June 16, 2023. The European Banking Authority (hereinafter: “EBA”) has published a report on money laundering and terrorist financing risks in payment institutions (hereinafter: “ML/FT”). The article is a summary of the 2022 ML/FT risk assessment conducted in the payment services sector. In the course of developing the risk assessment, the EBA required supervisors to complete dedicated AML surveys, analyzed the European Commission’s supranational risk assessments, member states’ national risk assessments and supervisors’ sectoral risk assessments, and reviewed the authorizations for payment institutions in PSD2. The purpose of the risk assessment was to understand the scale and nature of ML/FT risks, assess the effectiveness of payment institutions’ internal systems and controls, the effectiveness of supervisory activities.

Conclusions of the EBA report

The report found the following risk factors with inherent high ML/FT risks associated with the payments industry:

• customer base, particularly non-residents and customers excluded for various reasons by the banking sector;
• the provision of a cash remittance service;
• the prevalence of occasional transactions over lasting business relationships;
• providing services in high-risk third countries;
• high volume and speed of transactions;
• using new technologies for remote customer onboarding;
• provision of services using intermediaries – in this regard, in particular, the EBA notes that some intermediaries do not operate in the financial sector, making their awareness of ML/FT risks at a lower level, which may have a direct impact on the payment institution’s control and supervisory capabilities over such an intermediary.

Outsourcing of professional services vs. “local essence”

An interesting thread in the report is the outsourcing of essential activities. EBA notes that outsourcing can help institutions gain access to specialized services and thus achieve better compliance results, often at competitive prices. However, without adequate safeguards, it can negatively impact an institution’s control and risk management framework.

In addition, outsourcing in a cross-border context could jeopardize the “local substance” of a payment institution, which is required by the PSD2 . “Local substance” refers to the need for payment institutions to be headquartered in the Member State where they apply for authorization and to conduct part of their business there, so that the institutions are effectively managed and controlled in the jurisdiction where they are authorized.

According to, the EBA, the lack of assurance of local substance means a lack of close ties to the jurisdiction in which the payment institution is established, and if the payment institution is not effectively managed and controlled in the jurisdiction in which it is established, this may contribute to limited oversight of the quality of the outsourcing service.

New risks in the ML/FT area

The EBA also identified three new ML/FT risks in the payment institutions sector, including:

• virtual IBAN, used only to redirect incoming transfers to the regular IBAN;
• “white labeling,” that is, payment institutions make their licenses available to independent entities that create their own financial products under that license;
• outsourcing part of the acquiring process to a TPA (third-party-acquirer).

However, it was noted that the aforementioned factors are new and need to be properly observed, so the EBA did not undertake a broader discussion of them in this report.

Awareness ML/FT risks

The report goes on to say that there is primarily a lower awareness of ML/FT risks in the payment institutions sector than in the banking sector.

In addition, the EBA is analyzing the level of misconduct in countering ML/FT by payment institutions, which has resulted in a finding:

• low overall awareness of ML/FT risks;
• lack or insufficient monitoring of transactions;
• insufficient identification and reporting of suspicious transactions;
• failure to implement or insufficiently implement systems of mitigation measures;
• lack of implementation of adequate internal management systems, including lack of use of the three lines of defense system (AML board member, MLRO, supervisor), high turnover in management positions;
• the use of remote onboarding of clients without adequate safeguards.

Conclusions

It should be stated that according to the EBA, the entire payment institutions sector is exposed to higher ML/FT risk overall.

This is due not only to the specifics of the sector, but also to the approach of payment institutions to AML/CFT issues.

However, the report stresses that the payment institutions sector is very diverse, making it impossible to establish a common ML/FT risk level for all payment institutions.

For example, a payment institution providing services only in the country where it is authorized will be less exposed to ML/FT risk than institutions providing services across borders, including to high-risk third countries.