verified beneficial ownership registers to law enforcement, relevant persons, legal entities and legal arrangements have been well documented.¹⁶

The Group believes that the following measures are necessary for beneficial ownership registers to be an effective tool for detecting and preventing money laundering and terrorist financing:

• A single EU-wide definition and methodology for assessing and reporting beneficial ownership across legal persons and legal arrangements.
• Legal compulsion for legal persons and legal arrangements to submit timely, accurate and complete information.
• The entity that manages the register should be ultimately responsible for verifying the accuracy of submissions received.
• Using multiple data sources and methodologies to verify customer information, including the use of information already held by government agencies. To do this, data must be stored in a consistent manner and data systems must be inter-operable to facilitate effective analysis.
• Enforcement of proportionate and dissuasive sanctions for legal persons and legal arrangements that fail to provide beneficial owner information as and when required.
• Risk-based and adequate measures to verify both the personal identity of beneficial owners and their status within the legal person / legal arrangement.
• Providing the body that manages the beneficial ownership register with sufficient resource and risk-based powers to question, correct, and delete data and to report suspicion of money laundering or terrorist financing to the FIU.
• Ensuring that the body that manages the register is well-versed in AML/CFT laws and aware of known and emerging threats to identify financial crimes typologies, inconsistencies, and materially incorrect information.
• Requiring obliged entities to report material beneficial ownership discrepancies as a complementary measure focusing on threat typologies and national threat priorities rather than administrative (technical) errors.

2. Customer Due Diligence (art. 21 (2) AML-R)
   Article 21 (2) AML-R requires obliged entities to update customer information no less frequently than every five years. The Group agrees with the importance of keeping information up to date. However, technology such as digital channels and KYC utilities are providing a deeper, dynamic understanding of the customer risk profile, enabling FIs to be more targeted in the application of resources to keep information up to date. Setting a minimum frequency for all customers, regardless of risk, is not only inconsistent with an RBA, but also stifles innovation, results in low-impact AML/CFT activity, and creates unnecessary friction for customers.

3. Outsourcing (art. 40 AML-R)
   FIs often outsource activity to another legal entity within their group (e.g. the parent company), with the outsourcing entity retaining responsibility for the outsourced activity. According to the current proposal, outsourcing is strictly limited even within a group. We believe strongly that FIs should be permitted to outsource activity within a group (whilst maintaining responsibility), and more widely provided appropriate governance is in place. Moreover, we note that small and medium-sized FIs depend on outsourcing, particularly making use of expertise available at specialised companies to address the ever-increasing complexity of financial crime risk prevention more efficiently, which improves competition within the banking industry. The Group welcomes the numerous amendments to article 40 AML-R proposed by the European Parliament in this regard.¹⁷

4. “Ongoing” reliance (art. 38 AML-R)
   The Group is keen to underline the importance of obliged entities placing reliance on other obliged entities for compliance with customer due diligence and record-keeping requirements where appropriate. Reliance means that customers do not need to be asked multiple times for the same information and documents, on some occasions by one and the same employee acting on behalf of several entities within a group. The Group supports any amendment that avoids unnecessary burden on customers and recommends that reliance should be permissible both when an FI onboards a customer and when the FI refreshes its customer due diligence.

5. Cash limits (art. 59 AML-R)
   Article 59 AML-R contains a new obligation for FIs to report to the FIU any (single or linked) cash payments and deposits made at their premises above EUR 10,000. To make this proposal both effective and efficient, the Group recommends that Article 59 AML-R is revisited to: (i) allow cash transaction data to be submitted to the FIU in an automated fashion, and (ii) eliminate the aggregation requirement. This approach has three benefits: (i) FIUs will receive information on cash transactions much faster than today, (ii) FIUs will be able to aggregate cash transactions across all reporting FIs thereby providing a more holistic view of the depositor’s activity, and (iii) FIs would be able to redeploy staff to more effective AML/CFT tasks.

If a cash limit is to be included in the Regulation,¹⁸ the Group recommends that it is applied consistently across all the EU, without permission for Member States to apply a lower limit, as currently included in the proposal¹⁹ to avoid unnecessary complexity for consumers and incentives for criminals.

6. Technology
   The Group encourages AMLA both to use and support appropriate and responsible use of new technologies to enhance the effectiveness of AML/CFT risk management. The potential of machine learning, data analytics and digital identity in managing AML/CFT risk is ever increasing.

Innovation can only be as effective as the ability of the regulatory environment to adjust and remain in sync with technological changes. The Group recommends that innovation in financial regulatory technology is encouraged at an EU-level. An example to support more targeted suspicious activity reports is the usage of artificial intelligence (AI) e.g. by detecting atypical behaviour. The Group supports a legal basis for AI in the AML-R, bearing in mind the proposed role for AMLA to develop AI services and tools for FIUs.²⁰ The Group would also support establishing an agreed set of principles on data ethics to support consistent adoption of technology. When switching to more effective systems, regulated entities should also not be expected to run parallel systems if the new system has proven to be more effective.

7. Bank account registers and electronic data retrieval systems (AMLD-6)
   The Group recognises the value of centralised bank account registers. However, EU implementation of these registers is fragmented which may undermine the usefulness of registers for law enforcement authorities and results in significant complexity, inefficiencies, and cost for FIs operating in multiple Member States. The Group encourages the harmonisation of centralised bank account register definitions, technical standards, and requirements across the EU (including, for example, the necessary personal information required on each customer or beneficial owner).

The Group remains at your disposal should any clarification with respect to the above be required. We note that some matters under consideration may require technical or specialised input, which the Group will be happy to provide, in particular as part of the RTS drafting process. We look forward to engaging further with EU authorities on these matters.

Sincerely

Alan Ketley
Executive Secretary

---

Footnotes

1. The Group’s members are Banco Santander, Bank of America, Barclays, Citigroup, Credit Suisse, Deutsche Bank, GoldmanSachs, HSBC, J.P. Morgan Chase, MUFG Bank, Société Générale, Standard Chartered Bank, and UBS. ↩

2. The Wolfsberg Statement on Effectiveness ↩

3. Wolfsberg publications use the acronym ‘CTF’ but this document uses ‘CFT’ for consistency with the EU AML Package terminology. ↩

4. Developing an Effective AML/CTF Programme & Demonstrating Effectiveness ↩

5. Effectiveness through Collaboration ↩

6. Context to the AML-R. ↩

7. Article 8 AMLA Commission Proposal. ↩

8. As example: EBA, Guidelines on money laundering and terrorist financing risk factors, revised in March 2021. ↩

9. FATF/OECD (2022), Partnering in the Fight Against Financial Crime: Data Protection, Technology and Private Sector Information Sharing. ↩

10. Idem. ↩

11. RUSI/FFIS (August 2020), Survey Report, Five years of growth in public-private financial information-sharing partnerships to tackle crime. ↩

12. MEP Amendment 878. ↩

13. FATF (March 2022), The FATF Recommendations 2012, International standards on combatting on money laundering and the financing of terrorism & proliferation. ↩

14. FATF (March 2021) FATF Guidance on Risk-Based Supervision. ↩

15. In collaboration with the European Savings Banks Group, the European Association of Cooperative Banks, and the European Association of Public Banks. ↩

16. For example, FATF’s Best Practices on Beneficial Ownership for Legal Persons. ↩

17. MEP Amendments 720 – 725, 727 – 729, 731 – 738. ↩

18. The following MEP Amendments address deletion of this article that the Group would support: 916 – 920. ↩

19. Article 59 (2) and (3) AML-R – MEP Amendments that address deviation by Member States: amendments 931 and 932. ↩

20. Article 5 (5) (e) AMLA Commission Proposal. ↩