DNB & the AFM jointly inform you about the state of affairs regarding the European sanctions against Russia. This news item only relates to new sanctions and/or changes to existing sanctions regimes concerning the situation in Ukraine.Read more
Due diligence requirements for account information services (service 8)
On 1 March 2021, the European Banking Authority (EBA) published the final revised Guidelines on money laundering and terrorist financing (ML/TF) risk factors. The EBA has included new ML/TF risk factors. We have amended these Q&As on the basis of the revised Guidelines.
Do account information service providers (AISPs) have to perform customer due diligence (CDD)?
AISPs must perform customer due diligence to prevent their services from being used for money laundering and terrorist financing. These service providers fall under the Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme – Wwft) pursuant to Section 1a(1) of that act. An AISP must take into account all data available to it for which customers1 have given their explicit consent. Simplified CDD is the standard approach for AISPs, given the low risk inherent in their services. The CDD must be documented in customer files and comprise at least the following elements:
An AISP must identify its customers on the basis of Section 3(2) under a of the Wwft. There is no prescribed format for identifying customers. This information can also be used for screening customers against relevant sanctions lists. A natural or legal person holding connected payment accounts qualifies as a customer.
Customer identity verification
An AISP must verify its customers’ identity on the basis of Article 3(2) under a of the Wwft. A risk-based approach can be used for verification. In view of the low risk of money laundering and terrorist financing inherent in account information services, a single independent and reliable source can be used to verify the identity of a natural person, such as (personal) data taken from the bank API. This less stringent requirement for AISPs differs from those that apply to other payment service providers.
Purpose and intended nature of the business relationship
Pursuant to Section 3(2) under c of the Wwft, an AISP must establish the purpose and intended nature of the business relationship. Each time an account is added to an account overview, the AISP must verify whether the account is the customer's own account, a shared account, or a legal entity’s account to which the customer has access. It must use this information to obtain knowledge of the customer and to establish the customer's risk profile, but also to conduct adequate risk monitoring.
Review of customer representative
When a natural person states they are acting as a representative of a customer, an AISP must also determine whether this person is authorised to do so. For legal entities, the representatives are often the board members. When a natural person claims to indirectly represent a legal person (whereby the legal person is the customer), the chain of representative authority must be determined. An extract from the Trade Register of the Chamber of Commerce may for example be used for this purpose. When this authorisation has been established, the customer must be subjected to the CDD as set out in Section 3 of the Wwft. The natural person acting as representative must also be identified and their identity verified. A single independent and reliable source can be used to verify the identity of a natural person, such as an extract from the Trade Register of the Chamber of Commerce.
Identifying ultimate beneficial owners (UBOs)
An AISP must carry out CDD which enables it to identify the customer's ultimate beneficial owner (UBO). An AISP must also take all necessary and reasonable measures to verify the identity. There is no prescribed format for identifying customers, but this can for example be done through a UBO declaration or an organisation diagram. In the case of simplified CDD, a risk-based approach can be taken to the verification of UBOs, but this must not result in the UBO's identity not being verified.
Investigation of politically exposed persons (PEPs)
Pursuant to Section 8(5) of the Wwft, an AISP must have adequate risk management systems in place with risk-based procedures to determine whether a customer or UBO is a politically exposed person (PEP). In practice, this must result in an AISP conducting a PEP review at the start of the business relationship, or at suitable point after the start of the business relationship, for example when certain risk factors increase or when a time limit has expired. External sources or tools can be used for this purpose.
Section 1(1) of the Wwft defines a customer as the natural or legal person with which a business relationship is entered into or on whose behalf a transaction is conducted.
- Payment institutions