Anti-money laundering and terrorist financing controls are less than 10% effective in reducing the financial crime risks of payment firms. That is according to EU anti-money laundering and counter-terrorist financing (AML/CTF) supervisors that gauged the sector’s inherent and residual risk levels. In a recent report, the European Banking Authority (EBA) stated that payment firms are not doing enough to manage money laundering and terrorist financing (ML/TF) risk, and not all EU member states are doing enough to supervise the sector effectively either. Because of variance and uneven supervision across the EU, payment institutions can establish themselves in member states with less robust oversight and authorisation procedures and access the rest of the EU market through passporting.
The report highlights some of the sector’s key risk areas, including a specific call out for remote onboarding without appropriate safeguards, cross-border activity and exposure to high risk geographies, and the risks associated with agent networks.
Key findings
Despite a slight improvement in the quality of business-wide and individual risk assessments, there is a poor overall awareness of ML/TF risks.
Remote onboarding often lacks appropriate safeguards, leading payment institutions to fail to identify high-risk customers, including politically exposed persons (PEPs).
Many transaction monitoring systems are deficient or not in place at all.
“Emerging threats” include white labelling (i.e. where payment institutions make their licence available to independent agents that develop their own produce under the licence of the regulated financial institution) virtual IBANS, and third-party merchant acquiring.
The report stresses the risks associated with the use of networks of intermediaries, including agents. There is no common EU-wide approach to the supervision of agent networks by payment institutions, or of payment institutions with widespread agent networks by regulators. Agents’ core business is not always linked to the financial services industry, and many serve one or more payment institutions at the same time, making oversight difficult. The EBA believes the risk has “crystallised” and that there is a high probability that agents are being exploited by criminals or criminal networks.
Comparison with the FCA
The release of the EBA’s paper comes only months after the UK’s Financial Conduct Authority (FCA) published a ‘Dear CEO letter’ outlining risks and priorities for payment firms.
While some issues are flagged by both supervisors, such as sanction screening and lack of governance for scaling firms, there are some variances. The one glaring difference is the EBA’s lack of focus on fraud. Fraud levels are endemically high In both the UK and mainland Europe and are unlikely to decline given the current economic backdrop. As payment institutions are particularly vulnerable to this type of illicit activity, fraud’s absence in the EBA report is somewhat surprising. Additionally, the EBA’s explicit inclusion of remote onboarding as a risk suggests that certain EU institutions still struggle with this, despite comprehensive guidelines issued by the EBA and the endorsement of remote onboarding by multiple organisations including FATF.
Here are some comparative findings of common issues:
What do payment firms need to do?
As outlined above, the FCA and EBA have both highlighted key problem areas for payment institutions. While there are some differences in focus, it’s clear that both will require standards to be improved and risks to be better mitigated across the sector.
As European supervisory authorities will likely increase scrutiny on the payment sector following the EBA’s report, payment firms can avoid expensive remediation and painful regulatory enforcement down the line by assessing their compliance programme and strengthening their controls now.