On 1 March 2021, the European Banking Authority (EBA) published the final revised Guidelines on money laundering and terrorist financing (ML/TF) risk factors. The EBA has included new ML/TF risk factors. We have amended these Q&As on the basis of the revised Guidelines.
Do account information service providers (AISPs) have to perform customer due diligence (CDD)?
AISPs must perform customer due diligence to prevent their services from being used for money laundering and terrorist financing. These service providers fall under the Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme – Wwft) pursuant to Section 1a(1) of that act. An AISP must take into account all data available to it for which customers1 have given their explicit consent. Simplified CDD is the standard approach for AISPs, given the low risk inherent in their services. The CDD must be documented in customer files and comprise at least the following elements:
An AISP must identify its customers on the basis of Section 3(2) under a of the Wwft. There is no prescribed format for identifying customers. This information can also be used for screening customers against relevant sanctions lists. A natural or legal person holding connected payment accounts qualifies as a customer.
An AISP must verify its customers’ identity on the basis of Article 3(2) under a of the Wwft. A risk-based approach can be used for verification. In view of the low risk of money laundering and terrorist financing inherent in account information services, a single independent and reliable source can be used to verify the identity of a natural person, such as (personal) data taken from the bank API. This less stringent requirement for AISPs differs from those that apply to other payment service providers.
Pursuant to Section 3(2) under c of the Wwft, an AISP must establish the purpose and intended nature of the business relationship. Each time an account is added to an account overview, the AISP must verify whether the account is the customer's own account, a shared account, or a legal entity’s account to which the customer has access. It must use this information to obtain knowledge of the customer and to establish the customer's risk profile, but also to conduct adequate risk monitoring.
When a natural person states they are acting as a representative of a customer, an AISP must also determine whether this person is authorised to do so. For legal entities, the representatives are often the board members. When a natural person claims to indirectly represent a legal person (whereby the legal person is the customer), the chain of representative authority must be determined. An extract from the Trade Register of the Chamber of Commerce may for example be used for this purpose. When this authorisation has been established, the customer must be subjected to the CDD as set out in Section 3 of the Wwft. The natural person acting as representative must also be identified and their identity verified. A single independent and reliable source can be used to verify the identity of a natural person, such as an extract from the Trade Register of the Chamber of Commerce.
An AISP must carry out CDD which enables it to identify the customer's ultimate beneficial owner (UBO). An AISP must also take all necessary and reasonable measures to verify the identity. There is no prescribed format for identifying customers, but this can for example be done through a UBO declaration or an organisation diagram. In the case of simplified CDD, a risk-based approach can be taken to the verification of UBOs, but this must not result in the UBO's identity not being verified.
Pursuant to Section 8(5) of the Wwft, an AISP must have adequate risk management systems in place with risk-based procedures to determine whether a customer or UBO is a politically exposed person (PEP). In practice, this must result in an AISP conducting a PEP review at the start of the business relationship, or at suitable point after the start of the business relationship, for example when certain risk factors increase or when a time limit has expired. External sources or tools can be used for this purpose.
[1]Section 1(1) of the Wwft defines a customer as the natural or legal person with which a business relationship is entered into or on whose behalf a transaction is conducted.
How does one bring the professional oath to life in daily practice? Representatives from the financial sector and the supervisory authorities tackled this question at the DNB seminar on the professional oath in late 2022.
Read more The professional oath in daily practice
In view of our continued support for a deeper and more integrated European Capital Markets Union (CMU), De Nederlandsche Bank (DNB) and the Dutch Authority for the Financial Markets (AFM) present next steps to shape the right policies and create a competitive European capital market.
Read more DNB and AFM: recommendations for a strong European Capital Markets Union
Effective 1 March 2024, Aerdt Houben will be our new Director of the European Banks Supervision Division, while Pieter Reinier Maat succeeds him as Director of the Financial Markets Division. Lex van 't Spijker succeeds Pieter Reinier as Director of the National Institutions Supervision Division.
Read more DNB appoints new divisional directors
Supervisory authority De Nederlandsche Bank (DNB) is submitting a new anti-money laundering approach to financial institutions and other stakeholders as part of a public consultation. In a policy document presented today [...]
Read more DNB submits new anti-money laundering approach to financial sector
