Shortly after the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) came into force, the FCA embarked on a review of the control frameworks in place at 13 Electronic Money Institutions (EMIs). The impetus behind the review was a desire for the FCA to increase its understanding of the key risks faced by the e-money sector and the controls in place to mitigate the risks of money laundering and terrorist financing.
What is e-money?
E-money is broadly defined by the European Central Bank as an electronic store of monetary value on a device which can be used for making payments and which does not necessarily involve bank accounts in transactions. Prepaid cards are the obvious example of e-money, but there is also no need for a physical product; entirely web-based payments services also constitute e-money.
What’s the risk?
E-money products attract a heightened risk of money laundering and terrorist financing for a few reasons:
– The requirements to conduct customer due diligence in respect of e-money users are not as stringent as in respect of many traditional banking products, meaning that many products can be obtained anonymously, and by multiple ‘cardholders’.
– Many products do not have a limit on usage, or the monetary value which can be ‘loaded’ onto them.
– Use of agents and distributors (Programme Managers (PMs)) to distribute products may lead to potential outsourcing risks, such as poor governance and oversight.
The FCA’s Findings
The review focused on e-money products, including prepaid cards and digital wallets. The scope of the review excluded other services (such as money remittance) and activities outside of the FCA’s supervisory remit (including gift cards that can be used only within a limited network, or any prepaid product denominated in a virtual currency).
Governance, culture and management information
Generally the FCA found that the EMIs exhibited “a positive culture and a good awareness and understanding of their financial crime obligations”. The formality and scale of the systems used to escalate and manage the risks depended on the relative size of the EMI, but the FCA considered this did not seem to impact on the effectiveness of the systems. Most EMIs produced monthly or quarterly management information reports, a practice viewed positively by the FCA.
Risk Assessment
Most EMIs had a comprehensive “business-wide risk assessment” in place to identify risks, but the appropriate control measures were not always implemented. Risks documented included factors such as card usage in high-risk countries and the use of PMs to distribute products. For “customer risk assessment”, the FCA found all EMIs were screening for Politically Exposed Persons (PEPs) and sanctioned individuals. However, the FCA noted that the risk tools to calculate individual customer risk were not always used effectively to trigger enhanced due diligence (EDD) and ongoing monitoring.
Customer Due Diligence (CDD) and EDD
For CDD, all EMIs were identifying and verifying customers in accordance with the MLRs. Most onboarding happened online, with recourse to a manual process if the online process failed. In some cases the CDD was outsourced to PMs. The EMIs’ CDD was adequate when onboarding corporate customers and PMs. Most EMIs were screening for PEPs and sanctioned individuals at onboarding, but the frequency of re-screening was less consistent.
EDD is required for higher risk situations. The MLRs amended the previous scope of a PEP, although only a minority of EMIs onboarded PEPs. PEPs which were onboarded made up a relatively small proportion of the EMIs’ customer bases. EMIs usually conducted EDD when onboarding business customers, and some EMIs did this before establishing the business relationship.
Policies and procedures
Most EMIs had revised and updated their policies and procedures to comply with the MLRs. The EMIs took different, but successful, approaches to complying with the changes introduced by the MLRs, including tightening up on CDD.
Training, Communication and awareness
All 13 EMIs had mandatory annual anti-money laundering and sanctions training for staff and new joiners. The training method varied across the EMIs (examples included computer-based training and external consultants). The content of the training also differed, but at one EMI the content was too basic because it focused only on reporting suspicious transactions, whereas it should also have included the changes introduced by the MLRs and an explanation of their impact and significance to the EMI.
Ongoing monitoring
Most EMIs fulfilled their transaction monitoring obligations through automated technical solutions. The FCA noted that sophisticated electronic systems were not required to monitor effectively, but such systems did allow the EMIs to deal effectively with larger volumes of transactions. In larger EMIs, the monitoring was in ‘real-time’ and generated alerts when unusual activity was detected. These alerts were followed up in most cases. Most EMIs carried out periodic reviews of high-risk relationships. Implicit in the review is the FCA’s support of automated monitoring, which allows for greater accuracy and efficiency.
Outsourcing
Five EMIs outsourced marketing and distribution of e-money to PMs. CDD was generally conducted by the PMs, although the legal responsibility remains with the EMI. The extent of the outsourcing to the PMs differed among these EMIs. Outsourcing to PMs was effective when the EMIs displayed a robust governance and oversight of the PMs and conducted effective audits of the PMs. Some EMIs visited PMs on-site regularly, whilst others conducted file reviews or requested management information on the screening process. It was found that the majority of EMIs which did outsource the distribution of e-money and compliance to PMs had “adequate governance and audit measures to manage the risks”.
EMIs approached compliance in different ways, which was supported by the FCA who took a substance over form approach. Going forward, the FCA intends to continue to monitor e-money firms. The full Thematic Review can be accessed here: https://www.fca.org.uk/publications/thematic-reviews/tr18-3-money-laundering-and-terrorist-financing-risks-e-money-sector.
