The due diligence challenge for the payments industry
With the payments industry betting big on modernisation, cloud computing, mergers and acquisitions, and collaboration with other industry players, providers also need to play it safe by conducting due diligence whenever they bring new business customers on board, both to combat payments fraud and to enforce anti-money laundering rules. This is particularly crucial when a payment service provider's potential customers come from high-risk areas.
Yet despite the onslaught of regulation designed to protect everyone within the payments ecosystem, particularly legitimate customers, Deloitte says the market will continue to expand and evolve, “with digital payment vehicles and transaction volumes growing across the globe.” To remain competitive, many payments providers will need to modernise their organisations and infrastructure to support new service offerings, and they will need to identify new revenue streams.
Deloitte says this will require investing in “cloud computing and other digital technologies to more rapidly address evolving customer preferences and mitigate risk and regulatory obligations”, and traditional players will need to branch out by collaborating with, merging with or acquiring Fintech companies to tackle the challenge of cross-border payments – adding capabilities and talent to improve the “end-to-end payment experience, multi-payment integration, and business-to-business (B2B) payments.”
So, the “big bets” won’t just be about regulatory compliance. Providers will also need strategies that allow their partnering to evolve. Deloitte explains that this means the focus will either be on a targeted set of preferred partners and platforms, or on developing a broader strategy to service the payments ecosystem. With the right strategies, new opportunities will be created in 2020, but there will also be significant challenges for those seeking to master “this dynamic market.”
New regulations, such as the second revision of the European Union’s Payment Service Directive (PSD2) and the Fifth Money Laundering Directive (5AMLD), present both an enormous challenge and an opportunity. 5AMLD came into force on 10th January 2020, and Accenture says: “This new Directive introduces changes to the 4th Money Laundering Directive, further-preventing financial systems from being exploited for money laundering and terrorist financing.”
“These changes and new provisions should strengthen and enrich the existing preventative framework, whilst encouraging European countries to adhere to international standards set by the Financial Action Task Force (FATF).”
5AMLD also requires more prepaid instruments to be subject to customer due diligence (CDD), and the threshold at which CDD can be waived has been dropped from 250 euros to 150 euros. Furthermore, cryptocurrency exchanges and custodian wallets are now classified as obliged entities and will have to perform the same anti-money laundering (AML) checks.
Each EU member state is required to produce a Clarification of Politically Exposed Persons (PEPs) too – a list of persons entrusted with prominent public functions. Payments providers need to conduct due diligence on PEPs because they are viewed as being at higher risk of involvement in bribery and corruption by virtue of their standing and influence. The term PEP is often used to refer to customers in the financial services industry, and yet care also needs to be taken over third-party relationships in all industries.
People defined as PEPs could pose a reputational risk to a payments provider. It is therefore vital to use media databases – not just Google – to research the backgrounds of certain potential customers to ensure that they are not involved in fraud, corruption or any kind of crime. There are also countries that are subject to sanctions, meaning that doing business with certain individuals or entities might be legally prohibited. The challenge is therefore to gain as much information about business customers as possible, looking for adverse media coverage in order to decide whether a customer poses any potential risk, or to take action to mitigate that risk. Fortunately, this process is made easier by using technology solutions that look for adverse media coverage, provide updates on sanctions, and raise alerts about suspicious activities and about PEPs.
With technology, payments providers can improve their customer due diligence, KYC and risk management. With regard to customer due diligence, Her Majesty’s Revenue and Customs (HMRC) says it must be applied whenever a business establishes a new business relationship (as part of the onboarding process); when a business executes an ‘occasional transaction’ worth 15,000 euros or more; whenever there is suspicious activity that makes anyone suspect money laundering or terrorist financing; whenever there are doubts about a customer’s identification information that was obtained previously; and when it’s necessary for existing customers – for example, if their circumstances change.
Ultimate Beneficial Ownership (UBO) registers of company ownership now have to be publicly available, and the UBO reporting requirements have been extended to any legal arrangement. KPMG, referring to AMLD 4, describes the UBO register and defines what is meant by an Ultimate Beneficial Owner: “…a country-specific central register that lists beneficial owners of companies, trusts, foundations, and other legal arrangements similar to trusts. In the case of corporate entities, the beneficial owner is defined as the natural person who ultimately owns or controls, directly or indirectly, more than 25% of the shares or voting rights, or controls the entity through other means.”
Another regulation that requires attention is the Payment Services Directive 2 (PSD2). As with many financial services regulations, the aim is to modernise payment services for the benefit of both customers and businesses. The European Commission states this is also about making electronic payments and online banking safer for consumers/customers, while promoting more secure online and mobile payments and better customer protection.
The Commission adds: “At the same time, the directive aims to improve the level-playing field for payment service providers – including new players or Fintechs – and contribute to a more integrated and efficient European payments market.” It also hopes that PSD2 will facilitate innovation, improve competition and efficiency in the EU online payments market, while also marking the completion of the digital single market. However, as seen at Sibos 2019, PSD2 will have far-reaching implications for all payments providers across the globe – especially those with customers in the EU.
PSD2, which came into force on 13th January 2018, includes a Strong Customer Authentication (SCA) requirement. SCA compliance is a challenge, but it will be worth it because the relentless threat of fraud and cyber-attacks is putting more pressure on the banking and financial services industry than ever before. So due diligence is no longer just about conducting AML and KYC checks; it is also about Know Your Enemy: protecting your customers, avoiding hefty fines levied after data breaches (e.g. under GDPR), and ultimately protecting business relationships and reputations.
So while customer due diligence – including adverse media, AML and KYC checks – may seem burdensome, it is an opportunity to bring on new business customers that will add value to payment providers, while also protecting their customers and avoiding fines. For example, under GDPR the maximum penalty is up to 4% of annual global turnover or 20 million euros – whichever is greater – for organisations that infringe its requirements. Larger penalties can be incurred for non-compliance with other regulations designed to prevent theft, fraud and money laundering. From a payment provider’s perspective, it’s therefore worth investing in solutions that enforce compliance.