We have found the guidelines helpful, informed and focused on the key areas of risk. We do, however, have a number of comments and have set these out in the paragraphs that follow.
Paragraph 2 sets out the scope of the guidance, and refers to Directive 2015/849 (“4MLD”). It suggests that firms may use the guidance when undertaking risk assessments under Article 8 4MLD. This is helpful, but extends the scope of the Guidelines beyond the mandate of Articles 17 and 18(4) 4MLD. The role of the Guidelines in respect of Article 8 obligations would therefore benefit from additional clarity, distinguishing any obligations placed on firms by the Guidelines in relation to this provision from those under Articles 17 and 18(4).
17 Risk factors
The holistic approach is supported, as is the statement that isolated risk factors do not necessarily move a relationship into a higher or lower risk category.
The third bullet refers to a firm’s understanding of the risks associated with its products and services. This presumably relates to as yet unknown risks associated with new products and services, rather than a firm’s degree of understanding being a risk. Clarification would be helpful.
33-35 Weighting risk factors
This approach is welcome, as it provides for a more nuanced and meaningful process of risk assessment.
Clarification of bullet point 4 of paragraph 34 would, however, be welcome. It suggests that a firm cannot overrule the high-risk assessment in 4MLD or a national risk assessment. Presumably, this does not suggest that such risks cannot be mitigated and addressed. Having addressed such risks, it may be that the residual risk is reduced, and the overall assessment will be similarly impacted. It would help if this could be elaborated in the guidelines.
Please also see our comment under the section on PEPs below with regard to the same issue.
The provision is overly complex, as it requires enquiries into both source of funds and wealth, senior management approval for both entering into and continuing relationships, and the level of seniority of management varying with the risk. Monitoring is required of both transactions and the ‘risk’, as well as the ongoing collection of information. All such provisions then need to be applied to PEPs, their family members and known close associates.
This could lead to the exclusion of many PEPs from financial services, as the cost of maintaining their accounts may outweigh any commercial benefit. Reference to a simplified approach where this is consistent with the risk posed would be helpful.
This can be addressed as part of the initial risk assessment. For example, the use of a EUR 250 prepaid card by a PEP or their associates is unlikely to give rise to the concerns associated with source of funds and source of wealth.
Alternatively, it may be that 4MLD Article 20(a), which requires ‘risk based procedures to determine’ whether a customer is a PEP in the first place, provides sufficient flexibility to apply this requirement in a reasonable manner.
51-52 Correspondent relationships
Paragraph 51 elaborates on Article 19 of 4MLD, which requires additional CDD to be undertaken in relation to the business of a cross-border third-country correspondent relationship. This extends to an assessment of the correspondent’s AML controls, and where ‘payable-through’ account functionality is offered, to ensure that customers of the respondent have been subject to CDD and ongoing monitoring, and that such information is available to the correspondent on request.
This requirement is born of the need to ensure that equivalent levels of AML controls have been applied in the respondent’s jurisdiction, and that customers of the respondent have been subject to comparable CDD processes.
This makes the provisions of paragraph 52 unusual, where they state: “these guidelines may also be useful for firms in other correspondent relationships.” “Other correspondent relationships” is likely to be read as referring to relationships with other payment service providers that are NOT located in third countries; in other words, to relationships with other institutions in the same jurisdiction.
This is problematic, as it could suggest:
An obligation on the regulated institutions, requiring them to ‘know their customer’s customer’.
An outsourcing of supervisory responsibilities by the regulator to other financial institutions, requiring some to oversee the compliance performance of other regulated institutions in their member state.
An implicit question regarding the role of the regulator, and the extent to which it is able to supervise institutions equally.
The concern is that the wording in paragraph 52 will give credence to the de-risking phenomenon that is creating an unbanked remittance sector. This will result in adverse competitive factors and may ultimately result in the displacement of payments to the unregulated sector.
We urge the EBA to remove the last sentence of paragraph 52, and to replace it with a sentence clarifying the demarcation of responsibilities in relation to domestic firms. It is important for the EBA to help reinforce the compliance boundaries of banks, in order for banks to be able to manage their risk effectively, and enter into relationships with other PSPs without regarding this as an unquantifiable source of risk.
60 Other considerations
This provision is helpful. We suggest that the language is made more specific, by clearly describing the harm that is being addressed, the need for a case by case risk assessment, and the need to maintain banking services for other financial institutions and payment service providers.
We would also like to draw attention to the UK FCA statement on this matter, which goes further and sets out outcome expectations as well as general principles. It states:
“Firms should note that the application of a risk-based approach does not require them to refuse, or terminate, business relationships with entire categories of customers that they associate with higher ML/TF risk, as the risk associated with individual business relationships will vary, even within one category. While the decision to accept or maintain a business relationship is ultimately a commercial one for the bank, there should be relatively few cases where it is necessary to decline business relationships solely because of anti-money laundering requirements. As a result, supervisors should, when supervising AML compliance, consider whether firms’ de-risking strategies give rise to consumer protection and/or competition issues.”
It is also helpful to be more specific and address the offer of banking facilities to other payment service providers in particular. The provisions of the second Payment Services Directive, which require credit institutions to provide reasons for refusing to extend such facilities to other payment service providers, are helpful in this regard and can be referenced. This has the effect of creating a default position of enabling access to banking services, and EBA guidance can therefore go further. It can reference the obligation under PSD2 and clarify that the risk assessment should relate to the client payment service provider itself and not extend to the client’s customers.
Yes, subject to comments we have made in relation to both general guidelines (above) and sector specific guidelines (attached).
We support the structure of the guidelines and have a number of specific points to raise in relation to the e-money sectoral guidelines. These are set out in the table below.