18.1 - 18.3) We agree on the definition of the scope and the limited inherent risk of AML/CTF for AISPs/PISPs.
18.4) We agree. It is clear from these customer risk factors that an AISP/PISP is in the best position to detect potential money laundering activity only after the customer has been onboarded and has provided transaction history data or undertaken the initiation of a payment. This is in line with the approach that SDD (at least upon onboarding) will be the norm.
We would ask the EBA to consider adding in additional guidance to those PISPs that provide their services to third-party merchants, much like a traditional merchant acquirer, which allows third parties to have the functionality to accept customers’ direct bank transfer payments. The customer risk here is increased and should be considered in line with the risks associated with merchant acquiring, in that it is for the PISP provider to understand the merchants’ expected profile including the merchants’ trading hours, transaction values & volumes, the merchants’ establishment address, etc.
18.5) We disagree. Although the ESA’s Opinion on the use of innovative solutions in the customer due diligence process is a very useful tool when considering how due diligence should be undertaken given technical advances, I would not agree that this document provides context on analysing an AISP/PISP’s distribution channel risk.
Instead, I believe the EBA should consider the risk of AISPs having agents. For example, where an AISP segregates data in different databases depending on the access rights of the AISP agent, how this affects the principal AISP’s ability to undertake effective cross transactional data analysis of the whole customer base, especially where a customer may have multiple accounts across different AISP agents.
Some AISP business models include analysis of transactional data for the purposes of AML onboarding due diligence either for themselves or third-party businesses. Companies no longer need to wait for transactional data to be available within their own infrastructure, which would normally be an extremely limited view of the customers' overall transaction profile. Instead, analysis of data via an AISP allows the company to understand the customers’ transaction profile holistically before the establishment of the business relationship. This I believe should affect the content of the ESA’s opinion paper mentioned above, to include a reference to how transactional data can be imported and analysed at the point of onboarding for the purpose of DD, rather than this consultation including reference to the opinion.
18.6 & 7) We agree with the guidance provided here.
18.8 – 18.10) We agree with the guidance provided here with no additional comment.
18.11) We agree to an extent. An AISP provider has access to “first-hand” transactional data, which may have been accessed from multiple sources, creating a unique opportunity to have a holistic customer transactional profile. Therefore, AISPs should have a known responsibility to be able to detect if there are any irregular activities taking place. However, the costs associated with implementing sophisticated transactional monitoring capabilities could be an overhead that overrides the minimal profit margins associated with many AISP business models (also keeping in mind that the ASPSPs connected with the AISP must have controls to detect irregular activity). We would ask that the EBA provide clarity that the level of monitoring undertaken by the AISP/PISP should be risk-based and proportionate to the volume of data held on customers.
18.12) Agreed, that PISPs should be beholden to CDD requirements including the ability to undertake SDD where the risk is low (the norm). However, it seems unnecessary for AISPs to consider undertaking CDD on a customer considering the business has no ability to actively prevent money laundering taking place; the AISP can only detect suspicious patterns of activity post-event and has no ability to prevent further transactions from taking place. AISPs should be used as a tool for the data they hold and should not be required to undertake DD which would have little, if any, impact on the firm’s residual risk of money laundering. This is especially significant as the ASPSP is the one responsible for ensuring the customer undertakes SCA and 2FA to reduce fraud and AML risk.
18.13) We disagree with this guidance. The ASPSP is responsible for ensuring SCA has been undertaken at the point of adding the account with the AISP. It is for the ASPSP to ensure this has been accessed correctly and that the account is only used by the individuals that are allocated to the account utilising 2FA. The ASPSP should be able to provide the names on the accounts to the AISP. Also, it is unclear what the AML risk mitigation benefit is for the AISP knowing who else has access to the account, especially where DD is highly unlikely to be undertaken.
18.14) We agree, this would be applicable on a risk-based approach i.e. if the PISP has a B2B business model which requires the business to know who their customer is (such as a merchant). However, it seems highly unlikely that EDD would be an effective control in mitigating risks of AML for an AISP.
18.15) We agree in principle to the guidance here. For b) CDD is much more likely to be relevant for PISPs, and less so for AISPs. For c) we would ask for the EBA to clarify the use of the word “assuming” used here. We would expect the AISP/PISP to understand the nature and purpose of the business relationship on a business risk assessment scale, which would instruct the client risk considered at onboarding and ongoing monitoring. The firm may assume the nature and purpose of the business relationship; however, this must be specifically in line with the firm’s expectations based on the business risk assessment.