Should Payment Initiation Services and Account Information Services be subject to AML regulations?
One of the most discussed changes, which PSD2 introduces to the European payment landscape, is two new payment services: Payment Initiation Services (”PIS“) and Account Information Services (”AIS“). Obviously, these services existed before PSD2 but now they are being made subject to a regulatory regime.
What does that actually entail? Apart from the usual drill of obtaining authorization from or registering such services with the competent regulatory authority, the first thing that comes to mind is compliance with anti-money laundering (“AML”) obligations. Surely one of the most onerous burdens on a regulated entity and – where full customer identification is required – also a major obstacle to customer conversion.
But are AIS and PIS made subject to full AML compliance? Let’s take a look at the law.
AMLD4 provides that all “financial institutions” are obliged entities for purposes of AML compliance. A financial institution is defined by reference to Annex I of Directive 2013/36/EU (“Capital Requirements Directive”), which in turn makes reference to PSD1 and finally to the Annex of PSD1, which lists all currently known payment services with the exception of AIS and PIS. With AMLD4 pre-dating PSD2, the reference could only be made to the status of PSD1 but what happens once PSD2 replaces PSD1?
The transposition into national laws does not shed more light on the situation.
An informal poll about the situation in different jurisdictions in our lawyer network unearthed the following:
In Germany, the AML law provides that all payment institutes are considered obliged entities (cf. Sec. 2 (1) Nr. 2 GwG). This would include AIS and PIS providers because they are payment institutes under the law that transposes PSD2 into German law (cf. Sec. 1 (1) No 1 ZDUG). However, the current AML law refers to a paragraph in the German payment law the numbering of which will not exist any longer after the PSD2 transposition law takes effect. Therefore, the legislator will have to make some adjustments.
In the Netherlands, an obliged entity is, according to the Dutch AML/CFT Act, amongst others, a payment service provider as defined in the Dutch Financial Supervision Act. A payment service provider is anyone who renders payment services in the course of their business. Payment services are defined as those activities mentioned in the annex to the PSD, which – once the PSD2 is implemented – means the PSD2.
In Belgium, the situation is very similar. Under the current Belgian AML4 transposition bill, payment service providers providing AIS and PIS would have to be considered “obliged entities” and therefore would have to comply with full AML compliance obligations. However, the Belgian PSD2 transposition law has not been published yet and may effect further changes.
In the UK, the picture is still unclear as well and there appears to be no clear guidance on those questions as of yet, while the market expectations appear to be that AIS will be exempt but PIS will be subject to AML compliance regulations.
Some exceptions for AIS in PSD2 that indicate that they may not be subject to AML compliance
PSD2 exempts AIS from having to submit a description of the internal control mechanism which the applicant has established in order to comply with AML obligations. It seems very likely that where internal control mechanisms are not made part of the application, no such obligations should apply. This exemption does not, however, apply to PIS.
What should the law look like?
So, if the laws have not yet been written in a way that decides the issue at hand, it is fair to ask what the law should look like.
The purpose of AML obligations, in particular customer due diligence, is to combat the flows of illicit money that is being laundered and terrorist financing. This can only happen where money is moved and the customer’s identity remains unknown.
In the case of AIS, which only provide consolidated information on one or more payment accounts, no money is moved by the AIS. The service may not be used to touch the money or change any data in the account. Exempting AIS from AML obligations would therefore not compromise the purpose of AMLD4.
The case becomes a bit trickier with regard to PIS. On first sight, it appears that PIS do move money as they initiate a payment. Taking a closer look, though, a PIS only initiates a payment order, it does not execute a transaction; the latter is done solely by the account servicing payment provider. The AML risk is therefore not increased by the use of a PIS as compared to the customer submitting the payment order herself. The risk that a third person may misuse the account for illegal purposes is also not increased because the access to accounts by the PIS is subject to the same regulation as the direct access to online banking. Also, the risk of an account takeover is not a specific AML risk but a general risk of online accessible accounts and thus does not warrant AML compliance for PIS.
Moreover, in case of PIS, the customer will have been identified by the account servicing payment provider. In light of this, doubling the KYC obligations seems unnecessarily onerous not only on the PIS but also on the customer.
Vive la France!
In France, the legislator seems to have followed the above reasoning.
Entities providing only AIS will not qualify as obliged entities under applicable French AML regulation because the list of obliged entities has not been amended with the transposition of PSD2. Consequently, they will not be subject to the identification, monitoring or reporting obligations applicable to other payment services providers.
Where payment institutions provide AIS and other payment services, the AIS service is not subject to AML. This derogation, created by the transposition ordinance of PSD2, applies only to the perimeter of AIS.
Payment institutions providing PIS benefit from a different derogation. Pursuant to a decree published soon after the transposition ordinance, PIS qualify as a low-risk service under the AML regulation. Consequently, if the licensed provider does not suspect money-laundering, no identification of the customer is required. How such a suspicion would be raised in the context of a PIS though, where there is more often than not a permanent business relationship between PIS and customers, remains to be seen in practice.
Hoping for harmony in the EU
While PSD2 is a fully harmonized Directive and thus its implementation into local laws does not leave much room for member state variations, this is not the case in the realm of AML laws. A consistent legal landscape across the EU should be the goal of legislators so as to avoid a distortion of competition between AIS and PIS domiciled in different member states.
Many thanks to our colleagues from the Fintech Lawyers Network who provided the input on their respective country’s legislation:
Titelbild / Cover picture: Copyright © fotolia