Transfers of funds: Comments and recommendations by the NBB
1. European regulations on transfers of funds
The purpose of the European regulations on transfers of funds is to prevent payment systems from being used to launder money or finance terrorism.
1.1. Regulation 2015/847
Transfers of funds are governed by Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds (hereinafter "Regulation 2015/847"), which repealed the former Regulation (EC) 1781/2006. The purpose of this Regulation 2015/847 is to ensure the traceability of payments and to specify the obligations of the various payment service providers involved in transfers of funds..
More specifically, Regulation 2015/847 lays down rules with regard to the information on payers and payees that must accompany transfers of funds, in any currency, where at least one of the payment service providers involved in the transfer of funds is established in the European Union.
It lays down the obligations of financial institutions where they act as:
- the payment service provider ("PSP") of the payer;
- the PSP of the payee; and
- the intermediate PSP involved in the execution of a transfer of funds ("IPSP").
1.2. ESAs guidelines
Regulation 2015/847 has been supplemented by the ESAs Joint Guidelines on the measures payment service providers should take with regard to transfers of funds they receive to detect missing or incomplete information on the payer or the payee, and the procedures they should put in place to manage a transfer of funds lacking the required information.
Point 1(a) of these guidelines specifies that the guidelines apply to:
- financial institutions in their capacity as PSPs, as defined in Article 3(5) of Regulation 2015/847, where they act as the PSP of the payee; and
- financial institutions in their capacity as IPSPs, as defined in Article 3(6) of Regulation 2015/847.
The NBB therefore recommends that financial institutions acting as the PSP of the payee and/or as IPSP as referred to above, give full consideration to the above-mentioned ESAs joint guidelines, in particular in determining:
- the factors that should be considered when establishing and implementing procedures to detect and manage transfers of funds that lack required information on the payer and/or the payee; and
- the measures they should take to manage the ML/FT risk where the required information on the payer and/or the payee is missing or incomplete.
However, the NBB notes that the general considerations set out in points 8 to 20 of these guidelines are also relevant for financial institutions in their capacity as PSPs of payers. It therefore expects financial institutions to also take full account of these general considerations when defining and implementing their policies, procedures and internal control measures relating to their activities in their capacity as PSPs of payers.
2. Obligation to have a monitoring system
In accordance with Article 23 of the Anti-Money Laundering Regulation of the NBB, financial institutions should set up a monitoring system to monitor compliance with the provisions of Regulation 2015/847.
More specifically, the purpose of this monitoring system is to ensure that all transfers of funds received by financial institutions in their capacity as IPSPs or PSPs of payees systematically carry complete information on the payer and the payee, as required under Regulation 2015/847.
2.1. Scope of the obligation to have a monitoring system
The obligation to have a monitoring system for transfers of funds applies to financial institutions providing payment services (in particular in their capacity as PSP of the payee or as IPSP).
2.2. Expectations of the NBB regarding the monitoring system
On the one hand, the NBB expects financial institutions where they act as the PSP of the payer to implement effective internal control mechanisms to ensure that all transfers of funds in which they are involved in that capacity systematically carry information on the payer and the payee, in accordance with Articles 4 to 6 of Regulation 2015/847. The NBB expects financial institutions to reject a transfer of funds where the required information is missing or incomplete.
On the other hand, where the financial institution acts as IPSP or as PSP of the payee, the Anti-Money Laundering Regulation of the NBB provides that the system for monitoring transfers of funds received should:
- cover all customers’ accounts and contracts and all their transactions;
- allow rapid detection of any infringements of the provisions of Regulation 2015/847;
- be automated, unless the obliged financial institution can demonstrate that the nature, number and volume of transactions to be monitored do not require it; and
- be subject to an initial validation procedure and a regular review.
The NBB expects this monitoring system to allow financial institutions to effectively carry out all the controls described in the above-mentioned ESAs joint guidelines, under the conditions specified therein, so that an alert is generated where transfers of funds received do not carry all the information required in accordance with Regulation 2015/847, enabling the financial institution to implement the required measures to manage transfers of funds where the information is missing or incomplete or has been provided using inadmissible characters or inputs.
Furthermore, the financial institution is expected, in accordance with Articles 8, § 2, and 12, § 2, of Regulation 2015/847 to inform the NBB of cases where a PSP repeatedly fails to provide the required information on the payer or the payee, and of the measures it has taken as a result thereof. In order to assess when a PSP should be considered to be ‘repeatedly failing’ to provide the required information, please refer to the quantitative and qualitative criteria laid down in the ESAs Joint Guidelines (see points 47 et seq.). These guidelines also list the information to be provided, where appropriate, to the competent supervisory authorities. This information should be communicated to the NBB's AML/CFT supervision team at the following e-mail address: [email protected]. The NBB itself will subsequently inform the EBA.
2.3. Management of alerts generated by the monitoring system
The NBB considers that the proper management, in accordance with Regulation 2015/847 and the above-mentioned joint guidelines, of the alerts generated by the monitoring system referred to above is the responsibility of the AMLCO.
For the sake of efficiency, the financial institution's internal procedures may instruct its operational services to conduct a preliminary analysis of the alerts generated by the system for monitoring transfers of funds to ensure that they are apparently relevant. Where this preliminary analysis does not support the conclusion that the alerts are false, the transactions concerned must be referred to the AMLCO, in order for him to determine the measures for managing such alerts that should be taken in accordance with Regulation 2015/847, the ESAs joint guidelines and the internal procedures.
In addition, the AMLCO should, under his responsibility, put in place a process to analyse, as quickly as possible, alerts generated by the systems for monitoring transfers of funds, in order to determine, in accordance with Articles 9 and 13 of Regulation 2015/847, whether or not there are any suspicions of ML/FT. For more information about this analysis process, see the pages “Analysis of atypical transactions” and “Reporting of suspicions”. In this respect, see also points 44 to 46 of the ESAs joint guidelines on this subject.
In general, the NBB also recommends that financial institutions ensure that, in accordance with Regulation 2015/847, all decisions and follow-up actions taken (and the reasons behinds the decisions taken) are documented.
3. Internal policy and procedures with regard to transfers of funds
3.1. Integration of aspects relating to transfers of funds into the financial institution's AML/CFTP policy
The NBB expects all financial institutions to set out, in their AML/CFTP policy established pursuant to Article 8 of the Anti-Money Laundering Law, their strategy regarding:
- compliance with the obligations relating to the information accompanying transfers of funds executed on behalf of their customers in their capacity as payers;
- the management of transfers of funds received by a financial institution in its capacity as IPSP or PSP of a payee, where the required information is missing or incomplete or has been provided using inadmissible characters or input; and
- the identification of PSPs or IPSPs that repeatedly fail to provide the required information and the measures to be taken with regard to these service providers.
In accordance with the principle of proportionality, the above policy should be more detailed in financial institutions that specialise in payment services.
3.2. Establishment of a procedure for monitoring transfers of funds
As indicated on the page “Policies, procedures, processes and internal control measures”, all financial institutions that execute transfers of funds should put in place a procedure for monitoring transfers of funds, taking into account in particular the above-mentioned joint guidelines of the ESAs.
This procedure should include the following:
-
the internal control measures implemented to ensure that the transfers of funds executed on behalf of their customers in their capacity as payers carry all the information required;
-
the criteria and process to identify transfers of funds received by a financial institution in its capacity as PSP of the payee or as IPSP that should be subject to real-time monitoring and those that may be monitored ex post;
-
the analysis, decision and management process for the measures to be taken in accordance with Articles 7 and 8(1) of Regulation 2015/847 and the aforementioned joint guidelines, where the financial institution acts as the PSP of the payee, and Articles 11 and 12(1), where
-
the financial institution acts as IPSP, where its system for monitoring transactions detects a transfer of funds received lacking the required complete information on the payer and the payee; the NBB expects these financial institutions to set up an operational system enabling them to immediately reject the said transfer of funds if necessary;
-
the process to detect payment service providers of payers or intermediaries involved in transfers of funds who repeatedly fail to provide the required information on the payer or payee, and the process to decide on the measures to be taken in this case in accordance with Articles 8(2) and 12(2) of Regulation 2015/847;
the process to submit transfers of funds received lacking the required information to the AMLCO for examination, in accordance with Articles 9 and 13 of Regulation 2015/847, in order for him to determine if there are any suspicions of ML/FT; see also the page “Reporting of suspicions”.
If the financial institution concerned specialises in payment services, its procedure for transfers of funds should be more detailed, while remaining proportionate to the nature, size and complexity of its activities and ML/FT risks.
3.3. Record retention process
Regulation 2015/847 provides that information that allows to precisely identify the payer and the payee should be retained for a period of five years, which may be extended in certain circumstances, in order to be able to respond later to any requests from the competent authorities. In this context, the NBB expects financial institutions to take the necessary measures to comply with the record retention requirements of Regulation 2015/847, while complying with the legislation on the processing of personal data.
Furthermore, it should be noted that Article 60 of the Anti-Money Laundering Law imposes a retention period of ten years from the end of the business relationship with the customer or the date of execution of the occasional transaction, for the identification data of customers, agents and beneficial owners, where appropriate updated in accordance with Article 35 of the Anti-Money Laundering Law, as well as for the copy of the supporting documents or of the result of consulting an information source. By complying with the ten-year period provided for in the Anti-Money Laundering Law, the obligation set out in the European Regulation on transfers of funds to retain information on the payer and payee for a period of five years is automatically met.
4. Internal control measures
Financial institutions are expected to monitor periodically and on an ongoing basis that their transfers of funds policy and procedures are properly complied with and that the processes for implementing the organisational and operational obligations set out above are adequate.
With regard to the system for monitoring transfers of funds, the NBB recommends that the internal audit function pay particular attention to:
-
the effectiveness of the monitoring system, taking into account in particular the number of alerts generated;
-
the effectiveness of the process for analysing alerts generated by the system, taking into account the number of cases of information being reported to the AMLCO and the number of suspicious transaction reports related to a transfer of funds issue;
-
the adequacy of the human and technical resources made available to the operational services responsible for analysing the alerts generated by the monitoring system for transfers of funds and to the AMLCO.