By Samantha Sheen, AML Director Europe, ACAMS
27 April, 2017

Consultation Paper: Draft Guidelines on the measures payment services providers should take to detect missing or incomplete information on the payer or the payee, and the procedures they should put in place to manage a transfer of funds lacking the required information

or

ESA: Proposed Guidance for PSPs

Never trust a person that has let you down more than 2 times.  Once was a warning, twice was a lesson and anything more than that is simply taking advantage. (Anon)

Introduction

On 5 April 2017, the European Supervisory Authorities (the “ESAs”) published the Guidance for PSPs for consultation.  The proposed Guidance follows on from EU Regulation 2015/847 (“PSP Regulation”). 

The PSP Regulation specifies the information that must accompany a fund transfer about both the payer and the payee. The PSP Regulation also requires that effective procedures be in place to detect when transfers lack information about the payer or payee, when this information has been omitted and, based on this, whether to execute, reject or suspend the transfer. Its requirements are designed to ensure that the identity of the both the payee and payer can be identified.

The Guidance for PSPs

The Guidance builds upon the previous guidance with the somewhat longer title, “Common understanding of the obligations imposed by European Regulation 1781/2006 on the information on the payer accompanying funds transfers to payment service providers of payees“.

What is important to note, however, is that the Guidance is expected to form the basis by which regulators who supervise PSPs assess the adequacy of the measures they adopt in order to comply with a number of the requirements in the PSP Regulation. In this blog I’ll be using the terminology used in the Guidance document, so you can find the definitions there rather than my replicating them here in this blog. 

Messages with Missing or Incomplete Information

Practice Note: Complete information about the payee and payer is necessary to effectively monitor and screen parties against economic sanctions and other financial crime related databases. Wire striping and the entry of “nonsense” data instead of the actual names of payer/payees onto fund transfer forms are some of the techniques used to circumvent these controls.

The part of the Guidance which has piqued my interest is in how PSPS should manage situations where a fund transfer does not include information about the payer and payee. The Guidance describes the steps that should be taken:

Step 1

The sending PSP should be asked to provide the missing information. It’s assumed here that the transfer will be suspended pending receipt of the information. A reasonable timeframe should be set in which the information must be provided.  The Guidance suggests that this would be up to 3 days for intra-EEA transfers and 5 days for transfer from outside the EEA. 

The PSP should consider how this failure (including the sending PSP’s attitude to responding to the request), affects the PSP’s money laundering or terrorist financing risks and where, appropriate, carry out real time monitoring of any other transactions received from that sending PSP.

Step 2 – No Answer Provided

If the sending PSP doesn’t answer, the PSP should consider sending a reminder or warning, telling them that if they do not answer, they will be classified as “repeatedly failing” and then be subject to high risk monitoring measures and also be told that all future transactions may be rejected.

Step 3 – Still No Answer Provided

At this point, a PSP can do one of three things: (1) reject the transfer and potentially terminate the relationship, (2) suspend the transfer until the information shows up and take the measures described in Step 2 above or (3) execute the transfer.

If the PSP elects to reject the transfer, it should explain why (e.g. information about the payee was missing), but is not required keep chasing after the missing information. The PSP should also decide whether to file a SAR. The Guidance also suggests that before terminating a relationship, especially whether the sending PSP is a respondent bank from a third country, the PSP should consider whether it can manage the risk in other ways, such as by applying EDD as required under the 4AMLD.

The PSP can elect to suspend the transfer, however the Guidance does not say how long it needs to wait for an answer before it can decide whether to reject or execute the transfer.

The PSP can decide to execute the transfer and maintain its business relationship with the sending PSP.  On what basis might this be acceptable?  FATF Recommendation 5, for example, requires that where a financial institution is unable to comply with its stated CDD requirements (i.e. identifying the customer and, where relevant, beneficial owner), the institution should not commence business relations, perform the transaction or terminate the business relationship. So how is it possible for a PSP to continue a business relationship with a sending PSP who is unable/unwilling to provide information about the payee or payer?

The Guidance encourages a slightly different approach by asking PSPs to take a cumulative approach in deciding whether a sending PSP should be classified as “repeatedly failing”.  This includes considering the sending PSP’s overall level of cooperation to previous requests for missing information, the type of missing information, the percentage of transfers with missing information in the past and the percentage of follow-up requests that went unanswered.

Furthermore, having executed the transfer, the PSP should still try ex-post to obtain the missing information with records being kept of these attempts. This information should be used in deciding whether a sending PSP should be classified as “repeatedly failing” and thus classified as high risk.

This all seems to suggest that a softer approach is encouraged by the Guidance as compared that described by FATF Recommendation 5.  And it doesn’t quite seem to align with the measures proposed in Step 2 above where the PSP is supposed to warn the sending PSP that they will be reclassified as “repeatedly failing” when, in fact, this may not be the actual outcome given the quantitative and qualitative factors to be considered before assigning this classification.  There could be instances where this warning is given but follow-though is not possible as it is not supported by the available information held about the sending PSP.

Conclusion

It is admirable that the ESA has taken the brave step of recognising that de-risking could be the unintended consequence of complying with the measures proposed in the Guidance. I also agree that direct engagement and explaining what information is required is a more constructive way to resolve these matters. I further agree that terminating relationships for isolated events caused by mistake could be seen as an extreme and disproportionate response.

But I’m still not sure that warning PSPS that they could be essentially classified  as high risk will really have the intended effect, unless there is evidence that this forms a part of a repeated and escalating pattern of conduct.  Otherwise, these warnings may simply fall on deaf ears.

Also, I am not sure about the suggestion that the risks posed by missing payee/payer information might be instead addressed by conducting EDD. If a PSP is unable or unwilling to provide information about a payer/payee, this raises a red flag about the adequacy of their AML controls. Not being able or being unwilling to identify the payer/payee compromises a PSP’s ability to effectively undertake transaction monitoring and sanction screening. Without that information, which is often the crux of most CDD enquiries, it is difficult to see how effective EDD measures can be undertaken without it.

It might be that the reason why information is missing is down to the resourcing (i.e. not enough staff or automated tools at the sending PSP) or poor training.  But the AML risks remain the same. And it’s open to question how many PSPs would be willing to continue a relationship with a sending PSP who has a habit of leaving crucial information off of fund transfer messages, especially where a single transaction with a designated party under an economic sanction is sufficient to attract liability for the PSP who has processed the transaction.

I’m looking forward to reading the responses from PSPs to the Guidance.  The deadline to submit comments is 5 June 2017.

For a copy of the full text of the Guidance for PSPs, see:  http://www.eba.europa.eu/news-press/calendar?p_p_id=8&_8_struts_action=%2Fcalendar%2Fview_event&_8_eventId=1807811

For a copy of the PSP Regulation, see: >http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32015R0847

For a copy of  the “Common understanding of the obligations imposed by European Regulation 1781/2006 on the information on the payer accompanying funds transfers to payment service providers of payees“, see: >http://www.eba.europa.eu/-/the-three-level-3-committees-publish-today-their-common-understanding-in-relation-to-the-information-on-the-payer-of-accompanying-fund-transfers-to-payees