Response to consultation on Guidelines to prevent transfers of funds can be abused for ML and TF
Go back
In particular, the last part of article 2 of the Regulation sets out that the PSPs cannot benefit from exemptions from Regulation when a payment card, an electronic money instrument or a mobile phone, or any other digital or IT prepaid or postpaid device with similar characteristics, is used in order to effect a person-to-person transfer of funds. Regarding the latter point, we wonder what kind of transactions should be considered as “person-to-person” transfer of funds and how PSPs should consider charging prepaid cards.
Further to the clarification made by the ESAs during the Public Hearing that took place in London on 19 may 2017, the EACB considers that SDD fall within the scope of Regulation 2015/847/EU. According to article 3.3 and 3.4 of the Regulation, the “payer” and the “payee’’ are defined in the following way:
• Payer holds a payment account and allows a payment order from that payment account;
• Payee is the intended recipient of funds which have been the subject of the payment transaction.
The EACB considers that these definitions applied to Direct Debits result in:
• The payer being the account holder who allows a transfer of funds (or debtor);
• The payee being the intended recipient who receives funds (or creditor).
A direct debit transaction is initiated by the beneficiary but the beneficiary cannot be considered under Regulation 2015/847/EU as being the payer in the sense of this text. The beneficiary initiates the transaction but only on the basis of a preliminary consent and a mandate of the payer. It is indeed the payer (or debtor) who allows" initially the transfer of funds from the account who must be considered as the payer under this Regulation.
Chapter I of the Draft Guidelines also deals with the concept of linked transactions in the framework of the exemptions applicable to the transfers of funds that do not exceed EUR 1000. Indeed, the Guidelines set out that transactions should be considered linked when they are sent from the same payment account or the same payer to the same payee and within a short time-frame (for example within 6 months). We consider that it is difficult to detect transactions that appear to be linked, because transactions are monitored separately. In this context, the EACB would particularly welcome further clarification about how such payments should be detected over a period of six months. Indeed, this requirement means that around 66 billion transactions would need to be reconciled each business day within Europe alone. The scope of such verification would be disproportionate. Instead, existing practice introduced with Regulation 1781/2006 – given the absence of any indications of this practice being insufficient – should be preserved, with no specific period defined in this paragraph."
The EACB agrees with the steps that intermediary PSPs and PSPs of the payee should take to detect transfers of funds with inadmissible characters or inputs. The Guidelines set out that these PSPs should ensure that its system:
• Contains all the fields necessary to obtain the information required by Regulation 2015/847/EU. For SEPA and intra-Union transactions, this includes the account number or IBAN of the payer and the payee or a unique transaction identifier;
• Automatically prevents the sending or receiving of payments should inadmissible characters or inputs be detected”.
However, we would like to make the following comments:
On the first point, we wonder whether all the SEPA transactions should be deemed as intra-Union transactions or if the transactions that involve countries such as Principality of Monaco, San Marino and Switzerland cannot be considered intra-Union transactions, as under the previous Regulation 1781/2006/EC.
Additionally, we suggest to remove the second point above because the PSP of the payee does not play a role in the sending of payments. Indeed, the PSP of the payee manages the receiving of payments. Furthermore, according to article. 8 (2) of Regulation 2015/847/EU, when the PSP of the payee becomes aware that the required information is missing in a transfer of funds or the information is incomplete or has been sent using characters or inputs inadmissible, it is required to reject the transfer or to ask for the information before or after crediting the payee’s payment account or making the funds available to the payee, on a risk-sensitive basis.
Regarding the detection of missing information, EACB agrees to make ex-post and real-time monitoring to detect whether the required information on payer or on payee is missing.
The EACB however would like to raise the point that meaningless information is not mentioned in Article 8 of Regulation 2015/847/EU. In addition, we consider that it is difficult to detect such kind of information because it is not technically possible to identify whether the information (letters, numbers, etc.) is meaningless or real.
Furthermore, we disagree with Guideline 25 stating that high-risk transfers of funds should be monitored in real time in particular on the criterion of a certain (high) value or where the payer or the payee are based in a country associated with high ML/TF risk. In both situations, the possibility offered by Regulation 2015/847/EU to choose between ex-post and real time monitoring should be maintained. Indeed, the assessment of whether or not the amount of a specific transaction is high depends on the business activity rather than on a general threshold applicable in all circumstances. Neither the mentioned certain (high) value" nor the high risk country transactions (payer or payee based in high ML/TF risk countries) are defined by the Transfer of Funds Regulation or by the 4th AML/CTF Directive as a trigger for real time screening obligation. The latter defines only Enhanced Due Diligence for natural/juridical persons located in high risk countries (Art. 18 (1)), but no specific action like real time screening. Moreover it brings unacceptable useless hits and stopped transactions to be handled manually in real time. Having in place such systems would imply triggering an important amount of real-time alerts which processing in real-time will be impossible. In the end, such a system would be ineffective.
Finally, we would like to highlight that, according to the table provided in annex 1, not all the information on the payer listed by the Regulation is required to accompany a transfer of funds. The information laid down in the Regulation 2015/847/EU - the payer's address, official personal document number, customer identification number or date and place of birth - seems to be required in an alternative way, as it was under the previous Regulation. We would like to have a confirmation of this interpretation because Regulation 2015/847/EU is not clear on this topic. Indeed, a different interpretation, which entails that all the information concerning the payer listed by the Regulation has to accompany the transfer, would cause a huge increase of the compliance costs."
Question 1: Do you agree with the general considerations in Chapter 1? In particular, do you agree that these are necessary to ensure an effective, risk-based and proportionate approach to complying with Regulation (EU) 2015/847? If you do not agree, clearly set out your rationale and provide supporting evidence where available. Please also set out what you consider to be the common principles that apply to both, the PSP of the payee and the intermediary PSP, and why.
The Draft Guidelines, as highlighted in the first part of the consultation document, aim to help PSPs to determine which transfers of funds fall within the scope of Regulation 2015/847/EU. Despite this statement, it seems that the Draft Guidelines do not provide indications to support PSPs for determining when a specific transaction is within the scope of Regulation 2015/847/EU.In particular, the last part of article 2 of the Regulation sets out that the PSPs cannot benefit from exemptions from Regulation when a payment card, an electronic money instrument or a mobile phone, or any other digital or IT prepaid or postpaid device with similar characteristics, is used in order to effect a person-to-person transfer of funds. Regarding the latter point, we wonder what kind of transactions should be considered as “person-to-person” transfer of funds and how PSPs should consider charging prepaid cards.
Further to the clarification made by the ESAs during the Public Hearing that took place in London on 19 may 2017, the EACB considers that SDD fall within the scope of Regulation 2015/847/EU. According to article 3.3 and 3.4 of the Regulation, the “payer” and the “payee’’ are defined in the following way:
• Payer holds a payment account and allows a payment order from that payment account;
• Payee is the intended recipient of funds which have been the subject of the payment transaction.
The EACB considers that these definitions applied to Direct Debits result in:
• The payer being the account holder who allows a transfer of funds (or debtor);
• The payee being the intended recipient who receives funds (or creditor).
A direct debit transaction is initiated by the beneficiary but the beneficiary cannot be considered under Regulation 2015/847/EU as being the payer in the sense of this text. The beneficiary initiates the transaction but only on the basis of a preliminary consent and a mandate of the payer. It is indeed the payer (or debtor) who allows" initially the transfer of funds from the account who must be considered as the payer under this Regulation.
Chapter I of the Draft Guidelines also deals with the concept of linked transactions in the framework of the exemptions applicable to the transfers of funds that do not exceed EUR 1000. Indeed, the Guidelines set out that transactions should be considered linked when they are sent from the same payment account or the same payer to the same payee and within a short time-frame (for example within 6 months). We consider that it is difficult to detect transactions that appear to be linked, because transactions are monitored separately. In this context, the EACB would particularly welcome further clarification about how such payments should be detected over a period of six months. Indeed, this requirement means that around 66 billion transactions would need to be reconciled each business day within Europe alone. The scope of such verification would be disproportionate. Instead, existing practice introduced with Regulation 1781/2006 – given the absence of any indications of this practice being insufficient – should be preserved, with no specific period defined in this paragraph."
Question 2: Do you agree that the expectations on intermediary PSPs and PSPs of the payee in Chapter II are proportionate and necessary to both comply with Regulation (EU) 2015/847 and ensure a level playing field? In particular, do you agree with: • The steps PSPs should take to detect and manage transfers of funds with missing information of inadmissible characters or inputs? • The steps PSPs should take to detect and manage PSPs that are repeatedly failing to provide the required information? If you do not agree, clearly set out your rationale and provide supporting evidence where available. Please also set out at what you believe PSPs should do instead, and why.
Regarding Chapter II, in our opinion, the expectations on intermediary PSPs are not proportionate to both comply with Regulation 2015/847/EU and ensure a level playing field, mostly when the intermediary PSPs and PSPs of the payee are established in the same jurisdiction. Indeed, the framework provided by the Draft Guidelines may cause a huge increase of the requests due to missing information regarding the same transfer of funds, which would be requested by both the intermediary PSP, and the PSP of the payee. Accordingly, we suggest that the Guidelines embrace the solution adopted by the Basel Committee on Banking Supervision in 2009 which entails that the intermediary PSPs should be subject to the new obligations when the PSPs payer/payee are established in different jurisdictions. In addition, according to the solution adopted by the Basel Committee on Banking Supervision, in case of a transfer of funds involving several intermediary PSPs established in the same jurisdiction, the new obligations should be applied just to the first one involved in the transaction.The EACB agrees with the steps that intermediary PSPs and PSPs of the payee should take to detect transfers of funds with inadmissible characters or inputs. The Guidelines set out that these PSPs should ensure that its system:
• Contains all the fields necessary to obtain the information required by Regulation 2015/847/EU. For SEPA and intra-Union transactions, this includes the account number or IBAN of the payer and the payee or a unique transaction identifier;
• Automatically prevents the sending or receiving of payments should inadmissible characters or inputs be detected”.
However, we would like to make the following comments:
On the first point, we wonder whether all the SEPA transactions should be deemed as intra-Union transactions or if the transactions that involve countries such as Principality of Monaco, San Marino and Switzerland cannot be considered intra-Union transactions, as under the previous Regulation 1781/2006/EC.
Additionally, we suggest to remove the second point above because the PSP of the payee does not play a role in the sending of payments. Indeed, the PSP of the payee manages the receiving of payments. Furthermore, according to article. 8 (2) of Regulation 2015/847/EU, when the PSP of the payee becomes aware that the required information is missing in a transfer of funds or the information is incomplete or has been sent using characters or inputs inadmissible, it is required to reject the transfer or to ask for the information before or after crediting the payee’s payment account or making the funds available to the payee, on a risk-sensitive basis.
Regarding the detection of missing information, EACB agrees to make ex-post and real-time monitoring to detect whether the required information on payer or on payee is missing.
The EACB however would like to raise the point that meaningless information is not mentioned in Article 8 of Regulation 2015/847/EU. In addition, we consider that it is difficult to detect such kind of information because it is not technically possible to identify whether the information (letters, numbers, etc.) is meaningless or real.
Furthermore, we disagree with Guideline 25 stating that high-risk transfers of funds should be monitored in real time in particular on the criterion of a certain (high) value or where the payer or the payee are based in a country associated with high ML/TF risk. In both situations, the possibility offered by Regulation 2015/847/EU to choose between ex-post and real time monitoring should be maintained. Indeed, the assessment of whether or not the amount of a specific transaction is high depends on the business activity rather than on a general threshold applicable in all circumstances. Neither the mentioned certain (high) value" nor the high risk country transactions (payer or payee based in high ML/TF risk countries) are defined by the Transfer of Funds Regulation or by the 4th AML/CTF Directive as a trigger for real time screening obligation. The latter defines only Enhanced Due Diligence for natural/juridical persons located in high risk countries (Art. 18 (1)), but no specific action like real time screening. Moreover it brings unacceptable useless hits and stopped transactions to be handled manually in real time. Having in place such systems would imply triggering an important amount of real-time alerts which processing in real-time will be impossible. In the end, such a system would be ineffective.
Finally, we would like to highlight that, according to the table provided in annex 1, not all the information on the payer listed by the Regulation is required to accompany a transfer of funds. The information laid down in the Regulation 2015/847/EU - the payer's address, official personal document number, customer identification number or date and place of birth - seems to be required in an alternative way, as it was under the previous Regulation. We would like to have a confirmation of this interpretation because Regulation 2015/847/EU is not clear on this topic. Indeed, a different interpretation, which entails that all the information concerning the payer listed by the Regulation has to accompany the transfer, would cause a huge increase of the compliance costs."