Response to consultation on draft Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on customer due diligence and ML/TF risk factors
Go back
AFEPAME is the leading French association of Payment Institutions, Electronic Money, AISP and PISP players having an agreement from ACPR to operate in the European payment markets. 50 Payment Institutions are members of AFEPAME.
AFEPAME welcomes the opportunity to comment on the EBA Guidelines on revised money laundering and terrorist financing (ML/TF) risk factors. However, AFEPAME would like to express fundamental general concerns on the scope of the implied AML requirements mostly for AISPs. In the first part of its response, AFEPAME therefore raises these general concerns and explain why AISPs should not be covered by the scope of the AML requirements and guidelines. AFEPAME also has concerns about PISP and their potential added value to the actual AML supervision.
In the second part of its response, AFEPAME comments on those specific requirements and drafting suggestions for the guideline 18 that should be taken into account in order to ensure business neutrality, if the EBA were to include the AML requirements in their guidelines for AIS and PIS providers.
I. Comments on the scope of AML requirements
All ‘Financial Institutions’ are subject to the anti-money laundering requirements. ‘Financial Institutions’ are defined as those carrying out one or more of the listed activities set out in points 2 to 12, 14 and 15 of Annex 1 to the Capital Requirements Directive (CRD). Point 4 of the annex to CRD previously included payment services as defined under PSD1. PSD2 (article 113) updated Point 4 of CRD to include the new list of payment services in PSD2, which includes AIS and PIS and brought these services in scope of AML.
AFEPAME believes that before a specific consultation on the detailed AML guidelines for AIS and PIS providers is launched, a more fundamental discussion should take place, as to whether there is a need to include these services into the scope of the AML requirements. The EBA consultation acknowledges that they and other ESAs ‘consider that the ML/TF risk associated with their activities is limited’. However, some actions suggested for AISPs and PISPs could be counterproductive or redundant, creating no value added in some cases:
● As part of their CDD processes, PISPs and AISPs should ensure that their AML/CFT systems are set up in a way that alerts them to unusual or suspicious transactions. Even without holding significant information on the customer, PISPs and AISPs should use their own, or third party typologies, to detect unusual transactional activity.
● PISPs and AISPs should apply CDD measures to their customers
● Each time an account is added, the AISP should ask the customer whether the account is his own account, a shared account, or a legal entity’s account to which the customer has a mandate to access (eg: an association, a corporate account).
A. AFEPAME concerns on impacts of AML application to Account Information Service Provider (AISP) businesses
1. It has been 10 years since AISP are offering their services in the EU. There has been no evidence that money-laundering or terrorist financing can occur through an AISP platform, so far.
AFEPAME agrees with the objective of the EU’s Fourth Anti-Money Laundering Directive (4MLD) to restrict the flow of illicit finance by setting minimum common regulatory standards for Member States. Whilst the purpose of AML requirements is to restrict the flow of illicit finance, AML legislation also focuses on the idea that firms should take a risk-based approach to ensure proportionate duties on participants; thus striking a balance between regulation to protect the financial system and onerous administrative duties for legitimate businesses.
However, as the EBA acknowledged in its consultation, AISPs do not provide payments and are not involved in the payment chain; they are information service providers. AISPs have read-only access to customer bank account information and neither the AISP nor the AISP’s customer can conduct financial transactions on a bank account from within the AISP environment. Application of AML requirements to AISPs would not have the effect of restricting the flow of illicit finance since there is no basis for money laundering or terrorist financing to occur via an AISP platform. AML obligations properly sit with the financial institution (i.e. the bank/ASPSP), which provides the accounts in relation to which an AISP provides information services; this is where the transactions take place and where the relevant business relationship with the customer exists.
AISPs enable customers to share data with their selected service providers, including third party providers. Data itself is indeed personal to its owner and shall be handled securely. But we believe that the risks for money laundering are low (not to say null). When a customer selects an AISP, and consents for its AISP to retrieve specific data from its ASPSP, there are essentially three parties that hold the exact same data: the regulated ASPSP, the Technical Service Provider (TSP), and the AISP. It is clear that holding the data is not indicative of facilitating money laundering, nor is the act of sharing that data a means to money laundering.
2. Data treatment for the purposes of AML is incompatible with EBA sustainable finance action plan.
The EBA Guidelines appear asking AISPs to “ensure that their AML/CFT systems are set up in a way that alerts them to unusual or suspicious transaction activity.”
This is effectively asking AISPs to serve an additional purpose never initially outlined as an objective of PSD2. Under PSD2 and GDPR (data minimisation), these companies must only use data strictly to provide services customers request.
For customers with multiple bank accounts, this means an AISP is therefore obliged to monitor the transactions across all the accounts and banks to which they are connected. This is beyond the scope of PSD2, and beyond the service an AISP provides. It is quite an heavy responsibility, and not really in line with an AISP capabilities. It is also an additional cost layer, which performs redundant purposes.
These additional algorithms, which are proprietary services offered by other fintechs, would not actually run in real time, and therefore not provide any notification before the transaction order is completed. They would discover suspicious activity after the fact. They would also be a duplication of work already being done by the banks and come at an additional cost.
This cost is to be calculated as a sum of people, money but also energy and CO2.
Running algorithms with such amount of data would require lots of IT resources, considering the size of AISP, they cannot afford to have internal datacenters, they would go for Cloud hosted infrastructure. This additional cost would probably feed American tech giants such as AWS, Microsoft or Google since they actually are the only providers offering scalable and dedicated services regarding Big Data treatments. Security shall therefore be handled to ensure that these non-EU providers don’t have access to that personal Data.
Regarding big data issues, the impact on our environment cannot be ignored. There have been studies in the past few years pointing out that training a machine learning model produce over 270 kg of CO2, five times the amount produced by the average car over its lifetime.
Our financial regulation may have to learn some restraints: to stem the urge to impose measures at all cost ; and to realize that the digital world is not based on unlimited resource. The prevailing idea that we should not question new technologies in relation to their resource consumption is getting harder and harder to justify in an era of climate change. As for everything, “Return On Investment” shall be properly calculated.
For these reasons, requiring AISPs to perform transaction monitoring for suspicious AML/CTF activity is redundant, costly and has a negative impact.
3. Dispropotion
PSD2/Open Banking was introduced to increase innovation and competition – providing consumers with more choices and options. Any application of AML requirements to AISPs is counterproductive when assessing the purpose of this regime. Some AISPs will definitely not be able to continue to operate with the compliance overhead of AML requirements, and others simply shall not get off the ground due to the additional cost layers resulting from both the AML/CTF checks as well as the heavier touch transaction monitoring obligations. This will make it incredibly difficult for small businesses and consumers to effectively and efficiently access and use new, disruptive AIS such as online accounting and money management products. As a specific example, implementing identification and verification checks into the sign-up flows of AISPs will have a negative impact on customer adoption of new products and services affecting the future viability and success of these businesses, and ultimately of the open banking regime.
Point 1.29 of the EBA guidelines says that “to identify ML/TF risk, firms should refer to information from a variety of sources. These sources can be accessed individually or through commercially available tools or databases that pool information from several sources”. But Point 1.30 precises that the firms should take in account at least 13 sources of information. It is not possible for a human being to easily do so. It means that the firms are obliged to pay for a tool, which is expensive. A public list tool should be made available if EBA considers than at least 13 lists have to be checked.
4. Redundancy
We believe that a number of the requirements of AML regulations are already satisfied prior to an AISP consuming transaction data from a financial institution. For example, banks will already have conducted customer due diligence measures on account holders using AISP services, meaning that further checks are ‘doubling up’.
In nearly all cases, the bank is best placed to undertake the appropriate checks and monitor transactions for suspicious behaviour. Requiring an AISP to perform the same measure the bank has already taken is redundant and would serve no purpose other than charging AISPs with unnecessary overhead costs.
One of the aims of the 4MLD is to balance the objective of protecting society from crime with the need for creating a regulatory environment that allows companies to grow their businesses without incurring disproportionate compliance costs. Any onerous and redundant double-up compliance on an AISP would be counter to the objectives of the 4MLD, and also negatively impact competition and customer choice and convenience.
Conclusion regarding AISP AML Requirements
There are no evidences that Data could be facilitating money laundering, nor is the act of analysing that data or sharing that data a means to prevent money laundering. An AISP only holds and shares that data, therefore there is no known risk of an AISP facilitating money laundering. AISPs do not actually monitor transactions. PSD2 states that AISPs should provide a light touch as a conduit, with minimal processing. To fulfill AML/CTF compliance on transaction monitoring would not be in line with the PSD2 light touch requirement. The additional cost on AISPs and the Environment to comply runs counter to promoting competition, contradicting the desired outcomes of PSD2 and EBA's involvement in sustainable finance.
It is for these reasons that AFEPAME strongly believes that AISPs should be removed from the scope of AML requirements. AML requirements for AISPs would not serve the purpose for which they were intended, and be disproportionate to the risk (potentially none) of any money laundering or terrorist financing occurring through AISP platforms, as well as costly and redundant.
B. AFEPAME Concerns on impact of AML application to Payment Initiation Service Providers (PISP) businesses
The PSD2 regulated activity of ‘payment initiation services’ has been designed specifically as a ‘light touch’ regulatory regime for innovative firms - ‘PISPs’ - to compete with incumbent payment providers such as banks and card schemes.
Some of the arguments for removing AML obligations from AISPs apply equally to PISPs. However, the following are key considerations:
1. Duplicate and redundant PISPs customer due diligence on each end-customer.
Depending on the ‘risk profile’ this could involve requesting name and address from each customer, storing these details, and using a paid-for electronic ID verification system. This would make it de facto impossible for PISPs to provide services. An end-user uses a PIS on an ad-hoc basis, when interacting with and paying a merchant. In those instances, PIS will be one of several payment methods in the merchant’s “check-out” section. The end-user will want to pay in a quick and safe way. Inserting a CDD-process as part of the payment flow will make it an onerous procedure to pay (i.e. stopping the customer and asking for a copy of their passport), which will mean many end-users, having initially chosen to pay with PIS, will drop out of the process and not complete the payment. This from a merchant perspective could mean unacceptably low conversion for PIS as a payment method. It is actually one of the key PISP differentiators over cards and wallets that customers do not have to open any additional account with any additional credentials, but can simply use their existing bank account for paying online. This also allows customers to easily use different PISPs with different merchants depending on the available check-out options.
Most importantly, in every PIS transaction there is already one party undertaking customer due diligence on the end user customer - the customer’s bank, as per the AMLD obligations. One of the objectives of the AML4 Directive is to balance the objective of protecting society from crime with the need for creating a regulatory environment that allows companies to grow their businesses without incurring disproportionate compliance costs. This would be paradoxical to the objectives of AML4, and also negatively impact competition, customer choice and convenience.
2. Unlevel the playing field between PISPs and card processors/ schemes
In a merchant context, a customer (i.e. the end-user) has a 'one-off' interaction with the PISP, in the same way as a customer paying by card has a 'one-off' interaction with whichever card-acquirer happens to be serving the merchant. As explained above, imposing CDD obligations vis-a-vis the end-user would put PISPs at an unleveled playing field with the card payment services they are competing with, thereby frustrating the PDS2 mandate to increase competition. It is also duplicative and redundant as the customer has already likely entered the name and address of the merchant and would due to the conversion impact render PIS as a merchant-facing payment method worthless. Card processors do not perform AML on payment service users at the check-out.
However, unlike PISPs, Card processors can be in possession of a payment service user’s authentication data (card details including PAN/CVV/PIN). PISPs rely on authentication procedures set by the bank during the payment flow, so are inherently at lower risk of being used to commit fraud.
3. Compelling PISPs to conduct CDD checks on end customers is a significant barrier to providing payment initiation services.
These requirements undermine the very principle of “fair competition among all payment service providers” postulated in PSD2: PISPs are subject to stricter requirements in comparison to card processors who have a similar business model. Not only will it not “allow for the development of a user-friendly, accessible, and innovative means of payment”, it will not “ensure technology and business-model neutrality”, both of which are PSD2 requisites. It goes further to damage competition, as it will cause payment service user dissatisfaction and lead to increased abandonment during the payment process.
4. Disproportion
Moreover, unlike other payment service providers (banks, money remitters, e-money institutions), who come into possession of funds during the provision of their services, pure PISPs are not part of the flow of funds. Instead, PISPs create payment orders on the customer’s behalf, just as a customer would do, if they were to make a credit transfer using online banking. A pure PISP is dependent on the customer’s bank to actually execute the payment, and move the money from the customer’s bank to the payee's bank. As PSD2 states in recital 31: “When exclusively providing payment initiation services, the payment initiation service provider does not at any stage of the payment chain hold the user’s funds”.
As a minimum the scope should be limited to the real customer of the PISPs, which is the merchant (i.e. the payee) in most cases. Such an approach is consistent with the objectives of AML4 as AML risks are present in relation to merchants rather than the end-user collective that is using the services of the PISPs. Ensuring that PISPs take appropriate measures to verify who the beneficiaries of end-users payments are and for what purposes the merchant is obtaining the PISP’s service will likely better fulfill the objectives of AML4 directive than PISPs conducting CDD on the end-users (which have already been checked by the ASPSPs).
Requesting PISPs as additional compliance requirement to perform CDD on end-users sets an unlevel playing field for providers not in scope who perform similar services; with similar risk assessments that have already been exempted from the requirement; and adds additional cost layers to duplicate efforts already performed by the ASPSPs. The CDD requirement is fundamentally counterproductive to promoting competition and innovation.
Conclusions regarding AML requirements for PIS Providers
These elements lead AFEPAME to uphold that PISPs should be carved out from strict application of CDD requirements. CDD requirements to PISPs would not serve the purpose for which they were intended and be disproportionate to the risk of any money laundering or terrorist financing occurring through PISP platforms. That being said, in certain circumstances, PISP could complete the overall AML supervision with CDD when they are offering their service to the Payee.
Basically, AFEPAME believes that AML requirements regarding PISP should be more efficient if focused on the analysis of the transactions.
II. Specific comments on EBA Guidance for PISPs under AML in guideline 18
If EBA wants to include the AML requirements for AIS and PIS providers in Art. 18 of the Guidelines, AFEPAME would like to emphasise the following points that should be taken into consideration:
The sector-specific Guidelines for AISPs and PISPs should remain risk and principle based and as a minimum do not exclude certain business models by making statements that rule out any other market practice. The market for AIS and PIS services in particular is still in an early stage of development and many business models may yet arise to address a particular market need.
While questioning the scope, the AFEPAME nevertheless welcomes the incorporation of a sector specific guideline for TPPs to take in account the consequences of their low risk. AFEPAME agrees with the section 18.2 which states “the inherent ML/TF risk associated is limited due to the fact that :
a) PISPs, although being involved in the payment chain do not execute themselves the payment transactions and do not hold payment service user’s (PSU) funds;
b) AISPs are not involved in the payment chain and do not hold payment service user’s funds.”
Business-model neutrality (Definition in Art. 18.8.)
If any AML requirements were to be applied to PISPs they should be limited to what is strictly necessary and avoid any duplicate AML requirements that are already conducted by the ASPSP. They should take into account who is the effective customer of the PISPs, which can be in many cases the merchants (i.e. the payees), rather than the end user (i.e. payer). Such an approach is consistent with the objectives of the 4AMLD as AML risks are present in relation to merchants rather than the end-user collective that is using the services of the PISPs. Ensuring that PISPs take appropriate measures to verify who the beneficiaries of end-user payments are and for what purposes the merchant is obtaining the PISP’s service will likely better fulfill the objectives of the 4th AMLD than PISPs conducting CDD on their end-users (which have already been checked by the ASPSPs).
To ensure business neutrality, the guidelines should distinguish between the different business models where AML requirements for PISPs would be limited to the merchant provided that:
a) the merchant is a PISP customer based on a contractual relationship between the PISP and the merchant,
b) the end-user is not the PISP customer, but is the customer of the bank and the PISP simply provides a software tool that the end user (i.e. payer) can use,
c) under the general AML obligations the PISP may, where possible, undertake monitoring to spot suspicious patterns of transactions and report these as necessary would still monitor traffic including end-user related one.
AFEPAME therefore does not agree with the definition of the PISPs in Art. 18.8. which states “ the customer is the natural or legal person who holds the payment account”. This definition is too limited and does not take into account the most common PISP business and contractual relationship, where the payee is the consumer of the PISP. PIS services specifically can be applied in a variety of market environments: a PISP may offer its services to account holders, consumers to enable them to pay another consumer for the purchase of a good on a marketplace, but may also offer the same services to an online merchant to enable it to accept payments via payment initiation / credit transfer. In the latter model, the payer will not be a customer of the PISP as its relationship is with the online merchant only to enable payment acceptance in the same way as e.g. card acquirers do.
In such a business model, only the merchant would be the customer of the PISP with whom it has a contractual relationship. The merchant would thus be the customer subject to CDD but the payer would not. The PISP should in any event perform transaction monitoring on all flows based on its general AML obligations. This model has not been taken into account in the definition of the PISPs customer in art 18.8.a. of the Guidelines.
Article 4.10 of PSD2, define a Payment Service User as: “a natural or legal person making use of a payment service in the capacity of payer, payee, or both”.
The Guidelines should in our view not state that ‘For PISPs: the customer is the natural or legal person who holds the payment account and request the initiation of a payment order from that account the (Payment service user)’, but rather state that ‘For PISPs: multiple business models can exist where the customer can either be the natural or legal person who holds the payment account and request the initiation of a payment order from that account (the Payer) , or, when the PIS is provided to a merchant, the merchant (Payee) is the customer while the Payer is not.’
Thus even if the EBA were to include AML requirements for AIS and/ or PIS providers in its guidelines, these guidelines should make a distinction between their different business models and the definition of their customers.
Simplified Customer Due Diligence (Art. 18.10)
If the EBA considers that TPPs are obliged to perform KYC check, AFEPAME agrees with the fact that due to the limited risk of their activities, the simplified customer due diligence (CDD) should be the norm. As written in Art.18.10 “In most cases, the low level of inherent risk associated with these business models means that SDD (simplified due diligence) will be the norm”
The EBA guidelines suggest that the PISP can typically perform simplified customer due diligence (unless risk factors are present). It however needs to be clarified that this means that the PISP will not have to undertake the following actions:
● Sanctions screening: Sanctions screening cannot be performed based on the name of the customer only since the number of false positives will mean that a very large amount of payment transactions are blocked
● PEP screening: For the same reason as sanctions screening, PEP screening cannot be performed based on name only. as long as payment transaction is initiated from a payment account services by a European or AML equivalent third country credit institution, the PISP should not independently have to perform a source of funds control.
Question 18: Do you have any comments on the additional sector-specific Guideline 18 on account information and payment initiation service providers?
AFEPAME is the leading French association of Payment Institutions, Electronic Money, AISP and PISP players having an agreement from ACPR to operate in the European payment markets. 50 Payment Institutions are members of AFEPAME.
AFEPAME welcomes the opportunity to comment on the EBA Guidelines on revised money laundering and terrorist financing (ML/TF) risk factors. However, AFEPAME would like to express fundamental general concerns on the scope of the implied AML requirements mostly for AISPs. In the first part of its response, AFEPAME therefore raises these general concerns and explain why AISPs should not be covered by the scope of the AML requirements and guidelines. AFEPAME also has concerns about PISP and their potential added value to the actual AML supervision.
In the second part of its response, AFEPAME comments on those specific requirements and drafting suggestions for the guideline 18 that should be taken into account in order to ensure business neutrality, if the EBA were to include the AML requirements in their guidelines for AIS and PIS providers.
I. Comments on the scope of AML requirements
All ‘Financial Institutions’ are subject to the anti-money laundering requirements. ‘Financial Institutions’ are defined as those carrying out one or more of the listed activities set out in points 2 to 12, 14 and 15 of Annex 1 to the Capital Requirements Directive (CRD). Point 4 of the annex to CRD previously included payment services as defined under PSD1. PSD2 (article 113) updated Point 4 of CRD to include the new list of payment services in PSD2, which includes AIS and PIS and brought these services in scope of AML.
AFEPAME believes that before a specific consultation on the detailed AML guidelines for AIS and PIS providers is launched, a more fundamental discussion should take place, as to whether there is a need to include these services into the scope of the AML requirements. The EBA consultation acknowledges that they and other ESAs ‘consider that the ML/TF risk associated with their activities is limited’. However, some actions suggested for AISPs and PISPs could be counterproductive or redundant, creating no value added in some cases:
● As part of their CDD processes, PISPs and AISPs should ensure that their AML/CFT systems are set up in a way that alerts them to unusual or suspicious transactions. Even without holding significant information on the customer, PISPs and AISPs should use their own, or third party typologies, to detect unusual transactional activity.
● PISPs and AISPs should apply CDD measures to their customers
● Each time an account is added, the AISP should ask the customer whether the account is his own account, a shared account, or a legal entity’s account to which the customer has a mandate to access (eg: an association, a corporate account).
A. AFEPAME concerns on impacts of AML application to Account Information Service Provider (AISP) businesses
1. It has been 10 years since AISP are offering their services in the EU. There has been no evidence that money-laundering or terrorist financing can occur through an AISP platform, so far.
AFEPAME agrees with the objective of the EU’s Fourth Anti-Money Laundering Directive (4MLD) to restrict the flow of illicit finance by setting minimum common regulatory standards for Member States. Whilst the purpose of AML requirements is to restrict the flow of illicit finance, AML legislation also focuses on the idea that firms should take a risk-based approach to ensure proportionate duties on participants; thus striking a balance between regulation to protect the financial system and onerous administrative duties for legitimate businesses.
However, as the EBA acknowledged in its consultation, AISPs do not provide payments and are not involved in the payment chain; they are information service providers. AISPs have read-only access to customer bank account information and neither the AISP nor the AISP’s customer can conduct financial transactions on a bank account from within the AISP environment. Application of AML requirements to AISPs would not have the effect of restricting the flow of illicit finance since there is no basis for money laundering or terrorist financing to occur via an AISP platform. AML obligations properly sit with the financial institution (i.e. the bank/ASPSP), which provides the accounts in relation to which an AISP provides information services; this is where the transactions take place and where the relevant business relationship with the customer exists.
AISPs enable customers to share data with their selected service providers, including third party providers. Data itself is indeed personal to its owner and shall be handled securely. But we believe that the risks for money laundering are low (not to say null). When a customer selects an AISP, and consents for its AISP to retrieve specific data from its ASPSP, there are essentially three parties that hold the exact same data: the regulated ASPSP, the Technical Service Provider (TSP), and the AISP. It is clear that holding the data is not indicative of facilitating money laundering, nor is the act of sharing that data a means to money laundering.
2. Data treatment for the purposes of AML is incompatible with EBA sustainable finance action plan.
The EBA Guidelines appear asking AISPs to “ensure that their AML/CFT systems are set up in a way that alerts them to unusual or suspicious transaction activity.”
This is effectively asking AISPs to serve an additional purpose never initially outlined as an objective of PSD2. Under PSD2 and GDPR (data minimisation), these companies must only use data strictly to provide services customers request.
For customers with multiple bank accounts, this means an AISP is therefore obliged to monitor the transactions across all the accounts and banks to which they are connected. This is beyond the scope of PSD2, and beyond the service an AISP provides. It is quite an heavy responsibility, and not really in line with an AISP capabilities. It is also an additional cost layer, which performs redundant purposes.
These additional algorithms, which are proprietary services offered by other fintechs, would not actually run in real time, and therefore not provide any notification before the transaction order is completed. They would discover suspicious activity after the fact. They would also be a duplication of work already being done by the banks and come at an additional cost.
This cost is to be calculated as a sum of people, money but also energy and CO2.
Running algorithms with such amount of data would require lots of IT resources, considering the size of AISP, they cannot afford to have internal datacenters, they would go for Cloud hosted infrastructure. This additional cost would probably feed American tech giants such as AWS, Microsoft or Google since they actually are the only providers offering scalable and dedicated services regarding Big Data treatments. Security shall therefore be handled to ensure that these non-EU providers don’t have access to that personal Data.
Regarding big data issues, the impact on our environment cannot be ignored. There have been studies in the past few years pointing out that training a machine learning model produce over 270 kg of CO2, five times the amount produced by the average car over its lifetime.
Our financial regulation may have to learn some restraints: to stem the urge to impose measures at all cost ; and to realize that the digital world is not based on unlimited resource. The prevailing idea that we should not question new technologies in relation to their resource consumption is getting harder and harder to justify in an era of climate change. As for everything, “Return On Investment” shall be properly calculated.
For these reasons, requiring AISPs to perform transaction monitoring for suspicious AML/CTF activity is redundant, costly and has a negative impact.
3. Dispropotion
PSD2/Open Banking was introduced to increase innovation and competition – providing consumers with more choices and options. Any application of AML requirements to AISPs is counterproductive when assessing the purpose of this regime. Some AISPs will definitely not be able to continue to operate with the compliance overhead of AML requirements, and others simply shall not get off the ground due to the additional cost layers resulting from both the AML/CTF checks as well as the heavier touch transaction monitoring obligations. This will make it incredibly difficult for small businesses and consumers to effectively and efficiently access and use new, disruptive AIS such as online accounting and money management products. As a specific example, implementing identification and verification checks into the sign-up flows of AISPs will have a negative impact on customer adoption of new products and services affecting the future viability and success of these businesses, and ultimately of the open banking regime.
Point 1.29 of the EBA guidelines says that “to identify ML/TF risk, firms should refer to information from a variety of sources. These sources can be accessed individually or through commercially available tools or databases that pool information from several sources”. But Point 1.30 precises that the firms should take in account at least 13 sources of information. It is not possible for a human being to easily do so. It means that the firms are obliged to pay for a tool, which is expensive. A public list tool should be made available if EBA considers than at least 13 lists have to be checked.
4. Redundancy
We believe that a number of the requirements of AML regulations are already satisfied prior to an AISP consuming transaction data from a financial institution. For example, banks will already have conducted customer due diligence measures on account holders using AISP services, meaning that further checks are ‘doubling up’.
In nearly all cases, the bank is best placed to undertake the appropriate checks and monitor transactions for suspicious behaviour. Requiring an AISP to perform the same measure the bank has already taken is redundant and would serve no purpose other than charging AISPs with unnecessary overhead costs.
One of the aims of the 4MLD is to balance the objective of protecting society from crime with the need for creating a regulatory environment that allows companies to grow their businesses without incurring disproportionate compliance costs. Any onerous and redundant double-up compliance on an AISP would be counter to the objectives of the 4MLD, and also negatively impact competition and customer choice and convenience.
Conclusion regarding AISP AML Requirements
There are no evidences that Data could be facilitating money laundering, nor is the act of analysing that data or sharing that data a means to prevent money laundering. An AISP only holds and shares that data, therefore there is no known risk of an AISP facilitating money laundering. AISPs do not actually monitor transactions. PSD2 states that AISPs should provide a light touch as a conduit, with minimal processing. To fulfill AML/CTF compliance on transaction monitoring would not be in line with the PSD2 light touch requirement. The additional cost on AISPs and the Environment to comply runs counter to promoting competition, contradicting the desired outcomes of PSD2 and EBA's involvement in sustainable finance.
It is for these reasons that AFEPAME strongly believes that AISPs should be removed from the scope of AML requirements. AML requirements for AISPs would not serve the purpose for which they were intended, and be disproportionate to the risk (potentially none) of any money laundering or terrorist financing occurring through AISP platforms, as well as costly and redundant.
B. AFEPAME Concerns on impact of AML application to Payment Initiation Service Providers (PISP) businesses
The PSD2 regulated activity of ‘payment initiation services’ has been designed specifically as a ‘light touch’ regulatory regime for innovative firms - ‘PISPs’ - to compete with incumbent payment providers such as banks and card schemes.
Some of the arguments for removing AML obligations from AISPs apply equally to PISPs. However, the following are key considerations:
1. Duplicate and redundant PISPs customer due diligence on each end-customer.
Depending on the ‘risk profile’ this could involve requesting name and address from each customer, storing these details, and using a paid-for electronic ID verification system. This would make it de facto impossible for PISPs to provide services. An end-user uses a PIS on an ad-hoc basis, when interacting with and paying a merchant. In those instances, PIS will be one of several payment methods in the merchant’s “check-out” section. The end-user will want to pay in a quick and safe way. Inserting a CDD-process as part of the payment flow will make it an onerous procedure to pay (i.e. stopping the customer and asking for a copy of their passport), which will mean many end-users, having initially chosen to pay with PIS, will drop out of the process and not complete the payment. This from a merchant perspective could mean unacceptably low conversion for PIS as a payment method. It is actually one of the key PISP differentiators over cards and wallets that customers do not have to open any additional account with any additional credentials, but can simply use their existing bank account for paying online. This also allows customers to easily use different PISPs with different merchants depending on the available check-out options.
Most importantly, in every PIS transaction there is already one party undertaking customer due diligence on the end user customer - the customer’s bank, as per the AMLD obligations. One of the objectives of the AML4 Directive is to balance the objective of protecting society from crime with the need for creating a regulatory environment that allows companies to grow their businesses without incurring disproportionate compliance costs. This would be paradoxical to the objectives of AML4, and also negatively impact competition, customer choice and convenience.
2. Unlevel the playing field between PISPs and card processors/ schemes
In a merchant context, a customer (i.e. the end-user) has a 'one-off' interaction with the PISP, in the same way as a customer paying by card has a 'one-off' interaction with whichever card-acquirer happens to be serving the merchant. As explained above, imposing CDD obligations vis-a-vis the end-user would put PISPs at an unleveled playing field with the card payment services they are competing with, thereby frustrating the PDS2 mandate to increase competition. It is also duplicative and redundant as the customer has already likely entered the name and address of the merchant and would due to the conversion impact render PIS as a merchant-facing payment method worthless. Card processors do not perform AML on payment service users at the check-out.
However, unlike PISPs, Card processors can be in possession of a payment service user’s authentication data (card details including PAN/CVV/PIN). PISPs rely on authentication procedures set by the bank during the payment flow, so are inherently at lower risk of being used to commit fraud.
3. Compelling PISPs to conduct CDD checks on end customers is a significant barrier to providing payment initiation services.
These requirements undermine the very principle of “fair competition among all payment service providers” postulated in PSD2: PISPs are subject to stricter requirements in comparison to card processors who have a similar business model. Not only will it not “allow for the development of a user-friendly, accessible, and innovative means of payment”, it will not “ensure technology and business-model neutrality”, both of which are PSD2 requisites. It goes further to damage competition, as it will cause payment service user dissatisfaction and lead to increased abandonment during the payment process.
4. Disproportion
Moreover, unlike other payment service providers (banks, money remitters, e-money institutions), who come into possession of funds during the provision of their services, pure PISPs are not part of the flow of funds. Instead, PISPs create payment orders on the customer’s behalf, just as a customer would do, if they were to make a credit transfer using online banking. A pure PISP is dependent on the customer’s bank to actually execute the payment, and move the money from the customer’s bank to the payee's bank. As PSD2 states in recital 31: “When exclusively providing payment initiation services, the payment initiation service provider does not at any stage of the payment chain hold the user’s funds”.
As a minimum the scope should be limited to the real customer of the PISPs, which is the merchant (i.e. the payee) in most cases. Such an approach is consistent with the objectives of AML4 as AML risks are present in relation to merchants rather than the end-user collective that is using the services of the PISPs. Ensuring that PISPs take appropriate measures to verify who the beneficiaries of end-users payments are and for what purposes the merchant is obtaining the PISP’s service will likely better fulfill the objectives of AML4 directive than PISPs conducting CDD on the end-users (which have already been checked by the ASPSPs).
Requesting PISPs as additional compliance requirement to perform CDD on end-users sets an unlevel playing field for providers not in scope who perform similar services; with similar risk assessments that have already been exempted from the requirement; and adds additional cost layers to duplicate efforts already performed by the ASPSPs. The CDD requirement is fundamentally counterproductive to promoting competition and innovation.
Conclusions regarding AML requirements for PIS Providers
These elements lead AFEPAME to uphold that PISPs should be carved out from strict application of CDD requirements. CDD requirements to PISPs would not serve the purpose for which they were intended and be disproportionate to the risk of any money laundering or terrorist financing occurring through PISP platforms. That being said, in certain circumstances, PISP could complete the overall AML supervision with CDD when they are offering their service to the Payee.
Basically, AFEPAME believes that AML requirements regarding PISP should be more efficient if focused on the analysis of the transactions.
II. Specific comments on EBA Guidance for PISPs under AML in guideline 18
If EBA wants to include the AML requirements for AIS and PIS providers in Art. 18 of the Guidelines, AFEPAME would like to emphasise the following points that should be taken into consideration:
The sector-specific Guidelines for AISPs and PISPs should remain risk and principle based and as a minimum do not exclude certain business models by making statements that rule out any other market practice. The market for AIS and PIS services in particular is still in an early stage of development and many business models may yet arise to address a particular market need.
While questioning the scope, the AFEPAME nevertheless welcomes the incorporation of a sector specific guideline for TPPs to take in account the consequences of their low risk. AFEPAME agrees with the section 18.2 which states “the inherent ML/TF risk associated is limited due to the fact that :
a) PISPs, although being involved in the payment chain do not execute themselves the payment transactions and do not hold payment service user’s (PSU) funds;
b) AISPs are not involved in the payment chain and do not hold payment service user’s funds.”
Business-model neutrality (Definition in Art. 18.8.)
If any AML requirements were to be applied to PISPs they should be limited to what is strictly necessary and avoid any duplicate AML requirements that are already conducted by the ASPSP. They should take into account who is the effective customer of the PISPs, which can be in many cases the merchants (i.e. the payees), rather than the end user (i.e. payer). Such an approach is consistent with the objectives of the 4AMLD as AML risks are present in relation to merchants rather than the end-user collective that is using the services of the PISPs. Ensuring that PISPs take appropriate measures to verify who the beneficiaries of end-user payments are and for what purposes the merchant is obtaining the PISP’s service will likely better fulfill the objectives of the 4th AMLD than PISPs conducting CDD on their end-users (which have already been checked by the ASPSPs).
To ensure business neutrality, the guidelines should distinguish between the different business models where AML requirements for PISPs would be limited to the merchant provided that:
a) the merchant is a PISP customer based on a contractual relationship between the PISP and the merchant,
b) the end-user is not the PISP customer, but is the customer of the bank and the PISP simply provides a software tool that the end user (i.e. payer) can use,
c) under the general AML obligations the PISP may, where possible, undertake monitoring to spot suspicious patterns of transactions and report these as necessary would still monitor traffic including end-user related one.
AFEPAME therefore does not agree with the definition of the PISPs in Art. 18.8. which states “ the customer is the natural or legal person who holds the payment account”. This definition is too limited and does not take into account the most common PISP business and contractual relationship, where the payee is the consumer of the PISP. PIS services specifically can be applied in a variety of market environments: a PISP may offer its services to account holders, consumers to enable them to pay another consumer for the purchase of a good on a marketplace, but may also offer the same services to an online merchant to enable it to accept payments via payment initiation / credit transfer. In the latter model, the payer will not be a customer of the PISP as its relationship is with the online merchant only to enable payment acceptance in the same way as e.g. card acquirers do.
In such a business model, only the merchant would be the customer of the PISP with whom it has a contractual relationship. The merchant would thus be the customer subject to CDD but the payer would not. The PISP should in any event perform transaction monitoring on all flows based on its general AML obligations. This model has not been taken into account in the definition of the PISPs customer in art 18.8.a. of the Guidelines.
Article 4.10 of PSD2, define a Payment Service User as: “a natural or legal person making use of a payment service in the capacity of payer, payee, or both”.
The Guidelines should in our view not state that ‘For PISPs: the customer is the natural or legal person who holds the payment account and request the initiation of a payment order from that account the (Payment service user)’, but rather state that ‘For PISPs: multiple business models can exist where the customer can either be the natural or legal person who holds the payment account and request the initiation of a payment order from that account (the Payer) , or, when the PIS is provided to a merchant, the merchant (Payee) is the customer while the Payer is not.’
Thus even if the EBA were to include AML requirements for AIS and/ or PIS providers in its guidelines, these guidelines should make a distinction between their different business models and the definition of their customers.
Simplified Customer Due Diligence (Art. 18.10)
If the EBA considers that TPPs are obliged to perform KYC check, AFEPAME agrees with the fact that due to the limited risk of their activities, the simplified customer due diligence (CDD) should be the norm. As written in Art.18.10 “In most cases, the low level of inherent risk associated with these business models means that SDD (simplified due diligence) will be the norm”
The EBA guidelines suggest that the PISP can typically perform simplified customer due diligence (unless risk factors are present). It however needs to be clarified that this means that the PISP will not have to undertake the following actions:
● Sanctions screening: Sanctions screening cannot be performed based on the name of the customer only since the number of false positives will mean that a very large amount of payment transactions are blocked
● PEP screening: For the same reason as sanctions screening, PEP screening cannot be performed based on name only. as long as payment transaction is initiated from a payment account services by a European or AML equivalent third country credit institution, the PISP should not independently have to perform a source of funds control.