AML/CFT Requirements
In principle, provision of the same services should be subject to the same know-your-customer and other AML/CFT requirements to ensure a level playing field. Policymakers, regulators and the private sector should take collective responsibility for the interpretation of low and high risks.
Overview
Risk
Compared to cash, use of e-money increases certain money laundering (ML) and terrorist financing (TF) risks while reducing others.
Four key money laundering risks
- Anonymity: Customer’s identity is unknown.
- Elusiveness: Ability to disguise amount, origin, and destination.
- Rapidity: Speed at which funds are transferred.
- Oversight: Extent and quality of oversight.
Compared to cash, e-money poses greater risks with respect to rapidity but lower risks with respect to anonymity, elusiveness, and oversight.
E-MONEY VS. CASH
Anonymity (e-money)
Vulnerabilities
- If identification processes are weak or absent, criminals may operate with a degree of anonymity and open/operate multiple accounts.
- If identification processes exist but verification processes are weak (e.g. lack of reliable national identification), criminals may commit identity fraud.
Compensating factors
- Transactions are linked to a unique mobile number.
- The SIM card and customer are identified and located through the MSISDN and IMSI.
- Transactions are recorded (sender’s mobile number, amount, receiver’s mobile number, date).
- Transactions are traced.
- SIM card registration records make critical information available to identify the customer.
- If law enforcement officials wish to identify a particular unidentified client, the provider can supply a rich source of identifying details, like voice recordings and communication and transaction patterns.
Anonymity (cash)
Vulnerabilities
- Transactions are largely anonymous.
- There is neither a unique identifier for the user nor a way to trace the payment.
Compensating factors
- None.
Elusiveness (e-money)
Vulnerabilities
- Sharing a single handset, SIM, and/or mobile money account makes it harder to ensure the person conducting a transaction is the registered user.
- Smurfing allows criminals to use a number of small transactions to hide larger sums being transferred.
- Ubiquity of mobile phones eliminates the requirement for sender and recipient to be in the same place at the same time.
Compensating factors
- Mobile money transactions are clearly traceable in a mobile operator’s system as part of standard business practice.
- Telephone number (sending and receiving), time, and the amount of the transaction are known to the mobile operator.
Elusiveness (cash)
Vulnerabilities
- Amount, origin, and destination can all be disguised.
Compensating factors
- Sender and recipient (or an intermediary) must at some point be in the same place at the same time.
Rapidity (e-money)
Vulnerabilities
- Mobile money transactions typically occur in real time, allowing for rapid transaction layering (transferring funds among multiple accounts to obscure their origin).
Compensating factors
- Mobile money transactions are clearly traceable in a mobile operator’s system as part of standard business practice.
- Telephone number (sending and receiving), time, and the amount of the transaction are known to the mobile operator.
Rapidity (cash)
Vulnerabilities
- Limited, since cash moves relatively slowly.
Compensating factors
- Transaction layering is more difficult and may require regular face-to-face interaction with bank personnel.
Oversight (e-money)
Vulnerabilities
- In some countries, mobile money service providers (and/or their agents) may not be unambiguously included as “covered institutions” under the AML/CFT law and regulations.
- In some countries, financial regulators directly regulate and supervise a banking partner rather than the entity providing services on the ground, and may have the best understanding of the ML and TF risks.
- The quality of oversight can vary between jurisdictions.
Compensating factors
- Mobile money providers are regulated and supervised, but the extent and quality of supervision may vary between jurisdictions.
Oversight (cash)
Vulnerabilities
- Pure cash transactions are not subject to oversight.
Compensating factors
- None.
MONEY LAUNDERING / TERRORIST FINANCING RISK
Risk
E-money raises specific ML/TF typologies that need to be properly mitigated.
Key e-money actors that may be involved in ML/TF
- Customers.
- Agents & Merchants.
- Employees.
KEY E-MONEY ML/TF TYPOLOGIES AND MITIGANTS
Customers
Typology | Mitigation Measures |
---|---|
Fraudulent registration | System controls, development of national ID |
Multiple registrations | Central ID verification database, development of national ID, limit of number of accounts per person, SIM registration |
Transfer of service after registration | ID requirement for certain transactions, geographic monitoring, PIN authentication. |
Loading with PoC | Risk-based transaction and balance limits, transaction monitoring systems, PIN authentication, ability to locate mobile device via MSISDN and IMSI. |
Transfer of PoC to co-conspirators | Risk-based transaction and balance limits, transaction monitoring systems to detect anomalous activity. |
Use of PoC to purchase from sellers | |
Pooling PoC in single account | |
Withdrawal of PoC | |
Transfer to/from terrorists | Use of international and domestic watchlists. |
Agents & Merchants
Typology | Mitigation Measures |
---|---|
Agent allows PoC to be cashed in or out from account | Proper criteria for agent selection, ongoing agent due diligence (automated transaction monitoring, in-person mystery shopping), sharing of agent blacklists. |
Agent fails to fulfill due diligence obligations | |
Agent allows customers to exceed cash-in or cash-out limits | Proper automated system controls that may not be overridden by agents. |
Complicit merchant received PoC | Sound criteria for merchant onboarding, proper ongoing due diligence (automated transaction monitoring, in-person mystery shopping). |
Fraudulent merchant misappropriates funds | |
Employees
Typology | Mitigation Measures |
---|---|
Fraudulent registration of false accounts to facilitate ML/TF | |
Theft of funds using internal access through, e.g., false transactions, creation of unbacked e-money, theft from dormant accounts | |
Allowing PoC to be cashed in or out from account | |
Allowing customers to exceed cash-in/out limits | |
GSMA (2015). PoC = Proceeds of Crime.
ACCOUNT TIERS AND MONETARY LIMITS FOR ELECTRONIC MONEY & SIMILAR DFS IN SELECT COUNTRIES
Tiered KYC
Introducing monetary amount-based risk tiers and simplifying the KYC requirements for lower-risk tiers is a practical and widely used way of implementing risk-based KYC.
Account Type | Single Transaction Limit | Cumulative Daily Transaction Limit | Cumulative Monthly Transaction Limit | Maximum Account Balance |
---|---|---|---|---|
All accounts | GH¢S500 (OTC only, with | | | |
Level 1: Minimum KYC account | | GH¢300 (US$61) | GH¢3,000 (US$612) | GH¢1,000 (US$204) |
Level 2: Medium KYC account | | GH¢2,000 (US$408) | GH¢20,000 (US$4,077) | GH¢10,000 (US$2,039) |
Level 3: Enhanced KYC account | | GH¢5,000 (US$1,019) | GH¢50,000 (US$10,193) | GH¢20,000 (US$4,077) |
Account Type | Single Transaction Limit | Cumulative Daily Transaction Limit | Cumulative Monthly Transaction Limit | Maximum Account Balance |
---|---|---|---|---|
All accounts | US$100 (OTC only) | | | |
Level 1: Entry level accounts | | US$250 | US$2,000 | US$1,000 |
Level 2: Accounts with full KYC | | US$1,000 | US$8,000 | US$4,000 |
Level 3: Accounts with enhanced KYC | | US$2,000 | US$20,000 | US$10,000 |
Account Type | Cumulative Daily Transaction Limit | Maximum Account Balance | Other Restrictions |
---|---|---|---|
Level 1: Low-value accounts | N50,000 (US$137) | N300,000 (US$822) | International funds transfer prohibited |
Level 2: Medium-value accounts | N200,000 (US$548) | N500,000 (US$1,370) | International funds transfer prohibited |
Level 3: High-value accounts | N5,000,000 (US$13,700) | Unlimited | |
SIMPLIFIED DUE DILIGENCE REQUIREMENTS FOR LOW-VALUE DFS ACCOUNTS
Country and account | Simplified due diligence requirements for low-value DFS accounts | Full customer due diligence requirements for regular accounts |
---|---|---|
Colombia (e-deposits) | Full name, national ID number and issuance date (verified through access to biometric ID database). | Full name, ID number, address, telephone, occupation, employer information. |
Honduras (e-wallets) | Full name (as shown on ID card), address, phone number(s) (verified within 30 days through National Register of Persons). | 21 requirements, including full name, place/date of birth, type of ID, nationality, sex, address, phone number, occupation, income, assets, marital status and more. |
ELECTRONIC KYC (E-KYC) & SIM KYC FOR DFS ACCOUNTS
Country | How e-KYC works |
---|---|
India | Customer provides fingerprint and Aadhaar (unique ID) number and authorization to conduct e-KYC. Provider sends information to Unique Identification Authority of India’s server; if it matches, account can be opened instantly. |
Colombia | Banks have access to Registrar of Banks’ biometric ID database and can use this database to conduct e-KYC. |
Pakistan | All SIMs are biometrically verified and linked to customer identity in National Database and Registration Authority (NADRA). Biometrically verified SIMs can then be used to remotely open entry-level branchless banking accounts in a few seconds. |
Kenya | Banks are able to leverage KYC details obtained during SIM and e-money account registration to open entry-level mobile banking accounts remotely. Information obtained from the MNO/EMI is verified against information in the national ID database. |
Ghana | E-money issuers that have collected and retained customer ID information previously, e.g., during registration of SIM cards or bank accounts, are allowed to use this information for CDD. The data needs to be validated against the database of the National Communications Authority within 2 days. |
Main AML/CFT Obligations of E-money institutions
- Assessing the institutional ML/TF risks and applying a risk-based approach,
- Customer Due Diligence (simplified, standard, or enhanced, based on risk),
- Internal controls, compliance officer and organization,
- Screening for Politically Exposed Persons and terrorist entities (as per UN TF Resolutions),
- Monitoring of unusual transactions,
- Suspicious transaction reporting,
- Due diligence and training of staff and agents,
- Record keeping.
- AML/CFT obligations and regulatory expectations should also be risk-based. Especially in the low-risk tiers, the AML/CFT controls can be simplified. In proven low-risk situations, exemptions from some AML/CFT obligations can be considered (by the regulators).
- Two AML/CFT obligations are particularly important in the e-money context:
  - IT capacity to monitor, detect, and analyze unusual transactions,
  - Due diligence and training of the agents.
Proliferation Financing (PF) Risks
- In October 2020, the FATF revised its Standards to require countries and financial institutions (including e-money service providers) to identify, assess, understand and mitigate their proliferation financing risks. FATF has also issued guidance on PF risk assessment and mitigation (FATF 2021). This guidance states that:
  - There is no one-size-fits-all approach when assessing or mitigating proliferation financing risks. Countries and private sector entities should implement measures …. in a manner that is proportionate to the risks faced by relevant entities, and be consistent with other complementary objectives such as financial inclusion.
  - The FATF Standards provide flexibility to countries to exempt a particular type of financial institution, DNFBP or VASP from the requirements to identify, assess, monitor, manage and mitigate proliferation financing risks, provided there is a proven low risk of proliferation financing relating to such private sector entities.
- With this revision, financial institutions have become directly subject to PF-related obligations. However, the scope of this obligation is more focused than that for ML and TF and does not have a cascading impact on the broader set of AML/CFT obligations (such as STRs).
- A country’s PF risk assessment at the national level (NRA) is of key importance and should inform the PF risk assessments of institutions.
- All references to AML/CFT in other parts of this document implicitly also cover Counter Proliferation Financing (CPF).
- This PF NRA should also determine the regulatory expectations and guidance about institutional PF risk assessment and mitigation. Certain products or entities can be exempted from this obligation when there is a proven low risk.
- Countries and financial institutions can and should leverage their existing AML/CFT mechanisms to mitigate PF non-compliance risks.
In the context of Recommendation 1, “proliferation financing risk” refers strictly and only to the potential breach, non-implementation or evasion of the targeted financial obligations referred to in Recommendation 7. These R.7 obligations apply to two country-specific regimes, for the Democratic People’s Republic of Korea (DPRK) and Iran, and require countries to freeze without delay the funds or other assets of, and to ensure that no funds and other assets are made available, directly or indirectly, to or for the benefit of:
- Any person or entity designated by the United Nations (UN).
- Persons and entities acting on their behalf or at their direction.
- Those owned or controlled by them. (FATF 2021).
Considerations
Considerations for Regulators
- Multistakeholder approach: Regulations should be a product of close coordination among financial supervisors, telecom authority, Financial Intelligence Unit, national ID agency, and financial inclusion policy makers.
- Pro-active Regulatory Guidance: Regulators should provide clear guidance to e-money service providers about their risk-based AML/CFT obligations. Regulators should take the initiative in interpreting low and high risks (i.e. as in tiered KYC), rather than delegating the full responsibility to the private sector.
- Level playing field: In principle, provision of the same services should be subject to the same KYC and other AML/CFT requirements to ensure a level playing field. Proportionality that is based on the risk profile of institutions does not contradict this principle and is in line with the spirit of the risk-based approach.
- Risk-based account tiers and AML/CFT controls: Establishing different DFS account tiers with proportionate, risk-based Know Your Customer (KYC) requirements and transaction/balance limits can promote both supply and demand of e-money services. This also relates to the allowed functions in each tier, e.g. if the demand is mostly for domestic transactions, limiting international transactions for some tiers can reduce the risk significantly. G2P and P2G payments may also pose minimal ML/TF risks and can be the basis for further simplifications.
- Digital ID and e-KYC: Supporting the development of digital ID systems that enable remote customer verification (e-KYC) can help facilitate financial inclusion while effectively mitigating ML/TF risk. This can also promote service provision, by improving efficiency and reducing the operational costs. This may also reduce the fees for the end users.
- Transaction monitoring: ML/TF risk can be reduced by requiring EMIs to use transaction monitoring software with behavior profiling, geographic validation, and other features aimed at identifying suspicious behavior and transaction patterns. Where feasible, using central databases and shared monitoring software can yield efficiencies.
Considerations for Supervisors
- Implementation of KYC and other AML/CFT controls and their effectiveness should be subject to ongoing supervision. Supervisory authorities should employ both off-site and on-site supervision tools on a risk-sensitive basis.
- Steps to strengthen AML/CFT supervision include:
  - Conducting national, sectoral, or product-based AML/CFT risk assessments.
  - Building supervisory capacity.
  - Adopting RegTech tools to improve data collection, processing and analysis in the AML/CFT supervisory context.
- Supervisory capacity building should also cover the skills and tools to examine the capabilities of the monitoring/screening software of the e-money institutions. Where necessary, supervisory authorities should also have the authority to hire or benefit from external expertise.
- For additional information, refer to FATF’s Guidance on Risk-based Supervision.