Do the customer due diligence (CDD) requirements apply to payment initiation service providers (PISPs)?
On 1 March 2021, the European Banking Authority (EBA) published the final revised Guidelines on money laundering and terrorist financing (ML/TF) risk factors. The EBA has included new ML/TF risk factors. We have amended these Q&As on the basis of the revised Guidelines.
Account information service providers (PISPs) must perform customer1 due diligence to prevent their services from being used for money laundering and terrorist financing. These service providers fall under the Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme – Wwft) pursuant to Section 1a(1) of that act.
Simplified CDD is the standard approach for PISPs, given the low risk inherent in their services. A PISP must take into account all data available to it for which customers have given their explicit consent. The CDD must be documented in customer files and comprise at least the following elements:
A PISP must identify its customers on the basis of Section 3(2) under a of the Wwft. There is no prescribed format for identifying customers. This information can also be used for screening customers against relevant sanctions lists. If a PISP has a business relationship with a customer that offers a payment service user (PSU) the opportunity to use the relevant PISP's to initiate a single or one-off transaction, the PSU does not qualify as the PISP's customer.
A PISP must verify its customers’ identity on the basis of Article 3(2) under a of the Wwft. A risk-based approach can be taken to verification. We consider it necessary for a PISP to make use of at least two independent and reliable sources. This could include (personal) data taken from the bank API, as well as information from an extract from the Trade Register of the Chamber of Commerce (a certified copy or obtained via an API from the Chamber of Commerce), or a passport scan.
Pursuant to Section 3(2) under c of the Wwft, a PISP must establish the purpose and intended nature of the business relationship. When the PISP has identified risk factors for a customer, it must further investigate the purpose and intended nature of the business relationship and the transactions conducted during the relationship. The purpose of this is to monitor whether the customer's behaviour is consistent with these statements. In the absence of such risk factors, the PISP can apply simplified CDD and assume the purpose and nature of the business relationship.
When a natural person states they are acting as a representative of a customer, a PISP must also determine whether this person is authorised to do so. For legal entities, the representatives are often the board members. When a natural person claims to indirectly represent a legal person (whereby the legal person is the customer), the chain of representative authority must be determined. An extract from the Trade Register of the Chamber of Commerce may for example be used for this purpose. When this authorisation has been established, the customer is then the subject of the CDD measures set out in Section 3 of the Wwft. The natural person acting as representative must also be identified and their identity verified. Verification must occur by means of two independent and reliable sources. An extract from the Trade Register of the Chamber of Commerce may for example be used for this purpose, combined with a second source, such as personal data obtained from the bank API.
A PISP must carry out CDD which enables it to identify the customer's ultimate beneficial owner (UBO). A PISP must also take all necessary and reasonable measures to verify the identity. There is no prescribed format for identifying customers, but this can for example be done through a UBO declaration or an organisation diagram. In the case of simplified CCD, a UBO's identity can be verified using a risk-based approach, based on various types of sources, but this must not result in the UBO's identity not being verified.
Pursuant to Section 8(5) of the Wwft, a PISP must have adequate risk management systems in place with risk-based procedures to determine whether a customer or UBO is a politically exposed person (PEP). In practice, this must result in a PISP conducting a PEP review at the start of the business relationship, or at a suitable point after the start of the business relationship, for example when certain risk factors increase or when a time limit has expired. External sources or tools can be used for this purpose.
[1]Section 1(1) of the Wwft defines a customer as the natural or legal person with which a business relationship is entered into or on whose behalf a transaction is conducted.
On Tuesday 5th November from 3:00-4:45 PM CET DNB will organize a physical information session about fit and proper assessments.
Read more Information session about fit and proper assessments DNB
Embedded finance offers customers the convenience of in-app payment options and on-the-spot insurance. This seamless integration of financial services, available exactly when and where they are needed, makes life simpler. But this innovation also entails new risks.
Read more Embedded finance: striking a balance between convenience and risk in the digital economy
On Tuesday 28th May from 3:00-4:45 PM CET DNB will organize an online information session about fit and proper assessments.
Read more Information session about fit and proper assessments DNB
The rapid development of artificial intelligence (AI) poses challenges for the supervisory work of the AFM and DNB. The supervisory authorities have published a report with criteria and areas of attention for shaping the supervision of AI.
Read more AFM and DNB publish report on the impact of AI on the financial sector and supervision
