Payment institutions are commonly associated with higher ML / TF risks. The EBA, in its 2021 Opinion on ML / TF risk factors affecting the European Union’s financial sector, noted that more than two-thirds of all AML / CFT supervisors considered that the sector poses significant or very significant ML / TF risks. It also noted that the significant risk profile associated with this sector did not always appear to be matched with a commensurate level of supervisory activity in all cases.
The European Commission, in its 2022 supranational risk assessment, considered that payment institutions are inherently exposed to both ML and TF risks and they ‘appeared to be most vulnerable to risks arising from weaknesses in AML / CFT systems and controls’. Payment institutions are impacted, as customers, by de-risking. ‘De-risking’ refers to decisions taken by financial institutions to refuse to onboard or to discontinue servicing existing customers that they associate with higher ML / TF risks.
This raises concerns about the robustness of the overall implementation, by payment institutions, of AML / CFT measures; and the adequacy and proportionality of the level of resources allocated by national competent authorities to the AML / CFT supervision of the payment institutions sector.
In April 2022, the EBA decided to assess the scale and nature of ML / TF risk associated with the sector, the extent to which payment institutions’ AML / CFT systems and controls are adequate and effective in tackling those risks, and the extent to which current supervisory approaches to tackling ML / TF risk in payment institutions are effective. The EBA’s findings suggest that ML / TF risks in the payment institutions sector may not be assessed and managed effectively.
The report highlights the risks associated with ML / TF in the payments institutions sector. It specifically talks about:
The report further assesses the implementation of AML / CFT measures taken by payment institutions to mitigate the above-mentioned risks as a counter-measure. But despite that the report finds that there are several weaknesses in the AML / CFT practices, such as:
A Poor Overall Awareness of ML / TF Risk
Lack of rigorous training on AML / CFT issue.
Insufficient Transaction Monitoring
Transaction monitoring systems deficient or not in place at all.
Insufficient Suspicious Transaction Identification and Reporting (STR)
Lack of awareness of ML / TF risk and deficiencies in ongoing transaction monitoring, relying on the STR reporting systems of the credit institutions with which the PIs bank, rather than implement their own as would be required under the applicable EU legal framework.
Failure to Implement Systems and Controls to Comply with Restrictive Measures
Poor or insufficient implementation, and a limited understanding, by the sector, of restrictive measures regimes, sporadic ongoing screening of customers and transactions or none at all.
Weak Internal Governance Arrangements
Lack of application of a clear three-lines-of defense system as well as a relatively high turnover of staff in the key function holder positions, active participation of shareholders in the running of the business, which could interfere with the institution’s sound and prudent ML / TF risk management.
TF Risks are Poorly Understood and Managed
Limited understanding, by the sector of TF risks, and reliance on sanctions screening as the only TF risk mitigating tool.
Remote / Online Onboarding without Appropriate Safeguards
Specific weaknesses stemming from the remote onboarding of customers in the sector, without appropriate safeguards, fails to identify high-risk customers, including PEPs.
EBA’s survey on ML / TF risks associated with payment institutions also reports that AML / CFT supervisors have indicated that most breaches in the sector are related to ongoing monitoring, internal controls and overall AML / CFT policies and procedures, customer identification and verification of ID, and customer and business-wide risk assessment. This is broadly in line with the quality of controls that competent authorities were generally concerned about in the sector.
European supervisors responsible for the authorization of payment institutions are therefore expected to scrutinize the documentation to satisfy themselves that: