Commission Delegated Regulation (EU) 2024/595 of 9 November 2023 supplementing Re... (32024R0595)
EU - Rechtsakte: 10 Economic and monetary policy and free movement of capital
2024/595
16.2.2024

COMMISSION DELEGATED REGULATION (EU) 2024/595

of 9 November 2023

supplementing Regulation (EU) No 1093/2010 of the European Parliament and of the Council with regard to regulatory technical standards specifying the materiality of weaknesses, the type of information collected, the practical implementation of the information collection and the analysis and dissemination of the information contained in the Anti-money laundering and counter terrorist financing (AML/CFT) central database referred to in Article 9a(2) of that Regulation

(Text with EEA relevance)

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (1), and in particular Article 9a(1), third subparagraph, and Article 9a(3), third subparagraph, thereof,
Whereas:
(1) Article 9a(2) of Regulation (EU) No 1093/2010 requires the European Banking Authority (EBA) to establish and keep up to date a central database of information collected in accordance with Article 9a(1), point (a), of that Regulation. As a result, specifying how information is to be analysed and made available to reporting authorities on a need-to-know and confidential basis, as required by Article 9a(3) of that Regulation, inevitably relates to the specification of details for setting up that central database.
(2) It is necessary to specify the corresponding situations where weaknesses may occur. Supervision includes all relevant activities, without prejudice to national competences, of all reporting authorities to be carried out pursuant to the sectoral legislative acts, and is, hence, diverse. Therefore, the corresponding situations should be specified having regard to the supervisory activities performed by the different reporting authorities.
(3) To determine the materiality of a weakness, it is necessary to set out its general definition and a non-exhaustive list of criteria to specify that definition further. Such definition and list of criteria are necessary to achieve on the one hand a harmonised approach in the application of that general definition, while on the other hand to ensure that all material weaknesses, within the meaning of the general definition, are captured taking into account the specific context.
(4) To ensure that reporting authorities report weaknesses to the database at an early stage, a material weakness should be defined in such a way that it encompasses not only weaknesses that reveal, but also those weaknesses that could lead to a significant failure in complying with applicable requirements related to anti-money laundering and combating the financing of terrorism (AML/CFT) even if such failure has not yet occurred. This is also justified by the fact that information should be reported to the database on a best effort basis by those authorities that do not possess the same level of AML/CFT information and expertise as the supervisory authorities designated as competent under Directive (EU) 2015/849 of the European Parliament and of the Council (2).
(5) To set out the type of information to be submitted, it is necessary to distinguish between general information, information on material weaknesses and information on the measures taken.
(6) When setting out the components of the general information to be submitted, particular attention should be given to financial sector operators that operate on a cross-border basis, including financial sector operators that are part of a group for which a college operates. To ensure comparability of information submitted, AML/CFT authorities should also submit to the EBA as part of that general information the financial sector operator’s AML/CFT risk profile using common categories.
(7) Prudential authorities should, as part of the general information that they are to report, provide information on the result of the relevant risk assessment of any supervisory review process and of any other similar process affected by the money laundering and terrorist financing risk of the financial sector operator together with information on any negative final assessment or negative decision on applications for authorisation, where such assessment or decision is also based on the grounds of money laundering and terrorist financing risks.
(8) To take into account the distinct competences of the home and host AML/CFT authorities as set out in Directive (EU) 2015/849, it is necessary to clarify that both the home and the host AML/CFT authorities should report to the EBA material weaknesses they have each identified in the performance of their respective competences. It is also necessary to clarify that the measures taken by the host AML/CFT authority should be submitted to the database independently of any notification to the home authority.
(9) It is necessary to ensure that the EBA can effectively exercise its role to lead, coordinate and monitor activities to promote the integrity, transparency, and security in the financial system to prevent the use of that system for money laundering or terrorist financing purposes, by making full use of all its powers and tools under Regulation (EU) No 1093/2010 while respecting the principle of proportionality. The EBA should therefore be able to combine, for the purposes of analysing the information submitted to the database, information that it has from other sources. The EBA should endeavour to make use of this information for the achievement of all its tasks as set out in Regulation (EU) No 1093/2010.
(10) While analysing information submitted to the database and made available to the reporting authorities, this Regulation should ensure cooperation with the European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA) in accordance with the principle of sincere cooperation pursuant to Article 4(3) of the Treaty on European Union as further specified in Article 2(4) of Regulation (EU) No 1093/2010, Article 2(4) of Regulation (EU) No 1094/2010 of the European Parliament and of the Council (3) and Article 2(4) of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (4). In particular, it should be specified that information requested by the EBA to those authorities or otherwise received from those authorities could be used, where appropriate, for the purposes of the analysis and that the EBA should provide EIOPA and ESMA with that information, either on its own initiative or upon a request received from those authorities.
(11) It is necessary to specify how information is made available to reporting authorities. Article 9a(2) of Regulation (EU) No 1093/2010 refers generally to the fact that the EBA is to ensure that information is made available to reporting authorities on a need-to-know and confidential basis, while Article 9a(3) of that Regulation refers specifically to reasoned requests. Both provisions are part of the process regarding how information is made available to reporting authorities. To that end, the particular elements of the reasoned request to be received by the EBA from reporting authorities should also be set out.
(12) To ensure respect for the principle of proportionality and avoid the duplication of information, an AML/CFT authority submitting information on a measure should be deemed as also submitting the notification referred to in Article 62 of Directive (EU) 2015/849, with regard to that measure. Furthermore, it is necessary to require that an AML/CFT or prudential authority submitting information to the central database specifies as part of its submission whether that authority has already submitted a notification under Article 97(6) of Directive 2013/36/EU of the European Parliament and of the Council (5).
(13) To ensure that the AML/CFT central database becomes an effective tool in the fight against money laundering and terrorist financing, it is necessary to ensure that the reporting authorities submit that information to the central database in a timely manner, and to ensure the quality of that information. To that end, information on material weaknesses and measures taken should be submitted without undue delay and reporting authorities should respond without undue delay to any request from the EBA made after any quality check analysis is performed. For the same reason, reporting authorities should ensure the ongoing accuracy, completeness, adequacy and updates of such information, and information on a material weakness should be submitted independently of any measure taken in response to it.
(14) To ensure time efficiency, thereby promoting consistent, systematic and effective monitoring and assessment of risks in relation to money laundering and terrorist financing in the Union’s financial systems, submissions and requests should be made in English. At the same time, to ensure respect for the principle of proportionality and to avoid excessive costs for the reporting authorities, where the supporting documents are not available in English, they should be submitted in their original language and be accompanied by a summary in English.
(15) Where the operation of a deposit guarantee scheme is administered by a private entity, the designated authority supervising that scheme should ensure that such scheme reports material weaknesses that are identified in the course of its activities to the designated authority.
(16) Given the large number of reporting authorities involved and to anticipate the considerable differences in the reporting frequency as some of those reporting authorities are, due to their supervisory responsibilities, likely to report AML/CFT material weaknesses and measures less frequently than others, and to achieve operational and cost efficiency both for the reporting authorities and for the EBA, a sequential approach should be built into the architecture of the database. On the basis of that sequential approach, some reporting authorities should have direct, and others indirect, access to the database.
(17) All parties involved in the exchange of information should be bound by professional secrecy and confidentiality requirements. Hence, specific provisions should be set out as to how the information can be further disclosed, thereby preserving confidentiality.
(18) When the information that is submitted, requested, shared or made available concerns natural persons, the principle of proportionality should be respected in the processing of information on those natural persons. To that end, it is necessary to specify the information processed concerning natural persons.
(19) To ensure the efficiency of the database and analysis of the information in it in order to be an effective tool in the fight against money laundering and terrorist financing, the EBA should be able to combine as part of its analysis information submitted to it in accordance with this Regulation with other information available on material weaknesses in individual financial sector operators that make them vulnerable to money laundering or terrorist financing and which the EBA acquires in carrying out its tasks within the scope of its mandate. To ensure its relevance, when the information combined contains personal data, such data should fall under the data categories listed in Annex II. Combining of personal data should be exceptional and such processing may serve only to achieving the purposes of the present Regulation. The data may need to be combined in order to (i) ensure the accuracy and completeness of data obtained from competent authorities or (ii) to enable the EBA to integrate into its database relevant information of the same nature as that transmitted by the competent authorities but obtained through another channel such as through its investigations into potential breaches of Union law pursuant to Article 17 of Regulation (EU) No 1093/2010.
Information relating to suspicions of criminal offences or criminal convictions committed by a customer, a beneficial owner, a member of the management body or key function holder could be an indicator of a lack of honesty, integrity or ML/TF risks. This can be a significant cause or contributor to material weaknesses in a financial sector operator’s governance arrangements, fitness and propriety, holders of qualifying holdings, business model or activities. Therefore, the personal data specified in Annex II may include information related to suspicion or conviction for criminal offences.
Only the data related to material weaknesses can be included in the database. Given that under this Regulation the material weaknesses relate only to significant failures in the compliance with any of the AML/CFT-related requirements, this ensures the processing of the data under the Regulation remain limited in scope to grave breaches of the AML/CFT-related requirements, and hence remain limited to what is necessary and proportionate.
All the personal data processed for the implementation of this Regulation should be handled in accordance with the data protection framework of the Union, including the principles relating to the processing such as lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.
(20) Data protection laws, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (6) and Regulation (EU) 2018/1725 of the European Parliament and of the Council (7) are applicable to the processing of personal data.
(21) The EBA, ESMA, EIOPA and the reporting authorities should determine their respective responsibilities as joint controllers of personal data by means of an arrangement between them in accordance with Article 26 of Regulation (EU) 2016/679 and Article 86 of Regulation (EU) 2018/1725, to the extent that those responsibilities are not determined by the Union law or national law to which they are subject.
(22) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and provided formal comments on 24 January 2023.
(23) Given the complementary character of the mandate set out in Article 9a(1) of Regulation (EU) No 1093/2010 pertaining to the definition of weakness and its materiality, the specification of corresponding situations where a weakness may occur and the type and practical implementation of the information collection, and of the mandate set out in paragraph 3 of that Article as to how information collected should be analysed and made available on a need to-know and confidential basis, the relevant specifications should be set out in a single Regulation.
(24) Article 9a of Regulation (EU) No 1093/2010 tasks the EBA with the collection of information about the measures taken by the reporting authorities in response to material weaknesses identified. Such measures should be understood as any supervisory and administrative measures, sanctions and penalties including precautionary or temporary measures, taken by reporting authorities in the context of a supervisory activity as set out in Article 2(5), second subparagraph, of Regulation (EU) No 1093/2010, in Article 2(5), second subparagraph, of Regulation (EU) No 1094/2010 and in Article 2(5), second subparagraph, of Regulation (EU) No 1095/2010.
(25) This Regulation is based on the draft regulatory technical standards submitted to the Commission by the EBA.
(26) The EBA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010,
HAS ADOPTED THIS REGULATION:

Article 1

Definitions

For the purposes of this Regulation, the following definitions shall apply:
(1) ‘reporting authorities’ means any of the authorities referred to in points (2) to (7) of this Article and the Single Resolution Board;
(2) ‘AML/CFT authority’ means the authority entrusted with the duty to ensure compliance of a financial sector operator with Directive (EU) 2015/849;
(3) ‘prudential authority’ means the authority entrusted with the duty to ensure compliance of a financial sector operator with the prudential framework set out in any of the legislative acts referred to in Article 1(2) of Regulation (EU) No 1093/2010, Article 1(2) of Regulation (EU) No 1094/2010 and Article 1(2) of Regulation (EU) No 1095/2010 and in any national laws transposing the Directives referred to in those provisions, including the European Central Bank with regard to matters relating to the tasks conferred on it by Council Regulation (EU) No 1024/2013 (8);
(4) ‘payment institutions authority’ means the authority referred to in Article 22 of Directive (EU) 2015/2366 of the European Parliament and of the Council (9);
(5) ‘conduct of business authority’ means the authority entrusted with the duty to ensure compliance of a financial sector operator with the conduct of business or the consumer protection framework set out in any of the legislative acts referred to in Article 1(2) of Regulation (EU) No 1093/2010, Article 1(2) of Regulation (EU) No 1094/2010 and Article 1(2) of Regulation (EU) No 1095/2010 and in any national laws transposing the Directives referred to in those Articles;
(6) ‘resolution authority’ means a resolution authority as defined in Article 2(1), point (18), of Directive 2014/59/EU of the European Parliament and of the Council (10);
(7) ‘designated authority’ means a designated authority as defined in Article 2(1), point (18), of Directive 2014/49/EU of the European Parliament and of the Council (11);
(8) ‘AML/CFT-related requirement’ means any requirement with regard to the prevention and countering the use of the financial system for the purpose of money laundering or terrorist financing imposed on a financial sector operator in accordance with the legislative acts referred to in Article 1(2) of Regulation (EU) No 1093/2010, Article 1(2) of Regulation (EU) No 1094/2010 and Article 1(2) of Regulation (EU) No 1095/2010, and with any national laws transposing the Directives referred to in those Articles;
(9) ‘measure’ means any supervisory and administrative measure, sanction and penalty, including precautionary or temporary measure, taken by a reporting authority in response to a weakness which is deemed material in accordance with Article 3;
(10) ‘branch’ means a place of business which forms a legally dependent part of a financial sector operator and which carries out directly all or some of the transactions inherent in the business of the financial sector operator, whether its registered office or head office is situated in a Member State or in a third country;
(11) ‘parent financial sector operator’ means a financial sector operator in a Member State that has another financial sector operator as a subsidiary or that holds a participation in such a financial sector operator and which is not itself a subsidiary of another financial sector operator authorised in the same Member State;
(12) ‘Union parent financial sector operator’ means a parent financial sector operator in a Member State that is not a subsidiary of another financial sector operator established in any Member State;
(13) ‘college’ means a college of supervisors as referred to in Article 116 of Directive 2013/36/EU, a resolution college or a European resolution college as set out in Articles 88 and 89 of Directive 2014/59/EU, or an AML/CFT college.

Article 2

Weaknesses and corresponding situations where weaknesses may occur

1.   For the purposes of Article 9a(1), point (a), first subparagraph, of Regulation (EU) No 1093/2010, a weakness shall mean any of the following:
(a) a breach by a financial sector operator of an AML/CFT-related requirement, which has been identified by a reporting authority;
(b) any situation in which the reporting authority has reasonable grounds to suspect that the financial sector operator has breached an AML/CFT-related requirement, or that the financial sector operator has attempted to breach such a requirement (‘potential breach’);
(c) the ineffective or inappropriate application by a financial sector operator of an AML/CFT-related requirement, or the application of internal policies and procedures that financial sector operators put in place to comply with AML/CFT-related requirements in a way that the reporting authority considers to be inadequate or insufficient to achieve the intended effects of those requirements or policies and procedures and is likely, by its nature, to lead to a breach as referred to in point (a), or to a potential breach as referred to in point (b),if the situation is not rectified (‘ineffective or inappropriate application’).
2.   The corresponding situations where weaknesses may occur are set out in Annex I.

Article 3

Materiality of a weakness

1.   Reporting authorities shall consider a weakness to be material where that weakness reveals, or could lead to, significant failures in the compliance of the financial sector operator, or of the group to which the financial sector operator belongs, with any of the AML/CFT-related requirements.
2.   For the purposes of paragraph 1, reporting authorities shall assess at least all of the following criteria:
(a) whether the weakness is occurring or has occurred repeatedly;
(b) whether the weakness has persisted over a significant period of time (duration);
(c) whether the weakness is serious or egregious (gravity);
(d) whether the management body, or the senior management, of the financial sector operator appear to know about the weakness and decided not to remedy it (negligence), or whether they adopted decisions or held deliberations directed at generating the weakness (wilful misconduct);
(e) whether the weakness increases the exposure of the financial sector operator, or of the group to which it belongs, to money laundering or terrorist financing risks;
(f) whether the weakness has, or could have, a significant impact on the integrity, transparency and security of the financial system of a Member State or of the Union as a whole, or on the financial stability of a Member State or of the Union as a whole;
(g) whether the weakness has, or could have, a significant impact on the viability of the financial sector operator or of the group to which the financial sector operator belongs;
(h) whether the weakness has, or could have, a significant impact on the orderly functioning of financial markets.

Article 4

Information to be provided by reporting authorities

Exclusively for the purposes of Article 9a(1), point (a), first subparagraph, of Regulation (EU) No 1093/2010, reporting authorities shall provide the EBA with all of the following types of information:
(a) the general information specified in Article 5 of this Regulation;
(b) the information specified in Article 6 of this Regulation about material weaknesses;
(c) the information specified in Article 7 of this Regulation about any measures taken.

Article 5

General information

1.   Reporting authorities shall provide the EBA with all of the following general information:
(a) the identification of the reporting authority, including the specification whether it is the home or host AML/CFT authority and, where Article 12(4) applies, the identification of the authority submitting that information indirectly;
(b) the identification of the financial sector operator and of its branches, of the agents as defined in Article 4, point (38), of Directive (EU) 2015/2366, and of distributors, including the type of financial sector operator and, where applicable, the type of establishment, where that operator, or its branches, agents, or distributors are concerned by the material weakness or the measure taken;
(c) where the financial sector operator is part of a group, the identification of the Union parent financial sector operator and of the parent financial sector operator;
(d) where the information is submitted by the European Central Bank, the Single Resolution Board, or the national reporting authority of the Member State where the financial sector operator has its registered office, or, if the financial sector operator has no registered office, of the Member State in which the head office of the financial sector operator is situated, the identification of the countries in which the financial sector operator operates branches and subsidiaries or operates through a network of agents and distributors;
(e) where the financial sector operator is part of a group, information about any college in which the reporting authority participates, including information about the members, observers, and about the lead supervisor, group supervisor, consolidating supervisor or group level resolution authority of that college;
(f) whether there is a central contact point as referred to in in Article 45(9) of Directive (EU) 2015/849, and, where applicable, its identification;
(g) any other relevant information about the financial sector operator, branch, agent or distributor, including information about whether:
(i) the financial sector operator is currently applying for authorisation, or is in the process of applying to exercise its right of establishment or its freedom to provide services, or of any other supervisory approvals;
(ii) the financial sector operator is subject to any of the proceedings set out in Directive 2014/59/EU, or other insolvency proceedings;
(h) information on the size of the activities of the financial sector operator and its branches, including, where applicable:
(i) information on financial statements;
(ii) the number of clients;
(iii) the volume of assets under management;
(iv) for an insurance undertaking, its annual gross written premium (GWP) and the size of its technical provisions;
(v) for an insurance intermediary, the volume of premiums intermediated;
(vi) for payment institutions and electronic money institutions, the size of the distribution network, including information on the number of agents and distributors.
2.   Prudential authorities shall, in addition to the information referred to in paragraph 1, submit all of the following information to the database:
(a) the result of risk assessment determined on the basis of any relevant supervisory review process, including the supervisory reviews referred to in Article 97 of Directive 2013/36/EU and Article 36 of Directive 2009/138/EC of the European Parliament and of the Council (12), and of any other similar processes affected by the exposure of the financial sector operator, or of its branches, to the risk of money laundering or terrorist financing, including in the areas of internal governance, business model, operational risk, liquidity and credit risk;
(b) any negative final assessment of, or decision on, an application for authorisation as a financial sector operator, including where a member of the management body does not meet the requirements on fitness and propriety, and including where such an assessment or decision is based on grounds of money laundering or terrorist financing.
Any reporting on natural persons for the purposes of point (b) shall be made in accordance with Annex II.
3.   AML/CFT authorities shall, in addition to the information referred to in paragraph 1, provide the EBA with the money laundering and terrorist financing risk profile of the financial sector operator and of its branches, and with available information about the money laundering and terrorist financing risk profile of the agents and distributors using the categories specified in Annex III.

Article 6

Information about material weaknesses

Reporting authorities shall provide the EBA with all of the following information about material weaknesses:
(a) the type of material weakness as set out in Article 2(1);
(b) the reason as to why the reporting authority considers that the weakness is material;
(c) a description of the material weakness;
(d) the corresponding situation in which the material weakness has occurred, as set out in Annex I;
(e) the timeline of the material weakness;
(f) the origin of the information on the material weakness;
(g) the AML/CFT-related requirement to which the material weakness relates;
(h) the type of products, services or activities for which the financial sector operator has been authorised that are affected by the material weakness;
(i) whether the material weakness concerns the financial sector operator on its own, its branch, its agent or its distributor alone, as well as any cross-border impact of the material weakness;
(j) whether information on the material weakness has been communicated to a college that has been established for the group to which the financial sector operator belongs; and, if not communicated yet, the reason why;
(k) for the host AML/CFT authorities, whether the information on the material weakness has been communicated to the home AML/CFT authority or to the central contact point referred to in Article 45(9) of Directive (EU) 2015/849, where applicable, and, if not communicated yet, the reason why;
(l) whether the material weakness appears to be inherent in the design of the product, service or activity concerned;
(m) whether the material weakness appears to be linked to specific natural persons, whether a customer, a beneficial owner, a member of the management body or key function holder, including the reasons why the reporting authority considers that that natural person appears to be linked to the material weakness;
(n) any contextual or background information with regard to the material weakness, where known by the reporting authority, including:
(i) whether the material weakness is linked to a specific area relevant for money laundering or the financing of terrorism that has already been identified by the EBA;
(ii) for the AML/CFT authorities, whether the material weakness indicates an emerging risk as regards money laundering or the financing of terrorism;
(iii) whether the material weakness is linked to the use of new technology, and, if so, a short description of that new technology.
For the purposes of point (m), any information on natural persons shall be provided in accordance with Annex II.

Article 7

Information about any measures taken

Reporting authorities shall provide the EBA with all of the following information about any measures taken:
(a) a reference to the material weakness in relation to which the measure has been taken, and, where relevant, any update of the information provided in accordance with Article 6;
(b) the date of the imposition of the measure;
(c) the type of measure, its internal reference number and link to it, if published;
(d) full information about the legal and natural persons on which the measure was imposed;
(e) a description of the measure, including its legal basis;
(f) the status of the measure, including whether any appeal has been brought against the measure;
(g) whether and how the measure has been published, including the reasons for any anonymous publication, delay in publication or non-publication;
(h) all information relevant to the remediation of the material weakness that the measure concerns, including any action planned or taken for such remediation, and any additional explanations necessary regarding remediation process and the relevant timeline by which remediation is expected;
(i) whether the information about the measure has been communicated to a college that has been established for the group to which the financial sector operator belongs; and if not communicated yet, the reason why;
(j) for the host AML/CFT authorities, whether information on the measure has been communicated to the home AML/CFT competent authority; and, if not communicated yet, the reason why.
For the purposes of point (d), any information on natural persons shall be provided in accordance with Annex II.

Article 8

Timelines and obligation to provide updates

1.   Reporting authorities shall provide the EBA with all information about material weaknesses and measures without undue delay.
2.   Reporting authorities shall provide the EBA with information about material weakness irrespective of whether any measure has been taken in response to such material weakness. In addition, host AML/CFT authorities shall submit that information irrespective of any notification made to the home AML/CFT authority.
3.   Reporting authorities shall ensure that the information they provide to the EBA remains accurate, complete, appropriate and up to date.
4.   Where the EBA determines that the information provided is not accurate, complete, adequate or up to date, the reporting authorities shall provide the EBA upon its request with any additional or subsequent information without undue delay.
5.   Reporting authorities shall provide the EBA, in due time, with all the information necessary to keep the EBA informed about any subsequent developments relating to the information provided, including information related to the material weakness identified or to the measure taken and its remediation.

Article 9

Analysis of the information received by the EBA

1.   The EBA shall analyse the information received in accordance with this Regulation on a risk-based approach.
2.   The EBA may, where appropriate, combine information submitted in accordance with this Regulation with any other information available to the EBA, including information disclosed to the EBA by any natural or legal person including the type of information listed in Annex II.
3.   ESMA and EIOPA shall provide the EBA, where requested, with any additional information necessary for the analysis of the information received in accordance with this Regulation. Where the additional information includes personal data, such data shall be provided using the categories in Annex II.
4.   The EBA shall endeavour to make use of the information received in accordance with this Regulation for the performance of its tasks as set out in Regulation (EU) No 1093/2010, including all of the following:
(a) to conduct analyses on an aggregate basis:
(i) to inform its opinion referred to in Article 6(5) of Directive (EU) 2015/849;
(ii) to perform the risk assessments referred to in Article 9a(5) of Regulation (EU) No 1093/2010;
(b) to provide responses to requests received from reporting authorities for information about financial sector operators relevant for the supervisory activities of those authorities with regard to the prevention of the use of the financial system for the purposes of money laundering or of terrorist financing, as specified in Article 9a(3) of Regulation (EU) No 1093/2010;
(c) to inform requests for investigation as referred to in Article 9b of Regulation (EU) No 1093/2010;
(d) to disclose, on its own initiative, information to reporting authorities relevant for their supervisory activities as specified in Article 10(1), point (b);
(e) to provide EIOPA and ESMA with information analysed in accordance with this Regulation, including information on individual financial sector operators, and on natural persons in accordance with Annex II, either on its own initiative, or following a request received from EIOPA or ESMA providing reasons as to why that information is necessary for the achievement of their tasks as set out in Regulation (EU) No 1094/2010 and Regulation (EU) No 1095/2010, respectively.

Article 10

Making information available to the reporting authorities

1.   The EBA shall provide the reporting authorities with the information received in accordance with this Regulation and analysed in accordance with Article 9 in all of the following situations:
(a) following a request received from the reporting authority for information about financial sector operators relevant for the supervisory activities of that authority with regard to the prevention of the use of the financial system for the purpose of money laundering or terrorist financing, as specified in Article 9a(3) of Regulation (EU) No 1093/2010;
(b) on the EBA’s own initiative, including for the following cases on a risk-based approach:
(i) to the lead supervisor, group supervisor, consolidating supervisor or group level resolution authority, where a college has been established but the information has not been disseminated therein in accordance with Article 6, point (j), and Article 7, point (i), of this Regulation and the EBA deems the information relevant for that college;
(ii) where no college has been established, but the financial sector operator is part of a cross-border group or has branches or operates through agents or distributors in other countries and the EBA deems the information relevant for the authorities supervising such group entities, branches, agents or distributors.
2.   The request referred to in paragraph 1, point (a), shall specify the following:
(a) the identification of the requesting reporting authority and the authority enabling the indirect submission as referred to in Article 12(4), as applicable;
(b) the identity of the financial sector operator concerned by the request;
(c) whether the request concerns the financial sector operator or a natural person;
(d) why the information is relevant for the requesting reporting authority and its supervisory activities with regard to the prevention of the use of the financial system for the purpose of money laundering or terrorist financing;
(e) the intended use of the requested information;
(f) the date by which the information should be received, if any, and a justification for that date;
(g) whether there is a degree of urgency, and a justification for that urgency;
(h) any additional information that may assist the EBA while processing the request, or which is requested by the EBA.
3.   Where natural persons are concerned, requests referred to in paragraph 1, point (a), and the provision of information in accordance with paragraph 1, point (b), shall be made in accordance with Annex II.

Article 11

Articulation with other notifications

1.   The submission of information about a measure by an AML/CFT authority to the EBA in accordance with Article 7 of this Regulation shall be deemed to be a submission of information as referred to in Article 62 of Directive (EU) 2015/849 with regard to that measure.
2.   An AML/CFT or a prudential authority submitting information in accordance with this Regulation shall specify with its submission whether it has already submitted a notification under Article 97(6) of Directive 2013/36/EU.

Article 12

Practical implementation of the information collection

1.   The information referred to in Articles 5, 6 and 7 and the requests referred to in Article 9(4), point (b), and Article 10(1), point (a), shall be submitted by electronic means and in English.
2.   Supporting documents that are not available in English shall be submitted in their original language, accompanied by a summary in English.
3.   Where the operation of a deposit guarantee scheme is administered by a private entity, the designated authority supervising that scheme shall ensure that such private entity administering the scheme reports to that designated authority material weaknesses identified in the course of its activities.
4.   Where a reporting authority, other than an AML/CFT authority (‘authority indirectly submitting’), submits information and requests to the EBA and receives information from the EBA through the AML/CFT authority in charge of the supervision of the financial sector operator concerned by the material weakness of the Member State where the authority indirectly submitting is established (‘authority enabling indirect submission’), the following shall apply:
(a) the authority indirectly submitting shall submit information and requests to and receive information from the EBA only through the authority enabling indirect submission;
(b) the liability of the authority enabling indirect submission shall be limited solely to submitting to the EBA all the information and requests received from the authority indirectly submitting and to transferring to that authority all the information received from the EBA;
(c) the authority indirectly submitting shall remain exclusively liable to comply with its obligations to report material weaknesses and measures in accordance with this Regulation;
(d) the notifications under Article 9a(3) of Regulation (EU) No 1093/2010 shall be done by the EBA for the authority indirectly submitting through the authority enabling indirect submission.
5.   Reporting authorities shall appoint a person of appropriate seniority to represent the authority vis-à-vis the EBA for the submission, request and reception of information in accordance with this Regulation, and inform the EBA of that appointment and of any changes to that appointment. Reporting authorities shall ensure that sufficient resources are dedicated for their reporting obligations under this Regulation. Reporting authorities shall appoint a person or persons as contact points for the submission, the requests and the reception of information under this Regulation and notify the EBA thereof. Any notifications made in accordance with this paragraph shall be made in accordance with Annex II. Authorities indirectly submitting shall make those notifications to the authorities enabling their indirect submission.
6.   For the AML/CFT authority, the additional information referred to in Article 9a(1), point (a), third subparagraph, of Regulation (EU) No 1093/2010 shall include the current money laundering or terrorist financing risk profile of the group, if any, and the money laundering or terrorist financing risk assessments of the financial sector operator, branch, agent or distributor or of the group. Reporting authorities shall provide the EBA with any information or document not referred to in this Regulation that is relevant for any material weakness or measure with an explanation of such relevance.
7.   The EBA shall set out and communicate to reporting authorities technical specifications, including data exchange formats, representations, relevant data points and instructions, rights of access to the database, to which the reporting authorities shall conform, when submitting or receiving information in accordance with this Regulation. The EBA shall, having regard to the different supervisory activities of the reporting authorities, the expected frequency of submissions and the need to achieve operational and cost efficiency, identify the reporting authorities that shall be authorities indirectly submitting in accordance with paragraph 4.

Article 13

Confidentiality

1.   Without prejudice to provisions of this Regulation as to how information is analysed and made available to authorities, information submitted to the EBA in accordance with this Regulation shall be subject to Articles 70, 71 and 72 of Regulation (EU) No 1093/2010. Information received by EIOPA and ESMA in accordance with this Regulation shall be subject to Articles 70, 71 and 72 of Regulation (EU) No 1094/2010 and to Articles 70, 71 and 72 of Regulation (EU) No 1095/2010, respectively.
2.   Members of the reporting authorities’ management bodies, and persons working for those authorities or who have worked for those authorities, even after their duties have ceased, shall be subject to professional secrecy requirements and shall not disclose information received in accordance with this Regulation, except in summary or aggregate form only such that individual financial sector operators, branches, agents, distributors or other natural persons cannot be identified, without prejudice to cases where criminal law proceedings are pending.
3.   Reporting authorities receiving information in accordance with this Regulation shall treat that information as confidential and shall use it only in the course of their supervisory activities with regard to the prevention of the use of the financial system for money laundering or terrorist financing, carried out pursuant to the legal acts referred to in Article 1(2) of Regulation (EU) No 1093/2010, Article 1(2) of Regulation (EU) No 1094/2010 and Article 1(2) of Regulation (EU) No 1095/2010, including in appeals against measures taken by those authorities and in any court proceedings concerning supervisory activities.
4.   Paragraph 2 shall not preclude a reporting authority from disclosing information received in accordance with this Regulation to another reporting authority or to an authority or body pursuant to the legal acts referred to in Article 1(2) of Regulation (EU) No 1093/2010, Article 1(2) of Regulation (EU) No 1094/2010 and Article 1(2) of Regulation (EU) No 1095/2010.

Article 14

Data protection

The EBA may keep personal data in an identifiable form for a period of up to 10 years from the collection by the EBA and, where it does so, shall delete personal data upon expiry of that period. Based on a yearly assessment of their necessity, personal data may be deleted before the end of that maximum period on a case-by-case basis.

Article 15

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the
Official Journal of the European Union
.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 9 November 2023.
For the Commission
The President
Ursula VON DER LEYEN
(1)  
OJ L 331, 15.12.2010, p. 12
.
(2)  Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (
OJ L 141, 5.6.2015, p. 73
).
(3)  Regulation (EU) No 1094/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Insurance and Occupational Pensions Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/79/EC (
OJ L 331, 15.12.2010, p. 48
).
(4)  Regulation (EU) No 1095/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Securities and Markets Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/77/EC (
OJ L 331, 15.12.2010, p. 84
).
(5)  Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (
OJ L 176, 27.6.2013, p. 338
).
(6)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (
OJ L 119, 4.5.2016, p. 1
).
(7)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (
OJ L 295, 21.11.2018, p. 39
).
(8)  Council Regulation (EU) No 1024/2013 of 15 October 2013 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions (
OJ L 287, 29.10.2013, p. 63
).
(9)  Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (
OJ L 337, 23.12.2015, p. 35
).
(10)  Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms and amending Council Directive 82/891/EEC, and Directives 2001/24/EC, 2002/47/EC, 2004/25/EC, 2005/56/EC, 2007/36/EC, 2011/35/EU, 2012/30/EU and 2013/36/EU, and Regulations (EU) No 1093/2010 and (EU) No 648/2012, of the European Parliament and of the Council (
OJ L 173, 12.6.2014, p. 190
).
(11)  Directive 2014/49/EU of the European Parliament and of the Council of 16 April 2014 on deposit guarantee schemes (
OJ L 173, 12.6.2014, p. 149
).
(12)  Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance (Solvency II) (
OJ L 335, 17.12.2009, p. 1
).

ANNEX I

CORRESPONDING SITUATIONS

Reporting authorities may come across weaknesses in the following situations:

PART 1:

   

AML/CFT authorities

When carrying out their on-site and off-site supervisory activities, regarding:
(a) customer due diligence measures, including customer ML/TF risk assessments, reliance on third parties and transaction monitoring;
(b) suspicious transaction reporting;
(c) record-keeping;
(d) internal AML/CFT systems and controls;
(e) risk management system, including business-wide ML/TF risk assessments;
(f) group-wide policies and procedures including policies for sharing information within the group.

PART 2:

   

Prudential authorities

1.
During the authorisation process and the process for the assessment of the acquisition of qualifying holdings, regarding:
(a) analysis of business strategy and of business model and reflection on other risk areas, including liquidity where applicable;
(b) fitness and propriety assessment of the members of the management body and key function holders, where performed;
(c) notification to establish a branch or to provide services under the freedom of establishment or the freedom to provide services;
(d) shareholders or members holding qualifying holdings or, exclusively at authorisation, and where applicable, identity of 20 largest shareholders or members if there are no qualifying holdings;
(e) internal governance arrangements including remuneration policies and practices;
(f) internal control framework, including risk management, compliance and internal audit;
(g) information communication technology risk and risk management;
(h) assessment of the sources of funds to pay up capital at authorisation or the source of funds to purchase the qualifying holding.
2.
During ongoing supervision, including on-site inspections and off-site supervisory activities, regarding:
(a) internal governance arrangements, including remuneration policies and practices;
(b) internal control framework, including risk management, compliance and internal audit;
(c) fitness and propriety assessment of the members of the management body and key function holders, where performed;
(d) the assessment of the notifications of proposed acquisitions of qualifying holdings;
(e) operational risks including legal and reputational risks;
(f) information communication technology risk and risk management;
(g) business models;
(h) liquidity management;
(i) outsourcing arrangements and third party risk management;
(j) carrying out the procedures related to market access, banking licensing and authorisations;
(k) carrying out the Supervisory Review and Evaluation Process (SREP); the supervisory review process (SRP), or similar supervisory review processes;
(l) the assessment of ad hoc requests, notifications and applications;
(m) the assessment of the eligibility of and monitoring institutional protection schemes;
(n) information received during ongoing work to ensure compliance with Union prudential rules, including the collection of supervisory reporting.

PART 3:

   

Designated authorities

When preparing for DGS interventions, including stress testing and on-site or off-site inspections, or when executing a DGS intervention, including pay-outs.

PART 4:

   

Resolution authorities and the Single Resolution Board

In the course of their functions, from resolution planning to execution.

PART 5:

   

Conduct of business authorities

When carrying out their on-site and off-site supervisory activities, and in particular in situations where they are aware of:
(a) a denial of access to financial products or services for reasons of anti-money laundering or combating the financing of terrorism;
(b) a termination of a contract or the end of a service for reasons of anti-money laundering or combating the financing of terrorism;
(c) an exclusion of categories of customers, in particular in the situations referred to in points (a) and (b) for reasons of anti-money laundering or combating the financing of terrorism.

PART 6:

   

Payment institutions authorities

In particular:
1.
during the authorisation process and passporting;
2.
when carrying out their on-site and off-site supervisory activities, and in particular:
(a) with regard to payment institutions and electronic money institutions, including when they provide their activities through agents and distributors;
(b) with regard to the payment service provider’s obligations under Directive (EU) 2015/2366, including the obligation of the payee’s payment service providers to make funds available to the payee immediately after the amount is credited to the payment service provider’s account.

PART 7:

   

Any other situations where the weakness is material.

ANNEX II

INFORMATION ON NATURAL PERSONS

1.   
The information to be provided in application of Article 5(2), point (b)
(a) name, surname, date of birth, country of residence, nationality, function in the financial sector operator or branch;
(b) the grounds of money laundering or terrorist financing.
2.   
The information to be provided in application of Article 6, point (m):
(a) customers or beneficial owners:
(i) name, surname, date of birth, country of residence, nationality;
(ii) whether the customer or beneficial owner is or was also a member of the management body or a key function holder in the financial sector operator or branch;
(iii) whether the customer or beneficial owner holds or held, directly or indirectly, shares in the financial sector operator or branch;
(iv) whether the customer is considered as ‘high risk’ by the financial sector operator, branch, agent or distributor;
(b) members of the management body or key function holders:
(i) name, surname, date of birth, country of residence, nationality;
(ii) function in the financial sector operator or branch;
(c) any natural person referred to in points 2(a) or (b) of this Annex: the reason why the reporting authority considers that the natural person appears to be linked with the material weakness.
3.   
The information to be provided in application of Article 7, point (d):
(a) name, surname, date of birth, country of residence, nationality;
(b) function in the financial sector operator, branch, agent or distributor or, with regard to the customer or beneficial owner, role.
4.   
The information to be provided in application of Article 10(3) by a reporting authority when making a request about natural persons:
(a) name, surname, date of birth, nationality, country of residence;
(b) where known, the function, or, with regard to the customer or beneficial owner, role;
(c) the reason why the information about that specific person is necessary for the requesting reporting authority for its supervisory activity with regard to the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and the intended use(s) of the information requested.
5.   
The dissemination of personal data by the EBA:
When requested by a reporting authority, the EBA shall share personal data under the conditions referred to in point 4(c) of this Annex, and on its own initiative under the conditions laid down in Article 10(1), point (b), if the information about the person concerned is necessary for the reporting authority for its supervisory activity with regard to the prevention of the use of the financial system for the purpose of money laundering or terrorist financing. In both cases, the information shall be shared between authenticated users and secured communication channels shall be used.
6.   
The information to be provided in application of Article 12(5) shall contain the name, surname, function, and business contact.

ANNEX III

MONEY LAUNDERING AND TERRORIST FINANCING RISK PROFILE

1.   Less significant risk profile:

The financial sector operator, branch, agent or distributor has a less significant risk profile where its inherent risk is less significant and its risk profile remains unaffected by mitigation, or where inherent risk is moderately significant or significant but is effectively mitigated through anti-money laundering and combating the financing of terrorism (AML/CFT) systems and controls.

2.   Moderately significant risk profile:

The financial sector operator, branch, agent or distributor has a moderately significant risk profile where its inherent risk is moderately significant and its risk profile remains unaffected by mitigation, or where its inherent risk is significant or very significant but is effectively mitigated through AML/CFT systems and controls.

3.   Significant risk profile:

The financial sector operator, branch, agent or distributor has a significant risk profile where its inherent risk exposure is significant and the risk profile remains unaffected by mitigation, or where its inherent risk is very significant but is effectively mitigated through AML/CFT systems and controls.

4.   Very significant risk profile:

The financial sector operator, branch, agent or distributor has a very significant risk profile where its inherent risk is very significant and, regardless of the mitigation, the risk profile remains unaffected by mitigation, or where the inherent risk is very significant but is not effectively mitigated due to systemic AML/CFT system and control weaknesses in the financial sector operator.
ELI: http://data.europa.eu/eli/reg_del/2024/595/oj
ISSN 1977-0677 (electronic edition)
Markierungen
Leseansicht