AMLA in the payments space

Anti-money laundering requirements have applied to payment services providers since the very First Anti-Money Laundering (“AML”) Directive (1991) in the case of banks. Other providers have been brought into scope as and when they emerged, with electronic money institutions expressly brought within scope under the Third AML Directive (2005), via an expanded definition of “financial institution,” which was also broad enough to capture payment institutions (first regulated under the first Payment Services Directive in 2007) when they emerged a little later.

As a result, payment service providers have been through several iterations of money laundering directive as the scope, conduct requirements, level of application, and customer due diligence requirements have developed.

As one would expect these entities will necessarily be affected by the general changes to policies and procedures, information sharing, due diligence and the beneficial ownership, and outsourcing requirements being introduced by the Sixth Money Laundering Directive (AMLD6) (covered in other articles on our AMLA Hub).

As discussed in these articles, uncertainty introduced by the legislative drafting, and draft Regulatory Technical Standards, makes certain aspects of these changes hard to deal with.

Banks and other payment firms may need to revisit their approach to KYC given:

• More prescriptive requirements relating to client identity verification,
• Specific requirements for ID&V in face to face, and crucially in non-face-to face, client on boardings,
• changes to the definition of ‘beneficial owner’ and the level of investigation potentially required (For example, Article 52 suggests that due diligence should include an assessment of “all shareholdings on every level of ownership” to determine who owns the corporate customer, and Article 53 defines control as the possibility to exercise significant influence.)

However, of particular importance to the payments landscape will be the new requirements relating to virtual IBANs.

What are virtual IBANs?

A virtual IBAN (“vIBAN”) is a unique, digitally-issued International Bank Account Number that functions like a regular IBAN for receiving payments, but doesn’t correspond to a physical bank account. Instead, it's linked to a master (real) bank account, allowing funds received to be automatically routed there.

Using vIBANs, businesses do not need to operate multiple bank accounts. Instead the business can hold just one account to which it can link customers, regions or purposes of payment by assigning different vIBANs. Since each customer or transaction can be tied to a unique vIBAN, tracking payments is easier and faster.

With specific reference to the payments landscape – vIBANs are a powerful tool, especially as the payments ecosystem becomes more digital, global, and complex.

For example, in the case of merchant acquiring, the acquirer intermediates between the card schemes (e.g. Visa and Mastercard), processing credit/debit card payments on behalf of its merchant and settling their transactions, rather than each merchant needing to engage with issuers via those schemes directly.

Virtual IBANs can be used by an acquirer to streamline settlement, reconciliation, and payouts in multi-merchant environments, with each merchant getting a dedicated virtual IBAN for receiving funds (e.g., from card scheme settlements). The acquirer can even assign one vIBAN per merchant, per currency, or even per payment method.

Their use enables instant identification of which merchant the funds belong to, and eliminates the need for complex reference matching. This can deliver faster reconciliation, meaning acquirers can offer faster settlement to merchants (e.g., same-day payouts).

They also enable the acquirer to grow its merchant base, with the ability to operate in multiple countries allowing (for example) a French merchant to receive payments using a FR IBAN even if the acquirer is based in the UK or Lithuania. This reduces reliance on slower, more costly, payment rails to effect cross-border transactions.

Consequently, vIBANs underpin reduced-friction, low-cost domestic and cross border e-commerce.

When do vIBANs present money laundering risks?

The use of vIBANs can present money laundering risks by facilitating less transparent payments from the perspectives of identifying the payee/payer and identifying the domestic/cross-border nature of the transaction. This can blind payment institutions to the risks of the transaction they are engaged in, and can be attractive to criminals seeking to exploit weaknesses in payment transparency.

Some of the challenges (and benefits) of vIBANs are summarised in the EBA Report on virtual IBANs.

What does AMLR do?

AMLR requires firms to identify and verify natural or legal persons using any vIBAN they issue and the associated bank or payment account. AMLR also requires the firm servicing the physical account associated with the vIBAN to put in place arrangements under which the firm can obtain that identification and verification information as it relates to any natural person using a vIBAN from the vIBAN issuer within 5 working days of request. (Article 22(3)).

Current drafting in the proposed RTS states the information that must be obtained and verified is:

• the information required under Article 22(1) to identify and verify the identity of the legal or natural person,
• the vIBAN number assigned to that person, and
• the dates on which the associated bank or payment account was opened and, where applicable, closed.

What clarity do firms need to implement these new requirements?

A key purpose of AMLR is to harmonise the approach taken to AML across the EU. However, for firms, and their local regulators, to remain harmonised in respect of the vIBAN requirements, there needs to be a consistent understanding of key words and phrases in Article 22. Specifically, clear guidance is needed to understand what is meant by the following words or phrases:

• “servicing”
• “issuing”
• “using the associated bank or payment account”
• “redirects payments”.

A lack of clear guidance could lead to material financial impacts for banking and payments firms, EU retailers and EU consumers. In particular, it could affect the ability for firms to compete on a level playing field.

When reading Article 22 in conjunction with the current draft RTS, we believe there could be three potential interpretations. These different interpretations can have very different outcomes, some of which could have material implications for online retail, as illustrated here:

Scenario 1

In the first scenario, we interpret "issuing" as referring to the entity with the regulatory permission to issue a payment instrument (i.e. the bank). In this scenario, the bank ‘issues’ the vIBAN to its commercial counterparty (the merchant acquirer) who, as ‘servicer’, in turn provides them to their customers (the merchants), who use them to receive payments from their underlying customers

Under this interpretation of Article 22, ID&V requirements are duplicated with both the Bank and the Merchant Acquirer required to perform ID&V on the underlying users (the merchants).

The Bank would be required to do this under Article 22, whereas the Merchant Acquirer would be required to do this under Article 20, in its capacity as the obliged entity holding a business relationship with the merchant. It is unclear in this scenario why Merchant Acquire would need access to the ID&V records of the Bank pursuant to Article 22, since it would have its own ID&V records to rely on due to its obligations as an obliged entity under AMLR in its own right.

This could have material costs consequences for the Bank. For example, if the Merchant Acquirer has 100 online businesses using its services, instead of screening just the name of the Merchant Acquirer and processing the results of that screening (which is how Banks would currently operate) the Bank would under this example now be screening 101 names in order to provide banking services to this merchant acquirer.

Additionally, the Bank will need to consider whether it needs (and has the contractual rights) to address the results of any such screening. For example, if a merchant is not eligible for an account with the Bank (due to divergence in laws or regulatory requirements applicable to the Bank from those applicable to the merchant acquirer), does the Bank need the right to require the merchant acquirer to exit its relationship with the online retailer? What happens if there are any legal prohibitions on the merchant acquirer effecting that exit (e.g. access to payments laws under which the Bank has legitimate grounds to exit the relationship, but the merchant acquirer does not)?

These costs and additional risks could have wider economic impacts, such as:

• the pass-through to EU retailers and consumers of any additional business costs charged by the Bank to the merchant acquirers, and
• costs to EU retailers and consumers arising from any reduced competition in the merchant acquirer market.

Competition impacts might arise where, for example, these additional requirements leave the Bank with a lower business or risk appetite for the number or type of merchant acquirer customers it is able to provide banking services to. Lower business or risk appetites from banks could affect:

• the availability of infrastructure services to merchant acquirers,
• higher practical barriers to market for new merchant acquirers, and
• the need for market consolidation in the merchant acquirer market.

This seems at odds with the EU’s agenda for swift, low-cost payments and avoiding unbundling. It essentially prevents EU retailers and their customers from accessing online payments services until the retailer has had ID&V performed by two different obliged entities.

Further, since a servicer could use its rights of access to ID&V information to perform its own ID&V, (although AMLA’s draft RTS suggests it could only do so for customers it has assessed as low risk (simplified due diligence)), where a Merchant Acquirer uses this right, this could lead to a lower costs model and competitive advantage for the Merchant Acquirer over the Bank’s own payments services.

Scenario 2

In the second scenario, we interpret "issuing" as referring to the entity actually distributing the vIBANs for use (i.e. the merchant acquirer), with the Bank acting as ‘servicer’.

Under this interpretation:

• Obligations to ID&V the merchant acquirer’s customers remain solely with the merchant acquirer.
• This approach appears consistent with the EU’s approach to payment transparency. For example, under the EU’s payment transparency regulations (Regulation EU 2023/1113) the bank is not expected to unbundle payments to look through to the individual payers. Further, this aligns with the EU’s drive to faster, cheaper payments for EU consumers as a cornerstone principle for the recent changes to EU rules for SEPA payments.
• In Scenario 2, “servicing” means the account administration activities of Bank, such as providing bank statements and processing the payment instructions of the merchant acquirer.
• Pursuant to its obligations under Article 21 the Merchant Acquirer will have the ID&V information on the merchants (the Users), which can be shared between FIUs under AMLD6 if the Bank’s local FIU needs this information. For example, to investigate any suspicious activity, trace cross-border transactions and/or prosecute bad actors.
• Via the registration requirements of AMLD6 Article 16(3), the Merchant Acquirer and its users local FIUs will have visibility over the account holder for the physical account into which the Merchant’s payments are being made. Article 16(3) requires Member States to include vIBANs and the identity of the holder of the physical account (i.e. the merchant acquirer) on the central bank account registers. AMLD6 also expects Member States to facilitate cross-border access to these registers for FIUs of other EU Member States.
• In combination, these principles appear to mitigate the risks arising from lack of visibility that the EBA identified in its report on virtual IBANs. It provides visibility over the parties using the vIBAN and the holder and location of the physical account. Further, it provides a legal framework through which the Bank can access the underling ID&V for any individuals using the account if it needs to (see in particular the risks and mitigants outlined in paragraphs 45 and 46 of the EBA’s report on virtual IBANs).

It is, however, unclear in this scenario why the Bank would need the dates of the opening and closing of the account from the Merchant Acquirer (per the requirements of the draft RTS) given the Bank's firsthand knowledge of this. The Bank already has this information to hand for the purposes of making the necessary registrations in the central bank account registry.

Scenario 3

A further scenario is a "hybrid of Scenarios 1 and 2, whereby "issuing" captures both the Bank (as the entity with permission to issue a payment instrument) and a Merchant Acquirer as the entity that onward distributes the vIBANs to the Merchants. Both the Bank and the Merchant Acquirer therefore being ‘issuers’, with the Bank also acting as ‘servicer’.

This would likely create similar outcomes to those described in Scenario 1, above, with duplicative requirements and increased cost for the Bank.

In our view, the risks identified in the EBA’s note could be mitigated through the adoption of the interpretation approach in Scenario 2, without creating any of the potentially unintended consequences outlined in Scenarios 1 and 3.

Under Scenario 2, even if the Merchant Acquirer were a non-EU merchant acquirer, under Article 22(3) the Bank would still be able to obtain the ID&V information on any individuals using the account within 5 working days. This mitigates the risks of the Bank not being able to fully satisfy any concerns it may have about the use of the account or the transactions going through the account for personal benefit of a bad actor. It also mitigates the risk for the FIU in the Bank’s Member State, as it allows them access to information concerning the individuals sitting behind the payment flow.

Further, the account holder’s information would still appear on the central banking register for the Merchant Acquirer's Member State, for the purpose of tracing the account holder and account bank, should that be needed for an FIU investigation, for example.

Of course, the scenarios above are simplistic descriptions of what is often a much more complicated network of counterparties consisting of merchant acquirers and sub-merchant acquirers (the draft RTS in the EBA’s initial call for evidence made express reference to the potential for multiple ‘issuers’ through a chain of payment service providers, although AMLA has not included this in its draft RTS). Any confusion as to what is meant by issuing could quickly lead to an extremely confused picture as different regulators take different views.

What steps should banks and payments firms be taking now?

Seeking clarity on the meaning of these words and phrases through AMLA’s current consultation on the draft RTS may be critical to avoiding any unintended consequences. In doing so, providing worked examples of the potential impacts of each interpretation gives AMLA the opportunity to make considered decisions that balance money laundering risk against any financial or access-to-service impacts on EU retailers and consumers.

For example, illustrating in your consultation response where:

• material changes in cost and resources could impact the charges passed through by the bank and/or the merchant acquirer to its customers (and ultimately to consumers), or
• to maintain effective financial crime controls, banks or merchant acquirers may also need to limit the number of relationships they are able to enter into, and the impact this might have on access to services for online retailers (and ultimately, consumers).

You may also want to use your consultation response to seek guidance on some of the practical requirements of Article 22(3), such as what “information verifying the identity” means. For example, if electronic ID&V tools were used, is the issuer providing a copy of the pass/fail log in its systems, or the information input at the front-end, or both?

Additionally, when considering how to operationalise the new requirements for vIBANs, you should also give some thought to the AMLR expectations for more robust (near) real-time transaction monitoring. Whilst vIBANS can help deliver this due to the additional layer of granularity they can provide, they are more demanding to operate:

• Acquirers will need to implement real-time monitoring systems, centralized data management, automated SAR filing tools,
• Additionally, they may need more specialized compliance personnel, ongoing training programs, and larger AML teams and will be required to make frequent, detailed reporting to regulators.
• Enhanced due diligence can slow onboarding, increase customer support costs, and require more resources to manage investigations or freezes.

This may mean more transparency, but it potentially brings more onboarding steps and potentially increased costs passed on from the acquirer in connection with the using of vIBANS.

For example, for the required CDD to be performed, it may be necessary to unbundle payments made through merchant acquirers, or using virtual wallets or money service businesses. This may create the costs and friction to consumers and online retailers the EBA was so careful to avoid in its guidance on the EU’s funds transfer regulations (EU Regulation 2023/1113).

Further, the cost of implementation (both in terms of investment and resources) should not be underestimated.

Authored by Charles Elliot and Ann Đoàn.