(1)

Article 9a(2) of Regulation (EU) No 1093/2010 requires the European Banking Authority (EBA) to establish and keep up to date a central database of information collected in accordance with Article 9a(1), point (a), of that Regulation. As a result, specifying how information is to be analysed and made available to reporting authorities on a need-to-know and confidential basis, as required by Article 9a(3) of that Regulation, inevitably relates to the specification of details for setting up that central database.

(2)

It is necessary to specify the corresponding situations where weaknesses may occur. Supervision includes all relevant activities, without prejudice to national competences, of all reporting authorities to be carried out pursuant to the sectoral legislative acts, and is, hence, diverse. Therefore, the corresponding situations should be specified having regard to the supervisory activities performed by the different reporting authorities.

(3)

To determine the materiality of a weakness, it is necessary to set out its general definition and a non-exhaustive list of criteria to specify that definition further. Such definition and list of criteria are necessary to achieve on the one hand a harmonised approach in the application of that general definition, while on the other hand to ensure that all material weaknesses, within the meaning of the general definition, are captured taking into account the specific context.

(4)

To ensure that reporting authorities report weaknesses to the database at an early stage, a material weakness should be defined in such a way that it encompasses not only weaknesses that reveal, but also those weaknesses that could lead to a significant failure in complying with applicable requirements related to anti-money laundering and combating the financing of terrorism (AML/CFT) even if such failure has not yet occurred. This is also justified by the fact that information should be reported to the database on a best effort basis by those authorities that do not possess the same level of AML/CFT information and expertise as the supervisory authorities designated as competent under Directive (EU) 2015/849 of the European Parliament and of the Council (2).

(5)

To set out the type of information to be submitted, it is necessary to distinguish between general information, information on material weaknesses and information on the measures taken.

(6)

When setting out the components of the general information to be submitted, particular attention should be given to financial sector operators that operate on a cross-border basis, including financial sector operators that are part of a group for which a college operates. To ensure comparability of information submitted, AML/CFT authorities should also submit to the EBA as part of that general information the financial sector operator’s AML/CFT risk profile using common categories.

(7)

Prudential authorities should, as part of the general information that they are to report, provide information on the result of the relevant risk assessment of any supervisory review process and of any other similar process affected by the money laundering and terrorist financing risk of the financial sector operator together with information on any negative final assessment or negative decision on applications for authorisation, where such assessment or decision is also based on the grounds of money laundering and terrorist financing risks.

(8)

To take into account the distinct competences of the home and host AML/CFT authorities as set out in Directive (EU) 2015/849, it is necessary to clarify that both the home and the host AML/CFT authorities should report to the EBA material weaknesses they have each identified in the performance of their respective competences. It is also necessary to clarify that the measures taken by the host AML/CFT authority should be submitted to the database independently of any notification to the home authority.

(9)

It is necessary to ensure that the EBA can effectively exercise its role to lead, coordinate and monitor activities to promote the integrity, transparency, and security in the financial system to prevent the use of that system for money laundering or terrorist financing purposes, by making full use of all its powers and tools under Regulation (EU) No 1093/2010 while respecting the principle of proportionality. The EBA should therefore be able to combine, for the purposes of analysing the information submitted to the database, information that it has from other sources. The EBA should endeavour to make use of this information for the achievement of all its tasks as set out in Regulation (EU) No 1093/2010.

(10)

While analysing information submitted to the database and made available to the reporting authorities, this Regulation should ensure cooperation with the European Insurance and Occupational Pensions Authority (EIOPA) and European Securities and Markets Authority (ESMA) in accordance with the principle of sincere cooperation pursuant to Article 4(3) of the Treaty on European Union as further specified in Article 2(4) of Regulation (EU) No 1093/2010, Article 2(4) of Regulation (EU) No 1094/2010 of the European Parliament and of the Council (3) and Article 2(4) of Regulation (EU) No 1095/2010 of the European Parliament and of the Council (4). In particular, it should be specified that information requested by the EBA to those authorities or otherwise received from those authorities could be used, where appropriate, for the purposes of the analysis and that the EBA should provide EIOPA and ESMA with that information, either on its own initiative or upon a request received from those authorities.

(11)

It is necessary to specify how information is made available to reporting authorities. Article 9a(2) of Regulation (EU) No 1093/2010 refers generally to the fact that the EBA is to ensure that information is made available to reporting authorities on a need-to-know and confidential basis, while Article 9a(3) of that Regulation refers specifically to reasoned requests. Both provisions are part of the process regarding how information is made available to reporting authorities. To that end, the particular elements of the reasoned request to be received by the EBA from reporting authorities should also be set out.

(12)

To ensure respect for the principle of proportionality and avoid the duplication of information, an AML/CFT authority submitting information on a measure should be deemed as also submitting the notification referred to in Article 62 of Directive (EU) 2015/849, with regard to that measure. Furthermore, it is necessary to require that an AML/CFT or prudential authority submitting information to the central database specifies as part of its submission whether that authority has already submitted a notification under Article 97(6) of Directive 2013/36/EU of the European Parliament and of the Council (5).

(13)

To ensure that the AML/CFT central database becomes an effective tool in the fight against money laundering and terrorist financing, it is necessary to ensure that the reporting authorities submit that information to the central database in a timely manner, and to ensure the quality of that information. To that end, information on material weaknesses and measures taken should be submitted without undue delay and reporting authorities should respond without undue delay to any request from the EBA made after any quality check analysis is performed. For the same reason, reporting authorities should ensure the ongoing accuracy, completeness, adequacy and updates of such information, and information on a material weakness should be submitted independently of any measure taken in response to it.

(14)

To ensure time efficiency, thereby promoting consistent, systematic and effective monitoring and assessment of risks in relation to money laundering and terrorist financing in the Union’s financial systems, submissions and requests should be made in English. At the same time, to ensure respect for the principle of proportionality and to avoid excessive costs for the reporting authorities, where the supporting documents are not available in English, they should be submitted in their original language and be accompanied by a summary in English.

(15)

Where the operation of a deposit guarantee scheme is administered by a private entity, the designated authority supervising that scheme should ensure that such scheme reports material weaknesses that are identified in the course of its activities to the designated authority.

(16)

Given the large number of reporting authorities involved and to anticipate the considerable differences in the reporting frequency as some of those reporting authorities are, due to their supervisory responsibilities, likely to report AML/CFT material weaknesses and measures less frequently than others, and to achieve operational and cost efficiency both for the reporting authorities and for the EBA, a sequential approach should be built into the architecture of the database. On the basis of that sequential approach, some reporting authorities should have direct, and others indirect, access to the database.

(17)

All parties involved in the exchange of information should be bound by professional secrecy and confidentiality requirements. Hence, specific provisions should be set out as to how the information can be further disclosed, thereby preserving confidentiality.

(18)

When the information that is submitted, requested, shared or made available concerns natural persons, the principle of proportionality should be respected in the processing of information on those natural persons. To that end, it is necessary to specify the information processed concerning natural persons.

(19)

To ensure the efficiency of the database and analysis of the information in it in order to be an effective tool in the fight against money laundering and terrorist financing, the EBA should be able to combine as part of its analysis information submitted to it in accordance with this Regulation with other information available on material weaknesses in individual financial sector operators that make them vulnerable to money laundering or terrorist financing and which the EBA acquires in carrying out its tasks within the scope of its mandate. To ensure its relevance, when the information combined contains personal data, such data should fall under the data categories listed in Annex II. Combining of personal data should be exceptional and such processing may serve only to achieving the purposes of the present Regulation. The data may need to be combined in order to (i) ensure the accuracy and completeness of data obtained from competent authorities or (ii) to enable the EBA to integrate into its database relevant information of the same nature as that transmitted by the competent authorities but obtained through another channel such as through its investigations into potential breaches of Union law pursuant to Article 17 of Regulation (EU) No 1093/2010.

Information relating to suspicions of criminal offences or criminal convictions committed by a customer, a beneficial owner, a member of the management body or key function holder could be an indicator of a lack of honesty, integrity or ML/TF risks. This can be a significant cause or contributor to material weaknesses in a financial sector operator’s governance arrangements, fitness and propriety, holders of qualifying holdings, business model or activities. Therefore, the personal data specified in Annex II may include information related to suspicion or conviction for criminal offences.

Only the data related to material weaknesses can be included in the database. Given that under this Regulation the material weaknesses relate only to significant failures in the compliance with any of the AML/CFT-related requirements, this ensures the processing of the data under the Regulation remain limited in scope to grave breaches of the AML/CFT-related requirements, and hence remain limited to what is necessary and proportionate.

All the personal data processed for the implementation of this Regulation should be handled in accordance with the data protection framework of the Union, including the principles relating to the processing such as lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

(20)

Data protection laws, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council (6) and Regulation (EU) 2018/1725 of the European Parliament and of the Council (7) are applicable to the processing of personal data.

(21)

The EBA, ESMA, EIOPA and the reporting authorities should determine their respective responsibilities as joint controllers of personal data by means of an arrangement between them in accordance with Article 26 of Regulation (EU) 2016/679 and Article 86 of Regulation (EU) 2018/1725, to the extent that those responsibilities are not determined by the Union law or national law to which they are subject.

(22)

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and provided formal comments on 24 January 2023.

(23)

Given the complementary character of the mandate set out in Article 9a(1) of Regulation (EU) No 1093/2010 pertaining to the definition of weakness and its materiality, the specification of corresponding situations where a weakness may occur and the type and practical implementation of the information collection, and of the mandate set out in paragraph 3 of that Article as to how information collected should be analysed and made available on a need to-know and confidential basis, the relevant specifications should be set out in a single Regulation.

(24)

Article 9a of Regulation (EU) No 1093/2010 tasks the EBA with the collection of information about the measures taken by the reporting authorities in response to material weaknesses identified. Such measures should be understood as any supervisory and administrative measures, sanctions and penalties including precautionary or temporary measures, taken by reporting authorities in the context of a supervisory activity as set out in Article 2(5), second subparagraph, of Regulation (EU) No 1093/2010, in Article 2(5), second subparagraph, of Regulation (EU) No 1094/2010 and in Article 2(5), second subparagraph, of Regulation (EU) No 1095/2010.

(25)

This Regulation is based on the draft regulatory technical standards submitted to the Commission by the EBA.

(26)

The EBA has conducted open public consultations on the draft regulatory technical standards on which this Regulation is based, analysed the potential related costs and benefits and requested the advice of the Stakeholder Group established in accordance with Article 37 of Regulation (EU) No 1093/2010,