ECSH64080 - Regulation 64 - Obligations of payment service providers


The Law
https://www.legislation.gov.uk/uksi/2017/692/regulation/64
What it means
MSB money transmitters (money remitters for the purposes of the Information of payer Transfer of Funds Regulations (FTR)), Bill Payment Service Providers (BPSPs) and Telecommunications, Digital and IT Payment Service Providers (TDITPSPs) must be in a position to RESPOND FULLY AND RAPIDLY to requests from HMRC, Scottish Ministers, Financial Investigators and any other law enforcement authorities for ANY and ALL of the information they are required to take under the FTR.
Purpose
Ensure that the business is able to quickly assist investigations where relevant activity falls into scope of the FTR, meaning that key stakeholders can fully and accurately investigate and prevent Money Laundering, Terrorist Financing and Proliferation Financing (ML/TF/PF).
Time Line
Up to 31.12.2020 payment service providers had to take account of any guidelines issued by the European Supervisory Authorities under Article 25 of the funds transfer regulation in determining what measures were required to comply with that regulation. A link to the EU Regulation has been provided at the bottom of the page where required. To ensure compliance, Part 7 of the Money Laundering Regulations was established to formalise the EU Regulations into UK Statute. Despite EU Exit, from 31.12.2020, payment service providers must still adhere to Regulation 2015/847/EU of the European Parliament and of the Council of 20th May 2015 on information accompanying transfers of funds – this is confirmed within The Money Laundering and Transfer of Funds (Information) (Amendment) (EU Exit) Regulations 2019 paragraphs 10, 14 and 15 to 19, which amend the wording of the EU regulations for UK Law and maintain the Funds Transfer Regulations as in scope for UK payment service providers.
What to establish
Whether the business is able to RESPOND FULLY AND RAPIDLY to requests from HMRC for ANY and ALL information which they were required to gather under the FTR. To do so, officers will need to understand whether the business has first gathered the correct information under the FTR (explained further below) and, if they have, whether the business can respond fully and rapidly when the officer requests it. Where a business isn’t able to FULLY OR RAPIDLY respond to a request for information (required under the FTR), this is a relevant requirement and they are therefore in breach of Regulation 64(2) of the MLRs.

Whether the business is sending (on behalf of the payer), receiving (on behalf of the payee) or an intermediary (acting between one or more payment service providers (sender and receiver) to facilitate the transfer of funds on behalf of the payer and payee).

Whether the payment service is SOLELY occurring in the UK, or whether there is any going to or from any other country. Where the payment service is SOLELY internally within the UK, the requirements on payment service providers are relaxed (in line with Article 5 of the FTR).

Whether payment services are paid out or received in cash or anonymous e-money (such as Cryptocurrency or digital currencies).

Where the business’s “Firm Status” is showing as an Authorised Payment Institution (API) or registered small payment institution (SPI), officers will need to check the HMRC MLR registers to ensure that the business DOES appear and that HMRC is therefore the supervisor of the business as a payment service provider for the purposes of the Transfer of Funds Regulations (REGULATION (EU) 2015/847 – Information of payer Transfer of funds regulations). Officers will therefore need to determine whether the business complies with Regulation 64 of the MLRs.

If it DOES NOT appear on the HMRC MLR Register (or officers need to ensure that they don’t have dual supervision or require supervision by the FCA instead), officers will need to review the “Activities and Services” section of the FCA website to see whether the business provides any services other than Payment Services. For example, the “Activities and Services” section may show dropdowns for Payments Services & E-Money, Banking, Insurance, Mortgages and Home finance, Consumer Credit, Pensions, Investments or Other Services (where the dropdown will open up to describe the other services provided).

IF the “Activities and Services” section of the FCA website contains anything IN ADDITION to “Payment Services”, the FCA is the supervisor for the purposes of the Transfer of Funds Regulations (REGULATION (EU) 2015/847 – Information of payer Transfer of funds regulations) AND HMRC is not the business’s supervisor for these purposes.

Whether the business has the ability to link transactions (or understand what a linked transaction is and then subsequently monitors for linked transactions). If they understand and have the ability to link transactions, what are the parameters for doing so. Officers will need to establish whether the business has linked transactions which exceed 1,000 Euros (or equivalent in any currency).

Whether the business understands the risks of ML/TF/PF in relation to payment services sufficiently to identify where ML/TF/PF may be occurring.
As required by Article 4 of the FTR, establish whether the payment service provider solely sends money on behalf of the payer, alternatively receives money and pays out to the payee, or does a combination of both.

IF the business is a payment service provider and sends money on behalf of the payer, officers will need to determine what information is gathered and verified on the payer. Payment service providers sending on behalf of the payer are required to gather and verify (through a reliable and independent source) the following information on the payer under the FTR, and subsequently ensure that this information then accompanies the payment to the pay out partner at the destination (with the only exception being when the transmission is from UK to UK, described further below):

- name;
- payment account number; and
- address.

Where the address of the payer isn’t gathered, the payment service provider must identify and verify the payer’s official personal document number, customer identification number or date and place of birth.

In addition to the above, the payment service provider will also need to gather the name and payment account number of the payee (recipient of the money being transmitted).

For the payer and payee, where the payment service provider doesn’t have a payment account number for either party from and to which the money is being transmitted, the payment service provider will need to also ensure that the funds are sent with a unique identification number which allows for the linking of the transaction to the sender and receiver.

As referred to above, where the payment service being provided is from UK to UK, the requirements on the payment service provider for the payer MAY be reduced, meaning that the information accompanying the transfer could be limited to the payment account numbers or unique transaction number for the payer and payee. This reduced requirement is in place where the funds being transferred don’t exceed 1,000 Euros (or equivalent in any currency) as a single transaction or several which appear to be linked, aren’t in cash or where there are not reasonable grounds for suspecting ML/TF/PF. Where the transaction(s) (where linked) exceed 1,000 Euros (or equivalent in any currency), the above requirement on information on payer and payee remains in place in full.

Where this requirement is in place, compliance officer must ensure that the business can both receive information from a PSP and provide requested information to the requestor (HMRC, Scottish Ministers, Financial Investigators, or any other law enforcement authorities) within 3 working days.

In all situations, the information on payer and payee is required, however the reduced requirements concern only the information which is accompanying the transaction.

IF the business is a payment service provider and receives money on behalf of the payee to pay out, either on its own or in addition to sending on behalf of the payer, officers will need to establish whether the business has effective procedures to determine whether the information gathered and required for the purposes of the FTR (discussed above) has been completed in line with the payer’s payment service provider’s systems, and whether it monitors (in real time or post transaction) for where information on the payer or payee is missing in line with the requirements of the FTR.

Officers will also need to establish, for transactions exceeding 1,000 Euros (or equivalent in any currency) as a single transaction or several which appear to be linked, whether the payment service provider receiving money on behalf of the payee verifies (via data or information from reliable and independent sources) the accuracy of the information on the payee before crediting the payee’s account or paying out.

Where the transaction(s) don’t exceed 1,000 Euros (or equivalent in any currency), the payment service provider doesn’t need to verify the information unless the pay out of funds is in cash or anonymous E-money, or they have reasonable grounds for suspecting ML/TF/PF.

Whether the payment service provider has risk-based procedures to determine when to cancel or suspend transactions where the complete information on payer or payee is missing, or requires follow up actions.

Where the payment service provider is doing so on behalf of the payee, and the information on the payer or payee is missing or incomplete, the payment service provider should reject the transaction or ask for the information either before or after completing the transaction on a risk sensitive basis. Where this occurs numerous times from the sending payment service provider, the receiving payment service provider will take steps to address that this information is consistently being omitted, such as:
- Warning and setting a deadline on the sending payment service provider
- Rejecting future transactions from the sending payment service provider
- Restricting or terminating the business relationship with the sending payment service provider
- Reporting these failures to HMRC

Whether the business has appointed someone responsible for compliance with AML/CFT rules, and ensures that they are supervised by HMRC/FCA and are a central point of contact for HMRC when requesting documents and information, as required by EU 2015/849 - on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.

Whether the business fully complies with GDPR in respect to the processing of personal data as part of providing payment services, and that the information is processed for the prevention of ML/TF/PF. Additionally, officers need to establish whether the business is notifying its customers before the business relationship of the information concerning its legal obligations under GDPR and that the information is processed for the purposes of prevention of ML/TF/PF.

How to test compliance and evidence to obtain
Gather and review the business’s Policies, Controls and Procedures (PCPs) to determine whether they ensure adherence with the FTR, and whether the controls in place would identify circumventions of the policies and procedures. Also consider whether the PCPs appear to ensure that the information gathered for the purposes of providing the payment service adheres with Article 4 of the FTR as per the above, that they have PCPs for linking transactions (where needed), and that they also have PCPs for cancelling/suspending transactions where the information on payer or payee is not complete.

Once established, as part of undertaking CDD/EDD testing, officers will need to gather/review the transactional information from the business. When requesting/reviewing/analysing this information, officers should ensure that the information contains (as a minimum):

- Payer Name
- Payer payment account number OR unique transaction number (where no account has been used)
- Payer address OR official personal document number, customer identification number or date and place of birth (these should be identified and verified)
- How the payer made payment (e.g. cash, anonymous e-money, bank transfer, etc.)
- Value of transaction when payer made payment and the currency (officers will utilise this to review transactions greater than 1,000 Euros as a one off transaction or added together as linked transactions)
- Payee name
- Payee location (country or city/town)
- Pay out method (e.g. cash, anonymous e-money, bank account, etc.)
- Payee account number or unique transaction number (where no account has been used)
- Whether the transaction has been completed, cancelled or suspended

As part of reviewing and analysing the transactional information, and as part of discussions with the business, officers will need to identify:
- Whether all transactions are made and paid to payers and payees in the UK, whether they allow UK to UK transactions to be paid in cash and the information they gather, and whether they request and receive all information within 3 days from the sending money transmitter where required.
- Whether as part of doing money transmission they act on behalf of the payer, the payee or both, or are an intermediary payment service provider (and therefore may act on behalf of one or more payment service providers).
- Where the business only offers payment services on behalf of the payer, officers will need to ask who the pay out partner is at the destination(s) (may be another payment service provider or a bank), how the money moves from them to the destination country (for example do they employ the services of an intermediary payment service provider such as a Forex Company, another money transmitter, cash courier or bank), and how they facilitate the transactional information to the pay-out partner, along with what information is sent to accompany the payment.
- Where the business is only paying out money transmission, officers will need to ask what information they receive from the sending payment service provider, and how.
- What the business considers as a linked transaction (HMRC suggest 90 days in guidance). Officers therefore need to identify transactions which could be linked and which are below 1,000 Euros (or equivalent in any currency) individually but, once linked, go above the 1,000 Euros limit.
- One off transactions of 1,000 Euros or greater (or equivalent in any currency). Officers should look at the highest value transactions, especially those where there are anonymous sources of funding, such as where payment has been made in cash.

Gather, review and analyse the transactional information to determine whether any information is missing, or does not conform with the requirements of the internal system (for the purposes of adhering with the FTR) and the FTR.
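The completeness check and the linked-transaction analysis described above can be run over a digital extract of the transactional information. The following is an added illustration, not HMRC tooling or guidance: the field names and sample records are constructed, amounts are assumed to be already converted to Euros, and transactions are assumed to be linked by a payer identifier within the 90 day period mentioned above.

```python
from collections import defaultdict
from datetime import date, timedelta

THRESHOLD_EUR = 1000               # threshold stated on this page
LINK_WINDOW = timedelta(days=90)   # linking period this page says HMRC guidance suggests

# Hypothetical field names mirroring the minimum information listed above.
ALWAYS = ("payer_name", "payee_name", "payee_location", "pay_in_method",
          "pay_out_method", "amount_eur", "currency", "status")
ONE_OF = {
    "payer account or unique ref": ("payer_account", "unique_ref"),
    "payee account or unique ref": ("payee_account", "unique_ref"),
    "payer address or alternative": ("payer_address", "payer_doc_number",
                                     "payer_customer_id", "payer_dob_place"),
}

def missing_fields(tx):
    """Names of minimum fields that are absent or empty in one record."""
    gaps = [f for f in ALWAYS if not tx.get(f)]
    gaps += [label for label, alts in ONE_OF.items()
             if not any(tx.get(a) for a in alts)]
    return gaps

def one_offs(transactions):
    """References of single transactions of 1,000 Euros or greater."""
    return [t["ref"] for t in transactions if t["amount_eur"] >= THRESHOLD_EUR]

def linked_groups(transactions):
    """Per payer, sub-threshold transactions whose 90 day total exceeds the threshold."""
    by_payer = defaultdict(list)
    for tx in transactions:
        if tx["amount_eur"] < THRESHOLD_EUR:
            by_payer[tx["payer_id"]].append(tx)
    flagged = {}
    for payer, txs in by_payer.items():
        txs.sort(key=lambda t: t["date"])
        start, total = 0, 0
        for end, tx in enumerate(txs):
            total += tx["amount_eur"]
            # Drop transactions that fall outside the window ending at this one.
            while tx["date"] - txs[start]["date"] > LINK_WINDOW:
                total -= txs[start]["amount_eur"]
                start += 1
            if total > THRESHOLD_EUR:
                flagged.setdefault(payer, set()).update(
                    t["ref"] for t in txs[start:end + 1])
    return {p: sorted(refs) for p, refs in flagged.items()}

def _tx(ref, payer, day, amount, **over):
    """Build one constructed sample record; keyword arguments override defaults."""
    base = dict(ref=ref, payer_id=payer, date=day, amount_eur=amount,
                currency="EUR", payer_name="Payer " + payer, unique_ref=ref,
                payer_address="1 Example Street", payee_name="Payee",
                payee_location="Example City", pay_in_method="cash",
                pay_out_method="cash", status="completed")
    base.update(over)
    return base

SAMPLE = [  # constructed records, not real data
    _tx("T1", "P1", date(2024, 1, 5), 400),
    _tx("T2", "P1", date(2024, 2, 10), 450),
    _tx("T3", "P1", date(2024, 3, 20), 300),   # P1 totals 1,150 within 75 days
    _tx("T4", "P2", date(2024, 1, 10), 600),
    _tx("T5", "P2", date(2024, 6, 1), 600),    # more than 90 days after T4
    _tx("T6", "P3", date(2024, 2, 1), 1500, payer_address=""),
]
```

The window and threshold should be replaced with the parameters written in the business's own PCPs when testing against its linking criteria.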

Where officers identify that the information on the payer/payee is missing/incomplete or does not conform to the sending payment service provider or their internal systems, officers will need to ask questions to determine:

- whether the transactions have been transmitted and paid out (all of the information would need to have been gathered prior to transmitting and paying out),
- whether the transactions were/are suspended or rejected/cancelled (as should occur where any information is missing/incomplete),
- why the information is missing or inaccurate – particularly if the business has said the transactions did go through, so that the officer can ensure that the business hasn’t got the information elsewhere,
- whether the business had previously identified it and, if they have, when (either at the time of the transaction or afterwards), and subsequently whether the business has paused or cancelled the transactions,
- how often transactions are sent or received with missing or inaccurate information, whether there are specific customers or sending payment service providers where this is regularly occurring and the actions the business has taken to address this. Finally, officers will need to ask whether the business found this suspicious.

Officers will need to note the business’ responses and subsequently review evidence to confirm what the business has stated as being correct.

During the intervention, officers will need to ask what controls the business has in place to monitor AND link transactions (where required – for example linking transactions under 1,000 Euros), and when this occurs.

Officers may need to ask about what management information (MI) or analysis is conducted on transactions to link transactions (if any).

Where the business states that they do link transactions, gather management information or conduct analysis, officers should ask how this is done and how frequently, and ask to see historic examples (from the testing period) of when this has occurred. These controls should be written in the business’s PCPs, so it is imperative that officers fully note what the business has said and review this against the PCPs. Officers should challenge anything which is in the PCPs but which the business hasn’t stated, to ascertain whether these controls are still in place.

When conducting the analysis of the business’s transactions, officers will need to use the same parameters as those in the PCPs to determine transactions which meet the business’s criteria for linking transactions (and general controls such as financial thresholds). Officers then need to review/test what CDD/EDD has been done on the selected transactions, asking the business:

- whether they flagged these transactions for review and consequently the actions they may have taken,
- whether they were able to determine the transactions were genuinely linked and, where required, whether the business suspended the transaction to gather more information.

Officers will need to consider whether the transactions have been undertaken in an unusual way to potentially circumvent any controls the business has in place (for example by splitting transactions) or as a way of facilitating ML/TF/PF.

Where the business does not have the transactional information in a digital format, officers will need to ask how the business monitors its transactions to ensure that it links transactions (where required), and how it reviews the transactions for the purpose of identifying and mitigating ML/TF/PF.

Officers will need to ask the business questions around what they may find suspicious concerning transactions which may prompt them to raise a SAR. If it isn’t mentioned, ask whether they would find missing or incomplete information on the payer or payee suspicious. Where the business doesn’t say this or think that it is suspicious, ensure that they are aware that under Article 9 of the FTR they are required to consider whether this is suspicious.

Scenario
During a compliance intervention with an MSB Money Transmitter to ensure that they are complying with the MLRs, an HMRC officer requests to see the information on the name of the customer, the verification details on the name and address of the payer, and the name of the payee and their unique transaction reference.

The MSB Money Transmitter explains that this information is not currently available and that they will have to get their compliance team in Pakistan to locate the transaction as the information is stored in paper records. The compliance team will then send this information to the MSB Money Transmitter to provide to HMRC, as they don’t have this information readily available and aren’t able to access it at this time without the support of the compliance team. The money transmitter explains that it may take a couple of weeks to locate and send this information to the HMRC officer.

As the business isn’t able to fully and rapidly respond to enquiries concerning information required by or under the Funds Transfer Regulations, this is a breach of regulation 64(2).

The officer will need to consider the appropriate sanction.

AMP
Not Relevant to this sector
ASP
Not Relevant to this sector
EAB
Not Relevant to this sector
LAB
Not Relevant to this sector
HVD
Not Relevant to this sector
MSB
Officers will ideally need to request the transactional information ahead of the visit to allow them the opportunity to undertake analysis of the transactions ahead of the visit with the business. This is so that officers are able to identify potential areas of non-compliance or higher risk, allowing officers to focus their questioning on where they have identified the business may be non-compliant and where the highest risks lie if unmitigated.

Where officers are conducting an unannounced visit, they should consider taking a FIS Data Handler with them to upload the transactional information.

TCSP
Not Relevant to this sector.
Further Reading
Reg 61. Interpretation of Transfer of Funds (Information on the Payer) Regulations
Reg 62. Transfer of funds supervisory authorities
Reg 63. Duties of transfer of funds supervisory authorities
Reg 54 – Duty to maintain registers of certain relevant persons
HMRC Guidance on Funds Transfer Regulations
The Money Laundering and Transfer of Funds (Information) (Amendment) (EU Exit) Regulations 2019
Regulation EC 1781/2006 – Information of payer Transfer of Funds Regulations
REGULATION (EU) 2015/847 – Information of payer Transfer of funds regulations
Payment Services Regulations 2009
Payment Services Regulations 2017
Directive (EU) 2015/849 – on the prevention of the use of the financial systems for the purposes of money laundering or terrorist financing