Response to consultation on draft Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on customer due diligence and ML/TF risk factors
Question 2: Do you have any comments on the proposed amendments to Guideline 1 on risk assessment?
Point 1.27 of the draft is confusing. Point 1.27, which states that there are no expectations for the firms to draw up a complete customer risk profile when carrying out occasional transactions, seems to contradict point 1.26, which requires firms to obtain sufficient information to identify all relevant risk factors before carrying out occasional transactions.
Because of the lack of a definition of a complete customer risk profile, the expectations for the firms are unpredictable.
In our opinion, point 1.27 does not bring any obvious benefit in terms of clarity, thus we suggest eliminating it.
Question 4: Do you have any comments on the proposed amendments and additions in Guideline 4 on CDD measures to be applied by all firms?
More clarity is needed for point 4.12 letter d) of the draft. According to point 4.12 let. d), firms should apply a risk-based approach to document and verify the information related to the beneficial owner. This approach is inconsistent with Article 13 para. 1 let. b) and Article 40 of Directive 2015/849, according to which the obliged entities have to verify the beneficial owner information in all cases in order to understand the ownership and control structure of the customer and to retain evidence and records.
In our opinion, 4.12 let. d) should be applicable in relation to the extent of the verification, thus we suggest rephrasing it as follows:
“4.12. d) The firms should determine the extent of the application of steps b) and c) on a risk-sensitive basis.”
Point 4.52 should be extended to all clients with high risk factors and not be limited only to PEPs.
According to point 4.52, firms should ensure that the measures they put in place in relation to PEPs do not lead to PEP customers being denied access to financial services.
De-risking practices by financial institutions threaten to cut off access to the financial system for clients with a higher risk (e.g. gambling businesses). If the current trend continues, it is possible that some high-risk clients will be completely cut off from access to regulated financial services.
In our opinion EU law should deal with de-risking, thus we suggest a more general approach concerning other potential high-risk clients as well, not only the PEPs.
“Firms should ensure that the measures they put in place to comply with the Directive (EU) 2015/849 and with these guidelines in respect of high risk factors do not result in entire categories of customers unduly being denied access to financial services.”
Question 18: Do you have any comments on the additional sector-specific Guideline 18 on account information and payment initiation service providers?
We have some general remarks regarding the application of AML/CFT legislation to PISP and AISP, as follows: PISP and AISP are never in the frontline of the fight for preventing/combating ML/TF because their customers are always ASPSP clients (more often banks), which have specific KYC requirements. The only value they add in the fight against ML/TF is their general perspective on their clients’ transactions (they have information for the same client from different ASPSP).
However, despite this perspective, they are not able/permitted to undertake in-depth analyses as they can apply KYC measures only with regard to their own performance and, in addition, their access to information is limited, being governed by express provisions in PSD II, which specifically regulates the use of such data.
Also, the replication of KYC measures undertaken by the main provider of the payment service (which could happen even twice in cases when both PISPs and AISPs are involved) is not justified as, although this could provide some benefit in terms of AML objectives, as another filter of the transactions, this would certainly entail greater costs for the operation of PISP and AISP, which would hinder the development of such sector.
Given these considerations, we consider that the application of AML rules to AISP and PISP should be carefully designed in order to balance costs and benefits.
Thus, we consider it absolutely necessary to identify the elements with which AISP and PISP can really contribute to improving the resilience of the financial sector against ML/TF threats.
Regarding KYC measures, our opinion is that, as the customer identification and verification is done anyway by ASPSP, who has all the necessary information regarding the client, AISP and PISP should rely on them and no additional burden should be put on the AISP and PISP (see points 18.10 and 18.15 let. a)). That means not requiring them to gather and verify information that would be very difficult to obtain and would not bring significant additional benefit to what was already done by the ASPSP.
Regarding the obligation of monitoring the business relationship, we appreciate that, as neither AISP nor PISP enters at any moment into the possession of funds or has the means to determine the clear economic or legitimate rationale of fund transfers, this obligation should aim only at transactions ordered by their client from accounts held by more than one ASPSP.