Response to consultation on Guidelines to prevent transfers of funds can be abused for ML and TF
Go back
The EBF believes some provisions are disproportionate and go beyond what is required in the regulation. The EBF also sees the need for some clarifications under this Chapter:
Paragraphs 8 and 9
The terms used correspond neither to the EU Payment Services Directive nor to industry practice. Instead, it should be specified that “PSPs have to determine for each payment whether they act as the PSP of the payer, the PSP of the payee or as an intermediary PSP in order to meet the requirements of the FTR”.
Paragraph 10
To benefit from the derogation in Article 5 of Regulation (EU) 2015/847, PSPs should be able to determine whether a PSP in the chain is based in a third country, outside the EU/EEA. An Annex with EEA and non-EEA countries would be helpful.
Paragraph 11
The establishment of a general limit of EUR 1.000 for payment transactions which fall under the Anti-Money Laundering Directive’s scope (see Article 2 para 5 of Directive 2015/849, 4th AMLD) should be envisaged.
Paragraph 13
Checking related payments has been common practice since the entry into force of the first FTR. However, it is not clear why it seems now necessary to identify such payments over a period of six months. It means that approximately 100 billion yearly transactions would have to be coordinated just in Europe. Also, the EBF would like to stress that it is extremely difficult to identify ‘linked transactions’ as generally transactions are monitored separately. To correctly perform an analysis of the linked transactions (timeframe of 6 months) all money transfers (irrespectively of the transferred sums) would be affected by the FTR. For a bank this would mean that all clients need to be identified (before each transfer and irrespectively of the transferred sum), in order to allow for a conclusive ex-post analysis of possibly linked transactions to take place and the data to be submitted. Such an obligation would be disproportionate and would seem to contradict Art. 2 paragraph 5 of the FTR. We would appreciate clarification of this issue and guidance on how such transfers can be processed correctly. PSPs should continue to check for linked transactions as already required by the first FTR. We propose deleting a concrete time frame as we do not have any indication that the current practice is not effective.
Moreover, Article 2 of the Regulation sets out that the PSPs cannot benefit from exemptions from the Regulation when a payment card, an electronic money instrument or a mobile phone, or any other digital or IT prepaid or postpaid device with similar characteristics is used in order to make a person-to-person transfer of funds. In this respect the EBF would welcome more clarity on what kind of transactions should be considered as “person-to-person” transfers of funds.
Paragraph 14
PSPs should establish and maintain effective policies and procedures to comply with Regulation (EU) 2015/847 that are proportionate to the nature and size of the PSP. We question how to deal with foreign branches? Individually they might not be that big, but if they are a part of a group, they might change. Automated solutions would then no longer be usable.
PSPs should establish and maintain effective policies and procedures to comply with Regulation (EU) 2015/847 that are proportionate to the nature and size of the PSP and commensurate to the ML/TF risk to which the PSP is exposed accordingly.
We fully agree with the effective policies and procedures as a result of the Regulation. However, “proportionate to nature/size” is open for interpretation and does not create a level playing field in which we can counter ML/TF.
• contains all the fields necessary to obtain the information required by Regulation 2015/847. For SEPA and intra-Union transactions, this includes the account number or IBAN of the payer and the payee or a unique transaction identifier;
• automatically prevents the sending or receiving of payments should inadmissible characters or inputs be detected.
Regarding the detection of missing information, the EBF would like to raise the point that meaningless or even obviously" meaningless information is not mentioned in Article 8 of Regulation 2015/847/EU. In addition, we consider that it is difficult to detect such kind of information because it is not technically possible to identify whether the information (letters, numbers, etc.) is meaningless or real – neither automatically nor manually.
Paragraphs 25 and 27
The risk assessment should focus solely on the existence and completeness of information. It is not appropriate to take account of the amount limits, as well as States or payment service providers with high "ML/TF risk". Furthermore, the EBF does not share the interpretation that high-risk transfers of funds should be monitored in real time in particular on the criterion of a certain (high) value. The possibility offered by the Regulation 2015/847/EU to choose between ex-post and real time monitoring should be maintained for transfers of funds that exceed a certain (high) value and where the payer or the payee is based in a country associated with high ML/TF risk. Indeed, the assessment of whether or not the amount of a specific transaction is high depends on the business activity rather than on a general threshold applicable in all circumstances. Having in place such systems would imply triggering a substantial amount of real-time alerts which will be difficult or even impossible to process in real-time. In the end, such a system would be ineffective.
Paragraph 26
The EBF would welcome clear cut definitions of “random” and “targeted” sampling because of the serious impact on checking procedures.
Paragraph 28
“PSPs should put in place effective risk-based procedures to determine whether to execute, reject or suspend a transfer of funds where real-time monitoring reveals that the required information on the payer or the payee is missing or provided using inadmissible characters or inputs.”
The EU regulation speaks of:
1. The payment service provider of the payee shall implement effective risk-based procedures, including procedures based on the risk-sensitive basis referred to in Article 13 of Directive (EU) 2015/849, for determining whether to execute, reject or suspend a transfer of funds lacking the required complete payer and payee information and for taking the appropriate follow-up action. Where the payment service provider of the payee becomes aware, when receiving transfers of funds, that the information referred to in Article 4(1) or (2), Article 5(1) or Article 6 is missing or incomplete or has not been filled in using characters or inputs admissible in accordance with the conventions of the messaging or payment and settlement system as referred to in Article 7(1), the payment service provider of the payee shall reject the transfer or ask for the required information on the payer and the payee before or after crediting the payee's payment account or making the funds available to the payee, on a risk-sensitive basis.
Also article 25 states: “High risk transfers of funds should be monitored in real time”.
And article 16: …“which transfers have to be monitored in real-time, and which can be monitored ex-post, and why;”
The obligation to monitor real-time will have serious impact on the business.
Paragraph 29
“The type of information missing gives rise to concern”. We feel that this is AML related. With the funds transfer regulation banks have to take care that the required information is present and if not they need to know how to act. So all information should be equally important.
“There are other indicators that suggest that the transaction presents a high ML/TF risk or gives rise to suspicion of ML/TF.” AML/TF screening and risk assessment are done by specialised AML (compliance) departments and not by payment departments.
Paragraph 32
When asking for missing information, the PSP should set a reasonable timeframe, within which the sending PSP should answer. The timeframe should be set out in the PSP’s procedures. This should not exceed 3 working days for intra-EEA transfers, and 5 working days for transfers of funds from outside the EEA. The PSP should notify the sending PSP that the transfer has been suspended. We note that this is new. The Regulation (EU) 2015/847 requires a reply within 3 working days. This means that a distinction must be made.
Paragraph 38
The EBF considers that a deadline of three or five working days is too short, as several payment service providers can be involved in the payment chain. This is especially important in the light of increased requirements on intermediate PSPs and the administrative burden connected with requests for information on complex transactions. It should be at least seven days for Intra-Union or more for payment from outside the Union as defined in the CEBS/CEIOPS/CESR Common Understanding of October 2008 (paragraphs 23 and 24).
Paragraph 45
We assume that repeatedly failing to supply information on the transfer and the follow up request for information is meant here. Or is it just repeatedly failing to provide the initial transfer information (without taking into account that the information is always supplied on request)? It is also important to be clear on what is meant by ‘repeatedly’, because different supervisors use various interpretations. EBA should come up with a clear number.
Paragraph 51
Reporting on a monthly basis appears to be excessive as it increases the amount of information on payments that needs to be collected, analyzed and reported. A three-month-period as applied today in many Member States seems sufficient. It should also be clarified that reporting can be done on an aggregated basis and not for each single transaction.
Paragraph 52
Reporting in such as detailed fashion appears excessive. It should not be required to report each period of time for which breaches were identified and the reasons a PSP may have given to justify repeated failures.
Finally, we would like to highlight that, according to the table provided in annex 1, not all the information on the payer listed by the Regulation is required to accompany a transfer of funds. The information laid down in the Regulation 2015/847/EU - the payer's address, official personal document number, customer identification number or date and place of birth - seems to be required unlike under the previous Regulation. We would therefore like to have a confirmation of this interpretation because Regulation 2015/847/EU is not clear on this. Indeed, a different interpretation, which implies that all the information concerning the payer listed by the Regulation has to accompany the transfer, would cause a huge increase in compliance risks and costs."
In cases where the domicile is outside of the EU it is however also required to check the account number of the payee and the correctness of his/her name. This means at least the obligation to cross-check the name (or the payment transaction number) of the payee mentioned in the transfer against the name of the holder of the receiving account.
The provisions regarding the PSP of the payee in the regulation may create confusion regarding the normally redundant obligation for payments within the EU to check if an account number matches the account holder’s name. The confusion is not removed by the wording “always” in the Annex 2 and that “Without prejudice to batch file transfers, in which case the information provided is in respect of that batch file”.
The EBF considers that the wording “without prejudice to the information requirements laid down in Regulation (EU) No 260/2012, where applicable” should not create extra obligations in this respect and in particular does not lead to the obligation to check if an account number matches the account holder’s name. This should be clarified by the ESAs in these guidelines.
In paragraph 61, we read that “PSPs of the payee should follow the guidance in Chapter II.2 and II.3 of these guidelines also in relation to information that is incomplete”. A clarification to which articles this refers to (Chapter II starts with 19) is needed.
Question 1: Do you agree with the general considerations in Chapter 1? In particular, do you agree that these are necessary to ensure an effective, risk-based and proportionate approach to complying with Regulation (EU) 2015/847? If you do not agree, clearly set out your rationale and provide supporting evidence where available. Please also set out what you consider to be the common principles that apply to both, the PSP of the payee and the intermediary PSP, and why.
It is our understanding from this that this indicates that the EEA countries outside of the EU could be treated as Member States for the purposes of the Regulation. Clarification is needed that this is a correct interpretation.The EBF believes some provisions are disproportionate and go beyond what is required in the regulation. The EBF also sees the need for some clarifications under this Chapter:
Paragraphs 8 and 9
The terms used correspond neither to the EU Payment Services Directive nor to industry practice. Instead, it should be specified that “PSPs have to determine for each payment whether they act as the PSP of the payer, the PSP of the payee or as an intermediary PSP in order to meet the requirements of the FTR”.
Paragraph 10
To benefit from the derogation in Article 5 of Regulation (EU) 2015/847, PSPs should be able to determine whether a PSP in the chain is based in a third country, outside the EU/EEA. An Annex with EEA and non-EEA countries would be helpful.
Paragraph 11
The establishment of a general limit of EUR 1.000 for payment transactions which fall under the Anti-Money Laundering Directive’s scope (see Article 2 para 5 of Directive 2015/849, 4th AMLD) should be envisaged.
Paragraph 13
Checking related payments has been common practice since the entry into force of the first FTR. However, it is not clear why it seems now necessary to identify such payments over a period of six months. It means that approximately 100 billion yearly transactions would have to be coordinated just in Europe. Also, the EBF would like to stress that it is extremely difficult to identify ‘linked transactions’ as generally transactions are monitored separately. To correctly perform an analysis of the linked transactions (timeframe of 6 months) all money transfers (irrespectively of the transferred sums) would be affected by the FTR. For a bank this would mean that all clients need to be identified (before each transfer and irrespectively of the transferred sum), in order to allow for a conclusive ex-post analysis of possibly linked transactions to take place and the data to be submitted. Such an obligation would be disproportionate and would seem to contradict Art. 2 paragraph 5 of the FTR. We would appreciate clarification of this issue and guidance on how such transfers can be processed correctly. PSPs should continue to check for linked transactions as already required by the first FTR. We propose deleting a concrete time frame as we do not have any indication that the current practice is not effective.
Moreover, Article 2 of the Regulation sets out that the PSPs cannot benefit from exemptions from the Regulation when a payment card, an electronic money instrument or a mobile phone, or any other digital or IT prepaid or postpaid device with similar characteristics is used in order to make a person-to-person transfer of funds. In this respect the EBF would welcome more clarity on what kind of transactions should be considered as “person-to-person” transfers of funds.
Paragraph 14
PSPs should establish and maintain effective policies and procedures to comply with Regulation (EU) 2015/847 that are proportionate to the nature and size of the PSP. We question how to deal with foreign branches? Individually they might not be that big, but if they are a part of a group, they might change. Automated solutions would then no longer be usable.
PSPs should establish and maintain effective policies and procedures to comply with Regulation (EU) 2015/847 that are proportionate to the nature and size of the PSP and commensurate to the ML/TF risk to which the PSP is exposed accordingly.
We fully agree with the effective policies and procedures as a result of the Regulation. However, “proportionate to nature/size” is open for interpretation and does not create a level playing field in which we can counter ML/TF.
Question 2: Do you agree that the expectations on intermediary PSPs and PSPs of the payee in Chapter II are proportionate and necessary to both comply with Regulation (EU) 2015/847 and ensure a level playing field? In particular, do you agree with: • The steps PSPs should take to detect and manage transfers of funds with missing information of inadmissible characters or inputs? • The steps PSPs should take to detect and manage PSPs that are repeatedly failing to provide the required information? If you do not agree, clearly set out your rationale and provide supporting evidence where available. Please also set out at what you believe PSPs should do instead, and why.
The EBF agrees with the steps that intermediary PSPs and PSPs of the payee should take to detect transfers of funds with inadmissible characters or inputs. The Guidelines set out that these PSPs should ensure that its system:• contains all the fields necessary to obtain the information required by Regulation 2015/847. For SEPA and intra-Union transactions, this includes the account number or IBAN of the payer and the payee or a unique transaction identifier;
• automatically prevents the sending or receiving of payments should inadmissible characters or inputs be detected.
Regarding the detection of missing information, the EBF would like to raise the point that meaningless or even obviously" meaningless information is not mentioned in Article 8 of Regulation 2015/847/EU. In addition, we consider that it is difficult to detect such kind of information because it is not technically possible to identify whether the information (letters, numbers, etc.) is meaningless or real – neither automatically nor manually.
Paragraphs 25 and 27
The risk assessment should focus solely on the existence and completeness of information. It is not appropriate to take account of the amount limits, as well as States or payment service providers with high "ML/TF risk". Furthermore, the EBF does not share the interpretation that high-risk transfers of funds should be monitored in real time in particular on the criterion of a certain (high) value. The possibility offered by the Regulation 2015/847/EU to choose between ex-post and real time monitoring should be maintained for transfers of funds that exceed a certain (high) value and where the payer or the payee is based in a country associated with high ML/TF risk. Indeed, the assessment of whether or not the amount of a specific transaction is high depends on the business activity rather than on a general threshold applicable in all circumstances. Having in place such systems would imply triggering a substantial amount of real-time alerts which will be difficult or even impossible to process in real-time. In the end, such a system would be ineffective.
Paragraph 26
The EBF would welcome clear cut definitions of “random” and “targeted” sampling because of the serious impact on checking procedures.
Paragraph 28
“PSPs should put in place effective risk-based procedures to determine whether to execute, reject or suspend a transfer of funds where real-time monitoring reveals that the required information on the payer or the payee is missing or provided using inadmissible characters or inputs.”
The EU regulation speaks of:
1. The payment service provider of the payee shall implement effective risk-based procedures, including procedures based on the risk-sensitive basis referred to in Article 13 of Directive (EU) 2015/849, for determining whether to execute, reject or suspend a transfer of funds lacking the required complete payer and payee information and for taking the appropriate follow-up action. Where the payment service provider of the payee becomes aware, when receiving transfers of funds, that the information referred to in Article 4(1) or (2), Article 5(1) or Article 6 is missing or incomplete or has not been filled in using characters or inputs admissible in accordance with the conventions of the messaging or payment and settlement system as referred to in Article 7(1), the payment service provider of the payee shall reject the transfer or ask for the required information on the payer and the payee before or after crediting the payee's payment account or making the funds available to the payee, on a risk-sensitive basis.
Also article 25 states: “High risk transfers of funds should be monitored in real time”.
And article 16: …“which transfers have to be monitored in real-time, and which can be monitored ex-post, and why;”
The obligation to monitor real-time will have serious impact on the business.
Paragraph 29
“The type of information missing gives rise to concern”. We feel that this is AML related. With the funds transfer regulation banks have to take care that the required information is present and if not they need to know how to act. So all information should be equally important.
“There are other indicators that suggest that the transaction presents a high ML/TF risk or gives rise to suspicion of ML/TF.” AML/TF screening and risk assessment are done by specialised AML (compliance) departments and not by payment departments.
Paragraph 32
When asking for missing information, the PSP should set a reasonable timeframe, within which the sending PSP should answer. The timeframe should be set out in the PSP’s procedures. This should not exceed 3 working days for intra-EEA transfers, and 5 working days for transfers of funds from outside the EEA. The PSP should notify the sending PSP that the transfer has been suspended. We note that this is new. The Regulation (EU) 2015/847 requires a reply within 3 working days. This means that a distinction must be made.
Paragraph 38
The EBF considers that a deadline of three or five working days is too short, as several payment service providers can be involved in the payment chain. This is especially important in the light of increased requirements on intermediate PSPs and the administrative burden connected with requests for information on complex transactions. It should be at least seven days for Intra-Union or more for payment from outside the Union as defined in the CEBS/CEIOPS/CESR Common Understanding of October 2008 (paragraphs 23 and 24).
Paragraph 45
We assume that repeatedly failing to supply information on the transfer and the follow up request for information is meant here. Or is it just repeatedly failing to provide the initial transfer information (without taking into account that the information is always supplied on request)? It is also important to be clear on what is meant by ‘repeatedly’, because different supervisors use various interpretations. EBA should come up with a clear number.
Paragraph 51
Reporting on a monthly basis appears to be excessive as it increases the amount of information on payments that needs to be collected, analyzed and reported. A three-month-period as applied today in many Member States seems sufficient. It should also be clarified that reporting can be done on an aggregated basis and not for each single transaction.
Paragraph 52
Reporting in such as detailed fashion appears excessive. It should not be required to report each period of time for which breaches were identified and the reasons a PSP may have given to justify repeated failures.
Finally, we would like to highlight that, according to the table provided in annex 1, not all the information on the payer listed by the Regulation is required to accompany a transfer of funds. The information laid down in the Regulation 2015/847/EU - the payer's address, official personal document number, customer identification number or date and place of birth - seems to be required unlike under the previous Regulation. We would therefore like to have a confirmation of this interpretation because Regulation 2015/847/EU is not clear on this. Indeed, a different interpretation, which implies that all the information concerning the payer listed by the Regulation has to accompany the transfer, would cause a huge increase in compliance risks and costs."
Question 3: Do you agree with the provisions for intermediary PSPs in Chapter III? If you do not agree, clearly set out your rationale and provide supporting evidence where available. Please also set out how you think intermediary PSPs can meet their obligations in Article 10 of Regulation (EU) 2015/847 instead.
The EBF agrees with the provisions for intermediary PSPs except with the one related to the need to ensure that all information on the payer and the payee that accompanies a transfer of funds is retained with that transfer (point 59). It cannot be guaranteed that messages are not truncated by the systems used today when they convert information of ISO 20022 messages into SWIFT FIN messages. It is not possible to ensure this requirement today.Question 4: Do you agree with the provisions for PSPs of the payee in Chapter IV? If you do not agree, clearly set out your rationale and provide supporting evidence where available. Please also set out how you think PSPs of the payee can meet their obligations instead.
In cases of payments over 1000 EUR where the PSP of the payer is domiciled in the EU the verification of an Identification number is deemed sufficient by national supervisors in accordance with Article 7 paragraph 2 a) in combination with Article 5.In cases where the domicile is outside of the EU it is however also required to check the account number of the payee and the correctness of his/her name. This means at least the obligation to cross-check the name (or the payment transaction number) of the payee mentioned in the transfer against the name of the holder of the receiving account.
The provisions regarding the PSP of the payee in the regulation may create confusion regarding the normally redundant obligation for payments within the EU to check if an account number matches the account holder’s name. The confusion is not removed by the wording “always” in the Annex 2 and that “Without prejudice to batch file transfers, in which case the information provided is in respect of that batch file”.
The EBF considers that the wording “without prejudice to the information requirements laid down in Regulation (EU) No 260/2012, where applicable” should not create extra obligations in this respect and in particular does not lead to the obligation to check if an account number matches the account holder’s name. This should be clarified by the ESAs in these guidelines.
In paragraph 61, we read that “PSPs of the payee should follow the guidance in Chapter II.2 and II.3 of these guidelines also in relation to information that is incomplete”. A clarification to which articles this refers to (Chapter II starts with 19) is needed.