Does the European Commission want to get non-bank PSPs into de-risking? (An AML/CFT-related comment on the EC’s EUR instant payment proposal)

The EC’s October 2022 Proposal for Regulation on Instant Payments

On the 26 of October 2022 the European Commission (EC) presented its proposal for a Regulation of the European Parliament and of the Council amending Regulations (EU) No 260/2012 and (EU) 2021/1230 as regards instant credit transfers in euro[1]. Since then, the proposal has been already discussed within the Council of the European Union (the process can be traced at the dedicated EUR-Lex page[2]) and is to be prepared for the presentation to the European Parliament during the current Swedish Presidency.

According to the EC, the proposal is going to be a booster in the EUR instant payment usage within the internal market. This change is to be effected by, inter alia, imposition of offering EUR instant payments on banks throughout EU as a mandatory obligation. There are several very important elements of this proposal, which I am not going to tackle with here. The readers are kindly advised to get acquainted with them in the Q&A published by the EC[3] or in the article written by Ms. Katarzyna Kobylińska-Hilliard from the Retail Financial Services Unit at the EC[4].

What I am going to do is to explore one of the assumptions made by the EC, which I consider unfortunate, related to the very sensitive subject of instant payments: the AML/CFT or rather the sanctions screening.

?

The Instant Payments and the Sanctions Screening Problem

What is the most obvious and the most troublesome problem of instant payments in the light of anti- money laundering, terrorist financing and the regulatory sanctions of another nature? It is the sanctions breaking risk that the payment service provider (PSP) faces when sending an instant payment or when crediting it the account of its customer. Again, it is not my intention to explain the sanctions related obligations of the obliged entities (the primary subjects of the AML/CFT regulations), esp. PSPs, here. The 10 seconds timeframe, which is to be the not extendible, has been found to be too short not only to accept the instant payment order, to debit sender’s account, to release it, to transfer the message between banks via an instant clearing (messaging) system, accept it and credit the account of the payee but also to verify – on the sides of both PSPs – whether the payment does not violate multiple sanctions which the PSPs are to be the guardians of.

This matter has been the subject of studies and analyses of multiple institutions and experts teams. In brief: the European Central Bank ’s (EBC) survey of 2021 regarding this issue has proven that the standard sanctions screening obligations as imposed on the PSPs within the risk-based approach assumed by AML/CFT regulatory framework will remain the obstruction to the wider adoption and to the service quality of the instant payments.

The respective stages of the a/m identifying and verifying the problem as well as of the search for its solution have been documented and can be found at the proper site of the ECB[5]. There are 3 documents from AMI-Pay (Joint Advisory Group on Market Infrastructures for Payments) meetings dedicated to the sanctions screening issue which document this journey well:

1.??????The ECB presentation to the AMI-Pay meeting of the 3rd December 2020[6], which indicated, inter alia, the “lack of screening time”, the “multiplication of embargo lists”, the “51% of banks reporting a high rate of false-positives” and the “$27 billion in fines to financial institutions for non-compliance with AML, KYC and sanctions regulations” within the past 10 years. This resulted in the prospect of too many instant payments being suspended or stopped (esp. in cases of cross-border credit transfers) thereby not only unleashing the hell in banks’ operations units but also ruining the trust of the customers in the service itself. The unsquareable circle… However, the search for the solution was not abandoned. One of the directions indicated in this document was “making each PSP responsible for its own clients”[7].

2.??????The next document is the presentation to the 7th December 2021 meeting of AMI-Pay[8]. It has been prepared by the “ECSAs Ad-Hoc Task Force on Sanctions Screening and Instant Payments”. The key suggestion was that the “current sanctions screening framework needs to be amended before instant payments can be scaled to the level of ‘new normal’” otherwise the “high level of false positive alerts generated in transaction screening, causing rejects”, at the rate of at least 3%÷15%, requiring time-consuming manual interventions would have disastrous effects. It is here where the idea, later adopted by the EC in the a/m proposal of the Regulation has been fully formulated: “The best way to resolve the issues created by sanctions screening of instant payments would be to rely solely on client database screening instead of transaction screening: create a common EU sanctions framework where each PSP screens its customers both at the onboarding and is obliged to perform daily screening of its client database, instead of screening every individual transaction”[9]. This statement has been supported by the declaration that since “all banks already apply customer screening when onboarding a client and most of the banks already conduct a daily screening of their client database, therefore very little additional implementation would be required”... It was underlined that “having a single, harmonized EU list would be the most optimal solution” otherwise “PSPs would still have to maintain transaction screening for national lists” even if “transaction screening will still have to be done by the banks subject to OFAC lists” as it “seems unlikely that reliance solely on client database screening could be established for OFAC lists”[10]. The argument of the level playing field (when suggesting the alternative) has also been mentioned: “card payments currently largely rely on client database screening instead of transaction screening”, suggesting the application of the measure already used for cards or similar payment instruments at the Point of Interaction. When discussing this document it is worth remembering that the proposal included the crucial element: that the PSP would be “obliged to perform daily screening of its client database, instead of screening every individual transaction” (underline mine – G.H.).

3.??????The last document to be found on the a/m list is the summary paper by the ECB of 13 May 2022[11]. It describes the works ordered and reported at AMI-Pay meetings and announces suggesting to the EC the double-proposal indicated already in the document 2: (i) “a common EU sanctions framework where each payment service provider both screens its customers at onboarding” “(which is already done)” “and is required to check its customer database daily, rather than checking every single transaction” and (ii) “to accompany client database screening by a single, harmonised EU list”. That was to be suggested to the EC in the light of its forthcoming proposal of the new Regulation on EUR instant payments.

The very proposal that emerged at the a/m AMI-Pay meetings obviously deserves analysis and discussion. However, I am going to skip it here as I am interested in the EC’s implementation of it in its October 2022 a/m proposal for the Regulation as regards instant credit transfers in euro.

?

The Proposal for Regulation and the Exemption for non-bank PSPs

In the proposed EC’s text we can find the following statements:

“Proportionality

Only PSPs offering a credit transfer service in euro to their customers are covered by the requirement to offer IPs in euro. (…) Furthermore, payment institutions and electronic money institutions are not covered since currently, under the Settlement Finality Directive (SFD), they cannot participate in settlement systems designated under that Directive, which includes many EU settlement systems widely used for credit transfers and IPs. This may be reconsidered in light of future amendments to SFD after it is reviewed. Nevertheless, under this proposal payment institutions and electronic money institutions will not be prevented from offering IPs to their PSUs on a voluntary basis. (…)”[12]

and so further, in the text of the proposed new articles:

“Screening IPs for EU sanctions (Article 5d)

(…)

PSPs are required to verify at least once a day whether any of their customers are designated persons or entities subject to EU sanctions, and in any event immediately after the entry into force of any new or amended designations.

A harmonised approach provides PSPs with much needed legal certainty and thus eliminate frictions that prevent the effective execution of euro IPs, while not compromising the overall effectiveness of sanctions screening.

(…)”[13]

?

The AML/CFT Risks Overlooked

Let me now come back to the title of my article. It asks the question whether EC, by intention or by overlooking the matter creates the new, potentially sensitive and dangerous (AML/CFT-wise) reason for banks to de-risk the non-bank PSPs.

Even if it may not necessarily be the case that, as we read in the above quoted proposal, “currently, under the Settlement Finality Directive (SFD), they cannot participate in settlement systems designated under that Directive, which includes many EU settlement systems widely used for credit transfers and IPs” (see the proper list of these designated systems[14] whereby the remaining ones should - in principle – be available to payment institutions or electronic money institutions), the overall exclusion of payment institutions (PI) and electronic money institutions (EMI) from all obligations under the proposed Regulation is unfortunate at least.

The reason for my claim is the fact that PIs and EMIs:

(i)?????????????????should be considered as bank customers in the sense of being able to order and receive payments (incl. instant payments), unless for some reason this service is being denied to them by their bank,

(ii)???????????????have their own customers who are unknown to the banks servicing these PIs and EMIs and who can be subject of sanctions equally as banks’ customers can.

Moreover,

(iii)??????????????if EU’s PIs and EMIs happen to service other payment or electronic money institutions through e.g. nested accounts, including the ones from third (non-EEA) countries then we immediately create an unguarded gateway for the sanctioned entities and individuals into the very heart of the EU most crucial retail payment system.

Therefore, if PIs and EMIs will remain exempted (as proposed by the EC) from the obligations indicated in the a/m art. 5d, namely from the duty to perform screening of all of their customers at onboarding and at least once a day, then we can predict one of unfortunate effects of such an important omission:

a)??????denial by banks to provide instant payments to PIs and EMIs being their clients on the grounds of the general lack of trust (de-risking) that instant payments ordered by the PIs and EMIs may be ordered by or received by the sanctioned individuals or entities, or

b)?????the introduction of some insufficiently screened payments sent by or received by sanctioned individuals or entities via the most important and modern pan-European payment system, thereby undermining the efforts of the same EC to tighten AML/CFT controls of the internal market and opening wide the unguarded gateway for the unscreened EUR payments to and from the third (non-EEA) countries.

?

Proportionality Is Not “Either-Or”

“Proportionality” is exactly the principle which says that obligations should not be imposed in the black-and-white or either-yes-or-not way only. If proportionality is to be considered in the context of this Regulation on instant payments, then it should consider that particular obligations can and maybe should be imposed on particular entities. If exemptions are to be introduced then they should be carefully analyzed as not always generalizations are appropriate.

What am I therefore advocating? I am suggesting to impose the obligation of the a/m art. 5d on all PSPs (incl. PIs and EMIs) or at least also on these non-bank PSPs which would be using instant payments - as banks’ customers - to provide payment services to their own clients (non-bank PSP’s users).

Whether these entities (being banks’ customers) should also require – in the proper written agreements – from their own cooperators or just clients, themselves being PSPs (esp. in the cases of the ‘nested relationships’) to daily screen all of their customers as well, against the EU harmonized sanctions list, should be at least considered. Why? Because, in my opinion, when revolutionizing the sanctions screening so deeply, we should not forget about the various aspects of ‘correspondent relationship’ considerations.

?

What are my motivations resulting in the above proposals? They are twofold:

·????????as a former AML/CFT financial supervisor I am aware of the risks resulting from the nested or similar relationships and I would like to see the new package of AML/CFT EU regulations not to be undermined by imperfect regulations introduced in the same time,

·????????as a banker servicing non-bank PSPs I would not like a new reason for de-risking to arise.

?

?

The above publication contains its author’s private opinions only.

?

Notes

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A52022PC0546R%2801%29

[2] https://eur-lex.europa.eu/procedure/EN/2022_341

[3] https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_6273

[4] https://protect2.fireeye.com/v1/url?k=92363d9a-cdaa5b09-92323c51-000babff6cbd-2698717076365b78&q=1&e=71d50d65-24c4-45f6-b319-3d179446181c&u=https%3A%2F%2Fwww.europeanpaymentscouncil.eu%2Fnews-insights%2Finsight%2Feuropean-commissions-proposal-regulation-instant-payments

[5] https://www.ecb.europa.eu/paym/groups/html/documents.en.html

[6] https://www.ecb.europa.eu/paym/groups/shared/docs/b776b-ami-pay-_2020-12-03_item_3.3_instant_payments_and_sanctions_screening.pdf

[7] ibidem, pp. 3 and 8

[8] https://www.ecb.europa.eu/paym/groups/shared/docs/49f55-ami-pay-2021-12-07-item-2.3-instant-payments-and-sanctions-screening.pdf

[9] ibidem, p. 5

[10] ibidem, p. 6

[11] https://www.ecb.europa.eu/paym/groups/shared/docs/d56c7-ami-pay-2022-05-19-item-5.2-update-on-sanctions-screening.pdf

[12] Document COM/2022/546 final/2, pp. 2-3

[13] ibidem, pp. 10-11

[14] https://www.esma.europa.eu/sites/default/files/library/sfd_designated_authorities_and_systems.xlsx