We would value hearing your views if you have noticed overlap in the information and reporting requests from AFM and DNB. We have made a survey on this subject available to help us identify possible duplication.Read more
Transaction monitoring requirements for account information services (service 8)
On 1 March 2021, the European Banking Authority (EBA) published the final revised Guidelines on money laundering and terrorist financing (ML/TF) risk factors. The EBA has included new ML/TF risk factors. We have amended these Q&As on the basis of the revised Guidelines.
Do account information service providers (AISPs) have to perform transaction monitoring?
Pursuant to Section 3(2) of the Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme – Wwft), AISPs must monitor transactions conducted by their customers1 to prevent their services from being used for money laundering or terrorist financing.
The Financial Supervision Act (Wet op het financieel toezicht - Wft) defines an account information service as:
“an online service for providing consolidated information on one or more payment accounts held by a payment service user with one or more other payment service providers”.
These service providers fall under the Wwft pursuant to Section 1a(1) of that act. We qualify the risks of money laundering and terrorist financing inherent in this specific type of service provider as low. This is because an AISP does not conduct any transaction itself or hold any funds for a payment service user. Nevertheless, AISPs have aggregated data from multiple sources at their disposal, providing opportunities for monitoring transactions that are related to money laundering or terrorist financing. Even when the data received is limited on an aggregated level, it provides additional possibilities for identifying specific patterns that can be used to detect unusual transactions. Accordingly, the low risk inherent in this type of payment institution means that it has to take less far-reaching measures in terms of customer due diligence and transaction monitoring than institutions with an elevated risk.
Information available to an AISP
Under PSD2, banks are not required to share all available data with an AISP. The requirement relates to information that the bank shares with the account holder. The exact data depends on the bank's policy. As a result, the information the account information service provider receives is of a varied and dynamic nature. Information from bank A may be different to that from bank B. The data used by the AISP for transaction monitoring can therefore differ from one bank to another. We require AISPs to take appropriate measures to identify and assess the risk of money laundering and terrorist financing related to their services, taking into account all data available for with payment service users have given their explicit consent.
Using the information from the payment service provider offering the account, it will be possible for the AISP to monitor transactions between linked accounts and transactions to third parties, taking at least the following risk factors into account:
- The customer receives funds from, or sends funds to, jurisdictions associated with higher ML/TF risk or from/to someone with known links to those jurisdictions.
- The customer connects payment accounts held at multiple account servicing payment service providers.
- The customer connects payment accounts held in the name of multiple persons in more than one jurisdiction.
- The customer transfers funds from different payment accounts to the same payee that, together, amount to a large sum without a clear economic rationale.
- The customer receives funds in different payment accounts from the same payer that, together, amount to a large sum without a clear economic rationale.
- The customer receives funds in different payment accounts from the same payer that give the AISP reasonable grounds to suspect that the customer is trying to evade specific monitoring thresholds.
- The customer transfers funds from different payment accounts to the same payee that give the AISP reasonable grounds to suspect that the customer is trying to evade specific monitoring thresholds.
Further risk factors that can be considered:
- The number of transactions per period
- Amounts that differ from the transaction pattern
- The currency of each transaction
- The value of the transaction
- The transaction volume per period
- The number of accounts that are connected
- The banks where these accounts are held The number of banks whose accounts are connected
Connected payment accounts held in a country in the European Economic Area (EEA) could contribute to a lower risk.
Pursuant to Section 3(2) under d of the Wwft, AISPs must monitor transactions conducted between accounts connected by the customer in the account overview for unusual features. They must also monitor transactions to and from third parties for unusual features. These are mostly subjective indicators, such as deviating amounts, unusual frequency of payments, multiple payment accounts to and from which funds are sent and received, and the absence of logic or economic rationale underlying transactions. Transaction monitoring processes must always be risk-based. The foregoing warrants the conclusion that monitoring must be of a higher intensity as more risk factors apply. Conversely, the fewer risk factors apply, the lower the intensity of transaction monitoring can be.
Section 1(1) of the Wwft defines a customer as the natural or legal person with which a business relationship is entered into or on whose behalf a transaction is conducted.
- Payment institutions