Top Takeaways from the EBA’s Report on the ML/TF Risks of Payment Institutions

The European Banking Authority (EBA) recently released a report on its 2022 review of the money laundering/terrorist financing (ML/TF) risks of European payment institutions (PIs). There are nearly 900 authorised PIs in the EU which are subject to Directive (EU) 2015/849 (‘AMLD’) for anti-money laundering and terrorist financing (AML/CFT) purposes. While many of the EBA’s findings are specific to the supervisory regimes in the EU member countries and the enhancements that are needed to improve oversight of the PI industry, the industry-specific findings have broad implications for PIs across the region and globally.

The following are our key takeaways:

PI ML/TF Risks

While not all payment institutions are exposed to the same level of ML/TF risk, the ML/TF risk of the payments industry is generally viewed as High. Despite some improvement in recent years, the ML/TF control frameworks for payment institutions are still insufficient and do not result in reducing the residual risks of these companies. In addition to internal risks (including, but not limited to, the transactional vs. relationship nature of the business, high volume and high speed of activity, geographic risk, distribution channels which rely on agents and intermediaries, and the growth in virtual vs. in-person business), PIs are highly vulnerable to third-party outsourcing risk, including outsourcing to third-party merchant acquirers.

The industry also faces emerging risks, such as the growth of “white labeling”, whereby PIs make their licenses available to independent agents which develop their own products under the license of the regulated financial institution, and the use of virtual IBANs, which creates ML/TF risk because they obfuscate the geography where the underlying account is located; this risk creates gaps in supervisory coverage. The industry also currently faces “Brexit risk” related to the relocation of institutions, previously headquartered in the UK, to locations in the EU. The relocation of PIs previously authorised in the UK led to an increased number of authorisation requests within a limited timeframe, potentially resulting in some players being authorised with requirements that they uplift their ML/TF programmes. Until their programmes are uplifted, these PIs are exposed to greater ML/TF risks.

PI ML/TF Controls

Common control deficiencies identified included the following:

A poor overall awareness and understanding of ML/TF risk.
Insufficient transaction monitoring and identification/reporting of suspicious transactions.
Limited understanding of and failure to implement systems and controls to comply with restrictive measures.
Weak internal governance arrangements, including a lack of application of a robust three lines of defense system.
High staff turnover, including individuals in key positions.
Remote/online onboarding without proper controls.

Actions for the PI to Consider

Review current ML/TF risk assessment methodology and results and ensure there are actionable steps being taken to bring any results outside of risk appetite back in line to an acceptable and manageable level of risk.
Review existing ML/TF risk and control frameworks to help ensure risks are identified in a timely manner and evenly understood throughout relevant functions, and mitigating controls are subject to ongoing evaluation of strengths, gaps and weaknesses.
Evaluate the efficacy of the existing transaction monitoring programme to ensure it deploys appropriate and adequately tuned scenarios for identifying potentially suspicious activity; determine whether data analytics and/or the adoption of innovative tools could significantly improve monitoring capabilities.
Conduct an assessment of third-party and/or agency outsourcing effectiveness, governance, and oversight.
Assess consistency of centralised control frameworks across Member States, and stand up alignment initiatives where appropriate to help ensure strength of controls, jurisdiction-specific controls and overarching global policies and procedures reflect the current process and are sufficiently documented.
Consider additional training to educate staff on the ML/TF risks of PIs and their roles in protecting the PI.

If you would like to discuss the takeaways, please contact Bernadine Reese or Christine Reisman.