top of page

Emerging Risks in Payment Institutions: AML Concerns Highlighted by European Banking Authority

The European Banking Authority (EBA) has conducted a money laundering assessment of payment institutions and identified three main emerging risks. These risks are specifically related to "white labelling," virtual International Bank Account Numbers (IBANs), and third-party acquirers.

Emerging Risks in Payment Institutions: AML Concerns Highlighted by European Banking Authority

The EBA defines "white labelling" as a rising trend where payment institutions make their license available to independent agents who develop their own product under the regulated financial institution's license. The concern is that these agents may have control over the business relationship, including communication with payment service users, possession of funds, and control of the financial flow. This can increase the risk of money laundering and terrorist financing, especially if the payment institution is ill-equipped to manage such risks.

The issuance and use of virtual IBANs by payment institutions is another emerging risk highlighted by AML supervisors in various countries. Virtual IBANs resemble regular IBAN codes but cannot hold actual balances; they are used to reroute incoming payments to a regular IBAN linked to a physical bank account. The use of virtual IBANs can create ML/TF risks by obfuscating the geographic location of the underlying account, potentially leading to supervisory gaps and non-compliance with applicable AML/CFT frameworks.

Third-party merchant acquiring, where the merchant acquirer outsources certain parts of the acquiring process to a third-party acquirer, has also been identified as an emerging risk. The third-party acquirer (TPA) performs services for the merchant on behalf of the acquirer and is responsible for complying with AML/CFT laws. However, if the TPA's AML/CFT program is vulnerable to money laundering, terrorist financing, or sanctions violations, the acquirer can be exposed to the risk of indirectly processing illicit funds. This segmentation of the acquiring business increases ML/TF risks, including transaction-based laundering and other fraudulent activities.

Furthermore, the EBA outlined seven high inherent ML/TF risk factors associated with payment institutions, including the customer base, cash-intensive nature of services, prevalence of occasional transactions, high-risk jurisdictions, volume and speed of transactions, use of new technologies for remote customer onboarding, and the distribution channel used, particularly the network of intermediaries.

Payment institutions that provide cash-based money remittance services without entering into a business relationship triggering customer due diligence (CDD) measures are considered to have increased ML/TF risks. On the other hand, account information service providers (AISPs) are seen as having limited inherent ML/TF risks since they are not involved in the payment chain and do not hold customer funds. However, most AML/CFT supervisors assess payment institutions' AML/CFT controls as insufficient to effectively mitigate those risks.

The EBA also highlighted the risks associated with geographical factors, such as money remitters operating in areas where credit institutions are less present, creating higher levels of ML/TF risk in transfers to third countries. Risks linked to anonymity and cash transactions were also identified, including products and services allowing anonymity through new technologies, high-speed transactions, use of cash, and one-off transactions without associated payment accounts.

The use of intermediaries, including agents, in the delivery channels of payment institutions was deemed a significant risk by supervisors. The widespread use of intermediaries allows payment institutions to reach customers, especially in areas with limited access to financial services, but it also creates challenges in oversight and control, leading to AML systems and controls weaknesses.

Outsourcing was identified as another area of concern, as it can undermine the overall control and risk management framework of institutions. Cross-border outsourcing can jeopardize the "local substance" requirement, which refers to the need for payment institutions to have their head office in the jurisdiction where they obtained authorization. Failure to ensure local substance hinders effective management and control, contributing to limited oversight of outsourced services.

Brexit-related risks were also mentioned, particularly the relocation of payment institutions previously headquartered in the UK to the EU. The increased number of authorizations requested within a limited timeframe posed AML challenges, and some payment institutions that relocated to EU member states were found to have inadequate AML/CFT systems, controls, and compliance culture.



bottom of page