On the 6^th March 2025 the EBA issued the EBA/CP/2025/04 Consultation paper proposing Regulatory Technical Standards in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates (the “EBA Consultation paper”).

The EBA Consultation paper forms part of the general AML reformative package at EU level as it treats requests for regulatory technical standards (RTS) not only with regard to provisions inside the regulation establishing the new AML Authority at EU level (the “AMLA Regulation”[1]) per se but also with regard to authorizing provisions included in the new AML Regulation[2] and the new 6^th AML Directive^[3] all of which being strictly interrelated.

As per the AMLA Regulation, AMLA shall replace EBA with regard to the preparation of the proposals for RTS (art.49) and implementing technical standards (art.53) to be adopted by the EU Commission relating to AML.

According to the AMLA Regulation, AMLA’s main role consists of contributing to the AML supervisory convergence across the EU member states by undertaking the direct AML supervision of big financial conglomerates with activity in more than 6 EU member states (when their turnover is above certain thresholds) while with respect to the rest of financial institutions, these are to be supervised by AMLA indirectly by harmonizing the procedures and the templates of the AML questionnaires across the EU member states AML supervising authorities and by collecting raw comparable data from them to ensure unified application of the AML rules by all the EU member states.

Even though the articles relating to the organizational structure, the functions and competencies of AMLA are already in force as of 26^th June 2024, the whole AMLA Regulation will be applicable as of 31^st December 2025.

Since the AML regulatory transformations are going to monopolise our attention for the months to come, we have identified the main points introduced by the AML Regulation and the 6^th AML Directive, so that you better understand the EBA Consultation paper.

In this regard, the new AML Regulation describes in great detail the measures which the EU professionals in the AML scope must follow in an effort to set a common regulatory framework without significant deviations. While the previous EU acts with regard to AML were vested in the form of directives mostly setting the goals that should be achieved without defining the “means for achieving these goals”, now the AML Regulation provides a clear set of rules requiring the adoption of a lot of “obligations of means” in the pursuit of harmonized implementation and proper application of the rules. Under this frame of thought, a lot of the rules included in the 4th AML Directive are now included in the AML Regulation (for the correspondence in terms of the numbers of the articles see the last annex to the AML Regulation) so that these rules in their mature version become directly applicable to the obliged professionals establishing a level playing field in the EU jurisdictions.

In this regard, we could classify the provisions included in the AML Regulation in three main categories i.e. (1) rules with which Luxembourg is already “up-to-speed” due to its level of AML regulatory maturity, (2) rules with an element of novelty inspired either by FATF or by previous soft law guidelines and (3) rules that streamline and further develop the standard instituted AML rules. (to learn more about the new AML Regulation click here)

The 6^th AML Directive:

The 6^th AML Directive[4] complements the AML Regulation in matters having mostly to do with the better administrative organization, cooperation and coordination of the AML supervising authorities at EU and national levels. In this light, EU member states are obliged to make possible the cooperation of all and any administrative and judicial authority for the effective application of AML measures. This includes the FIUs, the tax authorities, the resolution authorities and practically any authority of the EU member states that can provide information or exert control (e.g. customs).

The 6^th AML Directive will replace (in parallel with the AML Regulation) the currently valid 4^th AML Directive, the last directive to be repealed with effect as of 10 July 2027. In this regard, references to the repealed 4^th AML Directive shall be construed as references to the 6^th AML Directive and to the AML Regulation.

The 6^th AML Directive is addressed to the EU member states which -apart from the mandatory provisions applicable to professionals in the scope of the AML Regulation- are allowed to adopt AML measures in any other sector which consider affected by AML risks.

The 6^th AML Directive is roughly divided into the following titles:

• 1. Measures applicable to sectors exposed to money laundering and terrorist financing at national level;
• 
  
• 2. Rules for access to beneficial ownership information and organization of central registers (Note: the below rules mentioned under this title have already implemented to some extent with the Luxembourg law of January 23, 2025 amending the UBO register law;
• 
  
• 3. Bank account registers and access to real estate information; 
• 
  
• 4. Responsibilities and tasks of Financial Intelligence Units (FIUs) of the EU member states;
• 
  
• 5. Responsibilities and tasks of the EU member states’ AML supervisors, cooperation between them, with AMLA and with other EU authorities;
• 
  
• 6. Common rules with regard to the type of breach and level of pecuniary sanctions or administrative measures (monetary penalties, administrative sanctions and periodic payments).

In relation to this last point, a mandate is provided to AMLA to develop draft RTS and submit them to the EU Commission for adoption by 10 July 2026.

The EBA Consultation paper

The EBA Consultation paper deals specifically with 4 mandates, as detailed below:

• 1. Draft RTS on the assessment and classification of the inherent and residual risk profile of obliged entities and the frequency at which such profiles must be reviewed.

Article 40, paragraph 2, of the 6^th AML Directive requires AMLA to develop a common methodology that all supervisors of the EU member states will use to assess the level of ML/TF risks to which obliged entities under their supervision are exposed.

In this respect, the EBA Consultation paper proposes the standard three steps, namely:

• a) Assessing each obliged entity’s level of exposure to inherent ML/TF risks and classifying its inherent risk profile in one of the following categories: low risk, medium risk, substantial risk, or high risk, with a defined scoring methodology;
  
  
• b) Assessing the quality of the AML/CFT controls put in place by the obliged entity to address these risks and classifying them in one of the following categories: very good quality of controls , good quality of controls, moderate quality of controls, or poor quality of controls, with a defined scoring methodology;
  
  
• c) Assessing the residual level of exposure to ML/TF risks after taking into account the quality of its AML/CFT control framework and classifying them in one of the following categories: low risk, medium risk, substantial risk, or high risk, with again a defined scoring methodology.
  
  

The differentiation consists in the fact that for the assessment to take place in line with the above steps, EBA defines the scoring mechanisms based on objective data instead of subjective assessments introducing a single set of data points as risk indicators that all supervisors would be required to use.

This includes a numerical score ranging from 1 (lowest level of risk) to 4 (highest level of risk) based on pre-determined thresholds to all the risk indicators which are applicable to the relevant obliged entity in line with a certain “weight” put on a set of indicators, sub-categories of indicators or categories of indicators to determine the score of the assessment.

Even though some adjustments to the automatically calculated risk score are possible based on expert judgment, these adjustments need to be duly justified and are subject to certain rules and limits, to ensure that they do not introduce an element of discretion.

Supervisors would review the inherent and residual risk profile of obliged entities once per year unless an institution is very small (i.e. with less than 5 compliance officers) or carries out activities that do not justify a yearly review (see list of small entities mentioned in the EBA Consultation paper).

Because risks vary and evolve, risk indicators and weights are not included in the draft RTS as AMLA, in cooperation with national supervisors, shall define the risk indicators and weights for each review cycle.

As regards to the group-wide risk assessment, there’s going to be an aggregation of entity - level residual risk scores with a weighted average, which reflects the importance of each entity within the group.

• 2. Draft RTS on the risk assessment for the purpose of selection of financial institutions and groups of credit and for direct supervision by AMLA (under article 12(7) of the AMLA Regulation)
  
  

The selection of entities which qualify for direct supervision is accordance with article 13(1) of the AMLA Regulation and takes place in two stages. In the first stage, the AMLA identifies all credit institutions, financial institutions or groups of credit and financial institutions that are operating in at least six member states, including their home member state, either via establishment or by conducting relevant operations under the freedom to provide services. In this regard, the draft RTS stipulates that operations under the freedom to provide services in another EU member state are material and count towards the number of member states in which the entity is considered to be operating for the purpose of article 12 (1) of the AMLA Regulation when: (i) the number of customers that are resident in each member state where the obliged entity is operating under the freedom to provide services is above 20,000; (ii)the total value in Euro of incoming and outgoing transactions generated by these customers is above 50,000,000. In the second stage, the ML/TF risk profile of these entities is classified, to identify those that present a high residual risk.

As regards the second element for the determination of the risk profile of the entity or the entities within a group, the same methodology for the determination of AML risk assessment of the obliged entities which is explained above, under the RTS1, is also applicable here, considering the interaction synergies between the two mandates.

In case of groups, the risk profiles should be aggregated for the classification of the group risk profile, at the level of the highest parent company in the EU which is a credit or a financial institution.

Regarding the assessment and classification of the quality of AML/CFT controls applied by each obliged entity according to which the residual AML risks are to be calculated, there is a mathematical formula taking into account the quality of the AML/CFT controls put in place by each credit or financial institution to mitigate the inherent risks to which it is exposed.

• 3. Draft RTS under Article 28(1) of the AML Regulation on customer due diligence (CDD)
  
  

General purpose of the draft RTS is to further harmonise the way due diligence measures are applied across the EU by specifying what information obliged entities shall collect to comply with their CDD, SDD and EDD requirements.

There are, nevertheless, a number of provisions in the AML Regulation that the draft RTS – taking into account the mandate in Article 28(1) of that Regulation – cannot change. These include, for example, the measures that obliged entities need to take to identify the beneficial owners, now that these requirements are comprehensively laid out in Chapter IV of the AML Regulation on beneficial ownership transparency. A similar point relates to article 34(4) (e) and 34(4)(g) of the AML Regulation where the level 1 text is sufficiently detailed that would not require further clarification in the RTS.

Since the CDD measures included both in the AML Regulation and the draft RTS to a large extent coincide with the CDD rules already established in Luxembourg, we are going to focus on the main points introducing some level of novelty in the AML regulatory universe of Luxembourg. These points are:

• - Exemption to the application of CDD in relation to electronic money upon occurrence of lower risk factors such as the use of attributes of electronic identification means and qualified trust services similar to digital signature for customer due diligence purposes (article 19(7) of the AML Regulation);
  
  
• - Information on all the nationalities of the customers of obliged entities is necessary;
  
  
• - Conditions for the equivalence of identification documents to an identity document or passport;
  
  
• - Requirement of use of electronic identification means or relevant qualified trust services as set out in the Regulation (EU) No 910/2014 in case of non “face-to-face” establishment of business relationship (in this light, explicit consent from the person to be identified is necessary and must be recorded, as well as, use of reliable and independent information sources combined with the mentioned safeguards regarding the quality and accuracy of the data and documents are to be collected.
  
  
• - Conditions for granting of virtual IBANs by non-issuers and time to perform CDD (i.e. where a financial institution, other than the issuer of the virtual IBAN and other than the financial institution servicing the account, provides a natural or legal person a virtual IBAN for their use, it shall provide to the issuer of the virtual IBAN the CDD information within a time period that enables the financial institution servicing the bank or payment account to fulfil its own CDD obligations);
  
  
• - Information to be provided by the trustee in case of class of beneficiaries (art. 22(4) of the AML Regulation) and in case of discretionary trust (art.22(5)).
  
  
• - Minimum requirements for the customer identification and verification in situations of lower risk, including that of the beneficial owners or senior managing officials in low-risk situations;
  
  
• - Minimum information to identify the purpose and intended nature of the business relationship or occasional transaction in low-risk situations (article 33(1) point (c) of the AML Regulation), i.e. why the customer has chosen the obliged entities’ products and services, the source of the funds used in the business relationship or occasional transaction, and how the customer plans to use the products or services provided, including where applicable the estimated amounts flowing through the account;
  
  
• - Additional information on the customer and the beneficial owners - compliance with the enhanced due diligence requirement (article 34(4) point (a) of the AML Regulation);
  
  
• - Additional information on the intended nature of the business relationship (ar. 34(4) (b) of the AML Regulation);
  
  
• - Corresponding list of attributes that electronic identification means and qualified trust services are required to feature in accordance with article 22(6) point (b) of the AML Regulation in order to fulfil the requirements of article 20(1) points (a) and (b) and article 22(1) of the AML Regulation, in the case of standard and enhanced due diligence, is laid down in Annex I of the draft RTS. Where an electronic identification means or qualified trust service does not possess all attributes that allow the identification and verification of the customer or beneficial owner, the obliged entity shall take steps to obtain and verify the missing attributes through other means in line with article 22(6) of the AML Regulation.
  
  

These RTS rules on CDD, on one hand, intend to further supplement the proposed by the AML Regulation and the 6th AML Directive rules to the point that any uncovered points in the Level I texts are not misused in their application by the EU member states while, on the other hand, provide the necessary clarifications for the application of CDD in the digital era.

• 
  
• 4. Draft RTS under article 53(10) of the 6^th AML Directive on pecuniary sanctions, administrative measures and periodic penalty payments

Supervisors need to have a common understanding of the gravity of breaches to ensure harmonisation across EU member states regarding the breaches for which pecuniary sanctions and administrative measures are imposed. For that purpose, the drafted RTS sets out a list of indicators that supervisors should take into account when assessing the level of gravity of breaches as well as a classification of the level of gravity of breaches into four categories of increased severity.

Important indicators to assess the level of gravity of breaches:

• - The conduct of the natural or legal person, including its senior management and management body in its supervisory function;
  
  
• - Supervisors should consider whether a breach was committed intentionally or negligently;
  
  
• - Whether the breach could have facilitated or otherwise led to criminal activities (as defined in article 2(1) point 3 of the AML Regulation);
  
  
• - Whether there is a structural failure within the obliged entity with regard to AML/CFT systems and controls and policies or a failure of the entity to put in place adequate AML/CFT systems and controls;
  
  
• - The actual or potential impact of the breach: i. on the integrity, transparency and security of the financial system of a Member State or of the Union as a whole, or on the financial stability of a Member State or of the Union as a whole; ii. on the orderly functioning of the financial markets;
  
  
• - The systematic nature of the breach;
• 
  

Criteria to be taken into account when setting the level of pecuniary sanctions:

• - The level of cooperation with the AML supervisory authority; and
  
  
• - The conduct of the natural or the legal person held responsible since the breach has been identified.

Last but not least, clarifications on the application of extreme administrative measures provided by the AML Regulation (such as withdrawal or suspension of an authorization) and on the conditions for the application of the measure of pecuniary payments (articles 55, 56 and 57 of the 6^th AML Directive) are provided.

The EBA Consultation paper is published for a three-month period. During this time, financial institutions in the scope of the proposed RTS can submit their comments and answers to the questions posed by EBA at the end of the paper. The EBA will consider feedback to this consultation when preparing its response to the European Commission, which it will submit on 31 October 2025.

In case you fall in the category of the financial institutions to be directly supervised by AMLA or simply you need advice in terms of AML in order to move around the new regulatory landscape, we can help you.

[1] Regulation (EU) 2024/1620 establishing the Authority for Anti-Money Laundering and Countering the Financing of Terrorism and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

[2] Regulation (EU) 2024/1624 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing. It shall apply as of 10 July 2027.

[3] Directive (EU) 2024/1640 on the mechanisms to be put in place by Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Directive(EU) 2019/1937, and amending and repealing Directive (EU) 2015/849.

[4] Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing