
The Central Bank of Ireland discovers flaws in payment and e-money providers' AML/CFT screening

THE CENTRAL BANK OF IRELAND (CBOI) has issued a "Dear CEO" letter to banks, warning that it has discovered flaws in the AML/CFT risk protocols of Payment and E-Money firms.

The CBOI letter reaffirms that the entities are designated persons under Ireland's Money Laundering and Terrorist Financing Act 2010.

According to the central bank, lenders must continue to consider risk factors that can increase ML/TF risk. “These factors include, but are not limited to, high transaction limits, the use of cash to fund transactions and the cross border nature of transactions.”

It also outlines its conclusions from recent supervisory engagements with the Payment and E-Money industry, as well as the CBOI's expectations for how firms can handle these.

Approach Based on Risk

According to the central bank, the risk-based approach used by some enterprises in this industry is immature. As a result of certain firms' lack of awareness of ML/TF risk, controls are not as rigorous as they should be, and are not proportionate to their level of risk exposure.

"A specific area of weakness found relates to the transaction monitoring measures used by some firms in this sector. When transaction monitoring controls are not configured correctly, it can lead to a failure to detect suspicious transactions and activity, as well as excessive alerts of potential suspicious activity, which can impact the timeliness of reporting of ML/TF suspicions where firms have formed a suspicion of ML/TF," according to the CBOI.

‘Where distributors and agents carry out AML/CFT controls on behalf of firms, it is imperative that this is completed in line with the firms’ own ML/TF risk assessment and AML/CFT policies and procedures’

“Further development of the risk-based approach is needed to ensure that there is a more comprehensive understanding as to how the products and services of the firm could be used for ML/TF purposes,” it demands.

According to a letter from the Director of Credit Institutions Supervision, Mary-Elizabeth McMunn, the bank's AML/CFT controls should be risk sensitive and adapted to the risks identified as part of the firm's ML/TF risk assessment.

“For example, transaction monitoring controls should be configured to detect where the ML/TF risks identified as part of the ML/TF risk assessment are materialising,” it says.

Distribution Routes

Distributors and agents are common in the Payment and E-Money sector, and they frequently carry out AML/CFT preventive measures, such as customer due diligence (CDD), on behalf of firms.

Weaknesses were discovered, particularly in the oversight of these relationships. The regulator stated that when distributors and agents perform AML/CFT controls on behalf of firms, it is critical that they do so in accordance with the firms' own ML/TF risk assessment and AML/CFT policies and procedures.

"It is critical for businesses to recognise that agents and distributors are an extension of the company itself. We have identified instances where firms have not understood this and have viewed agents and distributors as their customers, despite the fact that they are undertaking activities defined in the legislation on behalf of the firm and under the firm's full and unconditional responsibility," the CBOI warns.

“Where there is an inappropriate level of oversight of the agents and distributors, it can lead to a situation where firms do not have a full understanding of the ML/TF risks presented by their actual customers, i.e. those that avail of the products and services,” it says.

The central bank requires enterprises to exert reasonable oversight of agents and distributors, as well as to perform a suitable amount of continuing assurance.

"Firms must conduct proper assessments of their agents and distributors who perform activities on their behalf. The results of any testing performed as part of the oversight of these arrangements should be included in management information generated for the Board of Directors and senior management.

"However, it is critical that enterprises recognise that the obligation for carrying out customer risk assessments and CDD on the end user of the products and services ultimately remains with firms," it reads.

Derogation for Electronic Money and Simplified Due Diligence

The Irish AML Act has a CDD exception for certain e-money products, and the CBOI claims it has uncovered certain instances of this concession being misused.

According to the bank, this misunderstanding of simplified due diligence (SDD) resulted in an inaccurate level of CDD being applied to consumers in specific cases.

“E-Money firms should only avail of the derogation [contained in Section 33A] in circumstances where it is appropriate to do so and where all the criteria have been met. Firms should be aware that the derogation is not available where other high risk factors are present, for example, where the customer is a politically exposed person (PEP) or where the customer concerned is established, or resident in, a high-risk third country,” says the CBOI.

"We want simplified due diligence to be performed only where appropriate and where the firm has conducted a risk assessment of each particular relationship, and where doing so is justified on the basis of the reduced level of risk provided," the regulator concludes.

According to the central bank, it is attempting to find a balance that will allow the advantages of innovation and growth to be realised while ensuring that risks are handled and mitigated.

"Firms must not overlook the identification and control of additional potential risks that may result in consumer harm or have an impact on their financial and operational health," it states.

"The Central Bank expects all enterprises in the sector to consider this letter with their Board, and to reflect on the supervisory conclusions called forth.

"Firms shall progress the completion of a specific audit of compliance with the safeguarding requirements under the PSR/EMR as specified in section 2 above, which should be reported to the Central Bank by 31 July 2023.

"We want enterprises to take proactive measures to ensure robust and adequate governance and control structures are in place, so that Payment and E-Money firms can grow safely and sustainably, and contribute to the financial ecosystem in a constructive way.

"In the context of our strategic theme of being 'Open and Engaged' we will continue to engage with firms, and representative bodies of the Payment and E-Money sector, to deepen our own understanding of this evolving sector and enhance transparency around our approach to, and judgements around, regulation and supervision. Furthermore, we plan to continue to proactively publish our supervisory findings in order to stimulate improvements to enterprises' governance, risk management, and internal control frameworks, notably concerning sectoral safeguarding," it continues.


