Clari5 Market Insights

European Union

European Banking Authority

Report on ML / TF Risk for Payment Institutions

EBA has Published a Report on ML / TF Risks Associated with Payment Institutions.

By when must Payment Institutions (PIs) comply with the guidelines?

PIs must meet the EBA guidelines with immediate effect.

Why has the EBA issued the new guidelines?

Payment institutions are commonly associated with higher ML / TF risks. The EBA, in its 2021 Opinion on ML / TF risk factors affecting the European Union’s financial sector, noted that more than two-thirds of all AML / CFT supervisors considered that the sector poses significant or very significant ML / TF risks. It also noted that the significant risk profile associated with this sector did not always appear to be matched with a commensurate level of supervisory activity in all cases.  

The European Commission, in its 2022 supranational risk assessment, considered that payment institutions are inherently exposed to both ML and TF risks and they ‘appeared to be most vulnerable to risks arising from weaknesses in AML / CFT systems and controls’. Payment institutions are impacted, as customers, by de-risking. ‘De-risking’ refers to decisions taken by financial institutions to refuse to onboard or to discontinue servicing existing customers that they associate with higher ML / TF risks.

This raises concerns about how robustly payment institutions implement AML / CFT measures overall, and about the adequacy and proportionality of the resources that national competent authorities allocate to the AML / CFT supervision of the payment institutions sector.

In April 2022, the EBA decided to assess the scale and nature of ML / TF risk associated with the sector, the extent to which payment institutions’ AML / CFT systems and controls are adequate and effective in tackling those risks, and the extent to which current supervisory approaches to tackling ML / TF risk in payment institutions are effective. The EBA’s findings suggest that ML / TF risks in the payment institutions sector may not be assessed and managed effectively.

Highlights of the guidelines

The report highlights the ML / TF risks in the payment institutions sector. It specifically covers:

  • Risks linked to customers of payment institutions
  • Geographical risks linked to payment institutions
  • Risks linked to the types of products and services offered by payment institutions
  • Risks linked to delivery channels and the use of intermediaries (agents)
  • Risks emanating from outsourcing of AML / CFT-related tasks of PIs
  • Other risk factors like Brexit
  • Emerging risks in the PIs sector

The report further assesses the AML / CFT measures that payment institutions have implemented to mitigate the above-mentioned risks. Despite those measures, the report finds several weaknesses in AML / CFT practices, such as:

A Poor Overall Awareness of ML / TF Risk
Lack of rigorous training on AML / CFT issues.

Insufficient Transaction Monitoring
Transaction monitoring systems are deficient or not in place at all.

Insufficient Suspicious Transaction Identification and Reporting (STR)
Lack of awareness of ML / TF risk and deficiencies in ongoing transaction monitoring; PIs rely on the STR reporting systems of the credit institutions with which they bank, rather than implementing their own as would be required under the applicable EU legal framework.

Failure to Implement Systems and Controls to Comply with Restrictive Measures
Poor or insufficient implementation of restrictive measures regimes, and a limited understanding of them by the sector; ongoing screening of customers and transactions is sporadic or absent altogether.

Weak Internal Governance Arrangements
Lack of application of a clear three-lines-of-defense system, a relatively high turnover of staff in key function holder positions, and active participation of shareholders in the running of the business, which could interfere with the institution’s sound and prudent ML / TF risk management.

TF Risks are Poorly Understood and Managed
Limited understanding of TF risks by the sector, and reliance on sanctions screening as the only TF risk mitigating tool.

Remote / Online Onboarding without Appropriate Safeguards
Specific weaknesses stem from the remote onboarding of customers in the sector without appropriate safeguards, which fails to identify high-risk customers, including PEPs.

EBA’s survey on ML / TF risks associated with payment institutions also reports that AML / CFT supervisors have indicated that most breaches in the sector are related to ongoing monitoring, internal controls and overall AML / CFT policies and procedures, customer identification and verification of ID, and customer and business-wide risk assessment. This is broadly in line with the quality of controls that competent authorities were generally concerned about in the sector.

European supervisors responsible for the authorization of payment institutions are therefore expected to scrutinize the documentation to satisfy themselves that:

  • The PI’s ML / TF risk assessment is appropriate and complete
  • The PI has or will put in place adequate systems and controls to ensure that the ML / TF risks associated with its branches, agents or distributors are managed effectively
  • The person designated as responsible for the PI’s compliance with AML / CFT requirements has sufficient AML / CFT expertise to carry out their functions

Given the points above, payment institutions need to improve their AML / CFT measures and systems.

How Clari5 helps EU’s PIs quickly comply with EBA’s guidelines
