Primary tabs

Payments UK

The proposal to require PSPs to identify linked transactions for exemptions for lower value transfers (EUR 1000 and below) and for ex post monitoring would be highly complex. Based on current bank systems the proposal could require the identification and retention of billions of transactions and is likely to be impracticable to implement, if based on the proposed definition of linked transactions (transactions from the same payments account or containing the same payee and payer information, sent within a six months period). We therefore suggest that the definition of linked transactions is redefined to avoid specifying a time period.

The proposal to require real-time monitoring appears to go beyond the aims of the Regulation, which states that PSPs should conduct ex post payment monitoring OR real time screening. We consider that it for PSPs to choose what type of monitoring they undertake, while retaining a clear record of the reasons for the type of monitoring selected and how this mitigates the AML/CTF risk identified.

The proposal to require real-time monitoring for all transfers where the payer or payee are based in a country associated with high ML/TF risk would significantly extend the scope of current sanctions and CTF screening and be highly burdensome in terms of additional manual review, particularly for global banks. The proposal to require real-time monitoring for all unusually large transfers would also be highly burdensome and difficult to implement consistently across the wide variation of payment values and PSPs. We understand that it is not envisaged that PSPs will be required to engage routinely in large volumes of real time monitoring, yet the draft guidelines can be read to imply the opposite by stating that “High risk transfers of funds should be monitored in real time”. As currently drafted these proposals would have a significant adverse impact on straight through processing (STP) that could potentially result in adverse impacts on the efficient functioning of the market and significant disruption for customers.

10. We consider that such complex and burdensome procedures should only be required in cases of specific concern, in line with the risk-based approach. We therefore suggest that the proposal for real time monitoring is limited to cases of specific concern identified through ex post monitoring.
The proposal to require PSPs to implement procedures to detect missing or meaningless information would be challenging to implement without disproportionate effort given current systems and screening technology. There is also a risk of additional complications for PSPs outside of the EU/EEA but who are members of EU/EEA clearing systems like SEPA (for example, transactions to and from Switzerland will require full payer information and payee and name, while SEPA rules do not mandate this information).

The draft guidelines introduce the concept of ‘meaningless’ information (a concept which is not present in the regulation) defined as “information that makes no obvious sense”. However, it is a significant technological challenge to have in place (automated, real-time) procedures that can identify such ‘meaningless’ information. The current messaging protocols used by payments systems are based on international standards. These systems define the ‘syntax’ of these messages but are not designed to interpret the content. What is meaningless to one party might be meaningful to another, for example, messages in a different language, using an acronym recognisable to one party but not another, etc.

It may be possible to prevent the submission of missing information through the implementation of structured SWIFT message field formats, and to trigger NAK / Not Acknowledged messages where not compliant to trigger manual review. However, this might not identify meaningless information, and some banks may be technically unable to host structured SWIFT message fields. Current screening technology can identify multilingual name variants and abbreviations but in many cases further context and manual review is required to identify “obviously incomplete”. We therefore suggest that the definition for meaningless information be removed, or – if this is not possible - that the proposal for real-time monitoring to detect missing and meaningless information be reconsidered given technical limitations, and limited to the detection of missing information only.

It may be possible to identify further missing information through manual review of a risk-based sample, but this would need to be ex-post monitoring in order to avoid disproportionate effort and significant adverse impact on STP. To avoid inconsistent implementation there would also need to be detailed guidance on the appropriate sampling criteria (e.g. above a specific value threshold, where payer or payee are based in countries identified by FATF as having strategic AML/CFT deficiencies). We therefore suggest that the proposal for ex-post monitoring to detect missing information be limited to a risk-based sampling basis, with the finalised guidance providing more detailed guidance on the appropriate sampling criteria.

The proposal to require receiving PSPs to keep a record of all transactions with missing information is insufficiently defined and does not specify any time limit for data retention. Retained transaction data may include personal data falling under other regulatory requirements for retention and deletion (e.g. the General Data Protection Regulation). We suggest that the revised guidance clarify the duration of record retention of transactions with missing information, to support compliance with data protection and avoidance of burdensome requirements.

The proposal to require receiving PSPs to identify sending PSPs that repeatedly fail to provide required information is highly reliant on qualitative criteria, and we consider that this is overly permissive in relation to high AML/CFT risk and likely to lead to inconsistent implementation. We therefore suggest that the finalised guidance include more detailed guidance on the appropriate criteria for identifying ‘repeatedly failing’ sending PSPs, including a requirement to tighten the criteria where failings are associated with a high AML/CFT risk

The proposal for requiring receiving PSPs to restrict or terminate business relationships with ‘repeatedly failing’ sending PSPs after two warnings and consideration of alternative mitigations is also insufficiently defined, and is likely to lead to inconsistent implementation and risk conflicting with AML prohibitions against tipping off. We consider that prescriptive quantitative thresholds alone should not be used to define ‘repeatedly failing’ sending PSPs and would welcome further definition on how qualitative criteria should be used to contextualise quantitative criteria, in line with an effective risk-based approach. Given the aims of the Regulation and the risk-based approach we consider that options for alternative mitigations to termination should include enhanced monitoring, whether more frequent ex post or real time monitoring as well as restrictions on the business relationship. We also consider that the identification of a ‘repeatedly failing’ sending PSP should lead the receiving PSP to reconsider the ML/TF risk associated with the sending PSP. We therefore suggest that the finalised guidance should include more detailed guidance on the definition of a ‘repeatedly failing’ PSP, the required format and protocol for warnings, consistency with tipping off prohibitions, interaction with ML/TF risk assessment, restrictions and other alternative mitigations to terminations of business relationships.
The definition of real-time monitoring requires intermediary PSPs to perform the monitoring “before the funds are made available to the payee by the PSP who receives the funds”. We consider that this definition of real-time and the implied timelines for PSPs to act (specifically where the payee does not have a payment account with the PSP) are not realistic. In most cases “PSP1” (as an intermediary) is not aware of when “PSP2” will credit the funds to the payee and is therefore unaware of the time available for monitoring. We therefore suggest that the finalised guidance be amended to emphasise that the Payer Bank is responsible for providing required information and is ultimately the bank that is to be monitored for payment content and RFI response, as opposed to the Intermediary Bank.

The proposal at guideline 60 that PSPs only use systems that retain all information regardless of whether this is required by the Regulation may also be problematic. The Regulations allow domestic payments created from batch files to identify Payer/Payee by account/ID and name only, but would prevent a clearing participant from utilising a domestic low-level clearing system if additional party information was included that is not supported by that clearing infrastructure. We consider that this guideline is unduly restrictive and does not reflect the principle as set out in the FATF recommendations . We therefore suggest that the finalised guidance be amended to confirm that conversion of cross-border payments to domestic systems is permitted where the information provided might be truncated, so long as there are appropriate mitigating procedures in place.
The proposal to require verification of payee information for transfers of funds above EUR 1000 would be challenging to implement given current SWIFT systems. Currently if an IBAN was referenced within field 59 of a SWIFT payment then the respective account would be credited without a Payee Bank knowing if the name on the payment was correct. In order to implement this proposal as defined payees would have to screen all payments above EU 1000 in real time in order to verify the accuracy of payee information, which is disproportionate and would have a significant adverse impact on STP. We therefore suggest that the proposal for verification of payee information for higher value transfers is further targeted to provide a more proportionate and workable scope (e.g. only where the payee information has not already been verified through customer due diligence procedures).
Rhiannon Butterfield