BBA and Payments UK (joint response, submitted in duplicate by Payments UK)
1. We are grateful for the opportunity to respond to the ESA consultation on draft guidelines to competent authorities and payment service providers (PSPs) on the measures that PSPs should take to comply with Regulation 2015/847 on information accompanying transfer of funds (the Regulation).
2. We strongly support the aim of the Regulation to bring EU legislation in line with international standards to prevent terrorist financing and money laundering in electronic fund transfers (FATF Recommendation 16 in particular), and the ESA’s aim to use guidance to promote a common understanding and consistent application of the Regulation. However, we consider that some of the language used in the draft guidelines unduly constrains PSPs’ ability to apply a risk-based approach in determining when to apply burdensome procedures such as real-time monitoring, and we suggest that this language should be redefined to avoid disproportionate effort for PSPs and significant adverse impact on customers. In contrast, the draft guidance on handling PSPs that repeatedly fail to provide information is highly reliant on qualitative criteria and we consider more defined guidance is required to avoid inconsistency in implementation. We also consider that both competent authorities and PSPs should be allowed 12 months after the Regulation applies to implement required changes.
3. We recognise that the draft guidelines should provide further detail than the Regulation on requirements that PSPs put in place effective procedures to detect potentially suspect transfers of funds that lack required information and risk-based procedures to determine how potentially suspect transfers should be handled. However, we consider that the draft guidelines currently go beyond the aims of the Regulation in mandating burdensome procedures as a matter of routine, such as extensive requirements for real-time monitoring and verification of payee information with an overly broad definition of linked transaction. We consider that such procedures are complex to implement without disproportionate and disruptive manual review and, in line with the risk-based approach, should only be required in cases of specific concern identified through ex post monitoring. Requiring such procedures on the basis of overly broad criteria, such as high value, will potentially result in adverse impacts on the efficient functioning of the market and significant disruption for customers. There could also be impacts on client relationships and claims where transactions are unnecessarily filtered or delayed where there are no specific identified risks.
4. Publication of the draft guidelines on 5th April 2017 for consultation until 5th June does not allow sufficient time for PSPs to implement required measures and be in compliance with the Regulation when it applies from 26th June 2017. Earlier consultations in October 2016 had identified concerns of potentially significant impact, as well as additional impacts on PSPs from the contemporaneous implementation of the Second Payments Services Directive and the 4th Money Laundering Directive. Given that the guidelines will not be finalised until after the consultation closes on 5th June, and that PSPs will be required to make significant changes to both their internal policies and systems, during the same period as changes required under related EU legislation, we consider that there should be an extended implementation period of at least 12 months after the Regulation applies to allow both competent authorities and PSPs to comply (i.e. until 26th June 2018).
5. In order to minimise unnecessary impact on the market and customers we also consider that the ESA should communicate as a matter of urgency whether there will be some additional implementation period, ideally by the end of the week of the close of the consultation period (i.e. 9th June). We consider that if there is no communication there is a real risk that some affected firms will rush development of processes and policy change to meet the implications of language used in the draft guidance, with early impacts on payment processing and consistency of implementation. There is also a risk that inconsistent implementation may result in early and unnecessary notifications to competent authorities.
6. We expand upon these general comments below by responding to the specific questions raised in the consultation document. If it would help achieve the aims of the Regulation we would be happy to host industry roundtable discussions with you to share proposed wording for the finalised guidance and support further definition of implementation systems and procedures before the Regulation applies.
- Question 1: Do you agree with the general considerations in Chapter 1? In particular, do you agree that these are necessary to ensure an effective, risk-based and proportionate approach to complying with Regulation (EU) 2015/847? If you do not agree, clearly set out your rationale and provide supporting evidence where available. Please also set out what you consider to be the common principles that apply to both, the PSP of the payee and the intermediary PSP, and why.
7. The proposal to require PSPs to identify linked transactions for exemptions for lower value transfers (EUR 1000 and below) and for ex post monitoring would be highly complex. Based on current bank systems the proposal could require the identification and retention of billions of transactions and is likely to be impracticable to implement, if based on the proposed definition of linked transactions (transactions from the same payments account or containing the same payee and payer information, sent within a six-month period). We therefore suggest that the definition of linked transactions is redefined to avoid specifying a time period.
8. The proposal to require real-time monitoring appears to go beyond the aims of the Regulation, which states that PSPs should conduct ex post payment monitoring OR real time screening. We consider that it is for PSPs to choose what type of monitoring they undertake, while retaining a clear record of the reasons for the type of monitoring selected and how this mitigates the AML/CTF risk identified.
9. The proposal to require real-time monitoring for all transfers where the payer or payee are based in a country associated with high ML/TF risk would significantly extend the scope of current sanctions and CTF screening and be highly burdensome in terms of additional manual review, particularly for global banks. The proposal to require real-time monitoring for all unusually large transfers would also be highly burdensome and difficult to implement consistently across the wide variation of payment values and PSPs. We understand that it is not envisaged that PSPs will be required to engage routinely in large volumes of real time monitoring, yet the draft guidelines can be read to imply the opposite by stating that “High risk transfers of funds should be monitored in real time”. As currently drafted these proposals would have a significant adverse impact on straight through processing (STP) that could potentially result in adverse impacts on the efficient functioning of the market and significant disruption for customers.
10. We consider that such complex and burdensome procedures should only be required in cases of specific concern, in line with the risk-based approach. We therefore suggest that the proposal for real time monitoring is limited to cases of specific concern identified through ex post monitoring.
11. The proposal to require PSPs to implement procedures to detect missing or meaningless information would be challenging to implement without disproportionate effort given current systems and screening technology. There is also a risk of additional complications for PSPs outside of the EU/EEA but who are members of EU/EEA clearing systems like SEPA (for example, transactions to and from Switzerland will require full payer information and payee and name, while SEPA rules do not mandate this information).
12. The draft guidelines introduce the concept of ‘meaningless’ information (a concept which is not present in the regulation) defined as “information that makes no obvious sense”. However, it is a significant technological challenge to have in place (automated, real-time) procedures that can identify such ‘meaningless’ information. The current messaging protocols used by payments systems are based on international standards. These systems define the ‘syntax’ of these messages but are not designed to interpret the content. What is meaningless to one party might be meaningful to another, for example, messages in a different language, using an acronym recognisable to one party but not another, etc.
13. It may be possible to prevent the submission of missing information through the implementation of structured SWIFT message field formats, and to trigger NAK / Not Acknowledged messages where not compliant to trigger manual review. However, this might not identify meaningless information, and some banks may be technically unable to host structured SWIFT message fields. Current screening technology can identify multilingual name variants and abbreviations but in many cases further context and manual review is required to identify “obviously incomplete”. We therefore suggest that the definition for meaningless information be removed, or, if this is not possible, that the proposal for real-time monitoring to detect missing and meaningless information be reconsidered given technical limitations, and limited to the detection of missing information only.
14. It may be possible to identify further missing information through manual review of a risk-based sample, but this would need to be ex-post monitoring in order to avoid disproportionate effort and significant adverse impact on STP. To avoid inconsistent implementation there would also need to be detailed guidance on the appropriate sampling criteria (e.g. above a specific value threshold, where payer or payee are based in countries identified by FATF as having strategic AML/CFT deficiencies). We therefore suggest that the proposal for ex-post monitoring to detect missing information be limited to a risk-based sampling basis, with the finalised guidance providing more detailed guidance on the appropriate sampling criteria.
15. The proposal to require receiving PSPs to keep a record of all transactions with missing information is insufficiently defined and does not specify any time limit for data retention. Retained transaction data may include personal data falling under other regulatory requirements for retention and deletion (e.g. the General Data Protection Regulation). We suggest that the revised guidance clarify the duration of record retention of transactions with missing information, to support compliance with data protection and avoidance of burdensome requirements.
16. The proposal to require receiving PSPs to identify sending PSPs that repeatedly fail to provide required information is highly reliant on qualitative criteria, and we consider that this is overly permissive in relation to high AML/CFT risk and likely to lead to inconsistent implementation. We therefore suggest that the finalised guidance include more detailed guidance on the appropriate criteria for identifying ‘repeatedly failing’ sending PSPs, including a requirement to tighten the criteria where failings are associated with a high AML/CFT risk.
17. The proposal for requiring receiving PSPs to restrict or terminate business relationships with ‘repeatedly failing’ sending PSPs after two warnings and consideration of alternative mitigations is also insufficiently defined, and is likely to lead to inconsistent implementation and risk conflicting with AML prohibitions against tipping off. We consider that prescriptive quantitative thresholds alone should not be used to define ‘repeatedly failing’ sending PSPs and would welcome further definition on how qualitative criteria should be used to contextualise quantitative criteria, in line with an effective risk-based approach. Given the aims of the Regulation and the risk-based approach we consider that options for alternative mitigations to termination should include enhanced monitoring, whether more frequent ex post or real time monitoring as well as restrictions on the business relationship. We also consider that the identification of a ‘repeatedly failing’ sending PSP should lead the receiving PSP to reconsider the ML/TF risk associated with the sending PSP. We therefore suggest that the finalised guidance should include more detailed guidance on the definition of a ‘repeatedly failing’ PSP, the required format and protocol for warnings, consistency with tipping off prohibitions, interaction with ML/TF risk assessment, restrictions and other alternative mitigations to terminations of business relationships.
18. The definition of real-time monitoring requires intermediary PSPs to perform the monitoring “before the funds are made available to the payee by the PSP who receives the funds”. We consider that this definition of real-time and the implied timelines for PSPs to act (specifically where the payee does not have a payment account with the PSP) are not realistic. In most cases “PSP1” (as an intermediary) is not aware of when “PSP2” will credit the funds to the payee and is therefore unaware of the time available for monitoring. We therefore suggest that the finalised guidance be amended to emphasise that the Payer Bank is responsible for providing required information and is ultimately the bank that is to be monitored for payment content and RFI response, as opposed to the Intermediary Bank.
19. The proposal at guideline 60 that PSPs only use systems that retain all information regardless of whether this is required by the Regulation may also be problematic. The Regulations allow domestic payments created from batch files to identify Payer/Payee by account/ID and name only, but would prevent a clearing participant from utilising a domestic low-level clearing system if additional party information was included that is not supported by that clearing infrastructure. We consider that this guideline is unduly restrictive and does not reflect the principle as set out in the FATF recommendations (see footnote below). We therefore suggest that the finalised guidance be amended to confirm that conversion of cross-border payments to domestic systems is permitted where the information provided might be truncated, so long as there are appropriate mitigating procedures in place.
FATF INR.16, para.15 and 16: “Where technical limitations prevent the required originator or beneficiary information accompanying a cross-border wire transfer from remaining with a related domestic wire transfer, a record should be kept, for at least five years, by the receiving intermediary financial institution of all the information received from the ordering financial institution or another intermediary financial institution. The information should be made available by the ordering financial institution within three business days of receiving the request either from the beneficiary financial institution or from appropriate competent authorities”.
20. The proposal to require verification of payee information for transfers of funds above EUR 1000 would be challenging to implement given current SWIFT systems. Currently if an IBAN was referenced within field 59 of a SWIFT payment then the respective account would be credited without a Payee Bank knowing if the name on the payment was correct. In order to implement this proposal as defined, payees would have to screen all payments above EUR 1000 in real time in order to verify the accuracy of payee information, which is disproportionate and would have a significant adverse impact on STP. We therefore suggest that the proposal for verification of payee information for higher value transfers is further targeted to provide a more proportionate and workable scope (e.g. only where the payee information has not already been verified through customer due diligence procedures).