PayPal supports the proposed changes to the section on definitions, and in particular the distinction proposed regarding ‘inherent risk’ as the level of risk before mitigation and ‘residual risk’ as the level of risk that remains after mitigation.
PayPal supports the risk-sensitive approach taken in guideline 4.12 (d) to understanding the customer’s ownership and control structure (beneficial ownership). It is of paramount importance that the risk profile that a customer relationship represents remains a central feature of the measures that obliged entities are required to put in place for BO verification. We are therefore supportive of guideline 4.18 that assures this.
Regarding the verification of beneficial owners (BO), PayPal would generally welcome further guidance on the use of BO registers and in particular instances where information obtained therein can be considered sufficient for establishing a beneficial owner, as outlined in guideline 4.13. Alternatively, and taking into account the whole of the circumstances, PayPal would welcome a standard that establishes a presumption of reliability for information contained in the BO registers, unless a firm knows or has reason to know that the information contained therein is inaccurate.
We note that guideline 4.17 (“control through other means”) has a major impact on current BO verification practice, and would be particularly difficult to establish in some instances. In order to reduce the burden on obliged entities, the provision should explicitly clarify in which cases requirements as per guidelines 4.17 (a-c) are deemed necessary, in line with the risk-based approach. We are supportive of guideline 10.12, which allows for flexibility for certain types of eMoney accounts in line with a risk-based approach.
Guideline 4.22 puts in place a new measure requiring obliged entities to document reasons for identifying senior managers instead of the traditional beneficial owner of the firm. We would welcome further guidance on the format of such documentation, and possible necessary reporting obligations.
Regarding non-face-to-face situations, PayPal is generally supportive of the initial EBA guidelines as well as changes to the guidelines clarifying CDD obligations for financial firms. We however believe that it is essential for a risk-based approach to be applied to customer due diligence, taking into account the business model of the obliged entity as well as the type of activity in question. We do not believe that non-face-to-face transactions or customer onboarding themselves by default constitute a higher ML/TF risk – AML/CTF processes have been designed in close cooperation with regulators to include safeguards to assess what types of situations require the application of higher due diligence. We therefore do not see a need for fundamental changes to enhanced due diligence triggers at this point in time.
Consequently, we believe that guideline 4.30 as revised does not embed a risk-based approach. Indeed, we do not believe that a non-face-to-face activity automatically should trigger enhanced due diligence (EDD). We propose that this guideline is revisited to reflect that the key determinant for EDD is a high-risk interaction, not non-face-to-face activity.
Generally in relation to guidelines 4.32-4.37, PayPal welcomes the FATF’s recent recommendations regarding digital identities and the ESA 2018 Joint Opinion on the use of innovative solutions that call on competent authorities to encourage a flexible, risk-based approach to using digital ID systems for CDD that supports financial inclusion. The reliance on national eID schemes of high assurance for identification purposes should be fully embedded in the practical implementation of AML/CTF regulation. We are supportive of harmonizing conditions for the use of remote identification technologies and services in the EU AML/CTF regulation.
PayPal believes that the use of trusted third-party service providers for the purpose of remote identification should be encouraged. Such tools provide significant benefits for the customer experience as well as for the financial entity onboarding the customer. Ideally, a financial entity could enter into a contract with a trusted third-party vendor, which could operate seamlessly across the EU/EEA eID schemes. As we have noted recently in response to the European Commission’s consultation on an upcoming strategy on Digital Finance, a number of barriers to vendors’ ability to scale up and to making full use of such services however remain, including in relation to data availability, technological standards, contractual relationships, and differences in the level of uptake of electronic identity schemes.
We are supportive of guideline 4.32’s recognition of the technology-neutrality of directive (EU) 2015/849 in relation to customer verification, and guideline 4.33 allowing companies to assess the efficacy of used third-party technology. We further believe that it should be up to each firm to decide on the type of certified third-party service that they may wish to rely on to facilitate customer onboarding or verification, and note that guideline 4.36 should not be interpreted as firms needing to seek prior approval from competent authorities for their use.
Regarding guideline 4.53, we note that it is common practice for financial institutions to apply enhanced due diligence (EDD) to high-risk (HR) third country transactions or customers, in line with a risk-based approach. We believe that not every transaction or firm from an HR country should be automatically subject to full EDD (and such an inflexible approach could have the perverse impact of disincentivizing use of the HR country designation), but rather, obliged entities should ensure that HR country transactions are adequately addressed. We therefore call on guidelines to be flexible enough to allow for additional aspects to be considered in conjunction with HR country lists in determining the level of EDD application. More generally, we call on high-risk third-country lists to be aligned globally to ensure consistency, and welcome the European Commission’s recent efforts in this respect.
In line with AMLD5, we believe it is essential that the management board of the obliged entity continues to remain fully responsible for defining the risk appetite, and that the AML processes and safeguards are drawn up in close cooperation with the regulator. We therefore call on guideline 7.2 to be amended to clearly reflect article 8(4)(b) of Directive (EU) 2015/849, which notes that an independent audit function is required in exceptional circumstances only depending on size and nature of the business in question. Moreover, we also strongly believe that obliged entities established in one market that rely on a passport to operate in another should only be obliged under the rules of the home member state.
Additions to guideline 10.9 represent a material change to the current guidelines in terms of establishing a requirement for an obliged entity entering into a relationship with a merchant to conduct additional background checks on the type of business activity in question and estimated transaction frequency. We believe such a fundamental change is not fully justified. PayPal would strongly advocate for a risk-based approach to be applied to instances where an agreement is entered into based on the risk profile of the merchant.
We are very supportive of Guideline 10.12, which appropriately recognizes that certain types of eMoney accounts rightly do not represent a high ML risk, and can therefore be subject to simplified due diligence. We are also supportive of guideline 10.14(e), dealing with linking certain e-money products to devices or IP addresses for web-based transactions.
Regarding guideline 10.15, we note that it is common practice for financial institutions to apply enhanced due diligence (EDD) to high-risk (HR) third country transactions or customers, in line with a risk-based approach. We believe that not every transaction or firm from an HR country should be automatically subject to full EDD, but rather, obliged entities should ensure that HR country transactions are adequately addressed. We therefore call on guidelines to be flexible enough to allow for additional aspects to be considered in conjunction with HR country lists in determining the level of EDD application. More generally, we call on high-risk third-country lists to be aligned globally to ensure consistency, and welcome the European Commission’s recent efforts in this respect.