The Italian Banking Association (ABI) appreciates the opportunity offered by the European Supervisory Authorities (ESAs) to participate in the consultation on the draft guidelines for adoption of Regulation EU 847/2015.
Generally, and with the exception of a number of detailed comments in response to the 4 questions asked by the Authorities (referring to Title II of the guidelines), ABI agrees with the indications contained in the draft guidelines.
However, ABI had hoped that these guidelines would provide greater clarifications on application of the Regulation to transfer of funds via direct debit. The scope of Regulation EU 847/2015 does, in fact, also include direct debits, but this has not been sufficiently taken into account in the Regulation wording. The definitions of “Receiving PSP” and “Sending PSP” which are introduced in the draft guidelines – probably with the intention of resolving these doubts – are not, in our opinion, sufficient to clarify the obligations which the Regulation places on PSPs, (either in the role of Payee's PSP which sends the direct debit transaction or in the role of Payer's PSP which receives the direct debit transaction).
In particular, from ABI point of view, it is important to analyze the different interpretations of the obligations of the PSPs (Payer’s and Payee’s PSPs) for SDD transactions.
In order to address the problem, ABI believes that it is necessary to support a process of amendment of the relevant Articles in Regulation 847/2015 to ensure that the specificities of direct debit as a payment instrument are reflected in the revised Articles of the Regulation. For this reason the different possible readings of the current text are listed and, for each of them, the doubts that should be resolved are highlighted.
1) First reading:
• the Payer’s PSP is the PSP originating (or sending) the transfer of funds and where the payment transaction is initiated by or through the payee, is the PSP of the payee;
• the Payee’s PSP is the PSP receiving the transfer of funds and where the payment transaction is initiated by or through the payee, is the PSP of the payer.
The definition of the Payer and Payee is the one indicated in the Regulation:
• Payer means a person that hold a payment account and allows a transfer of funds from that payment account or where there is no payment account, that gives a transfer of funds order;
• Payee means a person that is the intended recipient of the transfer of funds.
This scenario is the one that seems more in line with the objective of the AML Directive.
In this context, the Payer's PSP (Creditor bank of a direct Debit) shall ensure that transfers of funds are accompanied by the information of the Payer (Debtor) and of the Payee (Creditor - its customer) under art. 4. With regard to the Payer’s (Debtor’s) information the Payer’s PSP (Creditor’s PSP) is able to transmit in the direct debit collection the information received by the Payee/Creditor as indicated by the Payer/Debtor in the direct debit mandate.
1. Does the mandate provide all the necessary information that the Payer’s PSP has to transmit for both intra and extra UE transfer of funds? It should be noted that for extra UE transaction exceeding EUR 1000 the address or the official personal document number or customer identification number or date and place of birth has to be sent.
2. How should the Payer’s PSP/Creditor’s PSP in the context of an SDD transaction verify, before transferring the funds, the accuracy of the information referred to in Article 4(1) on the basis of documents, data or information obtained - from a reliable and independent source? What if e.g. the address of the debtor stated (in the mandate) in the DS-04 interbank collection dataset does not match with the verified information contained in the debtor PSP’s customer database?
3. How to comply as Payer’s PSP/Creditor’s PSP with Article 4 (6) of the Regulation requiring that the payer’s PSP shall not execute any transfer of funds before ensuring full compliance with Article 4?
4. How to comply as Payee’s PSP/Debtor’s PSP with Article 7 (3)? How should the Payee’s PSP in the context of an SDD transaction exceeding EUR 1000, verify the accuracy of the information on the payee before crediting the payee's payment account or making the funds available to the payee? In this scenario, the Payee’s PSP is the Debtor’s PSP so it debits the account of the debtor (it doesn’t credits the payee) and it is unable to check the information of the Payer/Creditor since he is not its customer.
2) Second reading:
• the Payer’s PSP is the PSP originating (or sending) the transfer of funds;
• the Payee’s PSP is the PSP receiving the transfer of funds.
• Payer means a person that hold a payment account and allows a transfer of funds from that payment account or where there is no payment account, that gives a transfer of funds order;
• Payee means a person that is the intended recipient of the transfer of funds. This scenario is the one that seems more in line with the objective of the AML Directive.
Where the payment transaction is initiated by or through the payee (direct debit context):
• The obligations of the Payer’s PSP under Regulation have to be referred to the Creditor PSP
• The obligations of the Payee’s PSP under Regulation have to be referred to the Debtor PSP
• The Payer is the Creditor (so the customer of the Payer’s PSP)
• The Payee is the Debtor (so the customer of the Payee’s PSP)
In this context, the Payer's PSP shall ensure that transfers of funds are accompanied by the information of the Payer and of the Payee either in case of credit transfer transaction or in case of a direct debit one.
Both PSPs (Payer’s and Payee’s PSPs) are also able to verify the accuracy of the information as requested in Article 4(3) and in Article 7(3).
1. Is this interpretation acceptable and in line with the objective of the AML Directive?
2. How to comply with the provision of the Article 7(3) referred to action of “crediting the payee's payment account or making the funds available to the payee” if in the direct debit context, the Payee’s PSP is the Debtor PSP who has to debit its customer?
In addition, it is noted that, according to Art. 25 of Regulation 847/2015, the guidelines should be issued by 26 June 2017. Considering that the competent national supervisory Authorities, according to Art. 16(3) of EU Directive no. 1093/2010, should comply with the Guidelines by incorporating them into their supervisory practices as appropriate and have two months from the above mentioned date of issuance to notify the AEV whether or not they intend to comply with the guidelines, ABI considers that a period of at least 6 months, after the Regulation enters into force (26 June 2017), is necessary to allow the PSPs to carry out all the necessary implementations, in a regulatory context which still leaves the uncertainties mentioned, as said, with regard to direct debits.
Several general comments unrelated to Title II follow:
• ‘Meaningless information’ - there are clear operational difficulties in identifying ‘Meaningless information’ if it is not clearly defined, since it is necessary to assess addresses in non-standard format, rather than numerical values referring to other fields, particularly in cases where the information is channelled through non-structured formats. Equally critical is the analysis of foreign names of Asian or Arab origin, for example;
• ‘person-to-person transfer of funds’ - with respect to Reg. 1781/2006, Art. 3 of the Regulation introduces into paragraph 12, the definition of ‘person-to-person transfer of funds’, meaning transactions between natural persons, acting as consumers, for purposes other than trade, business or profession. It is requested here that the criteria be specified through which to distinguish P2P transactions carried out for purposes other than business activity from those carried out, also as natural persons, as part of their business/profession. It would also be useful to understand how top-up transactions on prepaid cards are to be considered.
• there is a possible misprint in the heading of columns no. 7 to no. 11, since a regulatory reference to Articles 4, 5 and 6 is made, whereas the reference should be to Art. 7 for table 2 and to Art. 11 for table 3.
Q1: Do you agree with the general considerations in Chapter 1? In particular, do you agree that these are necessary to ensure an effective, risk-based and proportionate approach to complying with Regulation (EU) 2015/847?
ABI agrees with the general considerations in Chapter 1. However, despite the declared scope of the guidelines being “to assist PSPs in determining which transfers of funds are within the scope of the Regulation”, there are no indications in the document on several critical aspects, on which greater clarity is requested:
• Benefiting from exemptions from Regulation (EU) 2015/847 – Point 11
It is noted that point 11 clarifies the need for PSPs to comply with Regulation 847/2015 for all transactions involving electronic transfers of funds and irrespective of the messaging and payment and settlement systems used. Clarification of whether or not virtual currency transactions are also included in the scope of the Regulation is requested.
• Linked transaction - Point 13
Point 13 defines “linked transactions” as transactions being sent from the same payment account or by the same payer to the same payee, within a short time-frame, for example within six months. This clarification is not considered sufficient to allow the correct identification of linked transactions". Furthermore, the reference period proposed, namely 6 months, although only an example, is considered too long. Reference could be made, to quantify the concept of “short time-frame”, to the one (7 days) used, for example in Italian national regulations with reference to split transactions, which, due to their characteristics, would appear to be identifiable as linked transactions as defined by point 13 of the document in question.
Italian regulations, in fact, define a split transaction as “a single transaction from an economic viewpoint, of an equal or higher value to the limits established by the national anti-money laundering regulation, carried out through several transactions, lower than said limits if taken individually, carried out at different times and within a limited time-frame of seven days, when the elements necessary to consider it as a split are present”.
On the one hand, it is considered untimely to carry out checks on transactions performed up to six months beforehand (with possible launching of processes to recover missing or non-conforming data) and, on the other, the structured check on this time-frame makes any exemptions for transactions under EUR 1000 inapplicable.
Furthermore, an interpretation of the definition of linked transactions would seem to imply that these also include direct debits, precisely due to their recurrent nature based on an authorized mandate between the Payee and the Payer. In this regard, the request above for clarification of the role of the Payer's PSP and the Payee's PSP in direct debit transactions, is relevant in this point as well.
• Policies and procedures - Point 16
Concerning the policies and procedures which PSPs must adopt, described in point 16, it is suggested that the determination of the criteria used for inclusion of the individual payment services should not be delegated to the individual PSP; conversely a detailed list of guidelines should be provided. The opportunity of having a common list guarantees greater uniformity and harmonisation of the activities which the PSPs must adopt at European level.
Concerning the definition of transfer of funds which must be monitored in real-time, it is suggested that the notion of real-time monitoring should be broadened, distinguishing between monitoring of completeness of the messaging fields and data conformity and reliability. Monitoring of completeness of compilation of the fields is, in fact, already implicit in the procedures themselves, whereas real-time monitoring of reliability would have a heavy impact on IT (due to the extraction rules of individual types of transactions) and processes (due to the urgency of processing preliminary inquiries).
The aforementioned clarifications in terms of SDD are also requested with regard to this point. Until the role of the two PSPs involved in the SDD is clear, it is difficult to apply the correct monitoring for a direct debit transaction."
Generally speaking, the guidelines appear, in chapter II, to place an excessive burden specifically on the Intermediary PSP, particularly when the Intermediary PSP and the Payee's PSP are established in the same jurisdiction. Indeed, the framework provided by the draft of the guidelines may cause a huge increase of requests due to missing information, regarding the same transfer of funds, which would be requested by both the intermediary PSPs and PSPs of the payee. This is the reason why ABI suggests that the guidelines embrace the solution adopted by the Basel Committee on Banking Supervision in 2009 which entails that the intermediary PSPs should be subject to the new obligations only when the PSPs payer/payee are established in different jurisdictions. Therefore, according to the solution adopted by the Basel Committee on Banking Supervision, in the case of a transaction involving several intermediary PSPs established in the same jurisdiction, the new obligations should be applied only to the first one involved in the transaction.
• Detection of inadmissible characters or inputs (Article 7(1) and Article 11(1) of Regulation (EU) 2015/847)
This point requires PSPs to monitor the transfers of funds in real-time to detect whether the data indicated is admissible, while point 24 requires PSPs to use procedures which include ex-post and real-time monitoring of the presence of missing information. Attention is focused here, in the first place, on the fact that “admissible” or “inadmissible” characters are defined by payment schemes, so it is unclear what type of monitoring the individual PSP is being asked to perform. Perhaps point 19 is intended to allow the PSP to monitor the significance of the text fields (particularly of the Payee), but, in this case, it is necessary to identify a set of easily implementable standard checks (e.g. including the use of black words, syntax controls, etc.).
In conclusion, it is noted that the distinction made in the guidelines between these two aspects is not present in Regulation 847/2015, which deals with completeness and reliability of the information in the message in a single article (art. 7). Generally speaking, it is requested that the guidelines stick as closely as possible to the Regulation and not include distinctions which could cause further confusion. Furthermore, in support of the above, it is emphasised that PSPs, depending on their volume of transactions processed daily and on their own internal organisation, must be able to choose the most efficient monitoring method (real-time or ex-post).
A clearer specification is requested on whether the first bullet point of point 20 is extending the scope of the Regulation to also include SEPA transactions. This aspect is relevant to sending of the minimum information required by Articles 5 and 6. It would appear from reading the Regulation that, for example, Art. 6 covers transactions between Italy and the Republic of San Marino (since this is a transfer of funds between an EU country and a non-EU country). However, it emerges from reading point 20 of the guidelines that the above said transaction is actually covered by Art. 5 of the Regulation. A full clarification of this aspect is crucial to allowing PSPs to respect correctly the requirements of the Regulation. The second and third bullet points, which state: “Automatically prevents the sending or receiving of payments should inadmissible characters or inputs be detected” and “Flags rejected payments for manual review and processing”, lead to the assumption that PSPs must automatically be able to prevent sending or receiving payments with inadmissible characters or inputs, with rejection of the transaction and subsequent manual analysis. Art. 8 of the Regulation, on the other hand, allows PSPs either to refuse the transaction (in line with the guidelines) or to request information before or after the payment transaction has taken place. It is requested that the guidelines contemplate all the possibilities offered by the Regulation.
• Detection of missing information on the payer or the payee (Article 7(2) and Article 11(2) of Regulation (EU) 2015/847)
Point 25 would appear to introduce the activities which PSPs must perform for real-time monitoring (either through real-time monitoring itself or through entry of alerts warning the PSP that may trigger real-time monitoring).
ABI suggests, in line with the opinion of EBF, that requirements on real-time monitoring should not lead to effects in contrast with proper functioning of the payments market and should not affect the certain execution times envisaged by other directives (see PSD2 art. 88). Furthermore, ABI does not share the interpretation that high-risk transfers of funds should be monitored in real time in particular on the basis of a criterion of a certain (high) value. The possibility offered by the Regulation 847/2015 to choose between ex-post and real time monitoring should be maintained for transfers of funds that exceed a certain (high) value. Indeed, the assessment of whether or not the amount of a specific transaction is high depends on the business activity rather than on a general threshold applicable in all circumstances. Having in place such systems would imply triggering an important amount of real-time alerts where processing in real-time will be impossible. In the end, such a system would be ineffective.
• Action to be taken to manage transfers of funds with missing information on the payer or the payee, or inadmissible characters or inputs
Point 28 and subsequent points
The points in question refer to the procedures which PSPs must adopt to determine whether to execute, reject or suspend the payments if the real-time monitoring reveals inadequacies and to what PSPs must do in the various cases (e.g. reject the transaction, suspend it, etc.). It is suggested here that a payment should not be rejected or suspended if the minimum requirements provided for the schemes for the transaction are satisfied.
Furthermore, it is noted that the communication standard to use to request and receive the missing information is not indicated.
It is proposed that the words “will be subject” in point 39) should be replaced with “could be subject”, since the obligations envisaged in this case only apply when a specific quantity of “failed” transfers is reached, and that point 37) should be changed, since it does not consider that fund transfers are processed via automatic IT procedures. Monitoring could be procedural only or performed in a targeted and ex-post manner.
• PSPs that are repeatedly failing to provide the required information and steps to be taken (Articles 8.2 and 12.2)
The point indicates examples of quantitative criteria to determine whether a PSP is repeatedly failing. In consideration of the number of transactions processed daily by PSPs, it is requested that, as an alternative to the criterion: “the percentage of transfers with missing information sent by a specific PSP within a certain timeframe”, the possibility of considering the percentage of transfers with a specific amount of missing information” be inserted. Point 49, on the other hand, cites the qualitative criteria to determine whether a PSP is repeatedly failing. It would be useful here to add a further parameter to clarify which information ESAs consider most significant.
This point fixes the limit of one month (or less where envisaged by national regulations) for notifying the Authorities of a repeatedly failing PSP. It is believed that definition of the time within which to make this notification should be based solely on national regulations, in order to bring it into line with those envisaged for other similar notifications to the same competent Authority."
In principle, ABI agrees with the indications provided by the guidelines on additional obligations of the intermediary PSP.
However, the provisions increase the complexity of the intermediary PSP's role; the implementation and execution of the provisions set out by the Regulation are particularly onerous. Specifically, reference is made to points 59 and 60, which respectively require: i) PSPs should satisfy themselves of their system’s ability to convert information into a different format without error or omission; ii) PSPs should only use payment or messaging systems that permit the onward transfer of all information on the payer or the payee, irrespective of whether this information is required by Regulation (EU) 2015/847.
Satisfying these requirements is particularly onerous and it is not considered adequate to extend the obligations of the Regulation also to further information which the Regulation itself does not contemplate.
Generally speaking, ABI agrees with the provisions of chapter 4 of the Guidelines, but they are not considered to be comprehensive as far as direct debits are concerned, due to the doubts already raised here above.
• Verification of information on the payee – point 62
The indications under point 62 do not take into due consideration the effects they could have if applied to direct debit transactions. More specifically, it is noted that “recurrent” direct debit transactions could be considered as linked transactions per se and point 62 therefore places an excessive burden on the PSP, which would have to perform the monitoring for each recurrent direct debit transaction. This point should be revised to adapt it to the context of direct debit transactions.
More generally speaking, it is emphasised (as said under point 13) that there are no clear indications on the principles for determining the concept of linked transactions for an amount under EUR 1000. This could lead to widely varying behaviour in the market, to the detriment of efficiency. It is suggested that more explicit and objective criteria be defined, within a more limited time-frame.