Customer due diligence of end users by providers of Payment service 8
Are account information service providers (AISPs, Service 8) required to perform customer due diligence on end users (account holders) of the service?
Yes. Account information service providers (AISPs, Service 8) are required by law to perform customer due diligence on the payment service user (PSU): the account holder who is the end user of the service. The aim is to prevent the AISP from being used for money laundering or terrorist financing purposes.[1]
Customer due diligence: customer identification and verification
Under Section 3 of the Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financiering van terrorisme – Wwft), AISPs must perform customer due diligence on all customers [2] with whom they enter into a business relationship [3].
The most common situation is that the PSU enters into a direct relationship with the AISP. In another situation, the AISP collects information on an account holder's account on behalf of a third party.
Account holder A applies for a mortgage loan from credit provider B, who wants access to A's accounts to assess the application. B then engages the services of AISP C, who needs A's consent to deliver the required information to B.
In this example, AISP C has two customers within the meaning of the Wwft:
- Natural person or legal entity B, with whom it enters into a business relationship, and
- Natural person or legal entity A (the PSU), who gives consent to a transaction.
Whether A also enters into a business relationship with C depends on the type of consent that A gives to C. If C is given consent for downloading a single transaction overview, this is considered a one-off transaction that does not qualify as a business relationship. However, if C is given consent to access A's accounts more than once, this does qualify as a business relationship, which means C must perform customer due diligence on both B and A.
Since the end user/account holder usually gives consent for a specific period (e.g. 90 days), in practice this means that a business relationship usually exists.
This means the AISP must also perform customer due diligence on account holders if it only collects “raw” payment data from account holders on behalf of a non-licensed party that compiles these data into overviews for the account holder.
[1] The inherent risk of money laundering or terrorist financing through AISPs is low. The customer due diligence requirements for account information services (service 8) are therefore lower.
[2] The customer is the natural or legal person with whom a business relationship is entered into or who has a transaction effected (Section 1(1) of the Wwft). A transaction is defined as follows: “An act or a combination of acts performed by or on behalf of a customer of which the institution has taken note in the provision of its services to that customer (Section 1(1), under b, of the Wwft)”. Providing an account overview also qualifies as a transaction.
[3] A business relationship is a professional or commercial relationship between an institution and a natural person, legal entity or partnership firm, which is related to the professional activities of the institution and is expected to continue for a certain period from the moment the relationship is entered into (Section 1(1), under b, of the Wwft).