As we move into 2018, the fourth European AML (Anti Money Laundering) Directive is effective.
This has in fact, been the case since last summer.
Some have called the upgrade the most sweeping European AML legislation changes seen in several years and many member states are currently working hard to implement the new obligations.
And when it comes to determining which entities must comply, for payment service providers, this must be done in reference to the first Payment Services Directive (PSD) and also PSD2.
Let’s look at the detail
Article 3(2) of the AML Directive gives us a useful but outdated definition of a ‘financial institution’; making reference to the first PSD still.
It defines such an entity as, ‘an undertaking other than a credit institution which carries out one or more of the activities listed in points (2) to (12), (14) and (15) of Annex I to Directive 2013/36/EU…”.
As I understand it, this could mean that the fourth AML Directive also applies to the new TPP (Third Party Providers) payment players under PSD2: AISPs (Account Information Services Providers) and PISPs (Payment Initiation Service Providers) that is, if the definitions under the AML Directive or PSD2 remain unaltered.
There has been fierce but fun discussion on this when I posted the question to my network (Should TPPs comply with AML laws?) with different people choosing different sides.
Having studied the detail, taking into account (counter) arguments, I am however of the opinion, that TPPs should not be required to comply.
I have three arguments to support this view.
1: AISPs are not required to submit AML policy
The EBA (European Banking Authority) Guidelines on Authorisation and Registration include a guideline on internal control mechanisms outlining the compliance obligations relating to money laundering and terrorist financing (AML and CFT Combatting Financing of Terrorism).
Because AISPs do not have to submit an AML policy, the implication is that they do not have to comply with AML obligations.
However, because PISPs fall under chapter 4.1 (where the guideline is mentioned), this could potentially mean they are not excluded from the AML Directive’s scope.
An argument can be made to say that PISPs should be required to comply.
In my view however this is not within the spirit of the law.
Here’s my second reason why I believe TPPs – so also PISPs, should not be required to comply.
2: No possession of funds
Because money laundering involves (to put it simply) ‘the conversion of illegally acquired property and the concealment and use of them’; without actual possession of funds (property) a party cannot be held responsible.
When it comes to the essential transactions that TPPs facilitate such as payment initiation and account information services, it is important to emphasise that at no point in time, is property possessed.
In addition, payment providers are actually prohibited to hold funds under PSD2.
Through TPP services therefore, there is no possibility for the flow of illicit money. The AML Directive stipulates under its first recital that, “Flows of illicit money can damage the integrity, stability and reputation of the financial sector, and threaten the internal market of the Union as well as international development.”
The intention of the directive is to stop illicit money flows.
Understanding the difference
I believe that it’s important to distinguish between parties that hold customer funds and parties that do not.
This differentiation is also a key element under the PSD, as all regulated entities do possess funds.
PSPs that operate as a gateway only and therefore do not hold funds do not require a license.
The distinction is further emphasized by the renewed PSD2 scope exclusion of technical service providers and the renewed commercial agent. There are many PSPs out there that own the merchant relationship but are not required to be licensed as a Payment Institution (once again, because they don’t hold funds). They are therefore, also not ‘a financial institution’ under the AML Directive, as they do not render the services of the Annex of PSD.
Does EBA provide the definitive answer?
The EBA takes no firm position on whether PISPs should comply with AML obligations and instead, leave this to local legislators.
During the consultation on PSD2, EBA stated: ‘PSD2 does not provide for any exemption for PISPs in relation to AML.’ It might be the case that they are obliged entities under national law: there are other entities that do not enter into possession of funds and are subject to AML regulation.’ (feedback number 85).
I’m not sure if the EBA argument stands ground, because nearly all obliged persons under the AMLD enter into possession of funds (banks, payment institutions, lawyers, trust companies).
The ones that do not (auditors) have such a close position to assets and reviewing these, as well as the company’s (financial) procedures, they are very well placed to detecting money laundering.
I am not sure if the same can be said for PISPs.
3: On the basis of what data?
I further question whether PISPs have the data to act as the gate keeper.
Unless the merchant itself is the TPP initiating the payment (this is a viable option for bigger merchants), any TPP only performing payment initiation would not have much more information on the payment obligation than the bank/ASPSP.
They’d only have this if they provide other payment services and operate as a full PSP.
Let’s also remember that a PISP, by law, may only collect the data that’s absolutely necessary, to enable it to perform its function.
To conclude, I argue that for both AISP and PISP there is no money laundering risk relating to the services of TPPs.
TPPs therefore, should not have to abide by AML obligations.
Do remember that a TPP customer will have already been identified by the bank (the ASPSP) with AML checks at the start of the relationship.
Further, the PSP will have performed these checks on the merchant prior to setting merchant accounts where the consumer makes the purchase.
Both parties involved in the transactions are already therefore, vetted.
We now must wait to see how local legislators/regulators respond and the rulings they take.
Will a consensus be reached or will regional legislators adopt their own compliance standards?
Once again it is a case of… watch this space!
Want to read the full discussion? Go here: https://www.linkedin.com/feed/update/urn:li:activity:6332907897671999488