1. To what extend do AISPs need to comply with the obligations in relation to anti-money laundering and terrorist financing under Directive (EU) 2015/849 of the European Parliament? 2. Is a requirement for AISPs on the basis of national law and national supervisory practices to submit to the competent supervisor a description of the internal control mechanisms with regard to AML regulations compliant with PSD2 and EBA’s Guidelines on Guidelines on authorisation and registration under PSD2?

On the basis of Article 33 PSD2, Article 5(1)(k) does not apply to AISPs. This means that AISPs, for authorisation as a payment institution, do not need to submit a description of the internal control mechanisms with regard to AML regulations. See also EBA’s Guidelines on Guidelines on authorisation and registration under PSD2 (paragraph 2.2, point 25). In the Netherlands, the competent autority (i) takes the position that AML requirements apply to AISPs (see: https://www.toezicht.dnb.nl/3/50-237181.jsp) and (ii) requires that a description of internal contral mechanism with regard to such requirements is submitted as part of the license application.

Answer to Q1 (prepared by the EBA): Point (2) of Article 2(1) of the Directive (EU) 2015/849 (AMLD) lists financial institutions as obliged entities. . Point (2)(a) of Article 3 of the AMLD defines the term  financial institutions as follows:  “…an undertaking other than a credit institution, which carries out one or more of the activities listed in points (2) to (12), (14) and (15) of Annex I to Directive 2013/36/EU of the European Parliament and of the Council {CRD), including the activities of currency exchange offices (bureaux de change). Point (4) of Annex I to CRD refers to: Payment services as defined in point (3) of Article 4 of Directive (EU) 2015/2366 of the European Parliament and of the Council (PSD2). Point (3) of Article 4 of the PSD2 defines payment services as any business activity set out in Annex I. Point (8) of Annex I to the PSD2 refers to Account information services (AISPs).” Thus, AISPs are obliged entities under the AMLD.

Pursuant to Article 8(3) of the AMLD ”Member States shall ensure that obliged entities have in place policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified at the level of the Union, the Member State and the obliged entity. Those policies, controls and procedures shall be proportionate to the nature and size of the obliged entities.” What such policies, controls and procedures shall include is specified in Article 8(4) of the AMLD.

Like other obliged entities, AISPs are required therefore to comply with the AMLD’s requirements. AISPs do not benefit from exemptions under the AMLD but, like other obliged entities, can adjust their Anti Money Laundering/Countering the Financing of Terrorism (AML//CFT) systems and controls on a risk-sensitive basis.

In the EBA’s Guidelines on money laundering and terrorist financing (ML/TF) risk factors (EBA/GL/2021/02), the EBA sets out how AISPs can adjust their AML/CFT systems and controls in a risk-sensitive and proportionate way. Taking into account that the inherent ML/TF risk associated with these financial institutions is limited due to the fact that AISPs are not involved in the payment chain and do not hold payment service user’s funds, the Guidelines state that simplified due diligence measures are appropriate in most situations.

Answer to Q2 (prepared by the European Commission): Article 33(1) of Directive (EU) 2015/2366 (PSD2) states that persons providing only the payment service as referred to in point (8) of Annex I, namely AISPs, are to be exempt from the application of the procedure and conditions set out in Sections 1 and 2 PSD2, with the exception of, inter alia, Article 5(1), points (a), (b), (e) to (h), (j), (l), (n), (p) and (q), PSD2.

According to Article 5(1), point (k), PSD2 the following is to be submitted to the competent authority: ‘for payment institutions subject to the obligations in relation to money laundering and terrorist financing under Directive (EU) 2015/849 of the European Parliament and of the Council [AMLD] and Regulation (EU) 2015/847 of the European Parliament and of the Council [ToFR]: a description of the internal control mechanisms which the applicant has established in order to comply with those obligations’.

Thus, AISPs are exempt from the application of Article 5(1), point (k), PSD2 and, as clarified in the  EBA Guidelines on authorisation and registration under PSD2, EBA/GL/2017/09, do not have to submit to the competent authority a description of the internal control mechanisms established in order to comply with their obligations under AMLD and ToFR. Consequently, a national competent authority cannot ask for this information during the registration process based on the national provisions transposing Article 5(1), point (k), PSD2.

This is without prejudice to any request the competent authorities might raise based on other legal grounds, e.g. national law transposing AMLD or the ToFR and AISP obligations under these acts.

Disclaimer for the answer to Q2:

The answers clarify provisions already contained in the applicable legislation. They do not extend in any way the rights and obligations deriving from such legislation nor do they introduce any additional requirements for the concerned operators and competent authorities. The answers are merely intended to assist natural or legal persons, including competent authorities and Union institutions and bodies in clarifying the application or implementation of the relevant legal provisions. Only the Court of Justice of the European Union is competent to authoritatively interpret Union law. The views expressed in the internal Commission Decision cannot prejudge the position that the European Commission might take before the Union and national courts.