ResourcesPractical guidance and standards for financial crime compliance practitioners

Mr. Jose Manuel Campa
Chairperson
European Banking Authority
Tour Europlaza
20 Avenue André Prothin
CS 3015492927 Paris La Défense CEDEX
France

Dear Mr. Campa:

RE: Consultation on effective management of ML/TF risks when providing access to financial services (EBA/CP/2022/13)

The Wolfsberg Group (“the Group”) and the Institute of International Finance (“IIF”) are grateful for the opportunity to respond to the European Banking Authority’s (“EBA”) Consultation on effective management of Money Laundering and Terrorist Financing (“ML/TF”) risks when providing access to financial services (the “Consultation”).¹ This response builds on our submission to the EBA’s 2020 call for input on de-risking on September 11, 2020. Our organisations strongly support the work of the EBA in leading, coordinating and monitoring the Anti-Money Laundering and Countering the Financing of Terrorism (“AML/CFT”) efforts of the European Union’s (“EU”) financial sector. Consultations like this – which help to make the drivers and effects of issues such as de-risking and the links with AML/CFT policy more understandable – are important undertakings and the financial services industry values playing a constructive role in the EBA’s review.

As noted in the Group’s Statement on Effectiveness, efforts by jurisdictions on adopting the Financial Action Task Force (“FATF”) focus on effective outcomes will bring ‘the benefit of reducing friction on customers and helping governments with their objective of financial inclusion’.²

We therefore recommend that the EBA consider concerns regarding de-risking as intrinsically linked with the wider work to address systemic issues of AML/CFT reform underway in the EU, specifically through the European Commission’s Action Plan for a comprehensive Union policy on preventing money laundering and terrorist financing and the legislative process to implement that Plan. We also encourage a focus on the wider strategies to promote financial inclusion amongst Non-Profit Organisations (“NPO”) and vulnerable persons, including consideration of Environmental, Social, and Governance (“ESG”) goals, as detailed below. Lastly, we strongly recommend close alignment between the EBA’s work and that of FATF, specifically on de-risking but also on wider reform matters with the aim of ensuring international consistency in all measures to tackle financial crime across jurisdictions.

Key Issues and Recommendations: This stand-alone letter complements a detailed submission made online and highlights recommendations in the following areas:

I. Definition of ‘De-Risking’

FATF’s 2021 Stocktake of unintended consequences recognised that “The loss of access to financial services represents de-risking if it is not based on a case-by-case assessment of risk and ability to mitigate that risk”.³ However, the EBA’s proposed definition of ‘de-risking’ does not include reasonable grounds Financial Institutions (“FIs”) may have for exiting/declining individual customers or transactions to manage higher ML/TF risk or commercial realities following a case-by-case assessment. For example:

• Customer conduct: Including, inter alia, customers acting willingly as money mules or defrauding the FI.
• Risk management and compliance with legal obligations: Examples include transactions that may breach relevant sanctions obligations, instances where customer due diligence cannot be completed or where there are reasonable grounds to suspect ML/TF e.g. where wire transfers do not contain all required payer/payee information. Similarly, unclear or divergent legal obligations across jurisdictions can present FIs with regulatory risk which may fall outside of their risk appetite.
• Prudent commercial decisions: There is a distinction between undue de-risking and the prudent commercial decisions made by FIs balancing the cost of compliance with the AML/CFT legal and regulatory framework and the residual risk against the reasonably expected value of the business relationship/transaction. This is an appropriate and prudent business practice.

Recommendation:

➢ We recommend the EBA adopts FATF’s definition of ‘de-risking’ to align with international standards and to avoid unintended consequences: “financial institutions terminating or restricting business relationships with clients or categories of clients to avoid, rather than manage, risk in line with the FATF’s risk-based approach.”

II. General Requirements

• The General Requirements outlined in the Consultation need to consider unacceptable customer conduct (e.g. money mules). FIs must be permitted to terminate or decline individual customers in these circumstances without necessarily first considering all possible mitigating measures.
• Where an FI does not believe that it can manage the financial crime risks associated with an individual business relationship effectively – either with respect to mitigating the risk to be within its risk tolerance or to manage the risk in a commercially viable manner – it would not enter or maintain that business relationship, in line with legal obligations and international standards.⁴
• It is an appropriate and prudent business practice to consider the cost of effective risk management when determining the viability of a relationship or product offering; only in exceptional cases (e.g. vulnerable groups) should refusal be restricted by law.
• We welcome the statement in the Consultation that the existing legal limitations for payment accounts with basic functionality mitigate the risk of the product.
• FATF’s first principle on Identification for Sustainable Development requires “countries to fulfil their obligations to provide legal identification to all residents… particularly when these are a pre-requisite for accessing basic public and private sector services, such as banking.”⁵ FIs require legal certainty when applying exceptions relating to verifying identity, while consumers benefit from standardisation and consistent adoption by regulated firms.

Recommendations:

• We recommend that the General Guidance acknowledges the following:
  • The principle of FIs having legitimate risk management reasons for exiting/declining individual customers on a case-by-case basis.
  • That it is appropriate and prudent business practice to consider the cost of effective risk management when determining the viability of a relationship or product offering.
• In these circumstances, it should not be necessary for FIs to consider all possible mitigating measures.
• The following measures will support FIs applying simplified due diligence on payment accounts with basic features within the meaning of Art. 16 of Directive 2014/92/EU, thereby facilitating access to banking:
  • A regulatory low-risk presumption for these payment accounts with basic features.
  • To be truly effective, this presumption could be supported by clear articulation by Member State competent authorities to FIs and supervisory authorities on access to banking being a policy priority balanced against financial crime risk.
  • Once determined, these measures could be issued by the dedicated Anti-money laundering Authority (“AMLA”) due to be established in the EU.
• Member States/supervisors could set out which forms of identification are considered independent and reliable, while permitting regulated firms flexibility to maximise access to banking.

III. Applying Restrictions to Services or Products

• We are concerned that the imposition of targeted restrictions on financial products and services by FIs will create tension with Article 17 of the Directive 2014/92/EU.
• The potentially adverse impact on customers’ needs to be considered before the guidance is finalised.
• We note that transactional restrictions can be circumvented by criminals opening accounts with multiple FIs, depriving any one FI of a full picture of the customer’s activities. This ultimately makes it harder for law enforcement to follow the money.

Recommendation: ➢ We recommend that the EBA revisits this guidance to ensure it does not result in tension with Article 17 of the Directive 2014/92/EU and does not result in unintended consequences.

IV. Non-Profit Organisations (“NPOs”)

• We are concerned that the annex that sets out factors to be considered when assessing the ML/TF risks associated NPOs (the “annex”) risks exacerbating the issue it intends to remedy by not addressing the causes of undue de-risking of NPOs, as identified in the EBA’s 2022 Opinion⁶ on de-risking and FATF’s 2021 Stocktake.
• The annex does not recognise the full spectrum of ML/TF risk posed by different NPOs, as identified by Member State national risk assessments, recognised by the 2022 Supranational Risk Assessment (“SNRA”)⁷ and as experienced by FIs.
• As shown by national risk assessments as well as our experience, the majority of the NPOs pose a lower level of ML/TF risk. However, FIs are currently dissuaded from applying appropriate risk-based due diligence on NPOs by the SNRA and will be prohibited from doing so if the list of measures in the annex is expected to be applied in all cases, following a rules-based approach.
• FIs need to have the ability to apply a risk-based approach (“RBA”) to NPOs and be able to use their own risk assessment, informed by a nuanced SNRA and national risk assessments, to determine the level of risk posed by each individual NPO. FIs should not be required to treat the sector as homogenous (as supported by the interpretive note to FATF Recommendation 8 (“R.8”) which says, inter alia “since not all NPOs are inherently high risk (and some may represent little or no risk at all)”).
• FATF’s 2021 Stocktake recognises that “rules-based requirements increase inclusion barriers”. This is because rules-based requirements increase the cost of compliance, disproportionate to the risk being managed and increase the fear of supervisory action should they not be applied in full, even when they are disproportionate to the risk. The annex risks exacerbating these issues.
• Due to the significant complexities in sanctions and AML regimes and the risk of FIs being held liable for the activity of their customers, FIs need to be confident that higher-risk NPOs are aware of their own obligations and that they have implemented effective compliance regimes. Competent authorities have an important role in helping NPOs build risk awareness and risk management capabilities.
• Just as NPOs can engage with their financial services provider(s) openly and proactively on operational issues, such as sanctions licencing, FIs need to work with NPOs to understand their structure and how they operate. Competent authorities have an important role in fostering dialogue at an industry level.

Recommendations:

• We recommend that the annex is updated to reflect the full spectrum of ML/TF financing risk posed by different NPOs. This will empower FIs to apply a true risk-based approach (RBA) to NPOs and not be required to treat the sector as homogenous.
• The annex could also be updated to specifically address the causes of undue de-risking identified by the EBA and FATF.
• We encourage Competent Authorities to implement an RBA designed to protect NPOs from terrorist financing abuse in line with FATF’s Recommendation 8.
• The EBA should clarify that the list of due diligence measures in the annex is illustrative and neither mandatory nor comprehensive; instead, an FI can apply such measures as required to manage the risk posed by an NPO effectively, based on the FI’s customer risk assessment where higher-risk NPOs are involved.
• It would be optimal for the SNRA to be updated to reflect Member State risk assessments, thereby supporting the application of simplified due diligence when NPOs pose a low risk of ML/TF.
• We welcome the examples of effective multi-stakeholder dialogue between competent authorities, FIs and NPOs highlighted in the EBA’s 2022 Opinion and encourage further engagement at the national level.
• We encourage the European Commission and Member States to undertake further assessment of the scale and causes of limiting financial access for NPOs to maximise effectiveness of corrective measures while minimising unintended consequences. Further assessment will also inform efforts to measure the effectiveness of measures taken to address undue de-risking of NPOs.

The Group and the IIF look forward to working with you on these important issues. If we can be of further assistance, please contact the Wolfsberg Group Secretariat at info@wolfsberg-group.org and Matthew Ekberg of the IIF at mekberg@iif.com.

Very truly yours,

Alan Ketley
Executive Secretary
The Wolfsberg Group
TR ID 744386148303-66 | Andres Portilla
Managing Director and Head
Regulatory Affairs Department
Institute of International Finance

[https://www.bis.org/bcbs/publ/d405.pdf].