Response to consultation on draft Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on customer due diligence and ML/TF risk factors
Question 1: Do you have any comments with the proposed changes to the Definitions section of the Guidelines?
finleap connect does not have any comments on the proposed changes to the Definitions section of the Guidelines.
Question 2: Do you have any comments on the proposed amendments to Guideline 1 on risk assessment?
finleap connect does not have any comments on the proposed Guideline 1.
Question 3: Do you have any comments on the proposed amendments to Guideline 2 on identifying ML/TF risk factors?
finleap connect does not have any comments on the proposed Guideline 2 or 3.
Question 4: Do you have any comments on the proposed amendments and additions in Guideline 4 on CDD measures to be applied by all firms?
finleap connect does not have any comments on the proposed Guideline 4.
Question 5: Do you have any comments on the amendments to Guideline 5 on record keeping?
finleap connect does not have any comments on the proposed Guideline 5.
Question 6: Do you have any comments on Guideline 6 on training?
finleap connect does not have any comments on the proposed Guideline 6.
Question 7: Do you have any comments on the amendments to Guideline 7 on reviewing effectiveness?
finleap connect would like to comment on Guideline 7 that any effectiveness review should ideally be part of a firm's risk assessment. Independent risk assessments and effectiveness reviews do not foster a coherent and sustainable risk-based approach.
Moreover, an independent review of the effectiveness of a risk assessment approach should lie with the statutory auditor. If there is tangible evidence of a lack of effectiveness, a statutory auditor MUST identify it. The EBA should refrain from recommending independent reviews by third parties that are not statutory auditors, as this would weaken the responsibilities of the latter.
Question 8: Do you have any comments on the proposed amendments to Guideline 8 for correspondent banks?
finleap connect does not have any comments on the proposed Guideline 8.
Question 9: Do you have any comments on the proposed amendments to Guideline 9 for retail banks?
finleap connect does not have any comments on the proposed Guideline 9.
Question 10: Do you have any comments on the proposed amendments to Guideline 10 for electronic money issuers?
finleap connect does not have any comments on the proposed Guideline 10.
Question 11: Do you have any comments on the proposed amendments to Guideline 11 for money remitters?
finleap connect does not have any comments on the proposed Guideline 11.
Question 12: Do you have any comments on the proposed amendments to Guideline 12 for wealth management?
finleap connect does not have any comments on the proposed Guideline 12.
Question 13: Do you have any comments on the proposed amendments to Guideline 13 for trade finance providers?
finleap connect does not have any comments on the proposed Guideline 13.
Question 14: Do you have any comments on the proposed amendments to Guideline 14 for life insurance undertakings?
finleap connect does not have any comments on the proposed Guideline 14.
Question 15: Do you have any comments on the proposed amendments to Guideline 15 for investment firms?
finleap connect does not have any comments on the proposed Guideline 15.
Question 16: Do you have any comments on the proposed amendments to Guideline 16 for providers of investment funds and the definition of customer in this Guideline?
finleap connect does not have any comments on the amended Guideline 16.
Question 17: Do you have any comments on the additional sector-specific Guideline 17 on crowdfunding platforms?
finleap connect does not have any comments on the additional sector-specific Guideline 17 on crowdfunding platforms.
Question 18: Do you have any comments on the additional sector-specific Guideline 18 on account information and payment initiation service providers?
We would like to give our opinion on the additional sector-specific Guideline 18 on TPPs, i.e. AISPs and PISPs under PSD2, from finleap connect’s perspective as a payment institution offering these services.
Legal and regulatory provisions for TPPs that go far beyond risk-based and proportionality principles can endanger a successful open banking market in Europe. A current example is AML regulation for TPPs. AML rules should apply to cases where business models have a clear connection with money laundering risks, for example where businesses are responsible for executing transactions and come into possession of customer funds.
When the new Payment Services of Account Information Service (AIS) and Payment Initiation Service (PIS) were introduced by PSD2, providers of both services were automatically classed as obliged entities under AMLD, despite the fact that neither type of provider executes transactions or comes into possession of funds.
As the EBA itself acknowledges in its Draft Guidelines “the inherent ML/TF risk associated with [these services] is limited” for these very reasons. The inclusion of these services needs to be re-examined as part of the Commission’s AML action plan, to remove duplication and friction which will ultimately prevent consumer take-up of these innovative new services and hamper innovation and competition.
We ask that the EBA’s Risk Sector AML Guidelines are not finalised until the conclusion of the Commission’s consultation, particularly given the contention around whether AIS and PIS were intended to be included as obliged entities, or whether this was the unintentional result of cross-referencing between PSD2, CRD and AMLD.
If, despite their low risk, PISPs were to remain in scope of AMLD, a number of changes need to be made to ensure PIS business models remain viable:
- Since PISPs’ primary relationship is with the online merchant (with whom they contract to provide the regulated service), it should be clarified that AML due diligence is required to be carried out on the PISP’s merchant client, and not on every PSU who makes purchases from the merchant via PIS. To do otherwise would hugely and unnecessarily disadvantage PISPs compared to other payment methods, which are not under this obligation.
- PISPs should not be required to undertake transaction monitoring, in order to avoid unnecessary duplication of effort (i.e. effort that is avoidable on a risk basis) for the whole open banking sector.
To provide a deeper view into market practice from our side, finleap connect’s current AML/CFT practice, based on national authority guidelines, is as follows:
As part of finleap connect's overall risk management framework, as described in a Governance & Risk Strategy, finleap connect maintains an Anti-Money Laundering, Combating the Financing of Terrorism and Anti-Fraud Policy covering these two risk areas. The overall objective of this policy is to explain how the corresponding risks are identified, prevented and countered in an appropriate manner, and how finleap connect fulfils its duties as an obliged payment institution under the German Money Laundering Act. This especially includes finleap connect's risk assessment for these risk areas and finleap connect's corresponding internal controls and risk-minimising measures.
Because of finleap connect's general obligation under the German Money Laundering Act, and in order to ensure on an ongoing basis that finleap connect can guarantee the observance of simplified due diligence obligations through a clean derivation of risks (risk-based approach), finleap connect complies primarily with the requirements of chapter 2 of the German Money Laundering Act ("Risk Management"). Moreover, the obligations that are explicitly defined by the German Financial Supervisory Authority ("BaFin") as part of its administrative practice (interpretation and application references of BaFin as of May 2020), namely the obligation to report suspicions and the general duties of care with regard to payees for PISPs, were determined as minimum requirements for finleap connect as an account information service and payment initiation service provider. Moreover, finleap connect continuously monitors whether any further national Anti-Money Laundering ("AML") laws apply as a result of being active under passporting rights in other EU countries.
As part of the finleap connect Overall Risk Assessment, the appropriateness of first-level controls, second-level controls and risk-minimising measures is assessed for the risk areas AML/CFT and Anti-Fraud. The risk assessment is updated at least yearly and on an ad hoc basis if necessary. The results of the risk assessments can include newly identified risks and possible weaknesses or gaps, which are used to plan new risk-minimising measures or adapt existing ones. finleap connect will always react to any changing circumstances and new threat developments, i.e. will take any new findings into account to keep its AML procedures up to date, especially Know Your Customer, i.e. customer due diligence, procedures.
First Level Controls - Customer Due Diligence Measures: As the ongoing risk assessment, which so far takes into account the factors and types of evidence of potentially lower risk (Annex II) and higher risk (Annex III) from Directive 2015/849 of 20 May 2015 (AMLD4), has consistently shown a very low risk of money laundering/terrorist financing, finleap connect decided to apply simplified customer due diligence measures.
The interpretation and application references of BaFin as of May 2020 state that customer due diligence measures are necessary at least when the B2B customer of payment initiation services is also the payee. Thus, finleap connect understood its initial risk analysis, which was provided to BaFin beforehand, as approved and implemented a three-level Know Your Customer (KYC) approach for its B2B customers. We apply it consistently for all B2B customers, regardless of whether we serve them with PISP/AISP services as a payment institution or only act as a technical service provider. For PISP/AISP services, we apply a medium level of simplified CDD. For PISP services in which our B2B customer is also acting as a payee, we apply full CDD in line with BaFin provisions as of May 2020.
So far, under current practice no IT monitoring of transactions is necessary, which is highly welcomed in order to avoid unnecessary duplication of effort that is avoidable on a risk basis for the market. Our approach has proven to provide the right level of risk identification and CDD scope. We were able to focus our AML/CFT management system on actual risk minimisation and not on redundant documentation efforts.
Last but not least, we would like to mention that banks which finleap connect serves as a technical service provider have already stated that if EBA Guideline 18 becomes applicable to the extent drafted, they would rather refrain from offering multibanking services and other PSD2 use cases to their end customers (PSUs) than follow those guidelines. The costs of the measures proposed by the EBA, especially for switching from a B2B customer approach to any PSU-linked measures based on Guideline 18.8, as well as IT monitoring based on Guideline 18.11, do not match the actual risks at all.
Moreover, they are likely to kill the market’s motivation to provide user-centric services and are thus a big hurdle to PSD2’s goal of fostering innovation in the EU market. We highly recommend that the EBA refrain from the proposed approach for AISPs/PISPs and follow the smart approaches taken in member state markets such as France (AISPs excluded; simplified obligations for PISPs under Décret n° 2017-1313 du 31 août 2017 portant transposition de la directive n° 2015/2366) or Germany, as outlined in detail above.