EBA finds ineffective management of EU payments firms’ money laundering/terrorist financing risks

What’s the background to the EBA’s risk assessment?

Article 9a(5) of Regulation (EU) 1093/2010 (EBA founding regulation) mandates the EBA to perform risk assessments on significant ML/TF risks affecting the EU’s financial sector.

The EBA drew on a number of sources to inform this risk assessment, including:

• the findings of the EBA peer review on authorisation of PIs under the revised Payment Services Directive (2015/2366/EU) (PSD2);
• data extracted from the EBA’s anti-money laundering/counter terrorist financing (AML/CFT) database, EuReCA (available here);
• questionnaire responses;
• bilateral interviews with selected EU supervisors;
• national and supervisory assessments of ML/TF risks in the sector; and
• other information available to the EBA through its work on ML/TF risks and supervision.

What was the aim of the EBA’s risk assessment?

The objective of the EBA’s 2022 assessment of ML/TF risks in the PIs sector was to better understand:

• the scale and nature of the ML/TF risk associated with the PIs sector;
• the extent to which PIs’ AML/CFT systems and controls are adequate and effective in tackling those risks; and
• the extent to which current supervisory approaches to tackling ML/TF risk in PIs are effective.

What were the EBA’s main findings?

PIs’ risk management is not always effective in view of the sector’s high inherent ML/TF risks

According to the EBA’s report, AML/CFT supervisors across Europe consider that PIs, as a sector, represent high inherent ML/TF risks. However, the systems and controls that PIs put in place to mitigate those risks are not always robust enough to mitigate the ML/TF risks identified. ML/TF risk awareness within the sector is also perceived to be limited.

Some AML/CFT supervisors don’t adjust supervisory approach to reflect level of ML/TF risks

The EBA found that not all AML/CFT supervisors base the frequency and intensity of on-site and off-site supervision on the ML/TF risk profile of individual PIs, and on the ML/TF risks in that sector.

There is inconsistent assessment of AML/CFT components of PI authorisation processes

Supervisory practices at authorisation vary significantly, and AML/CFT components are not assessed consistently. This means that PIs with weak AML/CFT controls can operate in the EU, for example by establishing themselves in Member States where authorisation and AML/CFT supervision processes are less stringent and then passporting their activities cross-border.

Use of agents by PIs carries a significant inherent ML/TF risk

There is no EU-level common approach to the AML/CFT supervision of agent networks, or the AML/CFT supervision of PIs with widespread agent networks. The use of agents by PIs carries a significant inherent ML/TF risk, especially in a cross-border context.

Impact on integrity of the EU’s financial system and on de-risking

The report points out that failure to manage ML/TF risks in the PIs sector can impact the integrity of the EU’s financial system. In addition, failure to address those risks will undermine efforts to improve access by PIs to payment accounts as ML/TF risks are a ‘root cause of de-risking’.

What action should be taken as a result of the report?

More robust implementation of existing EBA Guidelines by national supervisors and PIs

As several of the report’s findings relate to issues addressed in current EBA Guidelines - in particular the risk factor guidelines and the guidelines for risk-based supervision - the EBA states that more robust implementation by supervisors and institutions of provisions in these guidelines will go some way towards mitigating the sector’s exposure to ML/TF risks.

Changes to the EU legal framework

However, the EBA makes it clear that other findings require changes to the EU legal framework, for example:

• establishing a more consistent approach to assessing the AML/CFT component of the authorisation of PIs;
• reinforcing the consideration of ML/TF risks in the process of passporting notifications and ultimately establishing clear and coherently interpreted provisions for objection, on ML/TF risk grounds, in the passporting context; and
• ensuring more consistent treatment, by Member States, of agents of PIs in the cross-border context, including a more coherent approach to the AML/CFT supervision of such agents across Europe.

The EBA’s technical advice on the review of PSD2 and the EBA’s peer review on authorisation under PSD2 contain further detail on these points.

Further assessment of emerging ML/TF risks

The emerging ML/TF risks identified by national competent authorities - namely ‘white labelling’, virtual IBANs and third-party merchant acquirers - will need further assessment by the EBA.

Next steps

Findings of the EBA’s risk assessment will be fed into its bi-annual ML/TF risk assessment exercise under Article 6(5) of the Fourth Anti-Money Laundering Directive ((EU) 2015/849). See also the points identified under ‘What action should be taken as a result of the report?’ above.

If you would like to discuss any aspect of the EBA’s risk assessment findings, please get in touch with one of the lawyers listed above or your usual Hogan Lovells contact.

Authored by Virginia Montgomery.