2.1. ML/FT Risks of the Payment Sector
2.1.1. Characteristics of the Movement of Funds
PPS, and NPPS in particular, are extremely attractive to illicit actors because of the rapid movement of funds between Payment Sector participants and across borders. The risks of a specific payment network or application however can vary based on the features that make it more or less attractive to illicit actors, such as:• Transaction speed. Are transactions instantaneous, or do they take hours or days? The quicker the transaction, the easier it is for illicit actors to conduct multiple transfers, further obscuring the origin of the funds, before coming to the attention of the authorities.
• Transaction limits. Does the PPS have transaction caps or limits? Smaller-value payments are not without risk, especially in the terrorist financing context, but they do make it more difficult to move illicit funds on a large scale.
• Closed vs open loop system. PPS, primarily SVF, can be “closed” or “open” loop. In a closed loop system, the payment method can only be used for payments to a specific payee. Examples include transit passes and store gift cards. In an open loop system, the payment method can be used to pay a wide variety of payees, and can be linked to other payment methods that further expand its reach. Although it is certainly possible to use closed loop systems for ML/FT (for instance, if a terrorist group collects store gift cards and uses them to purchase equipment), the restrictions on their use makes them less attractive to illicit actors.
• Methods of funding and access to cash.3 The methods by which a PPS can be funded (such as by cash, through another payment service, a prepaid model, or by third-party funding from anonymous sources) may increase risk. The inputs and outputs of a given PPS are therefore an important consideration when assessing risk, including whether the funding source is located internationally such as a high-risk country. For example, illicit actors may seek to place cash in the financial system or to obscure transaction trails by converting funds in and out of cash. PPS that permit users to fund their accounts with cash, or that allow users to withdraw cash, may be higher risk. In addition, as discussed above in the context of open loop systems, the more open and porous the PPS, the higher the risk it may present. PPS that allow users to fund accounts from multiple sources, and to withdraw funds using multiple methods, are likely to be more attractive to illicit actors, and will be harder to effectively monitor.
• Payment transparency. NPPS often have aggregated payments and settlement accounts involving multiple parties and long payment chains thereby potentially causing LFIs to have reduced visibility into payment activity taking place through the PPS as well as obscuring an LFI’s ability to identify the ultimate payer and payee for all transactions.
• Ability for one person to create multiple accounts. Some PPS allow customers to create multiple accounts using the same ID. These may be individual accounts or created on behalf of minors or other family members. Illicit actors may seek to rapidly cycle funds through accounts (whether or not these take the form of virtual ‘wallets’ or other SVF) in order to obscure payment trails. They may also seek to open multiple accounts to facilitate fraud and other criminal activity. Restricting a customer to one account does not eliminate risk, since illicit actors often work in groups, but it makes it more difficult for a single person to launder funds by conducting a self-transfer.
• Non-face-to-face relationships. Does the payment method allow for a non-face-to-face business relationship? What are the payment method’s characteristics? Can the relationship be established through agents, online or through a mobile payment system? The absence of contact and/or anonymity may increase the risk of identity fraud or customers providing inaccurate information.
• Use of virtual assets.4 As interest in virtual assets grows, more and more payment methods and schemes are integrating with virtual assets. For example, a global payments firm allow users in some countries to purchase virtual assets using the funds in their account, although not to use them directly for payments. Payment methods and schemes that integrate virtual assets could expose financial institutions to the specific risks of this sector.
3 For details on the vulnerabilities of cash and alternatives to cash, please consult the CBUAE’s Guidance for Licensed Financial Institutions providing services to Cash-Intensive Businesses
4 Please note that the risks relating to Virtual Assets/Virtual Assets Service Providers are out of the scope of this guidance and addressed in a separate guidance to be issued by the CBUAE.
2.1.2. Peer-to-Peer Payments
NPPS have revolutionized the ability to make payments or transfer funds. Where cash transactions previously required face-to-face interaction and bank transfers involved transactions’ fees and an execution time in the past, NPPS allow participants to send money that will be instantly available to the beneficiary, reducing the need for trust in the relationship. As a result, the availability of convenient, inexpensive PPS has led to a decreasing use of cash, particularly in highly developed countries. Bringing transactions into the formal financial system has many advantages from the perspective of combating illicit finance. These transactions can flow through third parties that are in many cases subject to AML/CFT requirements. In most cases, the payments that involve such third parties include information on the payer and the payee and are permanently recorded by a financial institution, making it easier for law enforcement to track transactions. But the use of PPS for peer-to-peer payments also creates risk for financial institutions because it means that many smaller illicit transactions that once took place in cash are now being conducted via PPS, particularly NPPS.
2.1.3. Cross-Border Movement
One of the principal features of many NPPS is that they can be used globally for making payments or transferring funds. While the usefulness of cash and cheques is limited outside the jurisdiction where they were issued, many PPS are internet-based services and specialize in conducting transfers between countries and currencies. For example, a UAE bank that offers checking accounts to UAE residents may have no ATMs or branches outside the UAE. But, if users link their accounts to global or regional payment apps, they can conduct transactions with persons over the world and can use their smartphone as a payment instrument in countries where the bank has no presence, thus introducing new geographical exposure potentially to high-risk countries. And unlike cross-border wires, which carry full identifying information, the bank will frequently only see the customer’s transactions with the payment network itself, rather than their location or ultimate destination. Many illicit finance schemes involve the cross-border movement of funds. Criminals may seek to finance terrorism in other countries, move funds out of sanctioned jurisdictions, or evade the attention of law enforcement in the jurisdiction where a proceeds-generating offense was committed. PPS that allow or facilitate cross-border movement of funds may therefore be particularly attractive to illicit actors.
2.1.4. Global Regulatory Gaps
Countries take a variety of approaches to regulating the Payment Sector and there is no one widely accepted classification of participants. As a result, two regulators in two different jurisdictions may subject a single company to very different requirements based on each jurisdiction’s regulatory framework. The company may be regulated as a financial institution in one jurisdiction, and thus subject to AML/CFT requirements, but treated as a tech company in another with no requirement to apply preventive measures. Companies may provide services to customers in a given country without being regulated in that country at all. Even where Payment Sector participants are fully regulated and subject to stringent AML/CFT requirements, supervisors’ expectations for this sector may be lower than for traditional financial institutions such as banks. And participants, as relatively new market entrants, may lack the experience, expertise, or commitment to apply fully effective preventive measures. These entities may be less able to protect themselves and their partners, and thus vulnerable to abuse by illicit actors.
2.1.5. Intermediation
The Payment Sector may be complex with a number of participants potentially involved in a single transaction. As a result, many payment transactions will be highly intermediated, with multiple financial institutions involved in a funds transfer. Additional entities (some of which may not be financial institutions) can potentially facilitate the transaction through the exchange of information. Intermediated transactions create risk because no regulated entity participating in the transaction has the visibility necessary to fully understand the transaction and the participants. Illicit transactions may have red flags when viewed as a whole, but may appear legitimate when seen from the perspective of each of the financial institutions involved. This creates a vulnerability that illicit actors can exploit.
For example, consider the hypothetical transaction below, a purchase on an online marketplace that allows individual sellers to sell items directly to customers:In this transaction, the customer is using a credit card to purchase goods from the merchant, but the merchant is not a participant in the credit card scheme. A number of Payment Sector participants help to bridge this gap and facilitate the transaction:• The marketplace uses a payment gateway that accepts the customer’s credit card credentials, encrypts them, and validates them against data held by the credit card scheme operator. The marketplace may also integrate with providers that provide ‘one-click’ payment information to the payment gateway without requiring the customer to enter his or her credit card details. In the UAE, these providers would be classified as conducting payment account information services, but in many other jurisdictions they are not regulated as financial institutions.
• The credit card scheme operator validates the customer information provided by the payment gateway, conducts initial fraud checks, and informs the payment gateway that the credit account is in good standing and the credit limit has not been exceeded.
• The payment gateway informs the marketplace’s payment processor that a transaction of an identified value can proceed using the customer’s credit card details.
• The marketplace payment processor informs the merchant that the transaction has been confirmed and instructs the credit card scheme operator to debit the customer’s account for the purchase price, in favor of the marketplace.
• The credit card scheme operator passes this payment instruction on to the bank that issued the customer’s credit card (the issuing bank). Meanwhile, the merchant ships the customer the merchandise purchased.
• The issuing bank transfers funds in the purchase value to the marketplace’s bank (this transfer may in fact go through the marketplace payment processor’s account at the same bank).
• The marketplace bank transfers the purchase funds to the merchant’s fintech (likely a provider of SVF), which in turn transfers the funds to the merchant’s account. The marketplace’s payment processor likely facilitates this transaction by instructing the bank where to send the funds.
It is unlikely that any of the Payment Sector participants in this transaction have full visibility into the funds transfer chain. The banks are unlikely to have information on anyone other than their immediate customers or correspondents. The payment gateway likely does not identify the merchant. The fintech likely does not identify the customer. The marketplace payment processor is likely aware that the customer and merchant are engaging in a transaction, but may not know where the customer’s funds are coming from or where the merchant’s funds are going. And because the marketplace payment processor does not hold funds at any point in the transaction, it may not be regulated as a financial institution in all jurisdictions. In this instance, a marketplace payment processor may apply certain conditions on what types of customers and merchants it engages. For more information on how LFIs can mitigate and manage ML/FT risks related to this sector, including the risks arising from the use of NPPS, please see section 3 “Mitigating Risks.”2.1.6. Nesting
Nesting is a form of intermediation that presents specific risks. In most Correspondent Banking Relationships that involve nesting, the respondent financial institution is not aware of individual transactions ordered by the ultimate customer; instead, the respondent sees bulk activity in the correspondent’s account that represents aggregate customer orders and perhaps also proprietary transactions by the correspondent. As a result, the transaction is intermediated because the respondent cannot see—nor assess the risk of— the original customer.
Although nesting can occur in the context of any financial service, some features of the Payment Sector— the long payment chains and the involvement of multiple parties—can increase the likelihood that nesting will take place. In particular, some Payment Sector participants specialize in providing financial services to dubious merchants or customers who would be rejected by larger financial institutions. A participant servicing these customers, frequently offering merchant acquiring or payment aggregation services, will establish a nested relationship with a third participant that in turn has a Correspondent Banking Relationship with a bank. Although all the parties involved must and may claim to perform appropriate merchant due diligence, in practice, the risk may be that the bank is relying on its correspondent, which is in turn relying on the nested financial institution, with the first two parties not having full visibility into the nested financial institution’s customer base or due diligence practices.
2.1.7. Use of Agents and Affiliates
Payment Sector participants often interact in a dense web of agency and affiliate relationships, with each participant playing a defined role. A large number of entities involved in the NPPS, in particular when involving several countries, may increase the ML/FT risk.For example, entities involved in the provision of SVF through a prepaid card scheme could include:5• The issuer of the SVF, such as the issuer of prepaid cards, who is accountable to the customer for holding the funds they have loaded into the SVF (issuers are often banks that maintain program funds in a single program account); • The merchant acquirer (or acquirers), who establishes a direct relationship with merchants, distributes and maintains the payment gateway, collect funds on their behalf, and distributes them to merchants; • The program manager, who operates the network and provides services to the issuer (because all program funds are generally maintained in a single account, program managers often maintain the electronic records that track the “movement” of funds into and out of customer’s individual wallets); • The retailer, who sells SVF devices like prepaid cards to customers; • The network operator, who maintains the link between merchants’ point of sale devices, or other payment gateways, and the program manager; and • Persons, who act as agents for the scheme, such as by accepting cash in exchange for topping up wallet balance.
Another example includes the provision of mobile payment services. The roles of Payment Sector participants depend largely on the business model of the mobile payment service. Furthermore, various roles may be carried out by a single entity or through agents. Entities involved in the provision of mobile payments may include the following:• The network operator, who provides the platform to allow access to the funds through a mobile phone. • The distributor (including retailer), who sells or arranges for the issuance of funds on behalf of the issuer to customers. • The issuer of the SVF, or the electronic money issuer, who issues electronic money, which is defined here as a record of funds or value available to a customer stored on a payment device, such as a prepaid card or mobile phone.
This interplay between different entities can lead to risks resulting from intermediation as discussed above. But it can also give rise to risks when the participating entities have not assigned clear responsibility for compliance with AML/CFT requirements. The PPS risk’s exposure may then be dependent on multiple actors who may have a deficient understanding of AML/CFT obligations. For example, in the prepaid card scheme described above agents could facilitate money laundering by accepting large volumes of cash and breaking the value of the deposit up across several wallets, thus avoiding scrutiny related to large cash deposits. The entities acting as merchant acquirers could be aware that the merchants are providing illegal goods or services or are fraudulent, but conceal this knowledge in order to continue to receive fees related to transactions involving the merchants in its network.The risks created by the use of agents and affiliates increase when agents and affiliates are responsible for sensitive steps in the system (customer or merchant onboarding, or cash acceptance) and when there are multiple agents or affiliates between the customer and the ultimate provider of payment services. For example in card schemes, merchant acquirers will frequently work with contractors who identify merchants and bring them to the acquirer in return for a fee. Depending on the relationships involved, the financial institution that maintains the merchant accounts may not have any actual direct contact with and have a limited visibility of the merchant, as the relationship is intermediated through the merchant acquirer and also the merchant acquirer’s contractor. Since contractors do not get paid unless the financial institution accepts the merchant as a customer, they may be incentivized to help the merchant conceal the true nature of its business.5 Please note that one entity can hold various roles related to the provision of SVF (e.g., an issuer of the SVF can also be a program manager). The risk is extended where different agents are involved in the provisioning of a prepaid card.
2.1.8. Merchant Risks
All merchants accept payments in one form or another, and most merchants today are at least considering integrating NPPS into their financial arrangements. On the other end of the spectrum, NPPS lower the barriers for merchants to access financial services, making it easier to start and operate a small business, particularly in the e-commerce sector. These lower barriers to entry however can also create risks when merchants are not properly vetted. Globally, Payment Sector participants including providers of NPPS have been abused by or directly complicit with merchants who offer fraudulent or illegal goods or services, or whose business models pose reputational risks to financial institutions. These can for example include traffickers in narcotics who disguise their transactions as financial activity related to a supposedly legitimate small business. They can also include businesses that are legal in some jurisdictions but not others (such as gambling websites) and seek to accept payments from customers resident in jurisdictions where the business is illegal. Finally, they may include sites that are legal in many jurisdictions but that pose reputational risk, and that are therefore outside a financial institution’s risk appetite, or online marketplaces that do not thoroughly police their merchants and thus could themselves be abused by illicit actors.
Any factors—particularly intermediation, nesting, and the use of agents and affiliates—that prevent a financial institution from understanding exactly what merchants or what types of merchants it is serving when it provides a PPS, increase the risks. Risks may be higher in cross-border networks, as businesses may be legal in some jurisdictions and illegal in others, while customers can use the PPS to purchase services that would be illegal in their jurisdiction. Relying on third parties to conduct customer due diligence (CDD) on merchants can also increase risk if the relationship is not well-governed.