We would like to give our opinion on the additional sector-specific Guideline 18 on TPPs, i.e. AISP and PISP under PSD2, from finleap connect’s perspective as a payment institution offering these services.

Legal and regulatory provisions for TPPs that are far beyond risk-based and proportionality principles can endanger a successful open banking market in Europe. A current example is AML regulation for TPPs. AML rules should apply to cases where business models have a clear connection with money laundering risks. For example, where businesses are responsible for executing transactions and come into possession of customer funds.

When the new Payment Services of Account Information Service (AIS) and Payment Initiation Service (PIS) were introduced by PSD2, providers of both services were automatically classed as obliged entities under AMLD, despite the fact that neither type of provider executes transactions or comes into possession of funds.

As the EBA itself acknowledges in its Draft Guidelines “the inherent ML/TF risk associated with [these services] is limited” for these very reasons. The inclusion of these services needs to be re-examined as part of the Commission’s AML action plan, to remove duplication and friction which will ultimately prevent consumer take-up of these innovative new services and hamper innovation and competition.

We ask that the EBA’s Risk Sector AML Guidelines are not finalised until the conclusion of the Commission’s consultation - particularly given the contention around whether AIS and PIS were intended to be included as obliged entities, or whether this was the unintentional result of cross referencing between PSD2, CRD and AMLD.

If, despite their low risk, PISPs were to remain in scope of AMLD, a number of changes need to be made to ensure PIS business models remain viable:
- Since PISPs’ primary relationship is with the online merchant (with whom they contract to provide the regulated service) it should be clarified that AML due diligence is required to be carried out on the PISPs merchant client, and not on every PSU who makes purchases from the merchant via PIS. To do otherwise will hugely and unnecessarily disadvantage PISPs compared to other payment methods, who are not under this obligation.
- PISPs should not be required to undertake transaction monitoring in order to avoid unnecessary, i.e. risk-based avoidable double efforts for the whole open banking sector.

To provide a deeper view into the market practise from our side, the current AML/CFT practise by finleap connect is based on national authority guidelines as follows:

As part of finleap connect's overall risk management framework, as described in a Governance & Risk Strategy, finleap connect maintains a Anti-Money Laundering, Combating the Financing of Terrorism and Anti-Fraud Policy covering the according two risk areas. Overall objective of this policy is to explain how according risks are identified, prevented and countered in an appropriate manner and how finleap connect fulfils its duties as an obliged payment institution under the German Money Laundering Act. This especially includes finleap connect's risk assessment for these risk areas and finleap connect's according internal controls and risk minimising measures.

Because of finleap connect's general obligation under the German Money Laundering Act and in order to ensure on an ongoing basis that finleap connect can guarantee the observance of simplified due diligence obligations through a clean derivation of risks (risk-based approach), finleap connect complies with requirements primarily from chapter 2 of the German Money Laundering Act ("Risk Management"). Moreover, the obligations that are explicitly defined by German Financial Supervisory Authority ("BaFin") as part of its administrative practice (interpretation and application references of BaFin as of May 2020), which are an obligation to report suspicions and the general duties of care with regard to payees for PISPs) were determined as minimum requirements for finleap connect as account information service and payment initiation service provider. finleap connect will always react to any changing circumstances and new threat developments, i.e. will take any new findings into account for ongoing up-to-date AML procedures, esp. Know Your Customer, i.e. customer due diligence procedures. Moreover, finleap connect is continuously monitoring if any further national Anti Money Laundering ("AML") laws apply due to being active under passporting rights within other EU countries.

As part of the finleap connect Overall Risk Assessment the appropriateness of first level controls, second level controls and risk minimising measures is assessed for the risk areas AML/CFT and Anti-Fraud. The risk assessment is updated at least yearly and on an ad hoc basis if necessary. The results of the risk assessments can include newly identified risks, possible weaknesses or gaps, which are used to plan new or adapt existing risk minimising measures. finleap connect will always react to any changing circumstances and new threat developments, i.e. will take any new findings into account for ongoing up-to-date AML procedures, esp. Know Your Customer, i.e. customer due diligence procedures.
First Level Controls - Customer Due Diligence Measures: As the ongoing risk assessment - so far taking into account the factors and types of evidence of potentially lower risks (Annex II) and higher risks (Annex III) from Directive 2015/849 of 20 May 2015 (AMLD4) - has consistently shown a very low risk for money laundering/terrorist financing finleap connect decided to apply simplified customer due diligence measures.

The interpretation and application references of BaFin as of May 2020 state that customer due diligence measures are at least necessary when the B2B customer of payment initiation services is also the payee. Thus, finleap connect understood its initial risk analysis, which was provided to BaFin beforehand, as approved and implemented a three level Know Your Customer (KYC) approach for its B2B-customer. We apply it consistently for all B2B customers, regardless of serving them with PISP/AISP services as a payment institution or only acting as a technical service provider. For PISP/AISP services, we apply a medium Level of simplified CDD. For PISP services in which our B2B customer is also acting as a payee, we apply full CDD in line with BaFin provisions as of May 2020.

So far under current practise no IT monitoring of transactions is necessary, which is highly welcomed in order to avoid unnecessary and risk-based avoidable double efforts for the market. Our approach has proven to serve as the right level of risk identification and CDD scopes. We were able to focus our AML/CFT management system on actual risk minimization and not redundant documentation efforts.

Last but not least we would like to mention that esp. banks that we serve as a technical service provider from finleap connect’s perspective already stated that if the EBA guidelines 18 becomes applicable to the drafted extent, they would rather refrain from offering Multibanking Services and other PSD2 use cases to their end customers (PSUs) instead of following those guidelines. Costs for the proposed measures by EBA esp. for switching from a B2B customer approach to any PSU linked measures based on Guideline 18.8 as well as IT Monitoring based on Guideline 18.11 do not match actual risks at all.

Moreover, they are likely to kill actual motivation for the market to provide user centric services and thus are a big hurdle to PSD2’s goal of fostering innovation in the EU market. We highly recommend EBA to refrain from the proposed approach for AISP/PISP and follow smart approaches taken in member states markets such as France (AISP excluded; simplified obligations for PISP under Décret n° 2017-1313 du 31 août 2017 portant transposition de la directive n° 2015/2366) or Germany as outlined in detail before.