News

Regulators across the EU have identified virtual IBANs and other complex arrangements in the digital payments sector that mimic correspondent banking as acutely vulnerable to illicit finance, the European Banking Authority disclosed Friday.

In a 28-page report, the agency disclosed that a review of findings from 32 national anti-money laundering supervisors, national and EU-wide risk assessments and other sources found that the bloc’s 900 licensed remittance firms, payment services providers and electronic money institutions frequently maintain weak AML programs and lack oversight.

“Supervisory practices at authorization vary significantly, and [AML] components are not consistently assessed,” the EBA concluded. “As a result, payment institutions with weak … controls operate in the EU and may establish themselves … where the authorization process is perceived as less stringent to passport their activities cross-border afterwards.”

Friday’s report echoes concerns European investigators and compliance officers have voiced over virtual IBANs, unique codes of up to 34 characters that fintechs and other platforms that hold “master accounts” with other, typically larger, mainstream financial institutions can issue to clients across the world, giving them indirect access to the global banking system.

National regulators likewise view virtual IBANs as highly exposed to money launderers, fraudsters and other criminals, according to the EBA, because the institutions that provide the master accounts that underpin them often have no insight into the true originators and beneficiaries of the payments they facilitate.

“This risks creating gaps in supervisory coverage,” the EBA found. “It can also mean that payment institutions do not comply with the applicable [AML] framework.”

Other emerging risks in the digital payments sector, according to the EBA, include “white labeling,” whereby one fintech makes its license available to an “independent agent,” typically a second fintech, which uses the relationship to handle transactions for customers and other financial services with little to no screening.

Licensed payment platforms that outsource the process of winning new merchant clients to third-party acquirers, or TPAs, also expose the EU to money launderers, terrorist financiers and fraudsters, according to the report, as they sometimes fail to sufficiently vet new customers when onboarding them and display other flaws in their AML programs.

“TPA transactions cause a segmentation of the acquiring business resulting in an increased ML/FT [money laundering and financing-of-terrorism] risk, including transaction-based laundering, or risk of other fraudulent activities,” the EBA found.

In the context of compliance, “segmentation” tends to refer to the separation of the onboarding process from other aspects of a company’s AML program.

“Transaction laundering” meanwhile entails disguising payments from illegal gambling websites or online vendors that sell illicit drugs as low-risk transfers from, for example, an IT company or florist.

Recent months have seen European regulators cast an increasingly wary eye towards fintechs that sell other fintechs access to their payment rails amid concerns that they frequently neglect to vet their customers’ customers.

On June 1, Lithuania’s central bank fined Transactive Systems, one of the country’s most successful electronic money institutions, or EMIs, €280,000 and revoked the company’s operating license for “systemically” failing to stay onside of sanctions and conduct adequate due diligence on cryptocurrency exchanges, brokerages and other high-risk clients.

The “large overall volume and high speed of transactions” in which EMIs and other digital payment institutions engage—combined with their tendency to partner with other high-risk clients and onboard customers remotely—fuels a perception among regulators that they pose a “significant or very significant” risk, according to the EBA.

Despite that general perception, regulators tend to subject traditional, mainstream financial institutions to onsite examinations more often than they do digital payment platforms. Mainstream institutions and their senior compliance officers also face more scrutiny before obtaining a license, the EBA found.

“Addressing these points will be essential to protecting the EU’s single market from financial crime,” the organization concluded Friday. “It will also help improve access by payment institutions to payment accounts by addressing a root cause of de-risking.”

National regulators, according to the EBA, attributed most of the AML violations that emerged in the digital payment sector last year to subpar customer identification programs and risk assessments, and flawed ongoing-monitoring processes and reporting of suspicious transactions.

“The emphasis should be on proper governance, competence—in terms of the people responsible for anti-financial crime as well as competence at the level of the board—and a closer relationship with the regulator,” Gregory Dellas, chief compliance officer of ECOMMBX, a payments firm in Nicosia, Cyprus, told ACAMS moneylaundering.com. “Hence the importance of uniformity across Europe in terms of authorization and monitoring.”

Contact Koos Couvée at kcouvee@acams.org