Increasingly, we are seeing enquiries from firms wishing to become licensed by the Financial Conduct Authority (FCA) to provide the payment services of ‘account information services’ (AISP) and ‘payment initiation services’ (PISP). Whilst the application process may look different for each payment service, depending on whether it is to be provided in isolation or alongside other payment services, one key question is regularly asked: “I don’t come into possession of client funds, so do the AML requirements apply to me?”
Whilst the ‘possession of funds’ argument is a compelling one – if I don’t come into possession of funds, then I certainly cannot come into possession of illicit funds - the answer unfortunately is, yes, they do.
Whether you look at the 3rd, 4th or 5th Money Laundering Directives for your inspiration (it really matters not, it’s just a question of timing), they all include ‘financial institutions’ as obliged entities caught within scope of the legislation and requirements. Remember, the timing point. At various stages ‘financial institution’ meant something slightly different, but, today, it includes payment service providers. Sorry, I should really say, all payment service providers. And yet. PSD2 appears to exempt AISPs from supplying AML/CFT information as part of their authorisation application (Arts 33(1) and 5(1(k) – in that order – if you’re interested).
EBA Guidelines
From an application perspective, the starting point is the European Banking Authority (EBA) ‘Authorisations Guidelines’. Don’t start crying ‘Brexit’ at me, the FCA has built in the relevant information requirements into its various application packs and, since this is not primary legislation subject to any ‘on-shoring’, it is unlikely to change in the short term.
Guideline 14 (applicable to payment institutions, including PISPs) is titled ‘Internal control mechanisms to comply with obligations in relation to money laundering and terrorist financing (AML/CFT obligations), and contains a number of information requirements relating to AML/CFT. There is no ‘carve out’ that distinguishes PISPs from any other payment services, and thus requires PISPs to submit such information.
However, the same is not true for AISPs. The applicable guidelines for them make absolutely no mention of AML/CFT compliance. This would suggest that the EBA was on the ball and at least made that interpretation for AISPs (but then I would say that, having been part of the EBA working group that developed the Guidelines!). But perhaps that’s being over generous, as we have already established that PSD2 did indeed build in a carve-out.
It is indeed consistent with an earlier EBA feedback statement which recognised that PISPs would indeed be obliged entities, but made absolutely no mention of AISPs, presumably for the reason just stated.
Danish experience
Recently, we have seen that Denmark has bolted from the ranks and come out and explicitly stated that companies providing only Account Information Services are not subject to the Danish AML legislation. So, no obligation to develop policies and procedures if not in scope.
The same can’t, however, be said for PISPs. Here, the Danish legislation firmly land PISPs in scope. But, the crucial difference between what has happened in Denmark versus elsewhere in the EEA, is that a supporting set of ‘AML Guidelines’ provide PISPs with helpful guidance to ensure that they consider the risk to which they are exposed and develop a risk assessment framework proportionate and appropriate to that business activity.
In practice
From a UK perspective though, it’s very much a case of ‘as you were’. Absent any legislative change from HMT (post-expiry of the transition period, of course) or any formal policy change from the FCA, then UK applicant firms wishing to carry on only Account Information Services or Payment Inititiation Services will have to adopt an AML/CFT policy and procedures, proportionate and appropriate to their business and the risks to which they are exposed.
That means understanding and articulating the payment flows and the information to which you have access. It is then a question of identifying and articulating the AML/CFT risks that arise. Write them down, as this will be the basis of your policy and risk-based approach. Submit to your Board for consideration and approval, and Bob’s your uncle.
If, of course, you would appreciate a fresh perspective, we’d be more than happy to discuss your business model with you and the suitability of your AML/CFT plans and documentation.
Contact our payment services team
Related resources
All resources
Identifying the weaknesses in firms’ transaction reporting governance and control frameworks
Bitesize webinar: Establishing a robust prudential monitoring framework
Operational Resilience: regulatory guidelines for critical third parties aim to avoid systemic disruption
Press Release: Cosegic launches new Consumer Duty audit.