Major and emerging ML/FT risks identified by the EBA in its report on payment institutions

The scale and nature of the money laundering and terrorism financing (“ML/TF”) risk associated with the payment institutions (“PI”) sector and the extent to which PIs’ anti-money laundering and combatting of financing of terrorism (“AML/CFT”) systems and controls are adequate and effective in tackling ML/TF risks are two of the primary areas of focus of a report  issued by the European Banking Authority (the “EBA”) on the 16 June 2023 (the “EBA Report”).[1] The report follows an assessment of ML/FT risks in the PI sector carried out by the EBA in 2022.

The EBA Report builds on the opinion of the European Commission which,  in its 2022 supranational risk assessment, commented that payment institutions are inherently exposed to both ML and TF risks and that they ‘appeared to be most vulnerable to risks arising from weaknesses in AML/CFT systems and controls’.[2]  The EBA Report emphasises that within the payment institutions sector there exist a variety of business models which render it anything but homogeneous, clearly impacting the extent to which each PI  is exposed to ML/TF risk, the type of risk and, consequently, the necessary control measures which should be in place.

Major risk factors and emerging risks

The EBA Report notes the major risk factors which are linked to the PI sector derived from an analysis of information extracted from regulatory returns and supervisory findings.

Customer Risk

PIs tend to have a customer base with a high proportion of potentially higher-risk customers, such as non-resident customers and individual customers who have been de-risked from the banking sector and corporate customers from certain high-risk sectors such as including gambling companies and crypto asset service providers. The EBA comments on new client typologies such as platforms and marketplaces, which, by creating additional layers give rise to complexities and result in an increase in the overall ML/TF risk level.

Geographical risk

The cross-border nature of transactions executed by the sector, often with high-risk third countries is also singled out as one of the most significant risks associated with PIs. AML/CFT supervisors noted that this risk was particularly prevalent with money remittance, considering that they often operate in geographical areas where they provide access to payment services filling the gap of absent credit institutions.

Product risk

New technologies permitting anonymity, innovative products and the high speed of transactions were also identified as instigators of higher ML/TF risks. The findings also highlight the use of cash and the prevalence of one-off transactions. AML/CFT supervisors considered that higher ML/TF risks stemming from those business models which allow the sending of cash from the payer to the payee without an established business relationship of either of the two counterparties, using the money remittances sector. The EBA noted the trend where instead of physical cash handover, “the customer transfers money to the money remitter by PayPal or other transfer (excluding funds transfer from a bank) thereby adding an additional transaction to the chain of cash remittance.” Furthermore, one-off transactions were themselves a risk factor in that the ability of payment institutions to create a customer risk profile and to identify and manage ML/TF risks associated with individual transactions is limited.

Delivery channels: Use of intermediaries (agents)

The EBA noted that the most significant risk associated with delivery channels is the widespread use of intermediaries, including agents. The EBA commented that, “the agents’ core business is not always linked to the financial services industry, and that instead, agents are newsagents, internet and phone stores, tobacco shops, mini markets and petrol stations. This can limit agents’ awareness of applicable AML/CFT rules and consequently the effective application of AML/CFT controls put in place by appointing payment institutions. Evidence also suggests that many agents serve one or more payment institutions at the same time and that agents frequently change payment institutions.”  According to the EBA, this contributes to weaker oversight by payment institutions of their agent network and makes it harder to put in place effective controls. Information provided to the EBA by AML/CFT supervisors suggests that the ML/TF risk in this area is high.

Outsourcing of AML/CFT-related tasks

The EBA Report stresses that without appropriate safeguards outsourcing can adversely impact the robustness of a PI’s control and risk management framework.  This also links the issue of “local substance” such that when the payment institution is not effectively managed and controlled in the jurisdiction where it was established, it can contribute to a limited oversight of the quality of the outsourced service.[3]

Emerging risks in the PIs sector

Several AML/CFT supervisors highlighted that the increased use of ‘white labelling’ was of ML/TF concern. PIs make their licence available to independent agents which develop their own product under the licence of the regulated PI. In view of the agents having control over the business relationship, including the communication with payment service users and sometimes also obtaining control of the financial flow or possession of funds, the ML/TF risk exposure becomes more difficult to manage.[4]  

Virtual International Bank Account Numbers (“VIBANs”) are also seen as an emerging risk considering that the jurisdiction where the underlying account is located is often blurred and in the EBA’s view it may mean that, “payment institutions do not comply with the applicable AML/CFT framework.”

Third-party merchant acquiring is the third emerging trend, and potentially a new ML/TF risk, identified by the EBA. The merchant acquirer outsources certain parts of the acquiring process to a third-party acquirer (“TPA”). TPAs are responsible for complying with the AML/CFT laws of the respective jurisdiction (within or outside the EU) when onboarding and monitoring the merchant. This exposes the merchant acquirer to the risk of indirectly processing illicit funds through the TPA where TPA’s AML/CFT programme is vulnerable to ML/TF.

AML/CFT weaknesses

The EBA has identified a number of weaknesses within the AML/CFT framework of PIs which in turn lead to recurring breaches related to ongoing monitoring, internal controls and overall AML/CFT policies and procedures, customer identification and verification of ID, the CRA and the BRA.[5]

  1. A poor overall awareness of ML/TF risk and the lack of rigorous training on AML/CFT issues;
  2. Insufficient transaction monitoring, deficient transaction monitoring systems and unmeaningful transaction monitoring;
  3. Insufficient suspicious transaction identification and reporting (STR), primarily as a result of a lack of awareness of ML/TF risk and also consequential to weak ongoing transaction monitoring;
  4. Failure to implement systems and controls to comply with restrictive measures such as in the area of ongoing screening of customers and transactions, which in some PI was noted that it was happening sporadically or not at all;
  5. Weak internal governance arrangements, especially where PIs were “new entrants seeking rapid growth and maximum profit.” These weaknesses varied from the lack of application of a clear three-lines-of-defence system to a relatively high turnover of staff in the key function holder positions;
  6. TF risks are poorly understood and managed. This risk is linked to specific features of the product and services on offer, such as the cash-based nature and the wide geographical reach of the service, which usually involves low-value transactions; and
  7. Remote/online onboarding without appropriate safeguards which may result in PIs often failing to identify high-risk customers, including PEPs.

Why is the above important?

The identification of risks within sector in which the PI operates is a key cornerstone of a robust AML-CFT framework. It is however extremely beneficial for PIs to understand and be alert to the weaknesses and vulnerabilities of other PIs to ensure that the framework adopted by the PI is not hampered by the same weaknesses. Unless the PI identifies the risks to which it may be exposed to in view of its business model and the vulnerabilities of the sector, the PI would not be able to set in place an effective framework to manage ML/FT risks in an adequate manner.

It is therefore key for PIs to assess whether they are exposed to the risks identified, inter alia, in the EBA Report and ensure that such risks are captured by the business risk assessment and the customer risk assessments and that the necessary controls are set within the PIs policies, procedures, and systems. In addition, the weaknesses identified are to be taken into account for the purposes of establishing the relevant framework and ensure that the PI does not fall foul of its obligations. Through the relevant compliance testing and, where applicable, internal audits, PIs should ensure that the controls adopted to mitigate such risks are effective in managing the risks identified.

______________________________

[1] EBA/REP/2023/18 https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Reports/2023/1056453/Report%20on%20ML%20TF%20risks%20associated%20with%20payment%20institutions.pdf

[2] 2 Report from the Commission to the European Parliament and the Council on the assessment of the risk of money laundering and terrorist financing affecting the internal market and relating to cross-border activities {SWD(2022) 344 final}, published on 27 October 2022, available here: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52022DC0554

[3] EBA report on the peer review on authorisation under PSD2, EBA/REP/2023/01 of 11 January 2023, available here: https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Reports/2023/1050744/Pee r%20Review%20Report%20on%20authorisation%20under%20PSD2.pdf

[4] Opinion of the EBA on its technical advice on the review of Directive (EU) 2015/2366 on payment services in the internal market (PSD2), EBA/Op/2022/06 of 23 June https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Opinions/2022/Opinion%20 od%20PSD2%20review%20%28EBA-Op-2022- 06%29/1036016/EBA%27s%20response%20to%20the%20Call%20for%20advice%20on%20the%20review%20of%20PSD 2.pdf

[5]The same deficiencies are mirrored by AML/CFT supervisors’ submissions to the EBA’s AML/CFT database, EuReCA, which was put in place in January 2022 as part of the EBA’s renewed AML/CFT mandate. The sector of payment institutions is the second most reported sector to EuReCA, after credit institutions. Since EuReCA’s establishment in January 2022, competent authorities have reported 62 material weaknesses in relation to 19 payment institutions12, out of which 59 were ‘breaches’ or ‘potential breaches’.