SPA agrees there is a gap in the 4th AML Directive (EU) 2015/849 that creates legal uncertainty for obliged credit and financial institutions when funds are moved to a third-country account where the group AML/CFT policy, compliant with EU law, does not apply. SPA considers that the European harmonization of practices recommended by FATF Recommendation 18 (2012) is properly covered in the 4th AML Directive. However, the FATF recommendations don’t detail how to proceed when the group policy cannot be put in place. The FATF in effect passes the decision on to regional or national regulators. Therefore these ESAs’ requirements supplement the objectives of the FATF standards, with the added value of an EU harmonization that prevents the existence of a “weak” national link that might be used by financial criminals.
It remains that there are different documents related to specific provisions for the application of the 4th AML Directive (EU) 2015/849 and the subsequent amendments. Other ESAs papers refer to other regulations (e.g., EU 2015/847) implementing other FATF recommendations. Our understanding is that, even if all these regulations refer to the 4th AML Directive, they apply exclusively to credit and financial institutions, not to other businesses supervised under the Directive. The 4th AML Directive itself must be read with other legal texts. Overall, the regulatory architecture for AML/CFT appears too complex.
SPA members are vendors of secure technology to credit and financial institutions, as well as to other payment service providers and other organizations regulated by the 4th AML Directive and the PSD2.
Even if SPA members are not obliged entities, the complexity of this regulatory framework complicates our product roadmap and is likely to multiply certification programs. Longer time-to-market periods will be difficult to reconcile with the aggressive schedules imposed by the regulators for evident security reasons. Money laundering risks are closely related to fraud risks, and SPA members are committed to developing the best technology to fight fraud, both for electronic retail payment instruments and for automatic identification & authentication procedures. SPA members serve both the international and the European markets. Therefore, from a vendor perspective, a clarification of the overall applicable regulatory framework and the search for agreements with other world regions in terms of implementation and roadmap would be highly beneficial for the European security industry.
AML/CFT countermeasures should be proportional to the particular risk of a transaction as per Directive (EU) 2015/849. This core principle set out by the 4th AML Directive should also apply to the specific scenario addressed by this RTS, whenever local laws prevent the group AML/CFT policy from being implemented. This “extra-risk” scenario for the bank is therefore mitigated in a harmonized way by the minimum requirements set out in Article 3. To be consistent with the “risk-based” approach, it should be up to each credit or financial institution to decide which additional measures from those set out by Articles 4 to 8 to apply in a given transaction.
Yes. The requirements set out by Article 3 are clear and appropriate. Nevertheless, we suggest replacing the current title of Article 3 with “Minimum Requirements”.
They are appropriate because they provide a “baseline” for harmonization, affordable by small or specialized credit and financial institutions with a minimum investment effort, and therefore likely to be put in place quickly.
We also suggest adding a new requirement setting out the following:
e) the training program referred to in d) will be referenced in the group-wide AML/CFT policies and procedures.
• Materials for this training program will be shared with the competent authority upon request.
• New employees should be properly trained.
These additional measures are appropriate. However, we believe that the requirement set out in letter a), approval of the local senior management to establish and/or pursue a business relationship, should be mandatory in any case. It would then be complemented with any of the remaining procedures as per letters b) to e).
Add 3) d) Document this scenario to the competent home authority, requesting a waiver.
Rationale: There may be particular scenarios requiring a certain flexibility in order for a credit/financial institution with a sound reputation to preserve an existing business relationship. In that scenario, there is a significant difference between “prohibiting” and “restricting”. The nature of these “restrictions” may lead to authorizing certain payments if specific monitoring conditions for such a transaction (TBD) apply.
The measures set out by Article 5 are appropriate and consistent with Article 4, and therefore our previous comment still applies (need for flexibility). In our opinion, however, Article 5 appears to be a particular scenario of Article 4. Other interpretations remain possible. Thus, Article 5 addresses the scenario where AML/CFT provisions can be implemented by the local branch but the information relating to the beneficiary of the payment cannot be shared within the group, meaning that from the home authority's perspective the “head office” cannot provide evidence that AML/CFT provisions are applied by its local branch. Sometimes the inability to apply the AML/CFT group policy is due to the absence of official identity documents to verify the customer's identity. Yet local data protection legal constraints might also create problems in applying the group policy. It seems to us that this is more an issue addressed in Art 6.
In this case, the local branch might send a confirmation message signed by its local national authority to the home bank. The local authority would act as a “trusted third party” guaranteeing that the local branch effectively complied with the requirements of Customer Due Diligence to a certain extent. The grounds of such a “cross-border” recognition could be agreed by international organizations such as the BIS or the World Bank, because the fight against financial crime is global.
The financial activities closed, and those eventually maintained, as a result of a failure to comply with the provisions set out in paragraphs 1 and 2 should be documented and made available to the home authority by the “head office” credit or financial institution.
We believe that the implementation of Art 6 and Art 7 raises fundamental questions and constitutes sensitive material. The important point is the efficiency of the procedures to screen those “suspicious transactions” that are really justified and report to the authority what is to be reported. Big data is going to make things worse, and more powerful and complex screening algorithms will be rolled out (How are they designed, evaluated and maintained? How is privacy guaranteed? How are they protected against malware? Are these screening algorithms global or should they be adapted to local regulatory provisions? Is Cloud processing authorized? Who’s the final repository of a suspected transaction?). Otherwise a myriad of “false positive” transactions will be wrongly identified, with an adverse impact on the reputation of both the customers and the banks themselves. The feasibility of an efficient “super-screening” processing system, which in the context of this RTS may in addition be fed with incomplete information from a third party, should not be taken for granted.
On the other hand, tax evasion is considered a financial crime and is therefore subject to the same reporting obligation as, for instance, an attempt to transfer funds to a “rogue” country. Yet AML and the fight against tax evasion target different objectives and use different techniques. Should separate processing systems then be put in place for these different types of financial crime?
Refer to our previous answer.
New payment instruments present features attractive for money laundering (e.g., instant payments may be difficult to track). These types of payments may be appropriate for cross-border remittances, where the beneficiary of the payment is often resident in a country where appropriate Customer Due Diligence may be impossible to implement. Such risks have been discussed by SPA in previous position papers. It’s true that the FATF regularly provides assessment papers on the vulnerabilities of new payment instruments or processing facilities. Recommended procedures for the use of these new electronic payment methods when third-country law prevents or makes it impossible to apply group policy could be useful.
In addition to this move towards faster processing, there may also be a conflict between a more easily accessible offer of payment/banking products on the one side and the effort to fight money laundering and terrorist financing on the other. In this respect, a trade-off is to be found to facilitate, for instance, financial inclusion.
SPA members do not hold information on which countries are exposed to a higher risk of financial crime using bank networks or other IT infrastructures to convey payment-related information. FATF provides regular information on national AML/CFT policies and on the degree of endorsement of FATF recommendations as regional regulations.