Customer due diligence requirements for payment initiation services (service 7)

On 1 March 2021, the European Banking Authority (EBA) published the final revised Guidelines on money laundering and terrorist financing (ML/TF) risk factors. The EBA has included new ML/TF risk factors. We have amended these Q&As on the basis of the revised Guidelines.

Answer:

Account information service providers (PISPs) must perform customer¹ due diligence to prevent their services from being used for money laundering and terrorist financing. These service providers fall under the Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme – Wwft) pursuant to Section 1a(1) of that act.

Simplified CDD is the standard approach for PISPs, given the low risk inherent in their services. A PISP must take into account all data available to it for which customers have given their explicit consent. The CDD must be documented in customer files and comprise at least the following elements:

Customer identification

A PISP must identify its customers on the basis of Section 3(2) under a of the Wwft. There is no prescribed format for identifying customers. This information can also be used for screening customers against relevant sanctions lists. If a PISP has a business relationship with a customer that offers a payment service user (PSU) the opportunity to use the relevant PISP's to initiate a single or one-off transaction, the PSU does not qualify as the PISP's customer.

Customer identity verification

A PISP must verify its customers’ identity on the basis of Article 3(2) under a of the Wwft. A risk-based approach can be taken to verification. We consider it necessary for a PISP to make use of at least two independent and reliable sources. This could include (personal) data taken from the bank API, as well as information from an extract from the Trade Register of the Chamber of Commerce (a certified copy or obtained via an API from the Chamber of Commerce), or a passport scan.

Purpose and intended nature of the business relationship

Pursuant to Section 3(2) under c of the Wwft, a PISP must establish the purpose and intended nature of the business relationship. When the PISP has identified risk factors for a customer, it must further investigate the purpose and intended nature of the business relationship and the transactions conducted during the relationship. The purpose of this is to monitor whether the customer's behaviour is consistent with these statements. In the absence of such risk factors, the PISP can apply simplified CDD and assume the purpose and nature of the business relationship.

Review of customer representative

When a natural person states they are acting as a representative of a customer, a PISP must also determine whether this person is authorised to do so. For legal entities, the representatives are often the board members. When a natural person claims to indirectly represent a legal person (whereby the legal person is the customer), the chain of representative authority must be determined. An extract from the Trade Register of the Chamber of Commerce may for example be used for this purpose. When this authorisation has been established, the customer is then the subject of the CDD measures set out in Section 3 of the Wwft. The natural person acting as representative must also be identified and their identity verified. Verification must occur by means of two independent and reliable sources. An extract from the Trade Register of the Chamber of Commerce may for example be used for this purpose, combined with a second source, such as personal data obtained from the bank API.

Identifying ultimate beneficial owners (UBOs)

A PISP must carry out CDD which enables it to identify the customer's ultimate beneficial owner (UBO). A PISP must also take all necessary and reasonable measures to verify the identity. There is no prescribed format for identifying customers, but this can for example be done through a UBO declaration or an organisation diagram. In the case of simplified CCD, a UBO's identity can be verified using a risk-based approach, based on various types of sources, but this must not result in the UBO's identity not being verified.

Review of politically exposed persons (PEPs)

Pursuant to Section 8(5) of the Wwft, a PISP must have adequate risk management systems in place with risk-based procedures to determine whether a customer or UBO is a politically exposed person (PEP). In practice, this must result in a PISP conducting a PEP review at the start of the business relationship, or at a suitable point after the start of the business relationship, for example when certain risk factors increase or when a time limit has expired. External sources or tools can be used for this purpose.

[1]Section 1(1) of the Wwft defines a customer as the natural or legal person with which a business relationship is entered into or on whose behalf a transaction is conducted.