
European Payment Institutions Federation (EPIF)

EPIF is pleased to have the opportunity to provide comments for the EBA Revised Guidelines on ML/TF risk factors.
Although the EBA revised Guidelines will significantly improve the position of obliged entities and help them take the necessary steps to identify and assess ML/TF risk, we ask the EBA to take our recommendations into consideration to ensure the Guidelines’ ongoing accuracy and relevance, particularly because the risk can vary in each EU member state and according to the sector or business model concerned.

As a general comment, we agree with the generic Guidelines in Title I, but we would like to include some specific comments about cash withdrawals/ATMs, transaction monitoring, record keeping and independent audit that firms should take into consideration to tackle potential emerging risks.

We welcome, among other recommendations mentioned in this document, the addition of sector-specific Guidelines to the Risk Factor Guidelines (Title II) but would like to ask to include certain additional sectors (credit or charge card companies), not specifically considered in the revised Guidelines.
Finally, as stated in the revised Guidelines, together Title I and Title II promote the development of a common understanding, by firms and competent authorities across the EU, of what the assessment of ML/TF risk entails and how it should be conducted. Nevertheless, we would consider it generally helpful if the EBA were to also consider issuing guidelines for other business models and, in addition, to review areas of EU law that are not fully harmonised or are not yet addressed by EU law.
We welcome the addition of sector-specific Guidelines to the Risk Factor Guidelines. In this regard, we suggest that the EBA considers including guidance for additional business models, namely credit and charge card issuers. This would promote effective risk management and support firms’ AML/CTF compliance efforts, enhancing the ability of the EU’s credit and charge card sector to deter and detect ML/TF effectively by means of guidance on:
• business-wide and individual ML/TF risk assessments;
• customer due diligence measures including on the beneficial owner;
• terrorist financing risk factors; and
• emerging risks, such as the use of innovative solutions for CDD purposes.
In that regard, FATF and Wolfsberg issued similar documents:
1. Prepaid cards, mobile payments and internet-based payment services (June 2013)
2. Wolfsberg AML Guidance on Credit/Charge Card Issuing and Merchant Acquiring Activities (2009)
Additionally, this new guidance for credit and charge card companies would help reduce competitive disadvantage versus other financial companies under similar AML regulations in the EU, especially if EU competent authorities were to set supervisory expectations of firms by reference to the guidance, rather than, for example, requiring compliance with the same standards applicable to generally much higher-risk entities such as banks that might also happen to issue credit or charge cards. This type of guidance would help supervisors to communicate and set clear expectations of the factors firms should consider when identifying and assessing ML/TF risk and deciding on the appropriate level of CDD.

According to FATF (http://www.fatf-gafi.org/media/fatf/documents/recommendations/Guidance-RBA-NPPS.pdf), access to cash through international ATMs (some of them based in high-risk countries) or a national ATM network increases the level of ML/TF risk. In our view, the revised Guidelines focus on cash withdrawal in only two sectors (the sectoral guidelines for electronic money issuers and crowdfunding) and do not consider other industries/firms where this factor may contribute to elevated customer risk. One example is the use of ATMs by customers of retail banks or wealth management firms, which gives them access to a global ATM network that allows high-value cash withdrawals or multiple withdrawals in a short period of time and without an economic rationale. In our view, the ability to use ATMs in relation to a product should be included as a risk factor when identifying the risk associated with it, and the involvement of an ATM is also relevant to the assessment of an individual transaction as suspicious or not.

In addition, the guideline proposes to consider a lack of face-to-face interaction (or avoidance thereof) as a risk factor. For online businesses, where by definition there is no face-to-face due diligence, we would suggest that this wording is expanded to include a customer attempting to avoid due diligence altogether or, where various non-face-to-face CDD options are available, refusing to comply with the more direct and personal options such as face matching or live selfies.
One of the main requirements of any transaction monitoring program is that its efficacy should be kept under regular review (Guideline #7 and chapter 4.72: Firms should ensure that their approach to transaction monitoring is effective and appropriate). In addition to the different proposals included in Guideline 4 (Transaction monitoring, chapters 4.72 to 4.74), our suggestion would be to explore the possibility of allowing disclosure of information between two or more entities about a shared customer or transaction (regardless of the professional category/sector) as long as those entities are under the same AML regime and subject to equivalent obligations as regards professional secrecy and personal data protection. The information exchanged would be used exclusively for the purposes of the prevention of money laundering and terrorist financing and would be disclosed by the AML Compliance Department. Ideally, this type of disclosure would also be permitted between firms domiciled in the European Union or in equivalent third countries (in terms of their AML, professional secrecy and data protection standards). Naturally, it would not extend to disclosure to entities domiciled in third countries not classified as equivalent.

We welcome the EBA’s recognition, at Guideline 4.32, that Directive (EU) 2015/849 is technology neutral with respect to customer verification.
As firms are best placed to assess the risks they are exposed to, they are best placed to identify the solutions to those risks. We therefore welcome the obligation for firms to assess the efficacy of the technology solutions they use (Guideline 4.33).
New technologies, when applied appropriately, represent an opportunity to address and reduce ML/TF risks, as they enable firms to take account of additional data points and to robustly scrutinize information provided by financial services users. As the financial services industry continues to develop, the need for non-face-to-face verification continues to rise. Non-face-to-face verification is essential to facilitate financial inclusion and competition among firms (by way of reducing barriers to market entry).
While we accept firms must be in a position to demonstrate the appropriateness of technological solutions adopted by them (as set out in Guideline 4.36), we ask that confirmation is provided with regard to when firms will be required to do so. We are of the view that firms should not be required to obtain prior approval from Competent Authorities regarding the use of a particular technology solution but rather be required to demonstrate the appropriateness of the solution after implementation. This will enable ML/TF mitigation measures to keep pace with risks that continually develop. However, we recognize that firms will need to have robust governance and testing in place to facilitate this approach.
We would further strongly encourage CAs to develop a forum where they can inform each other and exchange know-how on such best practices employed by firms in their respective jurisdictions.
With regard to beneficial ownership and control: frequently, when onboarding or reviewing a multinational customer organization, where complex ownership structures are the norm rather than the exception, challenges arise around the legal declaration that there is no beneficial owner or individual who exercises control over the customer. We suggest adding a reference to large corporates with complex structures where it is reasonable to conclude that there is no beneficial owner, rather than expending excessive effort on a fruitless search.
On SDD, the possible threshold utilized before enforcing full due diligence must be directly tied and proportionate to the firm’s assessment of the customer risk profile. There is no “one size fits all” approach to SDD thresholds. SDD must also be supported by other elements of a holistic controls framework, such as transaction monitoring.
It would be useful if the due diligence guidelines could clarify the amount of “informal reliance” firms can place on the fact that a customer holds a verified account with another financial institution subject to the same regulatory framework. This should not and cannot be the only factor considered, but rather a form of additional confirmation and assurance that the customer has gone through the due diligence process at another financial institution.
The European Banking Authority (EBA) published last October a report identifying potential impediments to the cross-border provision of banking and payment services in the EU. Developed under the EBA’s FinTech Roadmap, this Report calls on the European Commission to facilitate cross-border access, including the update of interpretative communications on the cross-border provision of services and further harmonisation of consumer protection, conduct of business and AML/CFT requirements, in order to facilitate the scaling up of activity cross-border.
In order to allow passporting firms to comply with record keeping obligations and demonstrate to their competent authority that the measures taken are adequate, areas of EU AML law should be harmonized to the maximum extent possible. As an example, some EU countries require firms to keep documents for 10 years (Spain or Italy) and other EU countries only 5 years (France) after the relationship or professional service has ended, or after the transaction has been carried out. We would suggest that the EBA considers advising EU policy makers on a harmonized approach, in order to remove obstacles that impede the operation of the Single Market in payment services. Record keeping requirements should therefore be harmonized consistently across the EU, particularly where firms passport their services into different EU markets.
Unless required by the local AML/TF regulation (for example, in Spain since 2005), we submit that an independent review should only be required whenever the second or third line of defense detects potential high-risk issues that directly impact the firm’s risk profile. This independent review should focus only on specific AML controls (for example, the EDD process or Transaction Monitoring), rather than the complete AML program. As well as being a more proportionate approach, this would also reduce the cost of implementation of this recommendation for firms.
Some electronic money products are created to support sections of the population that are unbanked or have less access to traditional banking products. Due diligence and monitoring for such customers need to take into account financial inclusion and a risk-based approach for EMI firms.

For factors that may reduce risk: products that represent a “closed loop” where funds can only be used for a specific purpose or with a limited number of approved merchants (building on the existing bullet 10.5 c) iii.).

In the section around factors that may contribute to increasing risk: multiple different customers who present similarities in their data which may indicate that those accounts are being controlled by one person (e.g. IP or device data).

The threshold mentioned in 10.18 a) of 150 EUR for SDD low-risk scenarios goes beyond the threshold in Article 12 of Directive (EU) 2015/849, which was 250 EUR. We find this excessively restrictive and in contradiction with the drive for a risk-based approach, where we believe a holistic and strict controls framework can enable higher thresholds for Simplified Due Diligence.
Payments services providers