2.2. ML/FT Risks for LFIs Providing Services to Payment Sector Participants
Many traditional LFIs, including banks, are full participants in the Payment Sector. Banks serve for example as issuers and acquirers in credit, debit, and prepaid card schemes, and are actively involved in developing new payment methods to better serve their customers. When banks play such roles, they are directly exposed to the determinants of risk discussed in section 2.1 above, and should thus conduct appropriate CDD on all Payment Sector participants. Banks and any other LFIs that offer services to other Payment Sector participants, or have customers who use these services, are exposed to specific forms of risk that include:
2.2.1. Correspondent and Correspondent-Type Risk
Because large-scale national clearing and settlement systems are often opened only to banks and other depository institutions, the majority of retail payments will ultimately pass through a bank generally as part of batch settlement. In order to facilitate this activity, non-bank financial institutions involved in payments, as well as unregulated Payment Sector participants, generally maintain deposit accounts with banks. These accounts can be used to safeguard customer funds (for example funds that have been deposited with a prepaid scheme) or to aggregate customer funds before disbursing them directly to customer’s account (for example when a merchant acquirer aggregates multiple payments to a merchant partner before disbursing them in a single transfer). Correspondent Banking Relationships in which the correspondent’s customers’ funds flow through an account held at the respondent financial institution are particularly high risk, because they expose the respondent institution directly to any potentially illicit activity in which the correspondent’s customers are engaged. Because banks that offer services to correspondents have limited information on these transactions, they are reliant on the correspondent to implement an effective AML/CFT program. Please see section 3.4.2 for the respective preventive measures.
2.2.2. Other Risks Related to Intermediation
Even banks that view themselves as having limited to no exposure to NPPS may in fact have indirect exposure through customers who link their bank accounts to payment apps, or use their bank accounts to fund SVF accounts or wallets (or withdraw funds received in such wallets to their accounts), or withdraw funds as cash and use it to purchase other prepaid instruments. Account activity of this type poses unique challenges for account and customer surveillance, because frequently the bank will be aware only of the immediate source or destination for the transaction, rather than the entire transaction chain. This can allow customers to deliberately thwart transaction monitoring programs and prevent the bank from understanding and assessing the activity on the customer’s account to determine whether it is in fact in line with the customer profile. Examples of how intermediation can limit a bank’s ability to identify suspicious or unusual behavior include:• Many banks have automated transaction rules designed to identify possible unlicensed money transfer activity by alerting on accounts that receive multiple small deposits from different sources, followed by a single large cross-border transaction. A customer could thwart this surveillance by having associates deposit the funds to be transferred in an SVF wallet, and then moving those funds to a linked bank account in order to execute the cross-border transfer. From the bank’s perspective, it would appear that the customer received only one deposit. Relatedly, the provider of SVF could not know that the funds were ultimately transferred across borders. • Many banks use watchlists to identify transactions that may be illegal or in violation of bank policy, such as the use of gambling websites. A customer seeking to evade these restrictions could use a foreign payment app linked to their account to purchase the assets; this transfer would likely appear on the bank’s records as a debit in favor of the operator of the payment app. The operator, in turn, may not be responsible for enforcing the laws of the jurisdictions where its foreign customers are based. It is therefore important for banks to identify foreign payment apps in order to appropriately assess the risks of the transactional activity. • A customer that generates a high quantity of illicit proceeds in cash can evade surveillance the bank applies to cash deposits by depositing the cash with a provider of NPPS (including both SVF and any other payment app that accepts cash inputs) and then withdrawing the funds from the payment service to his/her linked bank account.
2.2.3. Risks Related to Outsourcing
Banks often serve as the backbones of PPS such as credit, debit, and prepaid schemes without serving as the administrator or governing body of the scheme. In these situations, banks provide their reputation, stability, ability to hold deposits, and access to national payment systems while program administrators actually manage the movement of funds throughout the scheme. Because program operators have more direct contact with customers and more insights into the movement of funds, banks involved in these schemes often outsource CDD and other elements of the AML/CFT program to the program operators. But as banks continue to be exposed to funds involved in the program, they remain responsible for implementing an effective and compliant AML/CFT program, even if transactions flow through third parties that may or may not be subject to AML/CFT requirements. LFIs should therefore adopt policies to mitigate risks arising from reliance on outside service providers, including ones that operate in high-risk countries. Where roles and responsibilities are not clearly assigned, or where the program administrator does not implement an effective program, illicit actors can exploit the cracks in the program, and the bank and the program operator together will likely be less effective than if either party were operating alone. In such cases, LFIs should maintain a contingency arrangement as necessary.