Response to consultation on draft Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on customer due diligence and ML/TF risk factors
Question 3: Do you have any comments on the proposed amendments to Guideline 2 on identifying ML/TF risk factors?
Comment on paragraph 2.9 of the draft revised guidelines: It is generally possible to independently determine/verify the jurisdiction in which the customer is based or resident (e.g. on the basis of the customer’s ID card) and the jurisdictions where it has its main places of business (e.g. on the basis of public databases). However, there are generally no sources available to verify the jurisdictions to which the customer has personal, business, financial or legal interests. We would therefore suggest amending this paragraph so as to make clear that firms should consider the risks mentioned under a) to c) to the extent they can verify the information provided.
Question 18: Do you have any comments on the additional sector-specific Guideline 18 on account information and payment initiation service providers?
PayBelgium welcomes the proposal of a specific sectoral guideline 18 for PISPs and AISPs. We also welcome that the proposed guideline takes into account the low inherent ML/TF risk associated with payment initiation services and account information services. However, we do have the following specific comments on the proposed guideline:
- paragraph 18.11 of the draft revised guidelines: Requiring AISPs to monitor all visible PSU activity would imply that AISPs need to adapt their systems and processes to read and analyse the PSU’s statements to the ASPSP. That would be extremely expensive and time-consuming. The requirement would be disproportionate given the limited ML/TF risk associated with the business of AISPs. It could result in market players refusing to provide AIS, which would go against the goal of PSD2 to foster competition in banking and payment markets. The same goes for PISPs, to the extent they are required to monitor transactions beyond those in which they are involved. We therefore suggest that the guidelines clarify that the requirement to monitor the PSU’s transactional activity only applies to PISPs and only with respect to the transactions in which they are involved as PISP.
- paragraph 18.13 of the draft revised guidelines: PayBelgium fully acknowledges the relevance of asking a customer whether an account is his own account, a shared account, or a legal entity's account to which the customer has a mandate to access. However, it is not possible for AISPs to verify and validate the information that the customer would provide as a response to the request. Indeed, there is no trusted source available to AISPs for the name of the holder of an account, except for the ASPSP. The ASPSP does not currently provide that information through their API (because it is not required to do so under the PSD2 legal framework). Consequently, the AISP would have to rely on the information the customer provides while the information could be intentionally wrong. It is therefore necessary to amend or complement the PSD2 legal framework so as to oblige ASPSPs to communicate the nature of the account (e.g., personal, shared, legal entity) through their API.