4MLD – impact of a new KYC regime for the e-money sector


“4MLD obliges EU member states and financial institutions to develop their own risk assessments concerning certain electronic money products. These risk assessments will impact sales and compliance processes and must be objective and balanced in order to provide growth opportunities for industry” says John Fernandez, Senior Legal Counsel & Head of Regulatory Affairs at PPRO.

The Fourth Money Laundering Directive (4MLD) introduces a raft of changes to anti-money laundering (AML) regulation within Europe. These include obliging member states to implement central registers of beneficial ownership, expanding the definition of politically exposed persons (PEPs) to include domestic PEPs and introducing tighter rules on customer due diligence/know your customer (CDD/KYC) obligations.

Risk assessments of money laundering and terrorist financing are central to 4MLD, and will be required at firm, member state and supranational level. For the e-money sector there are specific changes that re-work the risk based approach to CDD which will impact the sale and distribution of e-money products and services. These changes broadly effect two product categories: Non-reloadable and reloadable products.

Non-reloadable vs reloadable products

Certain CDD exemptions previously afforded to e-money products under the third money laundering directive (3MLD) have all but disappeared under 4MLD. Under the new directive, CDD may only be waived for non-reloadable products subject to member state approval and only where the product meets all of the following risk-mitigating conditions: (i) it has a maximum storage value of EUR 250; (ii) it can only be used for purchasing goods or services; (iii) it cannot be funded using an anonymous e-money product (iv); transaction monitoring must be carried out by the issuer to enable detection of suspicious transactions; and (v) a redemption limit of EUR 100 imposed. If all of these criteria are met, an issuer is entitled sell the product while foregoing CDD.

For reloadable products which are intended to be sold without CDD, the above criteria also apply however the EUR 250 cap becomes a monthly spend limit and the product must be restricted to domestic use only – i.e. spend within the member state that is allowing the CDD exemption . This monthly threshold cannot be exceeded without first applying CDD measures although 4MLD does provide member states the discretion to increase the monthly limit to EUR 500.
Impact of the exemptions
The business impact of these changes is three-fold. Firstly, it will become more difficult for issuers, especially those active in the physical point of sale (POS) market segment to acquire customers due to the attractiveness of the product being diminished: product functionality is restricted (e.g. a potential lack of ATM access, inability to use the product for non-domestic transactions) while CDD obligations are imposed at lower thresholds. The additional friction for customers at POS caused by the changes will inevitably lead to lower uptake of e-money products within the market.

Secondly, the compliance overhead associated with upfront CDD requirements at an earlier stage of product usage will place an extended cost burden on issuers. If they have already not done so, issuers will need to adjust budgets and resource planning to incorporate CDD being carried out at a much earlier stage of the product life cycle.

Finally, issuers will be placed on the back foot in terms of competing against established banking products. The more permissive CDD exemptions in 3MLD provided issuers – predominantly fintech companies – a fighting chance against incumbent banks to acquire new customers and promote innovative payment solutions within Europe. The new rules may drive consumer behaviour towards bank issued products or more likely towards cash usage and away from innovative payment technology options.

The SDD approach

These impacts could invariably dampen sales for many issuers. However 4MLD does provide an alternative approach in the form of a simplified due diligence (SDD) regime albeit subject to interpretation on a member state by member state basis.

4MLD allows issuers to conduct SDD in situations that are identified as being low risk. SDD is not an exemption of CDD but rather an obligation to collect certain information on customers that constitute identity – for example name, date of birth and address – but coupled with a delayed obligation to verify that information or the possibility of applying a lighter degree of verification based on risk. The degree of risk is determined by the issuer and is based on certain factors listed in the annexes to 4MLD. These risk factors include customer, geographical, product and delivery channel risks .

Some industry players may fear an SDD approach in relation to POS distribution would still be too cumbersome a process. While entitled to postpone ID verification to a later stage or apply a lighter degree of verification, it would nevertheless require issuers to collect at least basic ID information upfront from customers. This not only causes friction for the customer at the POS but presents its own unique set of operational challenges – what information should be collected, how should it be stored, how are POS staff to be trained, what data protection implications are there?

These are not straightforward propositions to deal with and issuers may need to consider the use of technical solutions or commercial collaborations to help gather requisite ID information where this is needed. Leveraging additional time at the product purchase stage to fully verify ID does however provide some potential to maintain reasonable compliance costs without compromising on an uncomplicated customer experience. Critical to this approach will be the manner in which issuers set out their e-money risk assessments and how these are viewed or accepted by member state regulatory authorities who have final say on the matter.

Outcomes – what’s in store for industry?

While 4MLD removes the more permissive CDD exemptions for e-money that were in place under 3MLD, there is an opportunity for regulators to balance the impact of this change by conducting fair and objective risk assessments concerning e-money. Based on these risk assessments, issuers could be afforded an opportunity to employ less restrictive SDD on customers.

The challenge that industry faces will be the level of subjectivity afforded to regulatory authorities in terms of their risk assessments. This may lead to a fragmented and non-harmonised approach to the adoption of SDD across EU member states. Issuers based in member states with a risk averse approach to e-money would need to adapt their sales and compliance strategies otherwise may be left dealing with curtailed business opportunities. Regulatory authorities must therefore be pragmatic yet objective when considering such risk assessments in order to further industry developments and support growth and competition within the single market.

Another challenge for industry is dealing with uncertainty as the European Commission has indicated its intention to impose additional restrictions on e-money products in the wake of the recent terrorist attacks perpetrated in Europe. This means even further developments are in store for the e-money regulatory landscape in 2016. It is not yet clear what these developments may entail but it could reasonably be expected that a decrease in the hard exemption (load/redemption) limits will be proposed. The European Commission is looking to fast track implementation of any requisite legislative changes regarding additional restrictions and has also requested that member states transpose 4MLD into national law by the end of 2016.

Given the scope and timing of upcoming regulatory changes, e-money issuers should start reviewing and planning their own product risk assessments in a manner that is objective and proportionate to the risk the business faces. Issuers would be well placed to also consider alternative methods of collecting customer ID information in a manner that helps minimise potential friction at the POS. Although there is some degree of uncertainty regarding the extent of change facing industry, what is clear is that issuers will need to start considering their own risk assessments, sales and compliance strategies in order to adequately cope with the new regulations.