A new report from the European Banking Authority (EBA) has found that anti-money laundering (AML) and counter terrorist financing (CTF) risks are “not managed effectively” among European payments firms.
After assessing the scale and nature of ML/TF risks in the payments sector during 2022, new research by the EBA indicates that “generally” payment firms do not manage AML/CTF risks adequately.
During its research, the EBA considered how Europe’s approximately 900 regulated payment firms identify and manage AML/CTF risks, and what AML/CTF supervisors do to mitigate those risks when applying for regulatory authorisations.
Ultimately, the EBA found that AML/CTF internal controls are often insufficient to prevent money laundering and terrorist financing within the payments sector, despite the high inherent risk to which the sector is exposed.
As part of its research, the EBA surveyed 32 European AML/CTF supervisors and obtained risk assessments from member state regulators. The research also drew on the EBA’s Payment Services Directive 2 (PSD2) peer review of regulated payment firms.
Regulatory arbitrage
For regulators, the EBA said its findings indicate “not all” agencies are “doing enough” to supervise the payments sector effectively.
For example, the EBA found that payment firms with weak AML/CTF controls operate within the EU by establishing themselves in member states where authorisation and AML/CTF supervision processes are less stringent.
Once established, these firms with weak controls are then able to “passport” their activities cross-border with little oversight.
The EBA found that supervisory practices at the authorisation stage “vary significantly” between member states, and AML/CTF components are not consistently assessed.
For example, some regulators interpreted “reasonable grounds for concern with regard to [A]ML/[C]TF” as amounting to suspicion of criminal activity, rather than AML/CTF risk, which makes a refusal unlikely.
“As a result, some payment institutions appear to have made use of regimes that they perceived to be more permissive to obtain authorisation and passport their services into other member states,” said the EBA.
Building a risk heat map
The EBA noted that “some” AML/CTF supervisors indicated that, following engagement with the EBA, their AML/CTF controls have “slightly improved” compared with previous years.
However, the EBA said these changes have “not translated into improved overall residual risk ratings yet.”
Due to the high AML/CTF risks that are inherent to the payments sector, the EBA said that both firms and regulators must do more to ensure that controls are properly applied.
At present, the payments sector is the second-most reported sector to EURECA, the EBA’s AML/CTF database, after credit institutions.
As shown in the report, the most common breaches reported are those related to ongoing transaction monitoring (62 percent), followed by customer risk assessment and internal AML/CTF controls and policies (33 percent respectively).
Among individual customers, the EBA is particularly concerned about non-residents, politically exposed persons (PEPs) and those who have been “de-risked” from the banking sector.
Among institutional customers, the EBA is particularly concerned about gambling companies and crypto-asset service providers (CASPs).
“A general perception of AML/CTF supervisors is that payment institutions tend to have a higher risk appetite than, for instance, retail banks,” said the EBA.
EBA proposals going forward
The EBA said several of its findings relate to issues addressed in the EBA Guidelines, whose provisions it said are not being implemented as intended by payment firms.
The EBA therefore encouraged payment firms and AML/CTF supervisors to take steps to ensure a more “robust implementation” of the EBA Guidelines, in order to mitigate the sector’s risk exposure.
Likewise, the EBA said that regulators should adjust the “frequency and intensity” of on-site and off-site supervision to reflect the outcomes of their AML/CTF risk assessments.
Finally, the EBA said that other findings will require changes to the EU’s legal framework. If these changes are pursued, the EBA said they should aim to establish a more “consistent approach” to authorisation of payment firms and passporting risks across member states.