Prepaid Cards

• Prepaid cards began as a device used to pay for goods and services where the issuer does not need to conduct any analysis on the cardholder’s credit standing, or bear the costs for opening and managing a payment account.
• Many prepaid cards may now be used to withdraw cash from automated teller machines (ATMs) including internationally.
• Some provide the possibility of person-to-person transfers.
• AML/CFT risks
  i. Prepaid cards have evolved from a replacement for store gift certificates and limited purpose closed loop applications to, in some cases, embody all the functionalities of a payment instrument tied to a payment account.
  • Closed-loop prepaid cards—(Low Risk)
    • gift cards that can only be used for purchases at a single, or among a limited network, of merchants
    • do not provide access to the global ATM network and are not able to have cash refund through merchants (commonly known as “cash back”)
  • Open-loop prepaid cards—(High Risk)
    • payment network-branded cards that allow transactions with any merchant or service provider participating in the payment network
    • customers use the prepaid cards to access the related funds which are held in an associated payment account
    • Some prepaid cards can be funded using cash and other electronic payment instruments, offer similar options to those provided by a payment account and related instruments to move funds, may allow cash access via ATMs globally and, in some cases, allow person-to-person funds transfers between users.
• Many entities can be involved in the provision of prepaid cards, which can create regulatory challenges in determining where to place appropriate responsibility for AML/CFT controls.
  • Acquirer– The entity which maintains the relationship with the retailer, provides the infrastructure needed for accepting a card payment (e.g. access to the point of sale (POS) terminal or the payment services supporting an e-commerce website) and normally operates the account in which the proceeds of the sale transaction are deposited.
  • Distributor (including retailer)– The entity that sells, provides, or arranges for the sale of, prepaid cards on behalf of the issuer to consumers. Distributors may also offer a range of services to their customers.
  • Payments network operator– The entity that provides the technical platform to perform transactions with the card at ATMs or points of sale at merchants.
  • Issuer– The entity that issues prepaid cards and against which the customer has a claim for redemption or withdrawal of funds
  • Programme manager– The entity responsible for establishing and managing the prepaid card programme in cooperation with a bank or electronic money institution. The programme manager usually markets the prepaid cards and establishes relationships with banks and distributors or customers, and in many cases provides the data processing capability. Some prepaid card issuers also manage their card programmes themselves (i.e. without using programme managers).
  • Agent –Any natural or legal person providing prepaid card services on behalf of another entity involved in the provision of prepaid cards, whether by contract with or under the direction of the entity.

Mobile Payments

• Mobile money products are often linked to prepaid accounts, where non-banking entities such as telecommunications providers have been successful mobile money issuers
• Popular in emerging markets where mobile payments are growing and contributing to financial inclusion as these provide under-served and unbanked people with access to a broad range of formal financial services. (Blog post idea connect to facebook penetration and libra)
• The financial institutions that facilitate mobile payments, including person-to-business (P2B), person-to-person (P2P) or government-to-person (G2P) transactions, can be traditional payment service providers (banks or depository institutions) or non-bank payment service providers, designated in the FATF glossary as money or value transfer services (MVTS).
• Service Providers:
  • mobile network operators (MNOs)
  • mobile telephone equipment manufacturers
  • telecommunications industry standards setting groups
  • payment networks
  • software developers
  • technology used
    • text messaging
    • mobile Internet access
    • near field communication (NFC)
    • programmed subscriber identity module (SIM) cards
    • unstructured supplementary service data (USSD).
• Entities involved in providing mobile payment services (where to place appropriate AML/CFT compliance burdens)
  • MNO– The entity that provides the technical platform to allow access to the funds through their mobile phone.
  • Distributor (including retailer)– The entity that sells, or arranges for the issuance of funds on behalf of the issuer to consumers, if such funds can be used for payments.
  • Electronic money issuer– The entity that issues electronic money. Electronic money is a record of funds or value available to a consumer stored on a payment device such as chip on a prepaid card, mobile phones or on computer systems as a non-traditional account with a banking or non-banking entity.
• Bank-Centric Mobile Payment model
  • the customers are account holders of the bank which offers the mobile payments service
  • The role of the MNO here is limited to providing the telecommunication network facility for the transfer of payment messages. Since it does not manage or hold the customer’s funds at any stage, the MNO would not require a financial services license as the bank is the payment service provider.
• MNO-centric Mobile Payment model
  • MNOs offer mobile payment services as a means to add value to their core communications service
  • customer funds are held in a prepaid account by the MNO itself or a subsidiary
  • A partner bank may formally holds the license
    • In such partnership, the MNO retail outlets and other storefront retailers offer similar services to those of limited-purpose bank branches, signing up customers, taking in deposits, and paying out cash to settle mobile payment transactions. The payment service may be branded under the name of the bank or under the name of the MNO.
  • MNOs are often international companies with the ability to extend their services across borders
    • MNOs can partner with electronic funds transfer networks to allow domestic customers to access ATMs for cash withdrawals by entering a code, instead of card swipe.
    • To allow customers international access to cash, MNOs can partner with payment card issuers to offer open-loop prepaid cards.
  • The creation, sale, transfer or consumption of pre- or post- paid customer ‘airtime’ balance by MNOs can be regarded as an alternative currency

Internet Based Payments

• Internet-based payment services intermediate between online buyers and sellers (P2B) and for personal transfers (P2P) transactions.
• Customers access, via the Internet, pre-funded accounts which can be used to transfer the electronic money or value held in those accounts to other individuals or businesses which also hold accounts with the same provider.
• The recipient then redeems the value from the issuer by making payments or withdrawing the funds. Withdrawals occur by transferring the funds to a regular bank account, a prepaid card, or another money or value transfer service. While typically customers hold funds in pre-paid accounts, customers are not required to do so. When the account needs to be funded, this can happen with a debit from a bank account or payment card account, or supplied via another funding source as needed.
• Users access services such as digital wallets, digital currencies, virtual currencies, or electronic money.
• Internet-based payment services may also be interconnected with other payment methods such as prepaid cards.
• Digital currency providers may allow third parties to undertake the exchange of national currencies with the electronic currency or value.
  • Virtual bureau de change model where they make their money charging for account-to-account transfers. Exchangers sell digital currency from their accounts, transferring the value from their account to the customer’s account. The reverse occurs when a payment recipient wants to cash out
  • Digital Currency backed by Precious Metals: service providers sell virtual gold or silver at market prices, claiming to hold actual precious metals on behalf of the customer. Intermediaries, or exchangers as they are often called, buy and sell digital precious metals for their own accounts in transactions with customers.
  • Pre-funded accounts that consumers use for online auction payments are among the most dominant Internet-based payment services.
  • Internet-based payment services may also be associated with online gambling or virtual worlds for which only a proprietary form of currency can be used to conduct transactions.

ENTITIES COVERED BY THE FATF RECOMMENDATIONS

• As a range of entities are involved in the NPPS sphere and their business models can be complex, it can be difficult to determine which entity is responsible for the implementation of AML/CFT preventive measures.
• Providers of NPPS fall within the definition of financial institution by conducting money or value transfer services, or by issuing and managing a means of payment, and therefore should be subject to AML/CFT preventive measures as required by the FATF Recommendations, including, for example, customer due diligence, record keeping, and reporting of suspicious transactions.
• The Interpretive Note to Recommendation 1: two situations in which countries may decide not to apply some of the FATF Recommendations requiring financial institutions to take certain actions:
  • (a) provided there is a proven low risk of money laundering and terrorist financing; or
  • (b) when a financial activity (other than the transferring of money or value) is carried out by a natural or legal person on an occasional or very limited basis (having regard to quantitative and absolute criteria), such that there is low risk of money laundering and terrorist financing.
  • MVTS cannot benefit from the exemption due to financial activity being conducted on an occasional or very limited basis.

RISK ASSESSMENT AND RISK MITIGATION OF NPPS

• Recommendation 15 which requires countries and financial institutions to identify and assess the ML/TF risks that may arise in relation to the development of new products and business practices, and the use of new or developing technologies (also prior to the launch)
• countries should consider the FATF Guidance for ML/TF risk assessment.20 In addition, countries and financial institutions should consider the risk factors outlined in the Interpretive Note to Recommendation 10 on customer due diligence.
• Risk Factors:
  • Non-face-to-face relationships and anonymity
    • Customer identification and verification measures need to adequately address the risks associated with non-face to face contact, which entail high risks of impersonation fraud, heightened the ML/TF risks, and also entails difficulty to trace the funds.
      • Effective monitoring and reporting mechanisms depend on good CDD program
    • Prepaid cards—risks posed by anonymity (not identifying the customer) can occur when the card is purchased, registered, loaded, reloaded, or used by the customer.
      • AML/CFT risk mitigation measures can include measures such as funding or purchasing limits, reload limits, cash access, and whether the card can be used outside the country of issue.
      • Can easily be passed on to third parties that are unknown to the issuer, including, but not restricted to, ‘twin cards’ which are specifically designed to allow third parties remittances, and may advertise anonymity as a feature of the product. This amplifies the risks when the providers of these products are based in countries where prepaid card providers are insufficiently regulated and supervised for AML/CFT purposes, but sell their products internationally.
    • Mobile payments: The risks occur when the mobile payment service is used or reloaded. Risk is relative to the functionality of the mobile payment service and the existence of AML/CFT risk mitigation measures such as CDD or funding thresholds.
    • Internet-based payment services typically have no face-to-face customer contact. Risks include identity fraud or customers providing inaccurate information potentially to disguise illegal activity.
      • Mitigate risks by adopting alternative identification mechanisms. The risks posed are relative to the functionality of the service, the funding mechanisms (if funds come from a regulated account the risks can be substantially reduced) and the existence of AML/CFT measures.
  • Geographical reach
    • Open-loop prepaid cards, especially ones with global reach, amplify AML/CFT risks
      • Can be used to purchase goods and services, access cash, transfer funds from person-to-person—risks amplify when this can be done internationally.
      • The compact physical size of such cards also makes them vulnerable to misuse by criminals who use them to transport value across national borders.
      • Under Recommendation 32 certain prepaid access products, such as prepaid cards, may qualify as bearer negotiable instruments.
    • Global Mobile and Internet-based payment services pose high ML/TF risks
      • Can be used to transfer funds globally, or can be used in a wide geographical area, with a large number of counterparties
      • NPPS providers located in one jurisdiction may offer these services to customers located in another jurisdiction where they may be subject to different/weak AML/CFT obligations and oversight.
  • Methods of funding
    • Anonymous funding methods obscure the origin of the funds, creating a higher ML/TF risk.
    • Cash poses the highest potential risk as cash is anonymous and provides no transaction history.
    • Funding a NPPS product via another payment service that does not verify customer identification can also create an anonymous funding mechanism.
    • NPPS that use a prepaid model means that the absence of credit risk for the provider may reduce the incentive for providers to conduct comprehensive CDD, thereby increasing the ML/TF risk.
    • Criminals can use prepaid cards as a means to launder the proceeds of crime by placing those proceeds into the financial system/transport funds across borders.
    • Mobile payment services allow funding in different ways; some draw funds from a bank (lower risk) or payment card account, others allow cash funding through a network of agents (high risk).
      • Cash and non-bank payment options open up payment system access but also obscure the origin of the funds creating a heightened risk for ML/TF.
      • Account-to-account transfers and funding through third parties increase the ML/TF risk.
    • Internet-based payment services that allow third party funding from anonymous sources face an increased risk of ML/TF.
      • A special case of third party funding is the use of exchangers or virtual bureaux de change. Such exchangers can circumvent an Internet-based payment service provider’s ban on certain funding methods (e.g.a ‘no cash funding’ policy) if they accept the banned payment methods when reselling the issued digital currency or electronic money funds.
  • Access to cash
    • Access to cash through the international ATM network, using for e.g. prepaid cards increases the level of ML/TF risk.
  • Segmentation of services
    • i. NPPS commonly requires a complex infrastructure involving several parties.
    • ii. when such parties are spread across several countries, the ML/TF risk rise due to the potential of segmentation and the potential loss of customer and transaction information.
      • It may not be clear which of the entities involved are subject to AML/CFT obligations, who is responsible for complying with such obligations, and what country among those involved in the transaction process is responsible for regulating and supervising for compliance with AML/CFT measures. the multiple parties involved in the chain of information could create difficulties in tracing the funds
      • relying on unaffiliated third parties for establishing customer relationships, issuance or redemption and reloading raises potential ML/TF risks
      • Parties such as MNOs may not be familiar with AML/CFT controls leading to CDD issues
      • while a bank settling wholesale transactions between NPPS providers has CDD obligations in relation to the NPPS provider, it has no, or limited visibility into the NPPS providers’ customers and is unable to oversee transactions between the NPPS provider and their customers.

Non-face-to-face relationships and anonymity

• Customer identification and verification measures need to adequately address the risks associated with non-face to face contact, which entail high risks of impersonation fraud, heightened the ML/TF risks, and also entails difficulty to trace the funds.
  • Effective monitoring and reporting mechanisms depend on good CDD program
• Prepaid cards—risks posed by anonymity (not identifying the customer) can occur when the card is purchased, registered, loaded, reloaded, or used by the customer.
  • AML/CFT risk mitigation measures can include measures such as funding or purchasing limits, reload limits, cash access, and whether the card can be used outside the country of issue.
  • Can easily be passed on to third parties that are unknown to the issuer, including, but not restricted to, ‘twin cards’ which are specifically designed to allow third parties remittances, and may advertise anonymity as a feature of the product. This amplifies the risks when the providers of these products are based in countries where prepaid card providers are insufficiently regulated and supervised for AML/CFT purposes, but sell their products internationally.
• Mobile payments: The risks occur when the mobile payment service is used or reloaded. Risk is relative to the functionality of the mobile payment service and the existence of AML/CFT risk mitigation measures such as CDD or funding thresholds.
• Internet-based payment services typically have no face-to-face customer contact. Risks include identity fraud or customers providing inaccurate information potentially to disguise illegal activity.
  • Mitigate risks by adopting alternative identification mechanisms. The risks posed are relative to the functionality of the service, the funding mechanisms (if funds come from a regulated account the risks can be substantially reduced) and the existence of AML/CFT measures.

Geographical reach

• Open-loop prepaid cards, especially ones with global reach, amplify AML/CFT risks
  • Can be used to purchase goods and services, access cash, transfer funds from person-to-person—risks amplify when this can be done internationally.
  • The compact physical size of such cards also makes them vulnerable to misuse by criminals who use them to transport value across national borders.
  • Under Recommendation 32 certain prepaid access products, such as prepaid cards, may qualify as bearer negotiable instruments.
• Global Mobile and Internet-based payment services pose high ML/TF risks
  • Can be used to transfer funds globally, or can be used in a wide geographical area, with a large number of counterparties
  • NPPS providers located in one jurisdiction may offer these services to customers located in another jurisdiction where they may be subject to different/weak AML/CFT obligations and oversight.

Methods of funding

• Anonymous funding methods obscure the origin of the funds, creating a higher ML/TF risk.
• Cash poses the highest potential risk as cash is anonymous and provides no transaction history.
• Funding a NPPS product via another payment service that does not verify customer identification can also create an anonymous funding mechanism.
• NPPS that use a prepaid model means that the absence of credit risk for the provider may reduce the incentive for providers to conduct comprehensive CDD, thereby increasing the ML/TF risk.
• Criminals can use prepaid cards as a means to launder the proceeds of crime by placing those proceeds into the financial system/transport funds across borders.
• Mobile payment services allow funding in different ways; some draw funds from a bank (lower risk) or payment card account, others allow cash funding through a network of agents (high risk).
  • Cash and non-bank payment options open up payment system access but also obscure the origin of the funds creating a heightened risk for ML/TF.
  • Account-to-account transfers and funding through third parties increase the ML/TF risk.
• Internet-based payment services that allow third party funding from anonymous sources face an increased risk of ML/TF.
  • A special case of third party funding is the use of exchangers or virtual bureaux de change. Such exchangers can circumvent an Internet-based payment service provider’s ban on certain funding methods (e.g.a ‘no cash funding’ policy) if they accept the banned payment methods when reselling the issued digital currency or electronic money funds.

Access to cash

• Access to cash through the international ATM network, using for e.g. prepaid cards increases the level of ML/TF risk.

Segmentation of services

• i. NPPS commonly requires a complex infrastructure involving several parties.
• ii. when such parties are spread across several countries, the ML/TF risk rise due to the potential of segmentation and the potential loss of customer and transaction information.
  • It may not be clear which of the entities involved are subject to AML/CFT obligations, who is responsible for complying with such obligations, and what country among those involved in the transaction process is responsible for regulating and supervising for compliance with AML/CFT measures. the multiple parties involved in the chain of information could create difficulties in tracing the funds
  • relying on unaffiliated third parties for establishing customer relationships, issuance or redemption and reloading raises potential ML/TF risks
  • Parties such as MNOs may not be familiar with AML/CFT controls leading to CDD issues
  • while a bank settling wholesale transactions between NPPS providers has CDD obligations in relation to the NPPS provider, it has no, or limited visibility into the NPPS providers’ customers and is unable to oversee transactions between the NPPS provider and their customers.

Risk Mitigation Measures

The overall degree of risk of a particular NPPS is the cumulative effect of combining each of the various risk factors. So procedures to mitigate risk should be proportionate to the level of risk posed by the product or service.

• Customer due diligence
  • CDD is an effective measure to mitigate ML/TF risk associated with NPPS.
  • Measures to identify and verify their customer’s identity will vary depending on the level of risk posed by the product (i.e. risk based approach)
  • Simplified CDD for low risks
  • The greater the functionality of the NPPS, the greater the need may be for more enhanced CDD. Non-face-to-face verification of customer identity often requires corroborating information received from the customer with information in third party databases or other reliable sources, and potentially tracing the customer’s Internet Protocol (IP) address, and even searching the Web for corroborating information, provided that the data collection is in line with national privacy legislation.
    • In non-face- to-face scenarios, financial institutions should verify the identity of the customer following the establishment of the business relationship (rather than before or during the course of establishing a business relationship) when essential to not interrupt the normal conduct of business and provided that the ML/TF risks are effectively managed
  • Transaction monitoring and suspicious activity reporting is essential.
• Loading, value and geographical limits
  • Placing limits on NPPS can be an effective mechanism to mitigate ML/TF risk, as long as it is combined with other AML/CFT measures such as account and transaction monitoring, and the filing of suspicious transaction reports.
  • Limiting the functionality of a NPPS product to certain geographical areas or setting reloading limitations also mitigates the risk that NPPS may be misused for ML/TF purposes.
    i. such limitations can also limit the attractiveness of the product generally, including limitations on legitimate customer activity.
  • Given that the ML/TF risk increases as the functionality of the NPPS increases, financial institutions could consider establishing individual tiers of service provided to customers.
    i. the extent of CDD and other AML/CFT measures should increase as the functionality, and therefore risk, increases.
  • Prepaid cards: use threshold limits to mitigate ML/TF risks
    • Implement loading and duration limits
    • limit the prepaid amount that is accessible via the card as well as restrict the ability to reload funds onto the prepaid card.
    • Limit person to person transfer and also treat such prepaid cards like cash equivalent
  • Mobile Payment Services: use threshold limits to mitigate ML/TF risks
    • the maximum amount that can be held in a mobile payment account;
    • the maximum amount allowed per single transaction, including cash withdrawals;
    • the frequency or cumulative value of transactions and cash withdrawals permitted per day/week /month/ year;
    • set geographical or purchasing limits
  • vi. Internet-based payment services: provide services in a tiered structure to customers
    • Closed system digital currencies have limited ML/TF risks
    • Open system (Convertible Virtual currencies), like cryptocurrencies, pose high risk
• Source of funding
  • Anonymous sources of funding such as cash, or even other NPPS that are anonymous, increase ML/TF risk.
    i. When cash is used, for which there are limited safeguards, the NPPS provider could consider requiring the person to be identified if the cash exceeds a predetermined cash load limit either for an individual account, either for one or a series of transactions in a day.
• Record keeping, transaction monitoring and reporting
  • At a minimum the transaction record of a payment or funds transfer should include information identifying the parties to the transaction, any account(s) involved, the nature and date of the transaction, and the amount transferred.
  • The records that are retained should be sufficient to allow the tracing of funds through the reconstruction of transactions.
  • keep all records relating to transactions and CDD information for a minimum period of 5 years, as is required by Recommendation 11, or the length required by the laws in the applicable country
  • mobile payment are the phone numbers of the sender and receiver as well as the sender, and potentially the receiver’s, SIM card information. There may also be information captured by the MNO regarding the exact location of the sender and receiver’s phones at the time of the transaction.
    i. providers could consider this, provided that the collection of this data is in line with national privacy legislation,
  • Monitoring: Put in place transaction monitoring systems which can detect suspicious activity based on money laundering and terrorism financing typologies and indicators.
    • Such monitoring systems should take into consideration customer risks, country or geography risks, and product, service transaction or delivery channel risks.
    • The transaction monitoring system could also be used to identify multiple accounts or products held by an individual or group, such as holding multiple prepaid cards.
    • NPPS providers should consider analysing the information and records retained to determine unusual patterns or activity.
    • NPPS should report suspicious activities to the relevant financial intelligence

Customer Due Diligence

• CDD is an effective measure to mitigate ML/TF risk associated with NPPS.
• Measures to identify and verify their customer’s identity will vary depending on the level of risk posed by the product (i.e. risk based approach)
• Simplified CDD for low risks
• The greater the functionality of the NPPS, the greater the need may be for more enhanced CDD. Non-face-to-face verification of customer identity often requires corroborating information received from the customer with information in third party databases or other reliable sources, and potentially tracing the customer’s Internet Protocol (IP) address, and even searching the Web for corroborating information, provided that the data collection is in line with national privacy legislation.
  • In non-face- to-face scenarios, financial institutions should verify the identity of the customer following the establishment of the business relationship (rather than before or during the course of establishing a business relationship) when essential to not interrupt the normal conduct of business and provided that the ML/TF risks are effectively managed
• Transaction monitoring and suspicious activity reporting is essential.

Loading, value and geographical limits

• Placing limits on NPPS can be an effective mechanism to mitigate ML/TF risk, as long as it is combined with other AML/CFT measures such as account and transaction monitoring, and the filing of suspicious transaction reports.
• Limiting the functionality of a NPPS product to certain geographical areas or setting reloading limitations also mitigates the risk that NPPS may be misused for ML/TF purposes.
  i. such limitations can also limit the attractiveness of the product generally, including limitations on legitimate customer activity.
• Given that the ML/TF risk increases as the functionality of the NPPS increases, financial institutions could consider establishing individual tiers of service provided to customers.
  the extent of CDD and other AML/CFT measures should increase as the functionality, and therefore risk, increases.
• Prepaid cards: use threshold limits to mitigate ML/TF risks
  • Implement loading and duration limits
  • limit the prepaid amount that is accessible via the card as well as restrict the ability to reload funds onto the prepaid card.
  • Limit person to person transfer and also treat such prepaid cards like cash equivalent
• Mobile Payment Services: use threshold limits to mitigate ML/TF risks
  • the maximum amount that can be held in a mobile payment account;
  • the maximum amount allowed per single transaction, including cash withdrawals;
  • the frequency or cumulative value of transactions and cash withdrawals permitted per day/week /month/ year;
  • set geographical or purchasing limits
• vi. Internet-based payment services: provide services in a tiered structure to customers
  • Closed system digital currencies have limited ML/TF risks
  • Open system (Convertible Virtual currencies), like cryptocurrencies, pose high risk

Source of funding

• Anonymous sources of funding such as cash, or even other NPPS that are anonymous, increase ML/TF risk.
  i. When cash is used, for which there are limited safeguards, the NPPS provider could consider requiring the person to be identified if the cash exceeds a predetermined cash load limit either for an individual account, either for one or a series of transactions in a day.

Record keeping, monitoring and reporting

• At a minimum the transaction record of a payment or funds transfer should include information identifying the parties to the transaction, any account(s) involved, the nature and date of the transaction, and the amount transferred.
• The records that are retained should be sufficient to allow the tracing of funds through the reconstruction of transactions.
• keep all records relating to transactions and CDD information for a minimum period of 5 years, as is required by Recommendation 11, or the length required by the laws in the applicable country
• mobile payment are the phone numbers of the sender and receiver as well as the sender, and potentially the receiver’s, SIM card information. There may also be information captured by the MNO regarding the exact location of the sender and receiver’s phones at the time of the transaction.
  i. providers could consider this, provided that the collection of this data is in line with national privacy legislation,
• Monitoring: Put in place transaction monitoring systems which can detect suspicious activity based on money laundering and terrorism financing typologies and indicators.
  • Such monitoring systems should take into consideration customer risks, country or geography risks, and product, service transaction or delivery channel risks.
  • The transaction monitoring system could also be used to identify multiple accounts or products held by an individual or group, such as holding multiple prepaid cards.
  • NPPS providers should consider analysing the information and records retained to determine unusual patterns or activity.
  • NPPS should report suspicious activities to the relevant financial intelligence

Financial Inclusion

• FATF Guidance: Anti-money laundering and terrorist financing measures and financial inclusion
• Guidance refers to mobile payments and prepaid cards as payment instruments that may facilitate financial inclusion.
• Some governments promote financial inclusion by using NPPS, such as prepaid cards, to pay public subsidies as these methods may be more accessible by the beneficiaries of subsidy payments.
• So design AML/CFT measures that meet their goal of financial inclusion, without compromising the measures that exist for the purpose of combating crime.
• The G20 Principles for Innovative Financial Inclusion
• Refers to the proportionality principle: the right balance between risks and benefits by tailoring regulation to mitigate the risk of the product without imposing an undue regulatory burden that could stifle innovation.
• The proportionality criteria allow countries to apply a risk-based approach allowing, for example, the application of reduced or simplified CDD measures for certain lower-risk products or even, in justified cases, for an exemption from CDD measures.
• Recognizes the specific relevance of prepaid cards as a potential tool for financial inclusion (the un-banked/under-banked), recommending an ad-hoc regulatory regime geared to the risks inherent in the type of service involved.

Regulation, Supervision & the Risk-Based Approach

• Risk-Based Approach to AML/CFT Measures and Supervision
  • Use Risk Based approach to NPPS: The general principle of a risk-based approach is that where there are higher risks, countries must require financial institutions to take enhanced measures to manage and mitigate those risks, and that correspondingly where the risks are lower (and there is no suspicion of money laundering or terrorist financing) simplified measures may be permitted.
• Customer Due Diligence
  • NPPS operate in similar ways to an account as referred to in Recommendation 10.
    • In particular, open-loop reloadable prepaid cards increasingly operate in many similar ways to an account as their functionality has increased.
    • Internet-based payment services also commonly hold and manage funds on behalf of their customers
    • Providers of mobile payment services, whether prepaid or post-paid, typically establish business relationships with customers as envisaged by Recommendation 10 as well.
  • Countries should require financial institutions to undertake the following steps for CDD in line with Recommendation 10:
    • identification and verification of the customer’s identity;
    • identification of the beneficial owner;
    • understanding the purpose of the business relationship; and
    • on-going monitoring of the relationship.
  • A requirement of Recommendation 10 is that countries should not allow financial institutions to keep anonymous accounts or accounts in obviously fictitious names.
  • The use of thresholds is an important consideration with respect to CDD and NPPS.
    • Thresholds can be used as an effective risk mitigant for a particular product,
    • Even for low risk, require financial institutions to give sufficient attention to the detection of smurfing and structuring schemes intended to circumvent the thresholds and suspicious reporting requirements.
    • countries may consider applying a so called “progressive” or “tiered” KYC/CDD approach whereby low transaction/payment/balance limits could reduce ML/TF vulnerabilities.
  • Accounts should be required to conduct ongoing CDD to detect suspicious activity.
  • Consider placing restrictions on the number of cards sold in a single transaction difficult to enforce;
  • Requiring retailers to carry out CDD risks inaccurate customer identification (without adequate training)
  • CDD via electronic verification should ensure information is accurate and from reliable sources.
  • Financial institutions that hold funds on behalf of NPPS providers should carry out CDD on the NPPS provider as required by Recommendation 10, in proportion to the risks posed by the NPPS provider.
• Licensing / Registration
  • Where NPPS fall within the definition of MVTS in the Glossary to the FATF Recommendations, the provider should be licensed or registered, supervised and subject to AML/CFT measures.
  • In particular, as Internet-based MVTS are not subject to territorial boundaries, it is important that countries make clear in both law and guidance that the jurisdictional licensing and/or registration criteria that applies to brick-and-mortar MVTS also applies to Internet-based MVTS, even if the service provider is headquartered offshore
• Wire Transfers
  • Prepaid cards that offer person-to-person transfers have a functionality that is similar to wire transfers and should therefore be subject to Recommendation 16.
  • Mobile payment service and Internet-based payment service providers that are MVTS providers should be subject to Recommendation 16.
• Supervisory Approach and Identification of the Competent Jurisdiction
  • Adopt a risk-based approach where, at a minimum, NPPS providers that are MVTS providers should be licensed or registered and subject to effective monitoring systems.
  • Ensure that the NPPS entity which relies on agents to carry out AML/CFT measures should include those agents in its AML/CFT programme, without exception, and monitor them for compliance.
  • Establish competent authority responsible for the AML/CFT supervision of the NPPS providers with adequate powers to supervise or monitor, and ensure compliance by NPPS providers with the AML/CFT requirements in accordance with Recommendation 27.
  • In relation to mobile payment services model given that MNOs are not traditionally supervised by public authorities that are responsible for the supervision of AML/CFT obligations, if the relevant communications authority is made into the supervising entity for AML/CFT, then training and education in AML/CFT would be required to develop the required expertise.
  • Internet-based payment services pose challenges to countries in AML/CFT regulation and supervision because their cross-border functionality means that providers can be headquartered in a different country to its customers.
  • This is particularly a concern when providers base themselves in jurisdictions where they may not be subject to adequate AML/CFT regulation and supervision.
  • In line with Recommendation 14, countries should require the licensing or registration of providers of MVTS, and they should take action to identify natural or legal persons that carry out MVTS without such a licence or registration.
  • May prohibit Internet-based payment services from offering services in their jurisdiction without a physical presence, in the form of a local office or agent, in that jurisdiction.

RBA to AML/CFT measures and supervision

• Use Risk Based approach to NPPS: The general principle of a risk-based approach is that where there are higher risks, countries must require financial institutions to take enhanced measures to manage and mitigate those risks, and that correspondingly where the risks are lower (and there is no suspicion of money laundering or terrorist financing) simplified measures may be permitted.

Customer Due Diligence

• NPPS operate in similar ways to an account as referred to in Recommendation 10.
  • In particular, open-loop reloadable prepaid cards increasingly operate in many similar ways to an account as their functionality has increased.
  • Internet-based payment services also commonly hold and manage funds on behalf of their customers
  • Providers of mobile payment services, whether prepaid or post-paid, typically establish business relationships with customers as envisaged by Recommendation 10 as well.
• Countries should require financial institutions to undertake the following steps for CDD in line with Recommendation 10:
  • identification and verification of the customer’s identity;
  • identification of the beneficial owner;
  • understanding the purpose of the business relationship; and
  • on-going monitoring of the relationship.
• A requirement of Recommendation 10 is that countries should not allow financial institutions to keep anonymous accounts or accounts in obviously fictitious names.
• The use of thresholds is an important consideration with respect to CDD and NPPS.
  • Thresholds can be used as an effective risk mitigant for a particular product,
  • Even for low risk, require financial institutions to give sufficient attention to the detection of smurfing and structuring schemes intended to circumvent the thresholds and suspicious reporting requirements.
  • countries may consider applying a so called “progressive” or “tiered” KYC/CDD approach whereby low transaction/payment/balance limits could reduce ML/TF vulnerabilities.
• Accounts should be required to conduct ongoing CDD to detect suspicious activity.
• Consider placing restrictions on the number of cards sold in a single transaction difficult to enforce;
• Requiring retailers to carry out CDD risks inaccurate customer identification (without adequate training)
• CDD via electronic verification should ensure information is accurate and from reliable sources.
• Financial institutions that hold funds on behalf of NPPS providers should carry out CDD on the NPPS provider as required by Recommendation 10, in proportion to the risks posed by the NPPS provider.

Licensing / Registration

• Where NPPS fall within the definition of MVTS in the Glossary to the FATF Recommendations, the provider should be licensed or registered, supervised and subject to AML/CFT measures.
• In particular, as Internet-based MVTS are not subject to territorial boundaries, it is important that countries make clear in both law and guidance that the jurisdictional licensing and/or registration criteria that applies to brick-and-mortar MVTS also applies to Internet-based MVTS, even if the service provider is headquartered offshore

Wire Transfers

• Prepaid cards that offer person-to-person transfers have a functionality that is similar to wire transfers and should therefore be subject to Recommendation 16.
• Mobile payment service and Internet-based payment service providers that are MVTS providers should be subject to Recommendation 16.

Supervisory Approach and Identification of the Competent Jurisdiction

• Adopt a risk-based approach where, at a minimum, NPPS providers that are MVTS providers should be licensed or registered and subject to effective monitoring systems.
• Ensure that the NPPS entity which relies on agents to carry out AML/CFT measures should include those agents in its AML/CFT programme, without exception, and monitor them for compliance.
• Establish competent authority responsible for the AML/CFT supervision of the NPPS providers with adequate powers to supervise or monitor, and ensure compliance by NPPS providers with the AML/CFT requirements in accordance with Recommendation 27.
• In relation to mobile payment services model given that MNOs are not traditionally supervised by public authorities that are responsible for the supervision of AML/CFT obligations, if the relevant communications authority is made into the supervising entity for AML/CFT, then training and education in AML/CFT would be required to develop the required expertise.
• Internet-based payment services pose challenges to countries in AML/CFT regulation and supervision because their cross-border functionality means that providers can be headquartered in a different country to its customers.
• This is particularly a concern when providers base themselves in jurisdictions where they may not be subject to adequate AML/CFT regulation and supervision.
• In line with Recommendation 14, countries should require the licensing or registration of providers of MVTS, and they should take action to identify natural or legal persons that carry out MVTS without such a licence or registration.
• May prohibit Internet-based payment services from offering services in their jurisdiction without a physical presence, in the form of a local office or agent, in that jurisdiction.

Appropriate AML/CFT Regulation Which Addresses the Risks

• Level of AML/CFT Measures Proportional to the Level of Risk
  • The level of AML/CFT measures required should be in proportion to the risk posed by the NPPS. The closer the functionality of a NPPS is to a bank account (determined by the factors below), the greater the need to apply comparable regulation, including the application of full CDD measures.
    • the NPPS can be reloaded an unlimited number of times;
    • no or very high funding, loading or spending limits are envisaged;
    • it is possible to make and receive funds transfers cross-border, and within the country where product is issued;
    • the NPPS can be funded through cash, and cash can be withdrawn through the ATM network; or
    • the ability to add or withdraw funds to the account using cash or cash equivalents, whether directly or through another provider or intermediary.
• Issues to Consider when Determining the NPPS Provider Subject to AML/CFT Obligations
• Where there are multiple entities involved in the provision of the NPPS or service, countries should consider the following factors in determining the appropriate NPPS provider(s) for AML/CFT obligations:
  • the entity which has visibility and management of the NPPS;
  • the entity which maintains relationships with customers;
  • the entity which accepts the funds from customer, and
  • the entity against which the customer has a claim for those funds.
• Prepaid Cards
  • Place burden on who maintains relationships with the customers, has the visibility and/or manages of the provision of the prepaid cards
  • a programme manager, i.e. agent of the issuer
  • the issuer that acts as the programme manager
  • Prepaid card providers that use distributors or agents retain ultimate responsibility for complying with the AML/CFT measures. The distributor of a prepaid card is considered an agent of the prepaid card provider, whether or not the prepaid card is considered an MVTS.
  • where there is no contractual relationship between the distributors, and NPPS providers; or that entity is located in another country which creates difficulties in effectively supervising that entity, the distributors or agents would be subject to legal liability and are directly supervised by the respective supervisory authority.
• Providers of Mobile Payment Services
  • Mobile payment services that allow P2P transfers are MVTS within the definition of financial institution
  • Mobile payment services that provide for P2B transfers fall within the FATF Recommendations as the providers are issuing or managing a means of payment.
  • Under the bank-centric mobile payment model, the bank which manages the funds and the relationships with customers is the financial institution and should be subject to AML/CFT measures.
  • In the MNO-centric mobile payment model, the MNO or its subsidiary is the financial institution for the purposes of the FATF Recommendations.
    The MNO, or its subsidiary provides the service, manages the relationship with the customer, holds the customers’ funds, and the customer holds a claim to the funds against the MNO or its subsidiary.
  • The distributor has direct contact with customers at the point of sale, and can be delegated with carrying out activities on behalf of the mobile payment service provider and would therefore be considered an agent of that entity, whether or not the mobile payment service is considered an MVTS.
• Providers of Internet-based Payment Services
  • Internet-based payment services that allow P2P transfers and are MVTS within the definition of financial institution (Rec 14 license requirements apply)
  • Internet-based payment services that issue electronic currency as a means of payment for goods and services, and do not allow P2P transfers, fall within the FATF Recommendations as they are issuing or managing a means of payment. (Rec 14 license requirements do not apply)

Level of AML/CFT Measures Proportional to the Level of Risk

• The level of AML/CFT measures required should be in proportion to the risk posed by the NPPS. The closer the functionality of a NPPS is to a bank account (determined by the factors below), the greater the need to apply comparable regulation, including the application of full CDD measures.
  • the NPPS can be reloaded an unlimited number of times;
  • no or very high funding, loading or spending limits are envisaged;
  • it is possible to make and receive funds transfers cross-border, and within the country where product is issued;
  • the NPPS can be funded through cash, and cash can be withdrawn through the ATM network; or
  • the ability to add or withdraw funds to the account using cash or cash equivalents, whether directly or through another provider or intermediary.

Issues to Consider when Determining the NPPS Provider Subject to AML/CFT Obligations

• Where there are multiple entities involved in the provision of the NPPS or service, countries should consider the following factors in determining the appropriate NPPS provider(s) for AML/CFT obligations:
  • the entity which has visibility and management of the NPPS;
  • the entity which maintains relationships with customers;
  • the entity which accepts the funds from customer, and
  • the entity against which the customer has a claim for those funds.
• Prepaid Cards
  • Place burden on who maintains relationships with the customers, has the visibility and/or manages of the provision of the prepaid cards
  • a programme manager, i.e. agent of the issuer
  • the issuer that acts as the programme manager
  • Prepaid card providers that use distributors or agents retain ultimate responsibility for complying with the AML/CFT measures. The distributor of a prepaid card is considered an agent of the prepaid card provider, whether or not the prepaid card is considered an MVTS.
  • where there is no contractual relationship between the distributors, and NPPS providers; or that entity is located in another country which creates difficulties in effectively supervising that entity, the distributors or agents would be subject to legal liability and are directly supervised by the respective supervisory authority.
• Providers of Mobile Payment Services
  • Mobile payment services that allow P2P transfers are MVTS within the definition of financial institution
  • Mobile payment services that provide for P2B transfers fall within the FATF Recommendations as the providers are issuing or managing a means of payment.
  • Under the bank-centric mobile payment model, the bank which manages the funds and the relationships with customers is the financial institution and should be subject to AML/CFT measures.
  • In the MNO-centric mobile payment model, the MNO or its subsidiary is the financial institution for the purposes of the FATF Recommendations.
    The MNO, or its subsidiary provides the service, manages the relationship with the customer, holds the customers’ funds, and the customer holds a claim to the funds against the MNO or its subsidiary.
  • The distributor has direct contact with customers at the point of sale, and can be delegated with carrying out activities on behalf of the mobile payment service provider and would therefore be considered an agent of that entity, whether or not the mobile payment service is considered an MVTS.
• Providers of Internet-based Payment Services
  • Internet-based payment services that allow P2P transfers and are MVTS within the definition of financial institution (Rec 14 license requirements apply)
  • Internet-based payment services that issue electronic currency as a means of payment for goods and services, and do not allow P2P transfers, fall within the FATF Recommendations as they are issuing or managing a means of payment. (Rec 14 license requirements do not apply)

Prepaid Cards

• Place burden on who maintains relationships with the customers, has the visibility and/or manages of the provision of the prepaid cards
• a programme manager, i.e. agent of the issuer
• the issuer that acts as the programme manager
• Prepaid card providers that use distributors or agents retain ultimate responsibility for complying with the AML/CFT measures. The distributor of a prepaid card is considered an agent of the prepaid card provider, whether or not the prepaid card is considered an MVTS.
• where there is no contractual relationship between the distributors, and NPPS providers; or that entity is located in another country which creates difficulties in effectively supervising that entity, the distributors or agents would be subject to legal liability and are directly supervised by the respective supervisory authority.

Mobile Payments

• Mobile payment services that allow P2P transfers are MVTS within the definition of financial institution
• Mobile payment services that provide for P2B transfers fall within the FATF Recommendations as the providers are issuing or managing a means of payment.
• Under the bank-centric mobile payment model, the bank which manages the funds and the relationships with customers is the financial institution and should be subject to AML/CFT measures.
• In the MNO-centric mobile payment model, the MNO or its subsidiary is the financial institution for the purposes of the FATF Recommendations.
  The MNO, or its subsidiary provides the service, manages the relationship with the customer, holds the customers’ funds, and the customer holds a claim to the funds against the MNO or its subsidiary.
• The distributor has direct contact with customers at the point of sale, and can be delegated with carrying out activities on behalf of the mobile payment service provider and would therefore be considered an agent of that entity, whether or not the mobile payment service is considered an MVTS.

Internet Payments

• Internet-based payment services that allow P2P transfers and are MVTS within the definition of financial institution (Rec 14 license requirements apply)
• Internet-based payment services that issue electronic currency as a means of payment for goods and services, and do not allow P2P transfers, fall within the FATF Recommendations as they are issuing or managing a means of payment. (Rec 14 license requirements do not apply)