The European Banking Authority (EBA) recently published a Consultation Paper setting out its proposals for a suite of draft Regulatory Technical Standards (RTS). These standards aim to bring greater consistency, clarity, and robustness to AML/CFT supervision and controls across the EU, affecting both supervisors and financial institutions within its remit.
These changes and public consultation input will guide the future work of the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA).
The Regulatory Technical Standards (RTS) focus on four core areas:
1) Risk Profiling
RTS on how to assess and classify the inherent and residual AML risk profiles of obliged entities, and how often they should be reviewed.
The EBA is introducing a harmonised methodology that all AML/CFT supervisors across the EU must use to assess and classify the ML/TF risk profile of obliged entities.
The proposed methodology involves three key steps:
- Assessing inherent risk based on factors like business model, customer base, and operational exposure, classifying entities into one of four categories: low (1), medium (2), substantial (3), or high (4).
- Evaluating the quality of AML/CFT controls, classifying them as A (very good), B (good), C (moderate), or D (poor).
- Determining residual risk (the remaining risk after controls are applied), again using the same 1–4 scale.
This entire process is intended to be automated via a scoring system, but allows for manual adjustments by supervisors, if justified. The resulting residual risk score will inform the frequency and intensity of supervisory actions, aligning oversight with the actual risk an entity poses.
The goal is to establish a uniform supervisory framework that is proportionate, transparent, and data-driven across all Member States.
2) Direct Supervision
RTS on risk assessments to determine which entities may fall under AMLA’s direct supervision.
According to the proposal, an entity is eligible for direct supervision by AMLA if it operates in at least six Member States either through establishment or through the freedom to provide services.
Under the proposed Regulatory Technical Standards (RTS), the EBA sets two alternative thresholds to assess material activity in a Member State.
Financial institutions should have either:
- Number of customers resident in that Member State: above 20,000,
or
- Total value of transactions by those customers: above €50,000,000.
These thresholds apply regardless of whether the customers are retail or institutional.
3) Customer Due Diligence
RTS covering standardised approaches to CDD requirements.
The AMLR sets out a standardised list of data points that obliged entities must collect to identify and verify customers, beneficial owners, and legal entities. It also defines requirements for data formatting, identity verification, cross-checking, and record-keeping to ensure consistency across the EU. The aim is to improve data quality and enable more effective and harmonised customer due diligence.
The draft RTS also introduces a risk-based frequency for reviewing the ML/TF risk profiles of financial institutions, with annual reviews as the default. Smaller or lower-risk entities may be reviewed every three years instead, but supervisors must reassess more frequently if new risks emerge or existing profiles become outdated. This ensures supervisory efforts remain proportionate and responsive to changes in risk.
4) Sanctions and Penalties
RTS on the use of pecuniary sanctions, administrative actions, and periodic penalty payments.
The draft RTS on the use of pecuniary sanctions, administrative measures, and periodic penalty payments aims to harmonise and clarify how supervisors should apply penalties across the EU for AML/CFT failures. It sets out a framework for determining the seriousness of a breach, considering factors such as its duration, financial impact, and whether it was intentional or negligent. The RTS also specifies criteria for choosing appropriate administrative measures and calculating financial penalties, and it introduces periodic penalty payments as a tool to encourage prompt compliance.
The overall objective is to make enforcement more consistent, fair, and effective, while reflecting the principle of proportionality and the unique circumstances of each case.
How should financial institutions prepare? Response from Napier AI
The EBA’s proposals aim to be proportionate, risk-based, and practical, helping both financial institutions and supervisors implement the rules effectively while managing compliance costs.
Read in-depth explanations of the proposed changes and responses to key questions on financial crime compliance from Napier AI.