OBLIGATIONS IN THE CASE OF GIRO PAYMENTS AND TRANSFERS OF FUNDS
The provisions to which professionals are subject are set out in Regulation (EU) 2015/847 on information accompanying transfers of funds and repealing Regulation (EC) No1781/2006. Those provisions entered into force on 26 June 2017.
“Regulation (EU) 2015/847 ensures the uniform implementation of FATF Recommendation 16 on wire transfers throughout the European Union. (…) (It) lays down rules regarding the information on payers and, henceforth (which is new as compared to the old Regulation (EC) No 1781/2006), on payees, that shall accompany transfers of funds, in any currency, where at least one of the payment service providers involved in the transfer of funds is established in the European Union.”
Taking into account the direct effect of Regulation (EU) 2015/847, the CSSF invites professionals to “adjust, where applicable, (their) internal AML/CFT procedures and processes in order to comply with its requirements”.
In addition, CSSF Circular 18/680 of 23 January 2018 refers to the joint guidelines of the three European Supervisory Authorities on the measures payment service providers should take to detect missing or incomplete information on the payer or the payee.
Regulation (EU) 2015/847 applies to transfers of funds, in whatever currency, sent or received by a payment service provider or an intermediary payment service provider established in the Union.
The European Banking Authority’s latest guidance on AML/CFT risk factors specifies that payment initiation service providers (“PISPs”) as well as payment service providers providing account information (“AISPs”) are subject to AML/CFT rules, even though they are not in possession of customer funds.
Derogations from the application of Regulation (EU) 2015/847
“This Regulation shall not apply to transfers of funds carried out using a payment card, an electronic money instrument or a mobile phone, or any other digital or IT prepaid or post paid device with similar characteristics, where the following conditions are met:
(a) that card, instrument or device is used exclusively to pay for goods or services; and
(b) the number of that card, instrument or device accompanies all transfers flowing from the transaction.
However, this Regulation shall apply when a payment card, an electronic money instrument or a mobile phone, or any other digital or IT prepaid or post paid device with similar characteristics, is used in order to effect a person-to-person transfer of funds
This Regulation shall not apply to persons that have no activity other than to convert paper documents into electronic data and that do so pursuant to a contract with a payment service provider, or to persons that have no activity other than to provide payment service providers with messaging or other support systems for transmitting funds or with clearing and settlement systems.
This Regulation shall not apply to transfers of funds:
(a) that involve the payer withdrawing cash from the payer’s own payment account;
(b) transfer funds to a public authority as payment for taxes, fines or other levies within a Member State
(c) where both the payer and the payee are payment service providers acting on their own behalf;
(d) that are carried out through cheque images exchanges, including truncated cheques.”
The professional’s obligations will vary according to whether it is acting, as the case may be, as a payment service provider for the payer (Section 1), for the payee (Section 2) or where there is an intermediary payment service provider (Section 3).
Section 1. Compliance with Regulation (EU) 2015/847 on information accompanying transfers of funds
Subsection 1. Obligations of the payment service provider (“PSP”) of the payer
1. Information accompanying transfers of funds
“1. The payment service provider of the payer shall ensure that transfers of funds are accompanied by the following information:
(a) the name of the payer;
(b) the payer’s payment account number; and
(c) the payer’s address, official personal document number, customer identification number
or date and place of birth.
2. The payment service provider of the payer shall ensure that transfers of funds are accompanied by the following information:
(a) the name of the payee; and
(b) the payee’s payment account number.
3. By way of derogation from point (b) of paragraph 1 and point (b) of paragraph 2, in the case of a transfer not made from or to a payment account, the payment service provider of the payer shall ensure that the transfer of funds is accompanied by a unique transaction identifier rather than the payment account number(s).
The UTI is a combination of letters, numbers or symbols determined by the payment service provider, in accordance with the protocols of the payment and settlement systems or messaging systems used for the transfer of funds, which permits the traceability of the transaction back to the payer and the payee.
4. Before transferring funds, the payment service provider of the payer shall verify the accuracy of the information referred to in paragraph 1 on the basis of documents, data or information obtained from a reliable and independent source.
(…)
5. Without prejudice to the derogations provided for in Articles 5 and 6, the payment service provider of the payer shall not execute any transfer of funds before ensuring full compliance with this Article.”
It is important to note that the rules laid down concerning the data to be provided by the PSP of the payer are subject to a significant exception, where all the PSPs involved in the payment chain are established in the EU: only the payment account numbers of the payer and the payee have to accompany the transfer (Article 5 of the Regulation, below).
In practice, the name of the payer is normally given.
2. Transfers of funds within the Union
“1. By way of derogation from Article 4 (1) and (2), where all payment service providers involved in the payment chain are established in the Union, transfers of funds shall be accompanied by at least the payment account number of both the payer and the payee or, where Article 4 (3) applies, the unique transaction identifier, without prejudice to the information requirements laid down in Regulation (EU) No 260/2012, where applicable.
2. (…) the payment service provider of the payer shall, within three working days of receiving a request for information from the payment service provider of the payee or from the intermediary payment service provider, make available the information:
(a) for transfers of funds exceeding EUR 1 000, whether those transfers are carried out in a single transaction or in several transactions which appear to be linked, the information on the payer or the payee in accordance with Article 4 (see above);
(b) for transfers of funds not exceeding EUR 1 000 that do not appear to be linked to other transfers of funds which, together with the transfer in question, exceed EUR 1 000, at least:
(i) the names of the payer and of the payee; and
(ii) the payment account numbers of the payer and of the payee or, where Article 4(3) applies, the unique transaction identifier.”
(…) ».
The Regulation thus lays down thresholds for transfers (1 000 €) according to which the information to be given by the professional will vary.
The PSP of the payer will not be required to verify the accuracy of the information concerning the payer in the case of transfers of funds within the EU which do not exceed 1000 €, the PSP has received the funds to be transferred in cash or in anonymous electronic money, or where it has reasonable grounds to suspect money laundering or terrorist financing.
3. Transfers of funds outside the Union
“1. In the case of a batch file transfer from a single payer where the payment service providers of the payees are established outside the Union, Article 4(1) (information concerning the payer and the payee) shall not apply to the individual transfers bundled together therein, provided that the batch file contains the information referred to in Article 4(1), (2) and (3), that that information has been verified in accordance with Article 4(4) and (5), and that the individual transfers carry the payment account number of the payer or, where Article 4(3) applies, the unique transaction identifier.
2. By way of derogation from Article 4(1), and, where applicable, without prejudice to the information required in accordance with Regulation (EU) No 260/2012, where the payment service provider of the payee is established outside the Union, transfers of funds not exceeding EUR 1 000 that do not appear to be linked to other transfers of funds which, together with the transfer in question, exceed EUR 1 000, shall be accompanied by at least:
(a) the names of the payer and of the payee; and
(b) the payment account numbers of the payer and of the payee or, where Article 4(3) applies, the unique transaction identifier.
By way of derogation from Article 4(4) (verification of the accuracy of the information), the payment service provider of the payer need not verify the information on the payer referred to in this paragraph unless the payment service provider of the payer:
(a) has received the funds to be transferred in cash or in anonymous electronic money; or
(b) has reasonable grounds for suspecting money laundering or terrorist financing.”
Here again, a threshold below 1000 € for a transfer outside the EU will allow the PSP of the payer to identify only the names of the payer and the payee accompanied by the payment account numbers.
The PSP of the payer will not be required to verify the information on the payer unless the funds to be transferred have, in particular, been received in cash or in anonymous electronic money or there are reasonable grounds to suspect money laundering or terrorist financing.
Subsection 2. Obligations of the payment service provider of the payee
1. Detection of missing information concerning the payer or the payee
“1. The payment service provider of the payee shall implement effective procedures to detect whether the fields relating to the information on the payer and the payee in the messaging or payment and settlement system used to effect the transfer of funds have been filled in using characters or inputs admissible in accordance with the conventions of that system.
2. The payment service provider of the payee shall implement effective procedures, including, where appropriate, ex-post monitoring or real-time monitoring, in order to detect whether the following information on the payer or the payee is missing:
(a) for transfers of funds where the payment service provider of the payer is established in the Union, the information referred to in Article 5;
(b) for transfers of funds where the payment service provider of the payer is established outside the Union, the information referred to in Article 4(1) and (2);
(c) for batch file transfers where the payment service provider of the payer is established outside the Union, the information referred to in Article 4(1) and (2), in respect of that batch file transfer.
3. In the case of transfers of funds exceeding EUR 1 000, whether those transfers are carried out in a single transaction or in several transactions which appear to be linked, before crediting the payee’s payment account or making the funds available to the payee, the payment service provider of the payee shall verify the accuracy of the information on the payee referred to in paragraph 2 of this Article on the basis of documents, data or information obtained from a reliable and independent source (…).
4. In the case of transfers of funds not exceeding EUR 1 000 that do not appear to be linked to other transfers of funds which, together with the transfer in question, exceed EUR 1 000, the payment service provider of the payee need not verify the accuracy of the information on the payee, unless the payment service provider of the payee:
(a) effects the pay-out of the funds in cash or in anonymous electronic money; or
(b) has reasonable grounds for suspecting money laundering or terrorist financing.”
The principles governing the non-verification of the data concerning the payee where a transfer is made in a sum not exceeding 1000 € are the same as those explained above (under the heading “Transfers of funds outside the Union”) with regard to the obligations of the PSP of the payer.
Regulation (EU) 2015/847 does not describe how PSPs of payees may detect missing information; CSSF Circular 18/680 of 23 January 2018 reiterates the joint guidelines of the European Supervisory Authorities concerning the measures PSPs should take to detect missing or incomplete information regarding transfers of funds (the “Guidelines”).
CSSF Regulation 12/02 as amended recalls the rules of Regulation (EU) 2015/847 by referring to the common guidelines of the European supervisory authorities on the measures that payment service providers must take to detect missing or incomplete information on the payer or payee, as well as the procedures that must be put in place to handle a transfer of funds that is not accompanied by the required information.
1.1 Procedures with regard to missing and incomplete information
- Principles
PSPs (…) must implement effective procedures to detect if the required information on the payer or the payee is missing.
To be effective, these procedures should:
a) enable the PSP or IPSP to spot meaningless information;
b) employ a combination of real-time monitoring and ex-post monitoring; and
c) alert the PSP (…) to high-risk indicators.”
- Obligations and recommendations
“In order to detect and manage these transfers of funds with missing or incomplete information, PSPs and IPSPs shall notably establish, and maintain through regular review, effective policies and procedures that are proportionate to the nature, size and complexity of their business. These policies and procedures shall also be proportionate to the ML/TF risks to which the PSPs and IPSPs are exposed. Thus, they shall, for instance, set out clearly which transfers of funds have to be monitored in real time and which transfers of funds can be monitored on an ex-post basis.”
“The PSPs [of payees] (…) are thus requested to refer to the Guidelines for information on:
– the factors [they] should consider when establishing and implementing procedures to detect and manage transfers of funds that lack required information on the payer and/or the payee”.
1.2 “Meaningless” information
“PSPs (…) should treat meaningless information as though it was missing information
Examples of meaningless information include strings of random characters (e.g. ‘xxxxx’, or ‘ABCDEFG’) or designations that clearly make no sense (e.g. ‘An Other’, or ‘My Customer’), even if this information has been provided using characters or inputs in accordance with the conventions of the messaging or payment and settlement system.
Where PSPs (…) use a list of commonly found meaningless terms, they should periodically review this list to ensure it remains relevant. In those cases, there is no expectation that PSPs (…) manually review transactions to detect meaningless information.”
Professionals are recommended to configure their IT systems so that they are able to detect meaningless information.
1.3 Risk indicators
In the context of setting up procedures to detect missing information, PSPs should take due account of the risk factors referred to in Chapter 1 “Risk-based approach”.
2. Management of transfers of funds in respect of which information on the payer or payee is missing or incomplete
“The payment service provider of the payee shall implement effective risk-based procedures, including procedures based on the risk-sensitive basis referred to in Article 13 of Directive (EU) 2015/849, for determining whether to execute, reject or suspend a transfer of funds lacking the required complete payer and payee information and for taking the appropriate follow-up action.
Where the payment service provider of the payee becomes aware, when receiving transfers of funds, that the information referred to in Article 4(1) or (2), Article 5(1) or Article 6 is missing or incomplete or has not been filled in using characters or inputs admissible in accordance with the conventions of the messaging or payment and settlement system (…), the payment service provider of the payee shall reject the transfer or ask for the required information on the payer and the payee before or after crediting the payee’s payment account or making the funds available to the payee, on a risk-sensitive basis.”
The PSP will be required to determine whether to execute/refuse/suspend a transfer of funds in accordance with the procedures in force, on the basis that it will take due account of the risks involved in that transfer of funds before deciding what course is to be followed.
The professional must assess whether the missing information raises concerns regarding money laundering.
“Where a PSP (…) decides to reject a transfer of funds, it does not have to ask for the missing information but should share the reason for the rejection with the prior PSP in the payment chain.”
“Where a PSP (…) decides to suspend the transfer of funds, it should notify the prior PSP in the payment chain that the transfer of funds has been suspended and ask the prior PSP in the payment chain to supply the information on the payer or the payee that is missing, or to provide that information using admissible characters or inputs.” (…)
Where the requested information is not provided by the set deadline, the PSP (…) should, in line with its risk-based policies and procedures:
(a) decide whether to reject or execute the transfer;
(b) consider whether or not the prior PSP in the payment chain’s failure to supply the required information gives rise to suspicion; and
(c) consider the future treatment of the prior PSP in the payment chain for AML/CFT compliance purposes.”
It is thus for the professional to determine the outcome of a transfer in light of any missing/incomplete information.
3. Assessment and reporting
“The payment service provider of the payee shall take into account missing or incomplete information on the payer or the payee as a factor when assessing whether a transfer of funds, or any related transaction, is suspicious and whether it is to be reported to the Financial Intelligence Unit (FIU) in accordance with Directive (EU) 2015/849.”
“PSPs (…) should assess whether or not a transfer of funds is suspicious, taking into account any criteria set out in Union law, national legislation and their own, internal AML/CFT policies and procedures.
PSPs (…) should note that missing or inadmissible information may not, by itself, give rise to suspicion of ML/TF. When considering whether or not a transfer of funds raises suspicion, the PSP or IPSP should take a holistic view of all ML/TF risk factors associated with the transfer of funds (…), to the extent that these are known, and pay particular attention to transfers of funds that are likely to present a higher risk of ML/TF.
PSPs (…) should be able to demonstrate that they comply with directly applicable Union law and national legislation in the area of AML/CFT.”
Subsection 3. Obligations of intermediary payment service providers (“IPSPs”)
The obligations incumbent on IPSPs are similar in many ways to those of the PSP of the payee.
1. Retention of information on the payer and the payee accompanying the transfer
“Intermediary payment service providers shall ensure that all the information received on the payer and the payee that accompanies a transfer of funds is retained with the transfer.”
IPSPs must ensure that data are not altered.
2. Detection of missing information on the payer or payee
“The intermediary payment service provider shall implement effective procedures to detect whether the fields relating to the information on the payer and the payee in the messaging or payment and settlement system used to effect the transfer of funds have been filled in using characters or inputs admissible in accordance with the conventions of that system”.
In the case of “meaningless information”, an IPSP wilI be subject to the same obligations as the PSP of the payee in the same situation (see above).
“IPSPs should monitor transfers of funds to detect whether or not the characters or inputs used to provide information on the payer and the payee comply with the conventions of the messaging or payment and settlement system that was used to process the transfer of funds. These checks should be carried out in real time.
IPSPs may assume that they comply with (…) point (1) of Article 11 of Regulation (EU) 2015/847 (…) if they are satisfied, and can demonstrate to their competent authority, that they understand the messaging or payment and settlement system’s validation rules (…).”
“The intermediary payment service provider shall implement effective procedures, including, where appropriate, ex-post monitoring or real-time monitoring, in order to detect whether the following information on the payer or the payee is missing:
(a) for transfers of funds where the payment service providers of the payer and the payee are established in the Union, the information referred to in Article 5;
(b) for transfers of funds where the payment service provider of the payer or of the payee is established outside the Union, the information referred to in Article 4(1) and (2);
(c) for batch file transfers where the payment service provider of the payer or of the payee is established outside the Union, the information referred to in Article 4(1) and (2), in respect of that batch file transfer.”
3. Transfers of funds in respect of which information on the payer or payee is missing
“(…) IPSPs must implement effective procedures to detect if the required information on the payer or the payee is missing.
To be effective, these procedures should:
(a) enable the (…) IPSP to spot meaningless information;
(b) employ a combination of real-time monitoring and ex-post monitoring; and
(c) alert the (…) IPSP to high-risk indicators.”
“The intermediary payment service provider shall establish effective risk-based procedures for determining whether to execute, reject or suspend a transfer of funds lacking the required payer and payee information and for taking the appropriate follow up action.
(…)”
The obligations incumbent on IPSPs in the management of transfers of funds in respect of which information on the payer or payee is missing or incomplete are the same as those indicated above for the PSP of the payee (points 33 to 38 of the Guidelines).
Professionals are recommended to configure their IT systems so that they are able to detect suspicious or doubtful transactions.
4. Assessment and reporting
“The intermediary payment service provider shall take into account missing information on the payer or the payee as a factor when assessing whether a transfer of funds, or any related transaction, is suspicious, and whether it is to be reported to the FIU in accordance with Directive (EU) 2015/849.”
Subsection 4. Information, data protection and retention of information
1. Communication of information to the authorities
“Payment service providers shall respond fully and without delay, including by means of a central contact point in accordance with Article 45(9) of Directive (EU) 2015/849, where such a contact point has been appointed, and in accordance with the procedural requirements laid down in the national law of the Member State in which they are established, to enquiries exclusively from the authorities responsible for preventing and combating money laundering or terrorist financing of that Member State concerning the information required under this Regulation”.
In certain circumstances, “host Member States may require electronic money issuers and payment services providers that have establishments in their territory in forms other than a branch, and whose head office is situated in another Member State, to appoint a central contact point (…)”.
The central contact point plays a role of “central coordinator” between the PSP that appoints it and its establishments, and between the PSP and the competent authorities of the Member State in which those establishments are established.
2. Data protection
“The processing of personal data under this Regulation is subject to Directive 95/46/EC (…).
Personal data shall be processed by payment service providers on the basis of this Regulation only for the purposes of the prevention of money laundering and terrorist financing and shall not be further processed in a way that is incompatible with those purposes. The processing of personal data on the basis of this Regulation for commercial purposes shall be prohibited. (…)”
“Payment service providers shall provide new clients with the information required pursuant to Article 10 of Directive 95/46/EC before establishing a business relationship or carrying out an occasional transaction. That information shall, in particular, include a general notice concerning the legal obligations of payment service providers under this Regulation when processing personal data for the purposes of the prevention of money laundering and terrorist financing.”
“Payment service providers shall ensure that the confidentiality of the data processed is respected.”
Reference should be made to the relevant provisions of the GDPR relating to the “information to be provided where personal data are collected/have not been obtained from the data subject” (Articles 13 and 14).
The general notice must contain, in particular, the pre-contractual information to be provided to new customers (“data subjects”) as indicated in the ABBL guidelines entitled “Steps forward in implementing the GDPR”. Reference should be made to the professional obligations contained in, inter alia, the Law and to which the professional is subject, and the lawfulness of the processing of customer data in compliance with a legal obligation to which the professional (the “controller”) is subject.
3. Retention of information
“1. Information on the payer and the payee shall not be retained for longer than strictly necessary. Payment service providers of the payer and of the payee shall retain records of the information referred to in Articles 4 to 7 for a period of five years.
2. Upon expiry of the retention period referred to in paragraph 1, payment service providers shall ensure that the personal data is deleted, unless otherwise provided for by national law, which shall determine under which circumstances payment service providers may or shall further retain the data. Member States may allow or require further retention only after they have carried out a thorough assessment of the necessity and proportionality of such further retention, and where they consider it to be justified as necessary for the prevention, detection or investigation of money laundering or terrorist financing. That further retention period shall not exceed five years.”
As stated above, Article 3(6) of the Law provides that “professionals shall retain the supporting evidence and records of transactions which are necessary to identify or reconstruct transactions, for a period of five years after the end of a business relationship with their customer or after the date of an occasional transaction”.
The Law thereby lays down a provision “otherwise provided for by national law” within the meaning of Regulation (EU) 2015/847, requiring professionals to retain supporting evidence of transactions of their customers for a period of five years after the end of the business relationship with the latter.
Subsection 5. Sanctions
“Without prejudice to the right to provide for and impose criminal sanctions, Member States shall lay down the rules on administrative sanctions and measures applicable to breaches of the provisions of this Regulation and shall take all measures necessary to ensure that they are implemented. The sanctions and measures provided for shall be effective, proportionate and dissuasive and shall be consistent with those laid down in accordance with Chapter VI, Section 4, of Directive (EU) 2015/849.
Member States may decide not to lay down rules on administrative sanctions or measures for breach of the provisions of this Regulation which are subject to criminal sanctions in their national law. In that case, Member States shall communicate to the Commission the relevant criminal law provisions. (…)”
In the event of a breach of (certain) provisions (…) of Regulation (EU) 2015/847, the CSSF may impose administrative fines (…) on the entities in question (…) and on the members of their management body and/or de facto managers, or on any other person who is responsible for the breach.
Section 2. Fraud relating to transfers of funds: false transfer orders
Professionals must ask themselves whether the matter may potentially be one of the specific cases pinpointed by the FIU.
1. Types of fraud found to have occurred
- Fraud on the chief executive (“CEO fraud”), whereby a fraudster, passing himself off as the CEO, succeeds in persuading the accounts department of an undertaking to carry out a transfer to an account located abroad;
- False invoices of various different kinds may be utilised, addressed to the accounts department of a company. For example, a fraudster may hack into the IT system of an undertaking in order to gain knowledge of parties contracting with it and payments falling due to the latter by a given deadline or deadlines;
- Attack via a “middleman” (that is to say, a hacker intercepting electronic communications);
- “Pirated” e-mails (for example, those purportedly sent by financial intermediaries) designed to prompt the professional to execute non-authorised transfer orders.
2. The craftiness of fraudsters
Fraudsters invariably have recourse to social engineering to deceive their victims, having won their trust and preventing them from asking themselves questions regarding the legitimacy of the transfers executed.
In most of the cases analysed by the FIU, the customer did not inform his bank or lodge a complaint with the police or the public prosecutor until several days after the event. The chances of recovering the funds several days after the transfer was made tend to be zero. The first 24 hours are crucial for the possibility of recovering the funds. Intervention within 72 hours can sometimes still lead to a satisfactory result.
Only increased vigilance of the customer’s transactions by the financial institution concerned is likely to prevent the customer from failing to react.
3. Preventive measures
Various indicators exist for spotting fraudulent transfers. Those indicators may be generally applicable and may involve, in particular:
- the fact that substantial/high amounts are demanded as the price payable for the execution of high-value contracts. According to the FIU, it is not uncommon for the transfer to involve sums in excess of EUR 100,000 or even EUR 100,000;
- the use of payee accounts, already known about, in the context of false transfer orders;
- the use of “money mules” (a person who transfers funds obtained unlawfully between different bank accounts or other accounts, very often located in different countries, for the account of another).
There also exist criteria relating to the victim’s account or the account of the perpetrator (holder of the payee account):
Holder of the payee account:
- inconsistency of the amount of the transaction
- inconsistency with the customer’s business
Account of the victim/unusual behaviour/other factors:
- existing business relationship but inconsistent payee account
- new payee account
- urgency/confidentiality of the transaction
- failure to respect the “four eyes” principle
- unusual/inconsistent supporting evidence in the documentation provided
- phishing/pharming: instructions come from an email account that closely resembles the customer’s email account (e.g. contact@abc.com instead of contact@abc.lu)
- instruction given by the boss of a new employee or instructions given only by e-mail.
WHAT TO DO?
In order to pre-empt false transfer orders, the professional may initiate procedures whereby the customer is automatically contacted as soon as the amount involved in a transfer order reaches a pre-defined threshold.
4. Reporting by the professional to the FIU
The professional with whom the victim’s account is held must react quickly in order to maximise the chance of recovering the funds.
After informing the payee financial institution, the professional must immediately submit a suspicious operations report (SOR) to the FIU.
Where the transfer has been executed within the last 72 hours, the professional:
- may lodge a summary SOR, accurately providing all the information concerning the suspicious transaction(s), together with a statement of reasons in a few words. The professional is required to provide all further details within 24 hours.
- Contact the FIU by telephone after sending the SOR.
The professional the suspicious account is held must immediately submit a SOR to the FIU. The FIU will decide on a freezing order.
***