Outdated browser

You are using an outdated browser. DNB.nl works best with:

07 November 2019 Supervision Supervision label Q&A

Question:

Must payment initiation services (service 7) meet the customer due diligence (CDD) requirements?

Answer:

Yes, Payment initiation service providers (PISPs) must perform customer due diligence to prevent their services from being used for money laundering and terrorist financing purposes. This enables them to verify that the user of their services, in most cases the merchant, is the same (legal)person as the holder of the linked (payment) account, which is important, given the sensitivity to fraud and the payment institutions' obligation to perform sanctions screening.

A PISP must know its customers if it wants to screen them against sanctions lists and discontinue its services in the event of a hit. Sanction rules are the sanction regulations issued by the Council of the European Union and the Dutch Ministry of Foreign Affairs. Well-known examples include sanction measures imposed on Al-Qaeda/ISIS, Iran, Ukraine and North Korea, and the national terrorism list.

Customer due diligence must be based on risk weighting in accordance with the Fourth Anti-Money Laundering Directive (AMLD4) in accordance with the risk factors set out in the Guidelines on risk factors, issued by the EBA1. The SIRA conducted by the PISP must serve as a basis.

A PISP must perform a risk assessment before entering into a business relation. If the assessment demonstrates that the risk of money laundering and terrorist financing is low, it is sufficient for the PISP to take simplified customer due diligence measures. If the risk is high, however, enhanced customer due diligence is required. This may be different for each customer or group of customers. Customer due diligence must always take place, but the scope of the measures taken must be commensurate with the risk inherent in a particular customer, relation, product or transaction. The institution must determine the most appropriate scope on a case-by-case basis.

Simplified customer due diligence

A customer due diligence examination may be simplified in various ways, such as:

  • Changing the timing of the examination
  • Changing the amount of information gathered to identify the customer, verify its identity or monitor its transactions
  • Changing the quality or the source of information gathered to identify the customer, verify its identity or monitor its transactions
  • Changing the frequency of CDD updates and of reviews of the business relation
  • Changing the frequency and scope of transaction monitoring

More information about simplified CDD can be found in Annex 1 below.

Enhanced customer due diligence

The risk assessment may also indicate a high risk necessitating enhanced customer due diligence. In such cases, an institution must perform an intensified customer due diligence examination. It will need to gather and verify more information so it can adequately control the high risk2. The elements that can be reduced in simplified CDD will need to be increased in enhanced CDD.

Annex 1

Simplified customer due diligence

A customer due diligence examination may be simplified in various ways, such as:

  • Changing its timing, for example if the nature of the product, service or intended transaction limits the possibilities for money laundering or terrorist financing. This could be done as follows:
    1. Verifying the identity of the customer or the UBO when the business relation is entered into
    2. Verifying the identity of a UBO only after a specified transaction limit or a reasonable time limit has been exceeded.
      1. This must never result in CDD being effectively avoided. Institutions must see to it that a UBO's identity is ultimately verified.
      2. The transaction or time limit may not be set unreasonably high.
      3. Institutions must have systems in place to detect when such a limit is reached.
      4. In situations in which the law requires that institutions gather relevant information upon commencement of the business relation, they must not defer CDD or slow down the gathering of information.

  • Changing the amount of information gathered to identify the customer, verify its identity or monitor its transactions. This could be done as follows:
    1. Verifying identifies based on information from a single reliable, credible and independent source
    2. Assuming the purpose of a business relation because the product involved is designed for one particular type of use, such as a shopping card for a specific shopping centre

  • Changing the quality or source of information gathered to identify the customer, verify its identity or monitor its transactions. This could be done as follows:
    1. Accepting information provided by the customer, rather than by an independent source, to verify the UBO's identity. This is not permitted when verifying the customer's own identity.
    2. Trusting the source of the funds, if the risks related to all aspects of the business relation are low, to comply with specific CDD requirements. This could be done, for example, if funds originate from a state or are transferred from an account in the customer's name held by a company located in the European Economic Area (EEA).

  • Changing the frequency of CDD updates and of reviews of the business relation, for example by conducting such reviews only when triggered by specific circumstances or once a transaction limit is exceeded. This requires that institutions must have an adequate transaction monitoring system in place that detects these circumstances. Similarly, institutions must see to it that this does not exempt them from the obligation to keep their customer files up to date.

  • Changing the frequency and scope of transaction monitoring for example by monitoring transactions only in excess of specific transaction limits. The transaction limit may not be set unreasonably high. In addition, the transaction monitoring system must detect linked transactions that together exceed the applicable limit.

_____

[1] Final Guidelines on Risk Factors

[2]
Amendments to the Wwft and several other acts in connection with the implementation of Directive (EU) 2015/849 (AMLD4), Draft Explanatory Memorandum, p. 9.

sector

  • Banks
  • Electronic money institutions
  • Exchange transaction
  • Payment institutions