-
What's new
- All What's new
-
European
- What's new - All
- <hr>
- What's new - last 24 hrs
- What's new - last 7 days
- What's new - last 30 days
- <hr>
- New EU Legislation
- European Commission
- European Banking Authority
- European Securities and Markets Authority
- European Insurance and Occupational Pensions Authority
- <hr>
- Consultations and similar
- Commentaries
- <hr>
- Downloads and Exports
- Latest news by Topics
-
International
- What's new - All
- <hr>
- What's new - last 24 hrs
- What's new - last 7 days
- What's new - last 30 days
- <hr>
- Bank for International Settlements
- Basel Committee on Banking Supervision
- Egmont Group
- International Association of Insurance Supervisors
- International Monetary Fund
- <hr>
- Consultations and similar
- Commentaries
- <hr>
- Downloads and Exports
- Latest news by Topics
- Downloads and Exports
- Legislation
- Organisations
-
Commentaries
- Consultations
- Sanctioned regimes
- IFRSs
- Regulatory calendar
- Quicklinks
-
More
Table of Contents
Final Report - Guidelines EBA/2021/02 on customer due diligence and the factors credit and financial institutions should consider when assessing the money laundering and terrorist financing risk associated with individual business relationships and occasional transactions ('The ML/TF Risk Factors Guidelines') under Directive (EU) 2015/849 (EBA/GL/2021/02) (updated 30 December 2024)1. Executive summary2. Abbreviations3. Background and rationale3.1 Background (3.1.1-3.1.10)3.1.13.1.23.1.33.1.43.1.53.1.63.1.73.1.83.1.93.1.103.2 Rationale (3.2.11-3.2.36)3.2.113.2.12Business-wide risk assessments (3.2.13-3.2.14)3.2.133.2.14Non-face-to-face interactions (3.2.15-3.2.19)3.2.153.2.163.2.173.2.183.2.19Account information and payment initiation services (3.2.20-3.2.22)3.2.203.2.213.2.22Crowdfunding (3.2.23)3.2.23Editorial amendments (3.2.24)3.2.24High-risk third countries (3.2.25-3.2.26)3.2.253.2.26Financial inclusion and de-risking (3.2.27-3.2.29)3.2.273.2.283.2.29Scope of application of the Guidelines (3.2.30-3.2.31)3.2.303.2.31Independent reviews (3.2.32-3.2.33)3.2.323.2.33Investment citizenship schemes (3.2.34-3.2.36)3.2.343.2.353.2.36Guidelines1. Compliance and reporting obligations2. Subject matter, scope and definitions (updated 30 December 2024)3. ImplementationTitle I: General GuidelinesGuideline 1: Risk assessments: key principles for all firms (1.1-1.32)1.1General considerations (1.2-1.5)1.21.31.41.5Keeping risk assessments up to date (1.6-1.10)1.61.7 (updated 30 December 2024)1.81.91.10Business-wide risk assessments (1.11-1.17)1.111.121.131.141.15Proportionality (1.16)1.16Implementation (1.17)1.17Linking the business-wide and individual risk assessments (1.18-1.20)1.181.191.20Individual risk assessments (1.21-1.28)1.211.22Initial Customer Due Diligence (1.23-1.25)1.231.241.25Obtaining a holistic view (1.26-1.27)1.261.27Ongoing customer due diligence (1.28)1.28Sources of information (1.29-1.32)1.291.301.311.32Guideline 2: Identifying ML/TF risk factors (2.1-2.21)2.12.2Customer risk factors (2.3-2.8)2.32.4 (updated 30 December 2024)2.52.62.7 (updated 3 November 2023)2.8Countries and geographical areas (2.9-2.15)2.92.102.112.122.132.142.15Products, services and transactions risk factors (2.16-2.19)2.162.172.182.19Delivery channel risk factors (2.20-2.21)2.202.21Guideline 3: Assessing ML/TF risk (3.1-3.9)3.1Taking a holistic view (3.2-3.3)3.23.3Weighting risk factors (3.4-3.7)3.43.53.63.7Categorising risk (3.8-3.9)3.83.9Guideline 4: CDD measures to be applied by all firms (4.1-4.78)4.14.24.34.4Customer due diligence (4.5-4.39)4.54.64.74.8Financial inclusion and de-risking (4.9-4.11)4.94.104.11Beneficial owners (4.12-4.25)4.12Beneficial ownership registers (4.13)4.13Control through other means (4.14-4.18)4.144.154.164.174.18Identifying the customer’s senior managing officials (4.19-4.22)4.194.204.214.22Identifying the beneficial owner of a public administration or a state-owned enterprises (4.23-4.25)4.234.244.25Evidence of identity (4.26-4.37)4.264.274.28Non-face to face situations (4.29-4.31)4.29 (updated 30 December 2024)4.304.31Using innovative technological means to verify identity (4.32-4.37)4.324.334.344.35 (updated 30 December 2024)4.364.37Establishing the nature and purpose of the business relationship (4.38-4.39)4.384.39Simplified customer due diligence (4.40-4.44)4.404.414.424.434.44Enhanced customer due diligence (4.45-4.68)4.454.464.47Politically Exposed Persons (4.48-4.52)4.484.494.504.514.52High-risk third countries (4.53-4.57)4.534.544.554.564.57Correspondent relationships (4.58-4.59)4.584.59Unusual transactions (4.60-4.61)4.60 (updated 30 December 2024)4.61 (updated 30 December 2024)Other high-risk situations (4.62-4.65)4.624.634.644.65Other considerations (4.66-4.68)4.664.674.68Monitoring (4.69-4.78)4.694.704.71Transaction monitoring (4.72-4.75)4.724.734.74 (updated 30 December 2024)4.75Keeping CDD information up to date (4.76-4.78)4.764.774.78Guideline 5: Record-keeping (5.1-5.2)5.15.2Guideline 6: Training (6.1-6.3)6.16.2 (updated 30 December 2024)6.3Guideline 7: Reviewing effectiveness (7.1-7.2)7.17.2Title II: Sector-specific GuidelinesGuideline 8: Sectoral guideline for correspondent relationships (8.1-8.3)8.18.28.3Risk factors (8.4-8.9)Product, service and transaction risk factors (8.4-8.5)8.48.5Customer risk factors (8.6-8.7)8.6 (updated 30 December 2024)8.7Country or geographical risk factors (8.8-8.9)8.8 (updated 30 December 2024)8.9Measures (8.10-8.25)8.108.118.128.13Respondents based in non-EEA countries (8.14-8.17)8.148.158.168.17Respondents based in EEA countries (8.18-8.19)8.188.19Respondents established in high-risk third countries, and correspondent relationships involving high-risk third countries (8.20-8.25)8.208.218.228.238.248.25Guideline 9: Sectoral guideline for retail banks (9.1-9.24)9.19.29.3Risk factors (9.4-9.11)Product, service and transaction risk factors (9.4-9.5)9.49.5Customer risk factors (9.6-9.7)9.69.7Country or geographical risk factors (9.8-9.9)9.89.9Distribution channel risk factors (9.10-9.11)9.109.11Measures (9.12-9.24)9.12Enhanced customer due diligence (9.13-9.14)9.139.14Simplified customer due diligence (9.15)9.15Pooled accounts (9.16-9.19)9.16 (updated 30 December 2024)9.17 (updated 30 December 2024)9.18 (updated 30 December 2024)9.19Customers that offer services related to crypto-assets (9.20-9.24) (updated 30 December 2024)9.20 (updated 30 December 2024)9.21 (updated 30 December 2024)9.22 (updated 30 December 2024)9.23 (updated 30 December 2024)9.24Guideline 10: Sectoral guideline for electronic money issuers (10.1-10.18)10.110.2 (updated 30 December 2024)Risk factors (10.3-10.10)Product risk factors (10.3-10.5)10.310.410.5Customer risk factors (10.6-10.7)10.610.7Distribution channel risk factors (10.8-10.9)10.810.9Country or geographical risk factors (10.10)10.10Measures (10.11-10.18)Customer Due Diligence measures (10.11-10.14)10.1110.1210.1310.14Enhanced customer due diligence (10.15-10.16)10.1510.16Simplified customer due diligence (10.17-10.18)10.1710.18Guideline 11: Sectoral guideline for money remitters (11.1-11.16)11.111.211.311.4Risk factors (11.5-11.11)Product, service and transaction risk factors (11.5-11.6)11.511.6Customer risk factors (11.7-11.8)11.711.8Distribution channel risk factors (11.9-11.10)11.911.10Country or geographical risk factors (11.11)11.11Measures (11.12-11.16)11.1211.1311.1411.15Use of agents (11.16)11.16Guideline 12: Sectoral guideline for wealth management (12.1-12.8)12.112.212.3Risk factors (12.4-12.6)Product, service and transaction risk factors (12.4)12.4Customer risk factors (12.5)12.5Country or geographical risk factors (12.6)12.6Measures (12.7-12.8)12.7Enhanced customer due diligence (12.8)12.8Guideline 13: Sectoral guideline for trade finance providers (13.1-13.24)13.113.213.313.413.513.6Risk factors (13.7-13.15)13.713.813.9Transaction risk factors (13.10-13.11)13.1013.11Customer risk factors (13.12-13.13)13.1213.13Country or geographical risk factors (13.14-13.15)13.1413.15Measures (13.16-13.24)13.1613.1713.18Enhanced customer due diligence (13.19-13.23)13.1913.2013.2113.2213.23Simplified customer due diligence (13.24)13.24Guideline 14: Sectoral guideline for life insurance undertakings (14.1-14.23)14.114.214.314.414.5Risk factors (14.6-14.13)Product, service and transaction risk factors (14.6-14.7)14.614.7Customer and beneficiary risk factors (14.8-14.9)14.814.9Distribution channel risk factors (14.10-14.11)14.1014.11Country or geographical risk factors (14.12-14.13)14.1214.13Measures (14.14-14.23)14.1414.1514.1614.17Enhanced customer due diligence (14.18-14.22)14.1814.1914.2014.2114.22Simplified customer due diligence (14.23)14.23Guideline 15: Sectoral guideline for investment firms (15.1-15.12)15.1 (updated 30 December 2024)15.2Risk factors (15.3-15.8)Product, service or transaction risk factors (15.3-15.4)15.315.4Customer risk factors (15.5-15.6)15.515.6Distribution channel risk factors (15.7)15.7Country or geographical risk factors (15.8)15.8Measures (15.9-15.12)15.915.1015.1115.12Guideline 16: Sectoral guideline for providers of investment funds (16.1-16.22)16.116.216.316.4Risk factors (16.5-16.12)Product, service or transaction risk factors (16.5-16.7)16.516.616.7Customer risk factors (16.8-16.9)16.816.9Distribution channel risk factors (16.10-16.11)16.1016.11Country or geographical risk factors (16.12)16.12Measures (16.13-16.22)16.1316.14Enhanced Customer Due Diligence (16.15-16.18)16.1516.1616.1716.18Simplified Customer Due Diligence (16.19-16.22)16.1916.2016.2116.22Guideline 17: Sectoral guideline for regulated crowdfunding platforms (17.1-17.8)17.117.217.3Risk factors (17.4-17.9)Product, service and transaction risk factors (17.4-17.5)17.4 (updated 30 December 2024)17.5Customer risk factors (17.6)17.6 (updated 30 December 2024)Distribution channel risk factors (17.7-17.8)17.717.8Country or geographical risk factors (17.9)17.9Measures (17.10-17.17)17.1017.1117.1217.13Customer due diligence (17.14-17.15)17.1417.15Enhanced customer due diligence (17.16)17.16Simplified customer due diligence (17.17)17.17Guideline 18: Sectoral guideline for payment initiation service providers (PISPs) and account information service providers (AISPs) (18.1-18.15)18.118.218.3Risk factors (18.4-18.7)Customer risk factors (18.4)18.4Distribution channel risk factors (18.5)18.5Country or geographical risk factor (18.6-18.17)18.618.7Measures (18.8-18.15)18.818.918.1018.11Customer due diligence (18.12-18.15)18.1218.13Enhanced customer due diligence (18.14)18.14Simplified customer due diligence (18.15)18.15Guideline 19: Sectoral guideline for firms providing activities of currency exchange offices (19.1-19.12)19.119.2Risk factors (19.3-19.7)Product, service and transaction risk factors (19.3-19.4)19.319.4Customer risk factors (19.5)19.5Distribution channel risk factors (19.6)19.6Country or geographical risk factors (19.7)19.7Measures (19.8-19.12)19.8Customers due diligence (19.9-19.10)19.919.10Enhanced customer due diligence (19.11)19.11Simplified customer due diligence (19.12)19.12Guideline 20: Sectoral guideline for corporate finance (20.1-20.9)20.120.2Risk factors (20.3-20.5)Customer and beneficiary risk factors (20.3-20.4)20.320.4Country or geographical risk factors (20.5)20.5Measures (20.6-20.9)20.6Enhanced customer due diligence (20.7)20.7Simplified due diligence (SDD) (20.8-20.9)20.820.9Guideline 21: Sectoral Guideline for crypto-asset services providers (CASPs) (updated 30 December 2024)Annex: Customers that are NPOs (updated 3 November 2023)4. Accompanying documents4.1 Cost-benefit analysis/impact assessment (4.1.1-4.1.46)Introduction (4.1.1-4.1.5)4.1.14.1.24.1.34.1.44.1.5Scope and objectives (4.1.6-4.1.10)4.1.64.1.74.1.84.1.94.1.10Baseline (4.1.11-4.1.14)4.1.114.1.124.1.134.1.14Consistency with international AML/CFT standards (4.1.15)4.1.15Option 1 - ESAs’ GL simply reproduce international AML/CFT standards (4.1.16-4.1.20)4.1.164.1.174.1.184.1.194.1.20Option 2 - ESAs’ GL are consistent with international AML/CFT standards (4.1.21-4.1.23)4.1.214.1.224.1.23Option 3 - ESAs’ GL disregard international AML/CFT standards (4.1.24-4.1.26)4.1.244.1.254.1.26Preferred option (4.1.27)4.1.27Level of prescription (4.1.28-4.1.29)4.1.284.1.29Option 1 - Exact definitions and actions (what constitutes high ML/TF risk and low ML/TF risk and what firms should do) (4.1.30-4.1.32)4.1.304.1.314.1.32Option 2 - Information to consider (to assess as high or low ML/TF risk, and which type of CDD might be appropriate to manage that risk) (4.1.33-4.1.35)4.1.334.1.344.1.35Preferred option (4.1.36)4.1.36Costs and benefits (4.1.37-4.1.39)4.1.374.1.384.1.39Firms (4.1.40-4.1.43)4.1.404.1.414.1.424.1.43Competent authorities (4.1.44-4.1.46)4.1.444.1.454.1.464.2 Overview of questions for consultation4.3 Summary of responses to the consultation and the EBA's analysis
Document Overview
Tools
Text comparison
Print / Export
Notification
Bookmark
Share / Source link
AI Disclaimer
Please note that AI-generated content should not be considered legal advice. Users are encouraged to consult with qualified professionals or legal advisors where specific legal guidance is required.
We are committed to transparency and responsible use of AI in a way that supports, but never replaces, human expertise.
If you have any questions or concerns about the use of AI on our platform, please feel free to contact us.
1.7
(updated 30 December 2024)
The systems and controls that firms should put in place to ensure their individual and business- wide risk assessments remain up to date should include:
a) Setting a date for each calendar year on which the next business-wide risk assessment update will take place, and setting a date on a risk sensitive basis for the individual risk assessment to ensure new or emerging risks are included.
b) Where the firm becomes aware before that date that a new ML/TF risk has emerged, or an existing one has increased, this should be reflected in their individual and business-wide risk assessments as soon as possible; and
c) Carefully recording issues throughout the relevant period that could have a bearing on risk assessments, such as internal suspicious transaction reports, compliance failures and intelligence from front office staff.
d) Where the firm is launching new products, services, or business practices, or significantly changing them, including where it introduces a new delivery channel, or adopts an innovative technology as part of its AML/CFT systems and controls framework, it should assess the ML/TF risk exposure prior to the launch of these products, services or business practices. Where these products, services or business practices have a significant impact on the firm's ML/TF risk exposure, the firm should reflect this assessment in its business-wide risk assessment carried out in accordance with Article 8(2) of Directive (EU) 2015/849 and its policies and procedures.