The European Banking Authority (EBA) has provided answers to two more Q&As relating to the revised Payment Services Directive (PSD2) and strong customer authentication (SCA) rules.
In its latest round of clarifications, the regulator has continued to work through the EU payments ecosystem's many queries about the payments compliance rules.
The latest answers, among other things, address the interplay between anti-money laundering (AML) rules and PSD2, a topical issue considering the EBA's recent push for AML to be addressed in the upcoming PSD2 review.
In a question submitted by Dutch law firm Eurius, the EBA was asked to what extent account information service providers (AISPs) need to comply with the obligations in relation to money laundering and terrorist financing under the 4th Anti-Money Laundering Directive (4th AMLD).
In addition, it asked for clarification on whether it is a requirement for AISPs on the basis of national law and national supervisory practices to submit to their national competent authority a description of the internal control mechanisms with regard to AML regulations.
On the basis of Article 33 in PSD2, Article 5 of the 4th AMLD does not apply to AISPs, according to the law firm.
This means that AISPs, to receive authorisation as a payment institution, do not need to submit a description of the internal control mechanisms with regard to AML regulations.
However, in the Netherlands, the competent authority has taken the position that AML requirements apply to AISPs and requires that a description of the internal control mechanism with regard to such requirements is submitted as part of the licence application.
In its response, the EBA said that AISPs are not exempt from AML requirements. However, like other obliged entities, they are able to adjust their AML/CTF systems and controls on a risk-sensitive basis.
Because AISPs are not involved in the payment chain and do not hold payment service users' funds, the inherent risk of money laundering or terrorist financing associated with these financial institutions is limited, and previous guidelines set by the EBA recommend that simplified due diligence measures are appropriate in most situations.
The EBA also agreed that AISPs are exempt from Article 5 of the 4th AMLD. However, the EBA has steered clear of overruling the Dutch regulator's compliance rules, considering that PSD2 and AML law depend on national transposition and, therefore, can be gold-plated and/or interpreted differently depending on the member state.
Contactless vending machines
The other question that the EBA has answered looks at whether contactless-only devices can be mounted on general goods-vending machines.
“In this case, where a vendor mounts an unattended 'contactless only' device without pinpad on a general goods-vending machine, the customer has no way to insert any strong customer authentication (SCA) method when he purchases,” the question says.
There are many examples of mounted unattended cashless devices, the question continues. “These are mounted on many thousands of general goods-vending machines throughout Europe, and applying SCA on these is impossible.”
The question, which was submitted in mid-2020, points out that changing these devices comes with a big price tag for merchants, and says that there are no devices with compatible dimensions to replace those installed.
Entering a PIN into a vending machine is less secure than making low-amount payments without SCA, the person asking the question says.
The EBA, in turn, responded by pointing out that such payments could be exempt under provisions that already exist. For example, there is an exemption for contactless payments in the PSD2's Delegated Regulation, and the exemption for low-value transactions may also be applicable.
However, the EBA summarises: “[I]t is for each vendor to decide whether to mount a contactless only terminal without a pinpad on vending machines.
“In case the payment service user is requested to apply SCA, the PSU, depending on the SCA approach provided by the PSP, may not be able to initiate the payment transaction.”