Response to consultation on Guidelines to prevent transfers of funds can be abused for ML and TF
Go back
Paragraph 8 and 9
The terms used correspond neither to the EU Payment Services Directive nor to industry practice. Instead, it should be specified that “PSPs have to determine for each payment whether they act as the PSP of the payer, the PSP of the payee or as an intermediary PSP in order to meet the requirements of the FTR.
Paragraph 11 and 13
Checking related payments has been common practice since the entry into force of the first FTR. However, it is not clear why it seems now necessary to identify such payments over a period of six months. To illustrate this it means that approximately 100 billion yearly transactions that would have to be coordinated just in Europe. Also, EBIC would like to stress that it is extremely difficult to identify ‘linked transactions’ as generally transactions are monitored separately. It is important to stress that the FTR states that “for transfers of funds exceeding EUR 1 000, whether those transfers are carried out in a single transaction or in several transactions which appear to be linked” checking obligations apply. Defining a time frame seems to imply that to correctly perform an analysis of the linked transactions – all money transfers (irrespectively of the transferred sums) would have to be checked on potential links with other transactions over a longer period of time than under the first FTR. For a bank this would mean that all clients need to be identified (before each transfer and irrespectively of the transferred sum), in order to allow for a conclusive ex-post analysis of possibly linked transactions to take place and the data to be submitted. Such an obligation would be disproportionate and would seem to contradict Art. 2 paragraph 5 of the FTR. PSPs should continue to check for linked transactions as already required by the first FTR. We propose deleting a concrete time frame as we do not have any indication that the current practice is not effective and as the provision creates uncertainties.
Moreover, Article 2 of the Regulation sets out that the PSPs cannot benefit from exemptions from the Regulation when a payment card, an electronic money instrument or a mobile phone, or any other digital or IT prepaid or postpaid device with similar characteristics is used in order to make a person-to-person transfer of funds. In this respect EBIC would welcome more clarity on what kind of transactions should be considered as “person-to-person” transfers of funds."
• contains all the fields necessary to obtain the information required by Regulation 2015/847. (For SEPA and intra-Union transactions, this includes the account number or IBAN of the payer and the payee or a unique transaction identifier);
• automatically prevents the sending or receiving of payments should inadmissible characters or inputs be detected”.
Regarding the detection of missing information, EBIC would like to raise the point that meaningless or even obviously" meaningless information is not mentioned in Article 8 of Regulation 2015/847/EU. In addition, we consider that it is difficult to detect such kind of information because it is not technically possible to identify whether the information (letters, numbers, etc.) is meaningless or real – neither automatically nor manually.
Paragraphs 25 and 27
The risk assessment should focus solely on the existence and completeness of information. It is not appropriate to take account of the amount limits, as well as States or payment service providers with high "ML / TF risk". Furthermore, EBIC does not share the interpretation that high-risk transfers of funds should be monitored in real time in particular on the criterion of a certain (high) value and where the payer or the payee are based in a country associated with high ML/TF risk. In both situations, the possibility offered by the Regulation 2015/847/EU to choose between ex-post and real time monitoring should be maintained. Indeed, the assessment of whether or not the amount of a specific transaction is high depends on the business activity rather than on a general threshold applicable in all circumstances. Having in place such systems would imply triggering a substantial amount of real-time alerts which will be difficult or even impossible to process in real-time. In the end, such a system would be ineffective.
Paragraph 26
EBIC would welcome clear cut definitions of “random” and “targeted” sampling because of the serious impact on checking procedures.
Paragraph 38
EBIC considers that a deadline of three or five working days is too short, as several payment service providers can be involved in the payment chain. This is especially important in the light of increased requirements on intermediate PSPs and the administrative burden connected with requests for information on complex transactions. It should be at least seven days for Intra-Union or more for payment from outside the Union as defined in the CEBS/CEIOPS/CESR Common Understanding of October 2008 (paragraphs 23 and 24).
Paragraph 51
Reporting on a monthly basis appears to be excessive as it increases the amount of information on payments that needs to be collected, analyzed and reported. A three-month-period as applied today in many Member States deems sufficient. It should also be clarified that reporting can be done on aggregated basis and not for each single transaction.
Paragraph 52
Reporting in such as detailed fashion appears excessive. It should not be required to report each period of time for which breaches that were identified and the reasons a PSP may have given to justify repeated failures.
Finally, we would like to highlight that, according to the table provided in annex 1, not all the information on the payer listed by the Regulation is required to accompany a transfer of funds. The information laid down in the Regulation 2015/847/EU - the payer's address, official personal document number, customer identification number or date and place of birth - seems to be required unlike under the previous Regulation. We would therefore like to have a confirmation of this interpretation because Regulation 2015/847/EU is not clear on this. Indeed, a different interpretation, which implies that all the information concerning the payer listed by the Regulation has to accompany the transfer, would cause a huge increase in compliance risks and costs."
Question 1: Do you agree with the general considerations in Chapter 1? In particular, do you agree that these are necessary to ensure an effective, risk-based and proportionate approach to complying with Regulation (EU) 2015/847? If you do not agree, clearly set out your rationale and provide supporting evidence where available. Please also set out what you consider to be the common principles that apply to both, the PSP of the payee and the intermediary PSP, and why.
EBIC believes some provisions are disproportionate and go beyond what is required in the regulation. EBIC also sees the need for some clarifications under this Chapter:Paragraph 8 and 9
The terms used correspond neither to the EU Payment Services Directive nor to industry practice. Instead, it should be specified that “PSPs have to determine for each payment whether they act as the PSP of the payer, the PSP of the payee or as an intermediary PSP in order to meet the requirements of the FTR.
Paragraph 11 and 13
Checking related payments has been common practice since the entry into force of the first FTR. However, it is not clear why it seems now necessary to identify such payments over a period of six months. To illustrate this it means that approximately 100 billion yearly transactions that would have to be coordinated just in Europe. Also, EBIC would like to stress that it is extremely difficult to identify ‘linked transactions’ as generally transactions are monitored separately. It is important to stress that the FTR states that “for transfers of funds exceeding EUR 1 000, whether those transfers are carried out in a single transaction or in several transactions which appear to be linked” checking obligations apply. Defining a time frame seems to imply that to correctly perform an analysis of the linked transactions – all money transfers (irrespectively of the transferred sums) would have to be checked on potential links with other transactions over a longer period of time than under the first FTR. For a bank this would mean that all clients need to be identified (before each transfer and irrespectively of the transferred sum), in order to allow for a conclusive ex-post analysis of possibly linked transactions to take place and the data to be submitted. Such an obligation would be disproportionate and would seem to contradict Art. 2 paragraph 5 of the FTR. PSPs should continue to check for linked transactions as already required by the first FTR. We propose deleting a concrete time frame as we do not have any indication that the current practice is not effective and as the provision creates uncertainties.
Moreover, Article 2 of the Regulation sets out that the PSPs cannot benefit from exemptions from the Regulation when a payment card, an electronic money instrument or a mobile phone, or any other digital or IT prepaid or postpaid device with similar characteristics is used in order to make a person-to-person transfer of funds. In this respect EBIC would welcome more clarity on what kind of transactions should be considered as “person-to-person” transfers of funds."
Question 2: Do you agree that the expectations on intermediary PSPs and PSPs of the payee in Chapter II are proportionate and necessary to both comply with Regulation (EU) 2015/847 and ensure a level playing field? In particular, do you agree with: • The steps PSPs should take to detect and manage transfers of funds with missing information of inadmissible characters or inputs? • The steps PSPs should take to detect and manage PSPs that are repeatedly failing to provide the required information? If you do not agree, clearly set out your rationale and provide supporting evidence where available. Please also set out at what you believe PSPs should do instead, and why.
EBIC agrees with the steps that intermediary PSPs and PSPs of the payee should take to detect transfers of funds with inadmissible characters or inputs. The Guidelines set out that these PSPs should ensure that its system:• contains all the fields necessary to obtain the information required by Regulation 2015/847. (For SEPA and intra-Union transactions, this includes the account number or IBAN of the payer and the payee or a unique transaction identifier);
• automatically prevents the sending or receiving of payments should inadmissible characters or inputs be detected”.
Regarding the detection of missing information, EBIC would like to raise the point that meaningless or even obviously" meaningless information is not mentioned in Article 8 of Regulation 2015/847/EU. In addition, we consider that it is difficult to detect such kind of information because it is not technically possible to identify whether the information (letters, numbers, etc.) is meaningless or real – neither automatically nor manually.
Paragraphs 25 and 27
The risk assessment should focus solely on the existence and completeness of information. It is not appropriate to take account of the amount limits, as well as States or payment service providers with high "ML / TF risk". Furthermore, EBIC does not share the interpretation that high-risk transfers of funds should be monitored in real time in particular on the criterion of a certain (high) value and where the payer or the payee are based in a country associated with high ML/TF risk. In both situations, the possibility offered by the Regulation 2015/847/EU to choose between ex-post and real time monitoring should be maintained. Indeed, the assessment of whether or not the amount of a specific transaction is high depends on the business activity rather than on a general threshold applicable in all circumstances. Having in place such systems would imply triggering a substantial amount of real-time alerts which will be difficult or even impossible to process in real-time. In the end, such a system would be ineffective.
Paragraph 26
EBIC would welcome clear cut definitions of “random” and “targeted” sampling because of the serious impact on checking procedures.
Paragraph 38
EBIC considers that a deadline of three or five working days is too short, as several payment service providers can be involved in the payment chain. This is especially important in the light of increased requirements on intermediate PSPs and the administrative burden connected with requests for information on complex transactions. It should be at least seven days for Intra-Union or more for payment from outside the Union as defined in the CEBS/CEIOPS/CESR Common Understanding of October 2008 (paragraphs 23 and 24).
Paragraph 51
Reporting on a monthly basis appears to be excessive as it increases the amount of information on payments that needs to be collected, analyzed and reported. A three-month-period as applied today in many Member States deems sufficient. It should also be clarified that reporting can be done on aggregated basis and not for each single transaction.
Paragraph 52
Reporting in such as detailed fashion appears excessive. It should not be required to report each period of time for which breaches that were identified and the reasons a PSP may have given to justify repeated failures.
Finally, we would like to highlight that, according to the table provided in annex 1, not all the information on the payer listed by the Regulation is required to accompany a transfer of funds. The information laid down in the Regulation 2015/847/EU - the payer's address, official personal document number, customer identification number or date and place of birth - seems to be required unlike under the previous Regulation. We would therefore like to have a confirmation of this interpretation because Regulation 2015/847/EU is not clear on this. Indeed, a different interpretation, which implies that all the information concerning the payer listed by the Regulation has to accompany the transfer, would cause a huge increase in compliance risks and costs."