Latest EU AML risk assessment reviewed

As part of the EU commitment to improving AML controls, the European Commission and its individual member states are required to produce regular reports on the levels and typologies of AML and TF threats which exist and are active in the EU.
 
This is because individual firms alone are not capable of assessing all of the current and active threats and trends across Europe, purely because they do not have access to the intelligence or data that could allow them to develop such a risk assessment.
 
The resulting report assesses the different industries and assesses how significant (on a scale of lowly significant (1) to very significant (4)) the Commission believes the money laundering and terrorist financing threat and vulnerabilities within the product are and highlighting the typologies that firms should be aware of.
 
It should be noted that the final report for 2017 was produced pre-4 MLD and highlights the weaknesses that come from simplified due diligence, which is a loophole that has been reduced heavily under 4MLD and will be compacted even further by 5MLD. As such our focus has been on aspects not already addressed by 4MLD. 
 
The following is a summary of the prime risks associated with payments, e-money and currency exchange.
 

Payments 

The report states it includes  a number of different payment services including money value transfer services’ (MVTS) and card issuing,  but covers a number of different industries inside of the heading of payments, which impedes the strength and usability of the assessment for firms slightly.
 
The prime risk noted is that ‘payment services allow cross-border transactions that may rely on different mechanisms of identification (depending on national legislation) that may lead the terrorists to use false identity’. While it is noted that specific skills are needed by terrorist and criminal groups to do this, these skills are widespread and known within terrorist groups and money laundering circles. 
 
The risks identified are ascribed to the use of new payment methods and delivery channels such as mobile or internet payment, which increase the capacity of individuals to be anonymous. This, when combined with the interactions of high-risk customers in high-risk locations are considered to be the biggest risks.
 
Further consideration was also paid to payment service providers who utilise agent relationships, focusing on ensuring agents are fully aware of and committed to their AML requirements and ensuring member states put emphasis on the supervisor of the agent relationship to regularly inspect and review both the onsite provisions and the training of the agents in the relationship.
 
Overall the risk of payment services is considered to be only moderately significant, whereas the risks associated with MVTS is considered to be very significant.  The prime difference in outcomes is that MVTS are typically associated with high street, cash based remittance services that allow funds to be sent anonymously to higher risk locations with limited due diligence. 
 
The provisions of 4MLD and revised EU wire regulations sought to reduce these risks further by requiring that ID is provided for all transactions which are initiated in cash and so this risk has been largely closed.
 
The report also suggests that all member state supervisors should carry out an inspection of the sector within the next two years, which could lead to a large increase in the level of regulatory oversight that remittance firms are seeing.
 

Electronic money 

It should be noted that for electronic money, the assessment points out that ‘certain e-money products require identification of the owner, others allow owners to remain anonymous,’ which is a risk that has been reduced under 4MLD. However, the report highlights that non-anonymous products where limited or no identification processes are performed are open to abuse through  ‘circumvention of verification measures by using fake or stolen identities, or using straw men or nominees etc.’.
 
The result is that ‘perpetrators can load multiple cards under the anonymous prepaid card model. This multiple reloading could lead to substantial values which can then be carried out abroad with limited traceability’.
 
In short, the highly limited levels of due diligence being applied under simplified due diligence meant that individual users were able to take out multiple cards, using either fake or limited due diligence and then use these cards overseas.
 
It is noted that the low barrier to entry for e-money products and a lack of specialist knowledge in the circumvention of controls makes it attractive to both money launderers and terrorists, but also notes that owing to a limited barrier to entry ‘cash is still the preferred option to finance travels to war zones… but may be an option which is more attractive when cash transactions are not an available option’. The issue appears to come from the inconsistencies in application of AML and CTF controls across multiple e-money issuers offering a variety of diverse products – ‘inherent risks of e-money depend on the structure of the product, the nature of the operator and its capability in managing these new technologies to effectively identify and report suspicious transactions’.
 
Regulators noted that the capacity and capabilities of e-money firms is uneven from one operator to another, and that in many cases where no due diligence (no identification and verification), or simplified due diligence is applied, the level of ongoing monitoring and transaction monitoring  is not enhanced sufficiently to identify suspicious transactions or transaction patterns.to mitigate the risks created by reducing the due diligence.
 
The report concludes that once simplified due diligence is reduced, it believes that the risks of e-money will reduce, but notes that the level of controls in the sector are insignificant and this is clearly shown in the number of SARs filled. It is considered  a moderately significant TF and ML threat and vulnerability.  
 

Currency exchange 

While the report deals primarily with currency exchange, such as smaller bureau de change found at airports as opposed to FX brokerages (the key difference being in the size of the transaction and typically whether it involves the use of cash or bank transfers), the report highlights a key risk that exists across all financial services offerings, notably that regulated entities ‘have been infiltrated by criminal organisations to run their activities’, which is a common threat which can also affect regulated FX firms who have lapse employee onboarding controls.
 
It is also noted that a low regulatory barrier to entry, combined with a lack of knowledge of CTF and AML rules in this industry results in a low volume of SARs being reported.
 
Overall, since obtaining foreign currency was an essential part of a terrorist fighter’s 5 phase profile (see the Egmont report on Terrorist Fighter typologies), currency exchange has been considered to be at severe risk of threat and vulnerability.
 
The Commission has also advised for member states to set a threshold at a national level similar to the one for occasional transactions for transfers of funds as defined in article 4MLD is considered as commensurate to the risk (i.e. EUR 1,000).
 

Outcome and takeaways

Firms should look at the risks associated with its own sector, but  should also look at their correspondent relationships, providers and partners and look at the risks associated with their chosen funding sources and pay-out methods as part of its overall product risk assessments by reviewing other relevant industries. Where firms note a high level of risk associated with a specific funding method, they should assess how this may impact their overall product risk assessment.
 
The full report can be found at – europeanmemoranda.cabinetoffice.gov.uk/files/2017/07/10977-17-ADD-2.pdf. 

If you have any questions on how this report is applicable to your business risk assessment, contact me or one of my colleagues.

This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.

Related Posts

CASS Audit

TISA CASS Compliance Survey

Earlier this year, TISA launched a CASS compliance survey in association with fscom, aiming to gather insights on key areas of interest related to CASS

Read More