Decoding ML/TF Key Risks and Mitigation Measures in Payments
In the dynamic landscape of electronic payments, the swift advancement of technology has paved the way for Electronic Money Institutions (EMI) to claim a seat at the table, along with credit institutions. The evolution of digital finance though, with the transformations it carries, comes hand in hand with a series of challenges for EMI entities, to maintain economic stability and ensure trust in financial relationships.
Whether the sector of firms issuing electronic money is riskier than other financial sectors, essentially depends on the individual characteristics that e-money products possess and the ability of redeeming and allocating e-money using third parties. Throughout this article, we explore the Money Laundering and Terrorism Financing (ML/TF) risk factors and measures to be taken by EMI entities through the relevant European Banking Authority’s (EBA) Guidelines.
In the below commentary, the SALVUS Regulatory Compliance team discusses:
We regularly share bite-sized insights on LinkedIn such as those found in this article
1. What is an EMI?
Electronic Money Institutions or Electronic Money Issuers are digital alternatives to banks. They operate through an online platform and are licensed to manage transactions and issue debit cards. EMI customers can use either the platform or their issued debit card to carry out payment transactions. To operate as an EMI and provide payment services across the European Union, a company is required to acquire an EMI license. This license allows the institution, in addition to the payment services offered by Payment Institutions (PI), to issue electronic money, a monetary value represented by a claim on the issuer which is:
- stored electronically, including magnetically,
- issued on receipt of funds to make payment transactions, and
- accepted by a natural or legal person other than the electronic money issuer.
2. Risks emerging from EMI entities
To evaluate the ML/TF risk they are subject to, all financial regulated entities shall take into account four primary factors:
- the first factor reviews the features of the products and services offered, as well as the transactions taking place,
- the second factor is related to the customer onboarding procedure and the customers’ nature and behaviour,
- the third factor considers the distribution channels used to disseminate the service or product, and
- the fourth factor evaluates the customer’s or the product’s connection to different countries or jurisdictions.
Relevant examples that may increase or decrease the ML/TF risk of the four primary risk factors are demonstrated below.
- Products, services and transactions
Considering the ML/TF risk emanating from the use of specific products and services, the risk can be categorised into three groups:
Various thresholds – The ML/TF risk is increased if, for example, there is a presence of a high number of payments or payments with high values.
Funding method of the products – If the product offered can be purchased with relative anonymity, or from third parties that aren’t identified, then the ML/TF risk is increased.
Utility and negotiability of the product – If the product is designed in a way that can be used by people in cross-border transactions or generally accepted by most merchants, the ML/TF risk of the transaction may increase. Likewise, if the product’s nature facilitates cash withdrawals of significant value.
On the other hand, if the product limits payments to their volume and value, the threshold set is reducing the ML/TF risk. In addition, if the product compels the funds to derive from verified accounts held in customers’ names coming from European Economic Area (EEA) member states, this reduces the risk the transaction carries when using the specific product.
The following cases are illustrations where the ML/TF risk is increased with the sole presence of a risk factor. For example, if a customer:
- uses the product in a way that wasn’t intended when it was designed.
- purchases several e-money products from the same issuer, without an investment or economic rationale.
- frequently changes of personal identification data, such as home or IP address.
- executes transactions below the reporting thresholds.
Unlike the above, if the product is only available to specific categories of customers, i.e. the employees of a company, the ML/TF risk is reduced.
- Distribution channels
When the distribution of the product is conducted on a non-face-to-face basis, the risk of a transaction is increased. Similarly, the ML/TF risk is increased, when the distribution is performed via intermediaries not evaluated on the efficiency of their Anti-Money Laundering and Combatting the Financing of Terrorism (AML/CFT) measures.
Before proceeding to sign a distribution agreement with a merchant, firms shall make sure that the latter has in place and enforces adequate AML/CFT measures.
- Countries or geographical areas
If the product, service or transaction takes place or has links to a jurisdiction with higher ML/TF risks, this sole fact should urge the firm to assess the risk of the business relationship of higher risk.
3. The need for measures to be established
When electronic money products or services are being used, Customer Due Diligence (CDD) measures, such as ensuring that all the information required is collected and is up to date, it must be applied both to the owner of the account and to any cardholders. Firms must ensure that the CDD measures applied, are both effective and adequate for locating the emerging ML/TF risks.
Where business relationships or transactions involve high-risk third countries, or in any case the relationship or the transaction is assessed with high risk, EMI entities are obliged to apply Enhanced Due Diligence (EDD) measures. Some of the proposed measures obliged entities can adopt are:
- Requesting more detailed customer information, to ensure that the source of wealth and funds is understood, and the purpose of the business relationship is well established.
- Monitoring the transactions more frequently and closely, watching out for any evidence that will suggest the presence of ML/TF indication. This can be achieved through requesting and acquiring information about the merchant and enforcing identity fraud checks to verify the customer’s identity.
Unlike EDD, when the risk assessment of a transaction or a business relationship is deemed to be low, Simplified Due Diligence (SDD) measures are applicable, to the extent permitted by national legislation. A few cases of measures that can be affected, concern the verification process which can be:
- Carried out at a later stage, after the business relationship is created, when the transaction exceeds a certain threshold set out by the firm.
- Conducted based on fewer or less reliable sources or even using unconventional verification methods.
4. How can SALVUS assist your EMI to ensure compliance with AML requirements
Once your EMI business is successfully licensed under the Central Bank of Cyprus (CBC), the SALVUS Regulatory Compliance team collaborates closely with you to activate your license and ensure compliance with all regulatory requirements. Our post-license services include the establishment of appropriate policies and procedures, as well as fulfilling reporting obligations.
The SALVUS Payment Services Licensing team possesses extensive expertise in acquiring licenses for EMI entities of various business models. The team employs a project management approach to understand the operational model and identify the payment services that align with our client’s business strategies and objectives. Through our EMI licensing service, we support our customers throughout the entire application process until acquiring their operational license. We collaborate closely with our client’s team to collect the necessary information and documentation, ensuring a comprehensive and well-supported application that meets licensing requirements.
Contact us at firstname.lastname@example.org if you require support in ensuring compliance with the AML requirements; we look forward to being of value.
Should you be interested in reading previously authored articles regarding electronic money and AML reporting, please visit the selected articles below:
- Establishing a Payment Services Firm in Cyprus in 2022
- AML compliance for CySEC regulated entities
- AML risk-based approach for CySEC & CySEC regulated entities
The information provided in this article is for general information purposes only. You should always seek professional advice suitable to your needs.