Wolfsberg response to EBA consultation on revised Guidelines on money laundering and terrorist financing risk factors
The Wolfsberg Group c/o Basel Institute on Governance Steinenring 60 | 4051 Basel, Switzerland
August 25, 2023
Mr Jose Manuel Campa, Chairperson; Ms Carolin Gardner, Head of Unit (AML/CFT); European Banking Authority, Tour Europlaza, 20 Avenue André Prothin, CS 30154, 92927 Paris La Défense CEDEX, France
Dear Mr Campa, dear Ms Gardner:
RE: Public Consultation on revised Guidelines on money laundering and terrorist financing (ML/TF) risk factors (EBA/CP/2023/11)
The Wolfsberg Group (the Group) welcomes the opportunity to comment on the EBA’s proposed guidelines on variables and factors to be considered by credit and financial institutions, including crypto asset service providers (CASPs), when addressing money laundering and terrorist financing (ML/TF) risks. The Group further welcomes that the EBA acknowledges that the ML/TF Risk factor Guidelines apply to CASPs “as they do to other firms” and notes the affirmation of this principle in the new section 21.1. The Group is of the view that those who undertake the same activity and create the same risk should be subject to the same rules. The Group recommends that the EBA enhances its approach to supervision for all entities including CASPs that engage in the movement of financial value and notes that this Principle as it applies to crypto-asset activities was reaffirmed by the FSB in a publication on 17 July 2023.[1]
Question 1: Do you have any comments on the proposed changes to definitions?
(i) Amendments to Subject matter, scope and definitions
7. Paragraph 12 is amended by replacing the introductory sentence with the following sentence: ‘Unless otherwise specified, terms used and defined in Directive (EU) 2015/849 and Regulation (EU) XXXX/XXX have the same meaning in the guidelines. In addition, for the purposes of these guidelines, the following definitions apply:’
8. Paragraph 12 point (f) and (m) are deleted.
Definitions for CASP activities have evolved rapidly over recent years as have international standards[2] and the Group recommends that the EBA ensure that CASP-specific definitions are clearly understood by all parties. The Group has recognised challenges in this space and is currently in the process of seeking to produce a standardised set of definitions to ensure that everyone has a consistent idea of the same concepts when discussing whether the activity is the same. The Group would welcome the opportunity to review this further with the EBA.
With regards to definitions and terms used throughout this document, the Group notes that ‘bank’, ‘firm’, ‘Money Service Business’, ‘PSP’ (defined on page 26 as Payment Solutions Providers, which differs from the definition used in the second Payment Services Directive which defines it as Payment Service Provider), and ‘CASP’ are used in various places through the Guidelines and requests that there be greater consistency. We would suggest the inclusion of a definitions section where it can be made clear that the Guidelines apply to all these types of entities and that they are referred to as ‘firms’ throughout.
Section 12p) includes a reference to ‘bank accounts’ which we suggest is too specific as, for example, pooled wallets can exist and Payment Service Providers other than banks may provide similar functionality.
Question 2: Do you have any comments on the proposed changes to Guideline 1?
(ii) Amendments to Guideline 1: Risk assessments: key principles for all firms
- At the end of Guideline 1.7 the following new letter is added: ‘d) Where the firm is launching a new product or service, or a new business practice, including a new delivery mechanism, or is adopting an innovative technology as part of its AML/CFT systems and controls framework, it should assess the ML/TF risk exposure prior to the launch and reflect this assessment in the firm’s business-wide risk assessment and its policies and procedures.’
The Group considers that an ML/TF assessment should be conducted at the product’s design as well as periodically if the way that the product is configured or used, or the market in which it is offered, varies significantly from inception. This will ensure that risk assessment is a dynamic process rather than being fixed at a point in time.
The Group recommends that the term ‘launching’ not be used as new products may be made available initially as a pilot, trial, or proof of concept whose limited scope might not be considered by its provider as a ‘launch’ – the Group suggests referring to product provision in order to cover this nuance.
Question 3: Do you have any comments on the proposed changes to Guideline 2?
(iii) Amendments to Guideline 2: Identifying ML/TF risk factors
- Guideline 2.4 letter b) is amended as follows: ‘b) Does the customer or beneficial owner have links to sectors that are associated with higher ML/TF risk, for example certain Money Service Businesses, unregulated businesses that provide services related to crypto assets as described in Guideline 9.21, casinos or dealers in precious metals?’
The Group recommends deleting ‘unregulated’ in the following text “for example ……, unregulated businesses that provide services….” since virtual currency activities are usually viewed as inherently high risk and requests the EBA to verify whether the reference made to Guideline 9.21 should be to the new Guideline 9.21 or 9.20.
Please refer to our response to Question 1 regarding definitions and the use of the term ‘Money Service Business’ in this proposed addition.
Question 4: Do you have any comments on the proposed changes to Guideline 4?
(iv) Amendments to Guideline 4: CDD measures to be applied by all firms
The introductory sentence of Guideline 4.29 is amended as follows: ‘4.29 To perform their obligations under Article 13(1) of Directive (EU) 2015/849, where the business relationship is initiated, established, or conducted in non-face to face situations or an occasional transaction is done in non-face to face situations in accordance with the EBA’s Guidelines (EBA/GL/2022/15) on the use of Remote Customer Onboarding Solutions under Article 13(1) of Directive (EU) 2015/849, firms should:’
Guideline 4.35 is amended as follows: ‘4.35 Where the external provider is a firm established in a third country, the firm should ensure that it understands the legal risks and operational risks and data protection requirements associated therewith and mitigates those risks effectively. The firm should also ensure that it can promptly access the relevant customer data and information when necessary.’
Guideline 4.60 letter a) is amended as follows: ‘a) they differ from what the firm would normally expect, including when transactions are larger or more frequent than usual or transactions involving small amounts that are unusually frequent, or there are successive transactions without obvious economic rationale.’
Guideline 4.61 letter a) is amended as follows: ‘a) taking reasonable and adequate measures to understand the background and purpose of these transactions, for example by establishing the source and destination of the funds or crypto assets or finding out more about the customer’s business to ascertain the likelihood of the customer making such transactions; and’
Guideline 4.74 letter b) is amended as follows: ‘b) Whether they will monitor transactions manually or by using an automated transaction monitoring system. Firms that process a high volume of transactions or transactions at high frequencies should consider putting in place an automated transaction monitoring system;’
In Guideline 4.74 a new letter is added as follows: ‘d) whether the use of advanced analytics tools, like the distributed ledger analytics tools, is necessary in light of the ML/TF risk associated with the firm’s business, and with the firm’s customers’ individual transactions.’
The Group has two comments relating to Guideline 4.6:
- Referencing lists of published red flags is likely to result in a static and ineffective approach to risk management as the publication of the red flags means that they are visible to criminals who can be expected to alter their behaviour based on what they read. The Group recommends that references to red flags also include references to a risk-based approach and the need to consider other factors as they become known to the industry or to the firm.
- The reference to ‘economic rationale’ in Guideline 4.60 excludes the possibility of rationales that may be broader than simply economic; the Group suggests referring to ‘business purpose and/or economic rationale’.
The Group also wishes to highlight that the revised ‘CDD measures to be applied by all firms’ do not include any provisions relating to the need to understand the types of crypto asset that the underlying customer is offering or facilitating. We believe that, regardless of whether a firm is facilitating crypto asset transactions associated with the CASP customer or not, firms should have a general understanding of the types of the crypto assets their customers are engaged in. The same observation is relevant to Guidelines 8 and 9.
Question 5: Do you have any comments on the proposed changes to Guideline 6?
(v) Amendments to Guideline 6: Training
17. Guideline 6.2 letter c) is amended as follows: ‘c) How to recognise suspicious or unusual transactions and activities, taking into account the specific nature of their products and services, and how to proceed in such cases;’
18. In Guideline 6.2 a new letter is added as follows: ‘d) How to use automated systems, including advanced analytics tools, to monitor transactions and business relationships, and how to interpret the outcomes from these systems and tools.’
The Group supports these amendments but recommends a revision to the newly added 6.2d) as this appears directed at a smaller set of staff than those affected by a)-c). We recommend 6.2d) be amended as follows:
“d) How to use automated systems relevant to their responsibilities, including advanced analytics tools, to monitor transactions and business relationships, and how to interpret the outcomes from these systems and tools.”
Question 6: Do you have any comments on the proposed changes to Guideline 8?
(vi) Amendments to Guideline 8: Sectoral guideline for correspondent relationships
19. Guideline 8.6 letter d) is amended as follows: ‘d) The respondent conducts significant business with sectors that are associated with higher levels of ML/TF risk; for example, the respondent conducts: i. significant remittance business; ii. business on behalf of certain money remitters or exchange houses; iii. business on behalf of or with providers of services in the crypto-assets ecosystem established in third countries which are not regulated under Regulation (EU) XXXX/XXX or under any other relevant EU regulatory framework and which are bound by an AML/CFT regulatory and supervisory regime that is less robust than the regime foreseen in Directive (EU) 2015/849; iv. business on behalf of CASPs which allow transfers to and from self-hosted addresses; v. business with non-residents or vi. business in a currency other than that of the country in which it is based.’
20. In Guideline 8.6 a new letter is added as follows: ‘h) the ownership of the IBAN account provided by a respondent CASP to receive fiat funds from customers is in the name of a company other than the CASP.’
21. In Guideline 8.8 a new letter is inserted as follows: ‘d) The respondent is unable to verify with a sufficient level of certainty that its customers are not based in jurisdictions stated in point a) of Guideline 8.8, including when the respondent is unable to verify the IP addresses of its customers, in circumstances where it is required by the respondent’s policies and procedures.’
22. Guideline 8.17 letters a) and c) are amended as follows: ‘a) Gather sufficient information about a respondent institution to understand fully the nature of the respondent's business, in order to establish the extent to which the respondent’s business exposes the correspondent to higher money-laundering risk. This should include taking steps to understand and risk-assess the nature of respondent’s customer base, if necessary, by asking the respondent about its customers, and the type of activities that the respondent will transact through the correspondent account or, if relevant, the type of crypto assets the respondent CASP will transact through the correspondent account.’ ‘c) Assess the respondent institution's AML/CFT controls. This implies that the correspondent should carry out a qualitative assessment of the respondent’s AML/CFT control framework, not just obtain a copy of the respondent’s AML policies and procedures. This assessment should include the transaction monitoring tools in place to ensure that they are adequate for the type of business carried out by the respondent. This assessment should be documented appropriately. In line with the risk-based approach, where the risk is especially high and in particular where the volume of correspondent banking transactions is substantive, the correspondent should consider on-site visits and/or sample testing to be satisfied that the respondent’s AML policies and procedures are implemented effectively.’
The Group believes that the extension of correspondent banking-like obligations to CASPs who provide services to other CASPs is appropriate and warranted. However, to the extent that usage of terminology such as ‘correspondent’ and ‘respondent’ may not be common practice by CASPs, a clear statement that this is what the Guideline means would be beneficial. This is especially necessary in the newly added 8.8d) where reference to the respondent assessing its customers could be taken to imply that the correspondent has an obligation to determine this – please also see our response to Question 7 on KYCC below.
We have three observations on Section 8.17c):
- The proposed revision to 8.17c) contains a reference to ‘correspondent banking services’ which does not seem appropriate and could cause confusion if not changed – we would suggest ‘correspondent services’ instead to be clear that such services could be provided by PSPs other than banks.
- We suggest that the following edit be made in the third sentence: “This assessment should include consideration of the transaction monitoring tools in place to ensure that they are adequate for the type of business carried out by the respondent”, since, in practice, evaluating a customer’s transaction monitoring tool is performed at a high level.
- We suggest amending the fourth sentence so that it reads “This assessment should be documented appropriately in line with the correspondent’s policies and procedures using a risk-based approach” as this provides practical guidance.
Question 7: Do you have any comments on the proposed changes to Guideline 9?
(vii) Amendments to Guideline 9: Sectoral guideline for retail banks
Guideline 9.3 is amended as follows: ‘9.3. Banks should consider the following risk factors and measures alongside those set out in Title I of these guidelines. Banks that provide wealth management services should also refer to sectoral guideline 12, payment initiation services or account information services should also refer to the sectoral guideline 18 and those that provide crypto asset services should refer to the sectoral guideline 21.’
Guideline 9.16 is amended as follows: ‘9.16 Where a bank’s customer opens a ‘pooled/ omnibus account’ in order to administer funds or crypto assets that belong to the customer’s own clients, the bank should apply full CDD measures, including treating the customer’s clients as the beneficial owners of funds held in the pooled account and verifying their identities.’
Guideline 9.17 is amended as follows: ‘9.17 Where a bank has determined, based on its ML/TF risk assessment carried out in accordance with these guidelines, that the level of the ML/TF risk associated with the business relationship is high, it should apply the EDD measures set out in Article 18 of Directive (EU) 2015/849 as appropriate.’
The introductory sentence of Guideline 9.18 is amended as follows: ‘9.18. However, to the extent permitted by national legislation, where, in accordance with the individual ML/TF risk assessment of the customer, the risk associated with the business relationship is low, a bank may apply SDD measures, provided that:’
The heading of Guidelines 9.20 to 9.24 is amended as follows: ‘Customers that offer services related to crypto-assets’
Guidelines 9.20 to 9.23 are replaced as follows: ‘9.20 When entering into a business relationship with a customer who is a provider of services in a crypto-assets ecosystem established in a third country, which is not regulated under Regulation (EU) [xxxx/xxx] or under any other relevant EU regulatory framework, banks may be exposed to increased risk of ML/TF. Banks should carry out the ML/TF risk assessment of these customers and, as part of this, banks should also consider the ML/TF risk associated with the specific type of crypto assets.
9.21 To ensure that the level of ML/TF risk associated with customers described in Guideline 9.20 is mitigated, banks, as part of their CDD measures, should at least: a) enter into a dialogue with the customer to understand the nature of the business and the ML/TF risks to which it is exposed; b) in addition to verifying the identity of the customer’s beneficial owners, carry out due diligence on senior management to the extent that they are different, including consideration of any adverse information; c) understand the extent to which these customers apply their own customer due diligence measures to their clients either under a legal obligation or on a voluntary basis; d) establish whether the customer is registered or licensed in an EU/EEA Member state or a third country, and, in the case of a third country, take a view on the adequacy of that third country’s AML/CFT regulatory and supervisory regime; e) establish whether the services provided by the customer fall within the scope of the registration or licence of the customer; f) establish whether the customer is providing other services for which it is registered or licensed as a credit or financial institution; g) find out whether businesses issuing crypto assets to raise funds such as Initial Coin Offerings (ICOs), are legitimate and, where applicable, regulated for AML/CFT purposes in accordance with internationally agreed standards, such as standards published by the Financial Action Task Force.’
Please see our response to Question 1 regarding definitions as several of the sections under Guideline 9 refer only to banks. We recommend that these apply more broadly to firms, rather than just banks, in line with the principle of same activity, same risk, same regulation/supervision.
Guideline 9.16 seems to suggest that there is a KYC obligation by the firm towards the CASPs’ customers. The situation described in 9.16 is that of a correspondent relationship. The international standard as well as industry practice in these situations is to NOT KYC the customer’s customer.[3] Following the logic that we support, i.e. to apply similar rules to CASPs where similar rules can be applied (please see also our additional remark under question 6), we ask that the EBA puts the focus under 9.16 on the CASPs rather than the CASPs’ customers. If the responsibility is not placed on the CASP, it may result in derisking of correspondent services businesses as many may deem this requirement as impracticable.
We recommend that Guideline 9.17 require CASPs to perform EDD when they determine that their customer poses high ML/TF risk.
Question 8: Do you have any comments on the proposed changes to Guidelines 10, 15 and 17?
(viii) Amendments to Guideline 10: Sectoral guideline for electronic money issuers
- Guideline 10.2 is amended as follows: ‘10.2. Firms that issue e-money should consider the following risk factors and measures alongside those set out in Title I of these guidelines. Firms whose authorisation includes the provision of business activities as payment initiation services and account information services should also refer to the sectoral guideline 18. The sectoral guideline 11 for money remitters may also be relevant in this context. Firms that provide crypto asset services should also refer to the sectoral guideline 21.’
The Group supports the amendments.
Question 9: Do you have any comments on the proposed changes to Guideline 21?
(xi) ‘Guideline 21: Sectoral guideline for crypto asset services providers (CASPs)
21.1. CASPs should be mindful that they are exposed to ML/TF risks due to specific features of their business model and technology used as part of their business which allows them to transfer crypto assets instantly across the world and onboard customers in different jurisdictions. The risk is further increased when they process or facilitate transactions or offer products or services which contain privacy-enhancing features or which offer a higher degree of anonymity.
21.2. When offering crypto asset services, CASPs should comply with provisions in Title I as well as the provisions set out in this sectoral guideline and Guideline 8, if relevant.
The Group supports the amendments.
Yours sincerely,
Alan Ketley
Executive Secretary
The Wolfsberg Group
Footnotes
1. FSB (2023), FSB finalises global regulatory framework for crypto-asset activities.
2. For example, FATF (2021), Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.
3. See FATF (2016), FATF Guidance on Correspondent Banking Services, p.4; ACPR (2018), Principes d’application sectoriels sur la correspondance bancaire, paragraph 41, p.18; BAFIN (2021), Auslegungs- und Anwendungshinweise, section 5.5.1, p.10.


