Response to consultation on proposed RTS in the context of the EBA’s response to the European Commission’s Call for advice on new AMLA mandates
Question 7: What are the specific sectors or financial products or services which, because they are associated with lower ML/TF risks, should benefit from specific sectoral simplified due diligence measures to be explicitly spelled out under Section 4 of the draft RTS? Please explain your rationale and provide evidence.
ZNPay a.s., reg.no. 02013517, with its registered office at Palackého třída 3048/124, 612 00 Brno, Czech Republic, registered in the Commercial Register kept by the Municipal Court in Prague, Section B, Insert 23823 (“ZNPay”) is a payment institution regulated by the Czech National Bank licensed to provide Payment Initiation Services (PIS) and Account Information Services (AIS) as a third-party provider (TPP).
- General comments on RTS specifying requirements for CDD under Article 28(4) AMLR
ZNPay welcomes the opportunity to respond to the European Banking Authority's (EBA) Consultation Paper on the draft Regulatory Technical Standards (RTS) specifying requirements for customer due diligence (CDD) under Article 28(4) and the exhaustive list of simplified due diligence (SDD) factors under Article 29(5) of the Regulation (EU) 2024/[XXX] (AMLR).
As an innovative provider of PIS and AIS operating within the European Union, ZNPay is committed to the development of a robust, effective, and proportionate Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) framework. We support the EBA's efforts to enhance the consistency and effectiveness of AML/CFT measures across the EU.
We understand that the draft RTS aim to provide clarity and harmonisation on CDD obligations, including in situations of lower risk. While we appreciate the EBA's objective to establish clear minimum identification requirements, we wish to take this opportunity to highlight specific considerations pertinent to PIS and AIS providers. It is crucial that the final RTS strike an appropriate balance that upholds strong AML/CFT defences while fostering innovation, competition, and the continued development of Open Banking and the EU's digital finance ecosystem, particularly for services that are inherently low-risk. We believe that careful calibration of these standards is necessary to avoid disproportionate impacts on such services and to ensure alignment with the EU's broader strategic objectives for digital payments. Specifically, we propose that PIS and AIS providers are not required to collect the customer's Date of Birth (DOB), Place of Birth (POB), and nationality for customer due diligence purposes, reflecting the inherently low-risk nature of these services.
- CDD/SDD Principles and Distinct Context of PISP/AISP Services
The AMLR explicitly provides for a risk-sensitive application of CDD through SDD measures. Article 33 of the AMLR permits obliged entities to apply SDD where a business relationship or transaction presents a low degree of risk, considering the risk factors outlined in Annexes II and III of the Regulation. This provision allows for more flexible and less burdensome approaches in low-risk scenarios, including potentially reducing the amount of information collected or deferring identity verification under specific conditions.
However, even within the context of lower risk, the EBA's draft RTS under Article 28 of the AMLR, specifically Article 18 of these draft RTS, stipulate certain minimum information that obliged entities must obtain to identify a natural person customer. Despite stating in recitals that “When obliged entities collect information from customers for the purposes of complying with customer due diligence requirements, that information may not always involve the collection of documentation”, these minimum requirements include (i) all names and surnames; (ii) place and full date of birth; and (iii) nationalities. These requirements can however be obtained only via collection of documentation.
While the principle of applying SDD to low-risk services is welcomed, ZNPay believes that PISPs and AISPs constitute a distinct category even among entities potentially eligible for SDD measures. This special consideration is warranted because their operational models and the existing regulatory environment under which they function present unique characteristics that significantly mitigate ML/TF risks and impact the proportionality of applying uniform minimum identification requirements.
Specifically:
- PISP and AISP are inherently low-risk: By design, neither PISPs nor AISPs hold client funds. PISPs merely initiate payment instructions from an already identified and verified bank account to another, while AISPs aggregate account information, again based on explicit consent from an identified and verified account holder. This absence of fund-holding capability fundamentally limits their potential for misuse in ML/TF schemes.
- Reliance on comprehensive ASPSP KYC/CDD: PISP and AISP services operate as an overlay to existing bank accounts. ASPSPs, typically banks, have already performed full CDD, including the verification of identity details like place of birth and nationality, on these account holders in line with their own stringent AML/CFT obligations.
- Operational challenges and disproportionality of specific data collection: The minimum identification data points specified in Article 18 of the draft RTS, particularly 'place of birth' and 'nationality', are not standardly or consistently available to PISP and AISP through the secure, regulated Open Banking APIs used for service provision. Requiring PISP/AISP to independently collect and verify this information, which has already been robustly verified by the ASPSP, introduces operational impracticalities, creates redundancy, imposes disproportionate burdens, and risks undermining the user-friendly and efficient nature of these innovative services, without a commensurate increase in AML/CFT effectiveness.
Therefore, the application of SDD principles, and particularly the interpretation of minimum identification requirements, to PISP and AISP necessitates a nuanced approach that fully acknowledges these specific circumstances.
- The Challenge of Specific Data Requirements for PISP/AISP: Advocating for Reliance on API-Available Information
Mandating PISP and AISP to independently collect and verify 'date and place of birth' and 'nationality' would necessitate a fundamental departure from their current technologically efficient and user-centric operational models. These services are designed to leverage the existing, secure SCA process performed by the customer with their ASPSP. This process provides a high degree of assurance regarding the customer's identity, as it is underpinned by the comprehensive KYC/CDD already conducted by the ASPSP.
If PISP and AISP are required to obtain data points not available via the ASPSP's API, they would be forced to:
- Maintain full-scale onboarding procedures: This would involve interrupting the streamlined user journey to request additional information directly from the customer. Such processes would likely require manual data entry and potentially separate document submission (ID, passport) or verification steps, adding considerable friction.
- Increase user drop-off rates: The introduction of additional, perceived "high-friction" steps in the onboarding or service usage process inevitably leads to higher abandonment rates, particularly for services valued for their speed and convenience. This would disproportionately affect innovative fintech services.
- Undermine the efficiency of SCA-based models: One of the core benefits of Open Banking is the ability for TPPs to rely on the authentication already performed by the customer's bank. Requiring separate data collection by PISP/AISP diminishes this efficiency and introduces complexity that runs counter to the aims of seamless digital experiences.
This operational shift would not only impose significant development and maintenance costs on PISP/AISP, particularly impacting smaller innovators, but would also degrade the user experience, potentially making these valuable services less attractive to consumers and businesses.
- The Case for Sufficiency of API-Accessible, ASPSP-Verified Information
ZNPay advocates for an interpretation of the CDD requirements for PISP and AISP that aligns with the technological realities of Open Banking and the principle of proportionality. Specifically, for low-risk PISP/AISP services interacting with customers whose identities have been fully verified by an ASPSP:
- Identification requirements should be satisfiable through data reliably accessible via standard ASPSP APIs following a successful SCA process. This approach leverages the high level of identity assurance provided by the bank's existing comprehensive KYC/CDD and the secure authentication of the customer.
- Where specific data points listed in draft RTS Article 18 (such as 'place/date of birth' or 'nationality') are not made available by ASPSPs through their standard APIs, PISP and AISP should not be mandated to independently seek, collect, and verify this information from the customer.
This position does not seek to dilute AML/CFT safeguards. Instead, it proposes a smarter, risk-sensitive application of these safeguards by:
- Recognizing the ASPSP as the primary entity responsible for comprehensive KYC/CDD of the account holder.
- Leveraging the security and identity assurance inherent in the SCA process performed with the ASPSP.
- Avoiding duplicative and burdensome data collection exercises that offer minimal additional value and can hinder the adoption of innovative financial services.
- Focusing PISP/AISP compliance efforts on risks pertinent to their specific operations, such as the security of consent mechanisms, data protection, and monitoring for anomalous transaction patterns or unauthorized access attempts.
Adopting this approach would ensure that the RTS are both effective in their AML/CFT objectives and supportive of a dynamic, innovative, and user-friendly digital payments market in the EU, consistent with the Union's broader strategic goals.
The European Union has consistently demonstrated strong strategic support for Open Banking and the digital transformation of its financial sector, a commitment initiated with the foundational Second Payment Services Directive (PSD2) and now set to be further advanced and deepened by the proposed Payment Services Directive 3 (PSD3) and Payment Services Regulation (PSR). These frameworks underscore the EU's recognition that innovative services like those offered by PISPs and AISPs are central to fostering a competitive, innovative financial ecosystem, crucial for economic growth, consumer empowerment, and the Digital Single Market. The EU's broader digital finance and retail payments strategies aim to build an integrated, data-driven landscape, promoting efficient payment methods such as Account-to-Account payments and the broader development of Open Finance. Consequently, it is vital that regulatory approaches, including those pertaining to AML/CFT, are carefully calibrated to be proportionate and risk-sensitive. This will enable PISPs and AISPs to operate effectively and realize the full potential of Open Banking, ensuring that such regulations support, rather than inadvertently hinder, the EU's clearly articulated strategic vision for a more competitive and digitally advanced financial sector.
- Summary
Further to the specific points raised above and with the aim of ensuring proportionality and fostering innovation in Open Banking services, ZNPay proposes the following adjustments or clarifications in the context of the upcoming RTS:
Regarding Article 18 of the draft RTS, which states: "1. In situations of lower risk, obliged entities shall obtain at least the following information to identify the customer and the person purporting to act on behalf of the customer: a. for a natural person, all names and surnames; place and full date of birth and nationalities or, where applicable, statelessness and refugee or subsidiary protection status;"
We propose that specific, less burdensome requirements under SDD be established for AISPs and PISPs. Given that these providers act based on customer consent that has already been strongly authenticated (via Strong Customer Authentication - SCA) by the ASPSPs at the time the account is linked, the risk associated with these services is inherently lower.
Therefore, we propose that Article 18 of the RTS, or any implementing guidelines, explicitly differentiate situations concerning PISP and AISP. For these entities, obtaining the customer's name(s) and surname(s), as confirmed during the SCA process when consent is granted to link the account at the ASPSP, should be sufficient for identifying a natural person under the SDD regime.
This approach would ensure that PISP and AISP are not forced to duplicatively collect and verify details such as date of birth, place of birth, and nationality, which would contradict the principle of proportionality and could unduly hinder the development of these innovative services, crucial for the EU's digital finance ecosystem.
We believe that these adjustments will contribute to the creation of a balanced regulatory framework that effectively combats money laundering and terrorist financing without unnecessarily burdening low-risk services or impeding competition and innovation.
Jakub Koudelka, ZNPay CEO
Johan Schweigl, ZNPay Head of Legal & Compliance