ECSH51180 - Obligations of payment service providers
Regulation 64 of The Money Laundering, Terrorist Financing and Information on the Payer (Transfer of Funds) Regulations 2017 (MLR 2017) requires a payment service provider (PSP), being a money remitter for the purposes of Regulation (EU) 2015/847 – Information of payer Transfer of funds regulations (FTR), to be able to respond fully and rapidly to requests from HMRC, Scottish Ministers, Financial Investigators and any other law enforcement authorities for any and all of the information it is required to take under the FTR.
FTR is relevant to payment service providers in the UK as the EU FTR were incorporated into UK law by virtue of section 3 EU (Withdrawal) Act 2018 (incorporation of direct EU legislation) and were amended by the Money Laundering and Transfer of Funds (Information) (Amendment) (EU Exit) Regulations 2019 (https://www.legislation.gov.uk/uksi/2019/253/regulation/10/made). The amendments ensure the EU FTR operate effectively in a UK-only context.
Where a business is included in the register maintained by the Financial Conduct Authority as an authorised payment institution (API) or registered small payment institution (SPI) and does not provide any services other than payment services, it is a PSP and must be registered with HMRC for supervision under MLR 2017 and the FTR and comply with its obligations under these regulations.
Purpose
Gathering and maintaining the information from the FTRs ensures that PSPs are able to quickly assist investigations where relevant activity falls within the scope of the FTR, in line with regulation 64 MLR 2017, meaning that key stakeholders can fully and accurately investigate and prevent money laundering, terrorist financing and proliferation financing (ML/TF/PF).
What information should be obtained under FTR
PSPs sending money on behalf of the payer are required to gather and verify (through a reliable and independent source) the following information on the payer under the FTR and subsequently ensure that this information accompanies the payment to the pay out partner at the destination:
- Name.
- Payment account number.
And at least one of the following:
- Address, official personal document number, customer identification number or date and place of birth.
The verification of this information must be done in accordance with regulation 28 MLR 2017 and records must be maintained in accordance with regulation 40 MLR 2017.
For UK to UK transactions, the name and address of the payer do not need to be verified, unless the transaction is funded by cash or anonymous e-money, or there are reasonable grounds to suspect ML/TF/PF. More detail on the information that should accompany UK to UK transactions can be found later in this guidance.
In addition to the above, the PSP will also need to gather the name and payment account number of the payee (recipient of the money being transmitted).
For the payer and payee, where the PSP does not have a payment account number from and to which the money is being transmitted, it will need to also ensure that the funds are sent with a unique identification number which allows for the linking of the transaction to the sender and receiver.
What to establish
Whether the PSP has gathered the correct information under the FTR and, if it has, what process it has to retrieve the information in order for it to comply with the obligation to respond fully and rapidly to any request – this process should be detailed in the policies, controls and procedures developed and maintained under regulation 19(3)(d) MLR 2017. Where it is not able to respond fully and rapidly to provide this information, it will be in breach of regulation 64(2) MLR 2017.
Whether the business is sending (on behalf of the payer), receiving (on behalf of the payee) or an intermediary (acting between one or more PSPs (sender and receiver) to facilitate the transfer of funds on behalf of the payer and payee).
Whether the payment service is solely occurring in the UK. If so, see below for the requirements in line with Article 5 FTR.
UK to UK payments – information to accompany transactions
Where the PSP is undertaking transactions solely within the UK, the requirement in relation to the FTR may be reduced. This means that the information accompanying the transfer could be limited to the payment account numbers or unique transaction number for the payer and payee. This reduced requirement is in place where the funds being transferred don’t exceed 1,000 Euros (or equivalent in any currency) as a single transaction or several which appear to be linked, aren’t in cash, or where there are no reasonable grounds to suspect ML/TF/PF. Where the transaction(s) (where linked) exceed 1,000 Euros (or equivalent in any currency), the above requirements on information on payer and payee remain in place in full.
Where the reduced requirement applies, the PSP of the payer must be able to comply with the requirement to respond fully and rapidly to any and all requests within 3 working days. This includes requests from the payee's PSP or any intermediary PSPs.
In all situations, the information on payer and payee is required; the reduced requirements concern only the information which accompanies the transaction.
FTR requirements on PSP
For transactions exceeding 1,000 Euros (or equivalent in any currency) as a single transaction or several which appear to be linked, the PSP receiving money on behalf of the payee must verify (via data or information from a reliable and independent source) the accuracy of the information on the payee, and that the information has been filled in appropriately and correctly (e.g. typing errors or letters in a date of birth field), before crediting the payee's account or paying out, in line with FTR Article 7(3).
Where the transaction(s) does not exceed 1,000 Euros (or equivalent in any currency), the PSP does not need to verify the information unless the pay out of funds is in cash or anonymous e-money, or they have reasonable grounds for suspecting ML/TF/PF.
The PSP of the payee should have risk-based procedures to determine when to cancel or suspend transactions where the complete information on payer or payee is missing or requires follow up actions.
Where the payment being handled by the PSP is on behalf of the payee, and the information on the payer or payee is missing or incomplete, it must obtain the information before completing the transaction or reject the transaction. Where this occurs numerous times from the sending PSP, the receiving PSP should take appropriate steps to deal with the consistent incomplete/missing information, such as:
- Warning and setting a deadline on the sending PSP.
- Rejecting future transactions from the sending PSP.
- Restricting or terminating the business relationship with the sending PSP.
- Reporting these failures to HMRC and the Financial Conduct Authority (FCA).
- Submitting a suspicious activity report (SAR).
Obligations for intermediary payment service providers (IPSPs)
PSPs acting as an intermediary payment service provider have some additional obligations which must be followed:
- Information received on the payer and payee that accompanies the transfer of funds is retained with the transfer.
This means an IPSP must transfer both the information as well as the funds as they were received by the IPSP.
- Have in place effective procedures to verify (via data or information from a reliable and independent source) the accuracy of the information, and that the information has been filled in appropriately and correctly (e.g. typing errors or letters in a date of birth field).
and
- Have in place effective procedures (including real-time monitoring) to detect whether the following information on the payee is missing:
- For a UK to UK transaction, at least the payment account number of both the payer and the payee.
- For a UK to non-UK transaction, the name of the payer, the payer’s payment account number and either the payer's address or official personal document number, customer identification number or date and place of birth. For a batch file transfer, this information must also accompany and reflect the batch file.
IPSPs must establish effective risk-based procedures for determining whether to execute, reject or suspend a transfer of funds lacking the required payer and payee information and for taking the appropriate follow up action.
Where an IPSP identifies that any of the information detailed in the above bullets is missing or does not appear to have been entered accurately or correctly it must do one of the following:
- Reject the transfer, or
- Ask for the required information on the payer and the payee before or after the transfer of funds, taking a risk-based approach when determining when to ask for the required information.
Where a PSP repeatedly fails to provide the required information, the IPSP must take steps before rejecting any future transfer of funds or restricting or terminating its relationship with that PSP. These steps may include warnings regarding the failure to provide the information and its accuracy, and the setting of deadlines to provide missing or incomplete information.
The IPSP must report that failure to HMRC and the FCA.
An IPSP must take into account missing information on the payer or the payee as a factor when assessing whether a transfer of funds, or any related transaction, is suspicious, and whether to submit a suspicious activity report.
PSPs and data protection
FTR specifies that the processing of personal data is subject to the Data Protection Act 2018 (DPA).
PSPs must only process personal data for the purposes of the prevention of ML/TF/PF.
In accordance with Article 13 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, PSPs must provide new customers with the following information as a data controller before establishing a business relationship, or carrying out an occasional transaction:
- The identity and the contact details of the controller and, where applicable, of the controller's representative.
- The contact details of the data protection officer, where applicable.
- The purposes of the processing for which the personal data are intended as well as the legal basis for the processing.
- Where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party.
- The recipients or categories of recipients of the personal data, if any.
- Where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
PSPs must ensure the confidentiality of the data they collect and process is respected.