There are 900 payment institutions in the EU – and most are incapable of managing the risk of money laundering efficiently, according to a study published by EBA (European Banking Authority). Insufficient risk knowledge and low efficiency of transaction monitoring then lead to payment institutions failing to recognize and report suspicious transactions on time, even though they risk facing fines by the Czech National Bank (ČNB) or even losing the license.

Just like banks, payment institutions are licensed by the Czech National Bank, but unlike banks, they only act as transaction intermediaries, never actually accepting any client deposits.

In June 2023, the EBA published its report on money laundering and terrorist financing (ML/TF) risks within payment institutions, assessing how effectively these risks are managed. In 2022, a total of 32 EU authorities supervising financial institutions took part in the investigation (with the Czech Republic represented by the ČNB). The findings show that payment institutions are incapable of managing these risks efficiently. The investigation also found that according to the supervising authorities, there are almost 900 authorized payment institutions in the EU that could represent a high risk.

Cross border transactions and new technologies – that’s where the risks are

EBA has found that, unlike other entities who must abide by the AML (Anti-money laundering) rules – like banks – the payment institutions often deal with high numbers of international payments. These can be made into high-risk third countries that don’t have strong anti-money laundering policies or are facing international sanctions.

Payment institutions usually also deal with riskier client portfolios:

  • Clients from high-risk countries
  • Clients who were refused by traditional banks
  • Clients doing business in high-risk industries, like gambling or crypto

The payment institutions sector is also more open to using new technology, like one-time transactions that don’t require an account, virtual IBANs, or remote verification of new clients, with remote identification seen as a hazardous KYC (know your customer) method from the AML perspective.

Payment institutions also work with third parties much more often than banks do. For instance, when they choose to outsource client identification, it’s the payment institution’s responsibility to ensure that their subcontractor meets all AML legal requirements, and they can use tools like sanctions to demand compliance. However, in many cases, payment institutions fail to use these tools effectively.

Low risk awareness and missing three lines of defence

The study states that payment institutions have a low general awareness of risks related to money laundering, referencing the European Commission’s working document from 2022. Lack of training for both employees and third parties could be one of the reasons.

In some cases, entire ML/TF risk management systems showed serious flaws, with payment institutions lacking the “three lines of defence” – employees who check and verify clients, an AML or compliance department working as a second set of eyes, and an internal auditing department.

National supervising authorities have also found transaction monitoring to be lacking in efficiency, noting some payment institutions that had no system to monitor client transactions at all. Due to low awareness level and inefficient transaction monitoring, payment institutions then fail to identify and report suspicious transactions on time.

Supervising authorities have identified the following shortcomings:

  • Inadequate training on ML/TF issues and prevention, particularly when intermediaries are used.
  • Inadequate transaction monitoring: transaction monitoring systems of payment institutions were either lacking or absent completely.
  • Insufficient identification and reporting of suspicious transactions: payment institutions rely on transaction monitoring systems of the banks they work with rather than implementing their own systems as required by the EU legal framework.
  •  Failure to carry out controls to comply with restrictive measures. Screening of customers and transactions was sporadic or non-existent in some institutions.
  • Weak internal policies. Active involvement of shareholders in business operations which could undermine sound and prudent management of ML/TF risks.
  • Low awareness of TF risk management. This risk is linked to specific features of the products and services offered, like their financial nature, wide geographical reach, and the fact that these services usually involve low value transactions.
  • Online client onboarding. Payment institutions have often failed to follow procedures to identify high-risk clients or politically exposed persons.

Make sure that these shortcomings do not plague your company

Want to make sure that your payment institution is clear of all those shortcomings you just read about? KPMG can help you evaluate the efficiency of your internal AML/CFT (Anti-money Laundering/ Combating the Financing of Terrorism) management and control systems and risk assessment system according to the scope of your products and services.

We’ll review your onboarding, KYC (Know Your Client), and EDD (Enhanced Due Diligence) processes, assess your transaction monitoring and how you screen international transactions, and help you set up a better system for transaction monitoring and sanctions screening.

We’ll also help you choose the best processes to assess factors related to high or increased AML/CFT risk and assist in setting up client risk profiles and removing shortcomings found by the supervising authority.

We are also ready to assist with any other AML/CFT issues.

Got questions about AML/CFT? Feel free to reach out to our experts Maroš Holodňák or Lenka Ďurišová.