European Banking Authority Finds Payment Sector AML/CFT Controls Lacking

Concluding an assessment performed in 2022, the European Banking Authority (EBA) has found that firms in the payments sector are deficient in their controls against money laundering and terrorist financing (ML/TF). It also found that, despite the significant ML/TF risks facing the sector, certain European Union (EU) authorities are not sufficiently supervising the sector’s anti-money laundering and combatting the financing of terrorism (AML/CFT) management. This makes it possible for firms lacking proper AML/CFT measures to conduct business in the EU by establishing themselves in countries with insufficient supervision. 

The assessment was conducted per the EBA’s founding regulation, which requires the regulator to perform sectoral risk assessments establishing “significant risks” in the European financial sector.

AML/CFT Risks and Weaknesses Identified

The report noted several elevated risk areas for the payments sector that should be fully considered in firms’ AML/CFT risk assessments and risk management frameworks. These risks are connected to realities inherent to the payments industry, including the high use of cash, high-volume/high-speed transactions, shorter-term business relationships, and operation in riskier jurisdictions.

In light of these risks, the report also identified seven key areas of weakness that need to be addressed in the payment sector:

• Poor AML/CFT awareness – This area remains a fundamental weakness despite some overall improvements over time. One reason for this shortcoming was inadequate AML/CFT personnel training.
• Insufficient transaction monitoring – Cited as a “pervasive” shortcoming by multiple supervisors in the sector, with some firms lacking monitoring entirely.
• Insufficient detection and reporting of suspicious transactions – The sector’s poor understanding of related risks limits what can be effectively identified as suspicious. In addition, it appears certain firms rely on credit partners’ controls rather than implementing their own as EU law requires.
• Failure to implement systems and controls to comply with restrictive measures – Connected to a lack of understanding regarding restrictive measures, this shortcoming relates specifically to ongoing customer and transaction screening, which is either sporadic or nonexistent.
• Weak arrangements for internal governance – Particularly for new firms prioritizing rapid growth, there is a lack of AML/CFT systems based on clearly-established lines of defense, and a high turnover combined with inappropriate involvement of shareholders further undermines sound risk governance.
• Poorly understood and managed TF risks – Despite the payments sector’s higher TF risks, understanding of said risks are lacking, and an over-reliance on sanctions screening without additional TF risk control measures.
• Lack of appropriate safeguards for remote onboarding – Supervisors in the sector highlighted a chronic failure to identify high-risk customers – such as politically exposed persons (PEPs) – at onboarding.

Data from the EBA survey indicated that the sector’s top AML/CFT breaches occur in ongoing monitoring and transaction monitoring, customer risk assessments, and internal AML controls, policies, and procedures. This data was corroborated by information from the EU’s early warning tool, EuReCA, which indicated the same top three categories. As a tool established in 2022, this resource is already showing promise as it contributes to information needed to improve the EU’s overall AML/CFT risk framework.

Emerging Risks

In addition to the risks and weaknesses highlighted, the regulator emphasized three emerging issues that should be on firms’ radars in the payments sector. They are:

• White labeling – When a payment firm engages in “white labeling,” it provides its license to an independent third party for business purposes. Because this allows the third party to create their own product under that label, firms should be aware of the increased TF risks accompanying this practice.
• Virtual international bank account numbers (IBANs) – Because a virtual IBAN cannot hold a balance, they cannot serve as an account in their own right and only function as intermediaries while transferring funds from one place to another. Their virtual status can enable funds’ origins to be obscured and heighten the risk of ML/TF.
• Third-party merchant acquiring – when a payment processor (the “merchant acquirer”) outsources part of the process to a third party (a “third-party acquirer” or TPA), this means that for the outsourced processes, the acquirer is dependent on the third-party’s existing AML/CFT controls (or lack thereof) rather than their own. This segmentation makes it more likely that illicit transactions will be processed through the TPA.

Key Takeaways

In responding to this assessment, firms operating in the EU payments sector should take full stock of the current state of their AML/CFT framework, beginning with an enterprise-wide risk assessment (EWRA) that takes the EBA’s top sectoral risks into account. This EWRA should further specify which unique risks a given firm is most exposed to in order to target AML/CFT processes most effectively. 

As part of this process, firms should conduct a full independent audit of their AML/CFT program to identify weaknesses or oversights in light of their established risks. This should include a view of any third-party partners that may be partially responsible for risk management over specific vital processes, such as any TPA partners. It should also include a clear idea of personnel and supporting technology needed for effective AML risk management. This entails comprehensive training for all risk management personnel, as well as plans to upgrade outdated systems that cannot effectively keep up. 

An artificial intelligence overlay may be a cost-effective yet efficient starting point for firms not yet ready to overhaul an older system. It can help supercharge existing transaction monitoring systems by prioritizing the riskiest alerts – so analysts’ investigative time is spent more effectively.