Response to consultation on Guidelines to prevent transfers of funds can be abused for ML and TF

Question 1: Do you agree with the general considerations in Chapter 1? In particular, do you agree that these are necessary to ensure an effective, risk-based and proportionate approach to complying with Regulation (EU) 2015/847? If you do not agree, clearly set out your rationale and provide supporting evidence where available. Please also set out what you consider to be the common principles that apply to both, the PSP of the payee and the intermediary PSP, and why.

The proposal to require PSPs to identify linked transactions for exemptions for lower value transfers (EUR 1000 and below) and for ex post monitoring would be highly complex. Based on current bank systems the proposal could require the identification and retention of billions of transactions and is likely to be impracticable to implement, if based on the proposed definition of linked transactions (transactions from the same payments account or containing the same payee and payer information, sent within a six months period). We therefore suggest that the definition of linked transactions is redefined to avoid specifying a time period.

The proposal to require real-time monitoring appears to go beyond the aims of the Regulation, which states that PSPs should conduct ex post payment monitoring OR real time screening. We consider that it is for PSPs to choose what type of monitoring they undertake, while retaining a clear record of the reasons for the type of monitoring selected and how this mitigates the AML/CTF risk identified.

The proposal to require real-time monitoring for all transfers where the payer or payee are based in a country associated with high ML/TF risk would significantly extend the scope of current sanctions and CTF screening and be highly burdensome in terms of additional manual review, particularly for global banks. The proposal to require real-time monitoring for all unusually large transfers would also be highly burdensome and difficult to implement consistently across the wide variation of payment values and PSPs. We understand that it is not envisaged that PSPs will be required to engage routinely in large volumes of real time monitoring, yet the draft guidelines can be read to imply the opposite by stating that “High risk transfers of funds should be monitored in real time”. As currently drafted these proposals would have a significant adverse impact on straight through processing (STP) that could potentially result in adverse impacts on the efficient functioning of the market and significant disruption for customers.

We consider that such complex and burdensome procedures should only be required in cases of specific concern, in line with the risk-based approach. We therefore suggest that the proposal for real time monitoring is limited to cases of specific concern identified through ex post monitoring.

Question 2: Do you agree that the expectations on intermediary PSPs and PSPs of the payee in Chapter II are proportionate and necessary to both comply with Regulation (EU) 2015/847 and ensure a level playing field? In particular, do you agree with: • The steps PSPs should take to detect and manage transfers of funds with missing information or inadmissible characters or inputs? • The steps PSPs should take to detect and manage PSPs that are repeatedly failing to provide the required information? If you do not agree, clearly set out your rationale and provide supporting evidence where available. Please also set out what you believe PSPs should do instead, and why.

The proposal to require PSPs to implement procedures to detect missing or meaningless information would be challenging to implement without disproportionate effort given current systems and screening technology. There is also a risk of additional complications for PSPs outside of the EU/EEA but who are members of EU/EEA clearing systems like SEPA (for example, transactions to and from Switzerland will require full payer information and payee and name, while SEPA rules do not mandate this information).

The draft guidelines introduce the concept of ‘meaningless’ information (a concept which is not present in the regulation) defined as “information that makes no obvious sense”. However, it is a significant technological challenge to have in place (automated, real-time) procedures that can identify such ‘meaningless’ information. The current messaging protocols used by payments systems are based on international standards. These systems define the ‘syntax’ of these messages but are not designed to interpret the content. What is meaningless to one party might be meaningful to another, for example, messages in a different language, using an acronym recognisable to one party but not another, etc.

It may be possible to prevent the submission of missing information through the implementation of structured SWIFT message field formats, and to trigger NAK / Not Acknowledged messages where not compliant to trigger manual review. However, this might not identify meaningless information, and some banks may be technically unable to host structured SWIFT message fields. Current screening technology can identify multilingual name variants and abbreviations but in many cases further context and manual review is required to identify “obviously incomplete”. We therefore suggest that the definition for meaningless information be removed, or, if this is not possible, that the proposal for real-time monitoring to detect missing and meaningless information be reconsidered given technical limitations, and limited to the detection of missing information only.

It may be possible to identify further missing information through manual review of a risk-based sample, but this would need to be ex-post monitoring in order to avoid disproportionate effort and significant adverse impact on STP. To avoid inconsistent implementation there would also need to be detailed guidance on the appropriate sampling criteria (e.g. above a specific value threshold, where payer or payee are based in countries identified by FATF as having strategic AML/CFT deficiencies). We therefore suggest that the proposal for ex-post monitoring to detect missing information be limited to a risk-based sampling basis, with the finalised guidance providing more detailed guidance on the appropriate sampling criteria.

The proposal to require receiving PSPs to keep a record of all transactions with missing information is insufficiently defined and does not specify any time limit for data retention. Retained transaction data may include personal data falling under other regulatory requirements for retention and deletion (e.g. the General Data Protection Regulation). We suggest that the revised guidance clarify the duration of record retention of transactions with missing information, to support compliance with data protection and avoidance of burdensome requirements.

The proposal to require receiving PSPs to identify sending PSPs that repeatedly fail to provide required information is highly reliant on qualitative criteria, and we consider that this is overly permissive in relation to high AML/CFT risk and likely to lead to inconsistent implementation. We therefore suggest that the finalised guidance include more detailed guidance on the appropriate criteria for identifying ‘repeatedly failing’ sending PSPs, including a requirement to tighten the criteria where failings are associated with a high AML/CFT risk.

The proposal for requiring receiving PSPs to restrict or terminate business relationships with ‘repeatedly failing’ sending PSPs after two warnings and consideration of alternative mitigations is also insufficiently defined, and is likely to lead to inconsistent implementation and risk conflicting with AML prohibitions against tipping off. We consider that prescriptive quantitative thresholds alone should not be used to define ‘repeatedly failing’ sending PSPs and would welcome further definition on how qualitative criteria should be used to contextualise quantitative criteria, in line with an effective risk-based approach. Given the aims of the Regulation and the risk-based approach we consider that options for alternative mitigations to termination should include enhanced monitoring, whether more frequent ex post or real time monitoring as well as restrictions on the business relationship. We also consider that the identification of a ‘repeatedly failing’ sending PSP should lead the receiving PSP to reconsider the ML/TF risk associated with the sending PSP. We therefore suggest that the finalised guidance should include more detailed guidance on the definition of a ‘repeatedly failing’ PSP, the required format and protocol for warnings, consistency with tipping off prohibitions, interaction with ML/TF risk assessment, restrictions and other alternative mitigations to terminations of business relationships.

Question 3: Do you agree with the provisions for intermediary PSPs in Chapter III? If you do not agree, clearly set out your rationale and provide supporting evidence where available. Please also set out how you think intermediary PSPs can meet their obligations in Article 10 of Regulation (EU) 2015/847 instead.

The definition of real-time monitoring requires intermediary PSPs to perform the monitoring “before the funds are made available to the payee by the PSP who receives the funds”. We consider that this definition of real-time and the implied timelines for PSPs to act (specifically where the payee does not have a payment account with the PSP) are not realistic. In most cases “PSP1” (as an intermediary) is not aware of when “PSP2” will credit the funds to the payee and is therefore unaware of the time available for monitoring. We therefore suggest that the finalised guidance be amended to emphasise that the Payer Bank is responsible for providing required information and is ultimately the bank that is to be monitored for payment content and RFI response, as opposed to the Intermediary Bank.

The proposal at guideline 60 that PSPs only use systems that retain all information regardless of whether this is required by the Regulation may also be problematic. The Regulations allow domestic payments created from batch files to identify Payer/Payee by account/ID and name only, but would prevent a clearing participant from utilising a domestic low-level clearing system if additional party information was included that is not supported by that clearing infrastructure. We consider that this guideline is unduly restrictive and does not reflect the principle as set out in the FATF recommendations. We therefore suggest that the finalised guidance be amended to confirm that conversion of cross-border payments to domestic systems is permitted where the information provided might be truncated, so long as there are appropriate mitigating procedures in place.

Question 4: Do you agree with the provisions for PSPs of the payee in Chapter IV? If you do not agree, clearly set out your rationale and provide supporting evidence where available. Please also set out how you think PSPs of the payee can meet their obligations instead.

The proposal to require verification of payee information for transfers of funds above EUR 1000 would be challenging to implement given current SWIFT systems. Currently if an IBAN was referenced within field 59 of a SWIFT payment then the respective account would be credited without a Payee Bank knowing if the name on the payment was correct. In order to implement this proposal as defined payees would have to screen all payments above EUR 1000 in real time in order to verify the accuracy of payee information, which is disproportionate and would have a significant adverse impact on STP. We therefore suggest that the proposal for verification of payee information for higher value transfers is further targeted to provide a more proportionate and workable scope (e.g. only where the payee information has not already been verified through customer due diligence procedures).

Name of organisation

Payments UK