The Second Information Accompanying Transfers of Funds Regulation

Cooley Alert

Background

"The full traceability of transfers of funds can be a particularly important and valuable tool in the prevention, detection and investigation of money laundering and terrorist financing, as well as in the implementation of restrictive measures … It is therefore appropriate, in order to ensure the transmission of information throughout the payment chain, to provide for a system imposing the obligation on payment service providers [(PSPs)] to accompany transfers of funds with information on the payer and the payee"—recital (9) to the second Information Accompanying Transfers of Funds Regulation (IATF2).

"By reason of the scale of the action to be undertaken, the Union should [also] ensure that the International Standards on Combatting Money Laundering and the Financing of Terrorism and Proliferation adopted by [the Financial Action Task Force (FATF)] on 16 February 2012 … and, in particular, FATF Recommendation 16 on wire transfers … are implemented uniformly throughout the Union and that … there is no discrimination or discrepancy between … payments within a Member State and … cross-border payments between Member States"—recital (3) to IATF2.

However, "… the … approach should be targeted and proportionate and … in full compliance with the free movement of capital, which is guaranteed throughout the Union"—recital (6) to IATF2.

IATF2 was adopted by the European Parliament (EP) on 20 May 2015 and the final act was signed on the same date. IATF2 is now pending publication in the Official Journal and will come into force 20 days after publication. For the purposes of this client alert, we have assumed that when IATF2 enters into force, it will be in materially the same form as the text adopted by the Council of the European Union (Council) on 20 April 2015, which is available here.

Scope1

IATF2 will apply to "transfers of funds, in any currency, which are sent or received by a [Payment Services Provider (PSP)], or an intermediary [PSP], established in the [EU]".

However:

  • A Member State may choose not to apply IATF2 to transfers of funds within its territory, where the payment is solely for the provision of goods or services and the following conditions are met:
    • The payee's PSP is subject to the fourth Anti-Money Laundering Directive (AMLD4);
    • The payee's PSP is "able to trace back through the payee, by means of a unique transaction identifier, the transfer of funds from the person who has an agreement with the payee for the provision of goods or services"; and
    • The transfer does not exceed €1000.
  • IATF2 does not apply in almost all of the circumstances where the Payment Services Directive does not apply either.
  • IATF2 does not apply to transfers of funds:
    • Where the payer withdraws money from his own payment account;
    • To a public authority within a Member State, where the transfer is to pay taxes, fines or other levies; or
    • Where both the payer and payee are PSPs acting on their own behalf.
  • IATF2 does not apply to transfers of funds carried out using a payment card, an electronic money instrument or mobile phone, or any other digital or IT prepaid or post-paid device with similar characteristics (Device), if:
    • The Device is used exclusively to pay for goods or services; and
    • The number of the Device accompanies all transfers flowing from the transaction.

However, it will apply if the Device is used to effect a person to person transfer of funds.

  • IATF2 does not apply to those who have no activity other than:
    • To convert paper documents into electronic data, if they do this under a contract with a PSP; or
    • To provide PSPs with messaging or other support systems for transmitting funds, or with clearing and settlement systems.

Definitions2

For the purposes of IATF2:

"batch file transfer" means

a "bundle of several individual transfers of funds put together for transmission";

"intermediary payment services provider" means:

a PSP that "is not the [PSP] of the payer or of the payee and that receives and transmits a transfer of funds on behalf of the [PSP] of the payer or of the payee or of another intermediary [PSP]";

"transfer of funds" means

"any transaction at least partially carried out by electronic means on behalf of a payer through a [PSP], with a view to making funds available to a payee through a [PSP], irrespective of whether the payer and the payee are the same person and irrespective of whether the [PSP] of the payer and that of the payee are one and the same, including: (a) a credit transfer…; (b) a direct debit …; (c) a money remittance …; (d) a transfer carried out using a [Device]"; and

"unique transaction identifier" means

"a combination of letters, numbers or symbols determined by the [PSP], in accordance with the protocols of the payment and settlement systems or messaging systems used for the transfer of funds, which permits the traceability of the transaction back to the payer and the payee".

Obligations of PSPs

The payer's PSP must3:

  • Ensure transfers of funds are accompanied by the following information about the payer: name, payment account number, and "the payer's address, official personal document number, customer identification number or date and place of birth";
  • Verify the information on the payer, using "documents, data or information obtained from a reliable and independent source", and
  • Ensure that transfers of funds are also accompanied by the name of the payee and the payee's account number;

Unless:

  • The transfer is not being made from or to a payment account—in which case, the transfer must be accompanied by a unique transaction identifier instead of the payment account number(s);
  • The funds are being transferred within the EU and:
    • All of the PSPs are established in the EU—in which case, it may be enough to include the payment account numbers of the payer (as verified) and payee, or the unique transaction identifier, instead; and/or
    • The funds being transferred do not exceed €10004—in which case, there is no need to verify the information on the payer, unless his PSP "has received the funds … in cash, or in anonymous electronic money", or has reasonable grounds for suspecting money laundering or terrorist financing; or
  • The funds are being transferred to outside the EU:
    • By "batch file transfer from a single payer where the [PSPs] of the payees are established outside the [EU]"—in which case, there's no need to include the payer information in the individual transfers that have been bundled together, if:
      • The batch file includes the information about the payer; the payee and a unique transaction identifier;
      • That information has been verified; and
      • The individual transfers carry the payment account number of the payer or, if the transfer is not made from or to a payment account, unique transaction identifier; and/or
    • The funds being transferred do not exceed €1000—in which case:
      • Including the payer and payee's names and payment account numbers (or unique transaction identifier where applicable) will suffice; and
      • There is no need to verify the information on the payer, unless his PSP "has received the funds … in cash, or in anonymous electronic money", or has reasonable grounds for suspecting money laundering or terrorist financing.

The payee's PSP must5:

  • Have effective procedures to detect whether:
    • The payer and payee information fields in the messaging or settlement system used to effect the transfer of funds have been competed using characters that are admissible under the conventions of that system; and/or
    • Particular payer and payee information is missing.
  • Verify the name of the payee, his payment account number and the unique transaction identifier, using documents, data or information obtained from a reliable and independent source, where transfers of funds exceed €1000, before the PSP credits the payee's account or makes the funds available to the payee. Verification of this information is not required in other cases, unless the payee's PSP:
    • Effects the pay-out of the funds in cash, or in anonymous electronic money; or
    • Has reasonable grounds for suspecting money laundering or terrorist financing.
  • Reject a transfer of funds, or ask for the required information on the payer or payee before or after crediting the payee's payment account or making funds available to the payee, on a risk sensitive basis, when it becomes aware that certain payer or payee information is missing or incomplete, or has not been filled in using characters or inputs that are admissible under the conventions of the relevant messaging or payment and settlement system.
  • Issue warnings, set deadlines, reject transfers, or restrict or terminate its relationship with a PSP that repeatedly fails to provide the required payer and payee information, and report that failure and the steps it has taken to the relevant authorities.

An intermediary PSP must6:

  • Ensure that all of the information received on the payer and payee that accompanies a transfer of funds is retained with the transfer.
  • Have procedures in place to detect whether particular information is missing, or has been completed using characters that do not meet the conventions of the relevant messaging or payment and settlement system.
  • reject transfers or ask for required information on the payer and payee on a risk-sensitive basis before or after the transmission of the funds, where it becomes aware that information is missing or has been completed using inadmissible characters.
  • Issue warnings, set deadlines, reject transfers, or restrict or terminate its relationship with a PSP that repeatedly fails to provide the required payer and payee information, and report that failure and the steps it has taken to the relevant authorities.

Other obligations

Records retention7

The PSPs of the payer and payee shall keep records of information on the payer and payee for five years. PSPs are required to delete this information "upon expiry of the retention period". However, Member States may choose to extend the retention period by a further five years after carrying out "a thorough assessment of the necessity…of such further retention…for the prevention, detection or investigation of money laundering or terrorist financing".

Sanctions and monitoring8

IATF2 requires member states to "lay down rules on administrative sanctions" for breaches of IATF2, to "ensure that they are implemented" and to notify the EC and the Joint Committee of ESAs of these rules. Member states are required to:

  • Ensure that sanctions can be taken against:
    • Natural legal persons such as members of a PSP's management body; and
    • Legal persons where breaches are "committed for their benefit" by individuals in a leading position within the legal person or caused by a "lack of supervision or control" by such individuals.
  • Ensure that sanctions for breaches of Arts. 4, 5, 6, 8, 11, 12 and 16 of IATF2 include those specified in Art. 59(2) and (3) of AMLD4.

IATF2 requires "competent authorities [to] have all the supervisory and investigatory powers…necessary for the exercise of their functions" and requires competent authorities to:

  • "Cooperate…to ensure that…administrative sanctions…produce the desired results and coordinate their action when dealing with cross-border cases";
  • Publish details of sanctions imposed "including information on the type and nature of the breach and the identity of the person responsible, if necessary and proportionate after a case by case evaluation" in accordance with Art. 60 AMLD4; and
  • Exercise their powers directly, in collaboration with other authorities, by delegation to other authorities, and by application to competent judicial authorities.

IATF2 also requires member states to encourage PSPs to report breaches to the competent authorities and to cooperate with the competent authorities to "establish appropriate internal procedures for their employees…to report breaches internally".

Key changes

IATF2 will replace and repeal the Information on the Payer Accompanying Transfers of Funds Regulation (IATF), which was first introduced as part of an EU Plan of Action to tackle money-laundering and terrorist financing. This section compares IATF2 with the current IATF regime, and summarises the key changes that will be introduced by IATF2 after it comes into force.

IATF Art. Ref

IATF2 Art. Ref

IATF

IATF 2

Definitions

Art. 2(5) and (7)

Art. 3(5) and (9)

PSP is defined as "a natural or legal person whose business includes the provision of transfer of funds services"

Transfer of funds is defined as "any transaction carried out on behalf of a payer through a [PSP] by electronic means, with a view to making funds available to a payee at a [PSP], irrespective of whether the payer and the payee are the same person".

A new definition of PSP is given that refers to "the categories of [PSP] referred to in Article 1(1) of PSD" or those that have a waiver under Article 26 of PSD or Article 9 of the E-money Directive9

A new definition of transfer of funds is given as follows: "any transaction at least partially carried out by electronic means on behalf of a payer through a [PSP], with a view to making funds available to a payee through a [PSP], irrespective of whether the payer and the payee are the same…and…whether the [PSP] of the payer and…the payee are… the same, including:

  1. a credit transfer…
  2. a direct debit…
  3. a money remittance…
  4. a transfer carried out using a payment card, an electronic money instrument, or a mobile phone, or any other digital or IT prepaid or post-paid device with similar characteristics."

Information on the payer and the payee

Art.4

Art.5(1)

Art.4(1)

Art.4(2)

The payer's PSP must ensure that transfers of funds are accompanied by the payer's name, account number (or unique identifier) and address (which can be substituted by date and place of birth of payer, the customer identification number or the national identity number).

In addition to the information on the payer requirements under IATF, the payer's PSP must also ensure that the name and account number (or unique transaction identifier) of the payee accompanies the transfer.

Derogation from obligation to provide information on the payer and the payee

Art.6(1)

Art.7(1)

Art.5(1)

Art.6(2)

Transfers of funds within the EU only need to be "accompanied…by the account number of the payer or a unique identifier", but transfers of funds to outside the EU "shall be accompanied by complete information on the payer".

Transfers only need to be "accompanied by at least the payment account number of both the payer and the payee or…the unique transaction identifier":

for transfers of funds within the EU; or

for transfers of funds outside the EU where the transfer does not exceed €1000.

Obligation to provide payer/payee information upon request

Art.6(2)

Art. 5(2)

Notwithstanding the derogation above, if the payee's PSP requests complete information on the payer, the payer's PSP is obliged to provide it within three working days.

The payer's PSP is only obliged to provide complete information on the payer and the payee "for transfers of funds exceeding EUR 1000". For transfers of less than €1000, the payer's PSP is only obliged to provide the payer and payee's names and their account numbers (or a unique transaction identifier).

Verification of payer and payee identity

Art 5(2)-(4)

Art.4(4)

Art.5(3)

Art.6(2)

Art. 7(3) and (4)

The payer's PSP "shall verify the accuracy of the information" on the payer "on the basis of documents, data or information obtained from a reliable and independent source". However "in the case of transfers…not made from an account, the [payer's PSP] shall verify the information on the payer only where the amount exceeds EUR 1000"

The payer's PSP "shall verify the accuracy of the information" on the payer and the payee's PSP "shall verify the accuracy of the information on the payee" ... "on the basis of documents, data or information obtained from a reliable and independent source".

However, the payer's PSP "need not verify the information on the payer" and the payee's PSP need not "verify the information on the payee" where transfers of funds do not exceed €1000, unless:

  1. the payer's PSP "received the funds to be transferred" or the payee's PSP "effects the pay-out of the funds" "in cash or in anonymous electronic money"; or
  2. the payer's or payee's PSP "has reasonable grounds for suspecting money laundering or terrorist financing".

Detecting missing information on the payee and the payer

Art.8

Art.9

Art.10

Art 8

The payee's PSP "shall detect whether, in the messaging or payment or settlement system…the fields relating to the information on the payer have been completed". Where information is missing or incomplete the payee's PSP is expected to take the following follow-up action:

  • "reject the transfer" or ask for the required information;
  • Where a PSP "regularly fails to supply the required information…take steps, which may initially include the issuing of warnings and setting of deadlines, before either rejecting any future transfers… or restrict[ing] or terminat[ing] [the] business relationship";
  • "report [the above] to the authorities responsible for combatting money laundering or terrorist financing" and
  • "consider missing information…as a factor when assessing whether the transfer…is suspicious, and whether it must be reported"

The obligations in relation to the detection of missing information are largely the same, except that IATF2 introduces a higher requirement on the payee's PSP to "implement effective risk-based procedures, including procedures based on the risk-sensitive basis referred to in Article 13 of [AMLD4], for determining whether to execute, reject or suspend a transfer of funds lacking the required complete payer and payee information and for taking the appropriate follow-up action". The follow-up action to be taken under IATF2 is largely the same as the follow-up action required under IATF.

Enhanced duties of intermediary PSPs

Art.12

Art. 13

Art.10

Art.11

Art. 12

Art. 13

Intermediary PSPs are required to retain with the transfer "all information received on the payer that accompanies a transfer".

Article 13 allows intermediary PSPs within the EU to "use a payment system with technical limitations which prevents information on the payer from accompanying the transfer of funds to send transfers to the [payee's PSP]" where the payer's PSP is outside the EU.

Intermediary PSPs are required to retain with the transfer "all information received on the payer and the payee that accompanies a transfer…"

Intermediary PSPs "shall implement effective procedures to detect" missing information on the payer and payee and "shall establish effective risk-based procedures for determining whether to execute, reject or suspend a transfer of funds lacking the required complete payer and payee information and for taking the appropriate follow-up action", which is the same type of follow-up action that the payee's PSP would be expected to take (see above).

The provision allowing for systems with technical limitations has been removed.

Record retention

Art 5(5)

Art.11

Art.16

The PSPs of the payer and payee shall keep records of information on the payer for five years.

The payer and payee PSPs are now obliged to retain records of information on both the payer and payee for five years, and there is a new requirement to delete this information afterwards. However, Member States are given the option to extend the retention period for the purposes of investigating, detecting or preventing money laundering or terrorist financing.

Data protection

N/A

Art. 15

There are no data protection provisions in IATF.

IATF2 introduces new data protection provisions:

  • the processing of personal data under IATF2 is subject to the Data Protection Directive10 and Regulation11, including the obligation in Art.10 of the Directive to provide data subjects with certain information "prior to establishing a business relationship or carrying out an occasional transaction";
  • "Personal data shall be processed by [PSPs]…only for the purposes of the prevention of money laundering and terrorist financing"
  • "[PSPs] shall ensure that the confidentiality of the data processed is respected."

Sanctions and monitoring

Art.15

Arts.17 to 20

Art. 22

IATF requires member states to "lay down the rules" for "effective, proportionate and dissuasive" penalties; to "take all measures necessary to ensure that they are implemented"; and to notify the EC of those rules.

Member states must "require competent authorities to effectively monitor, and take necessary measures with a view to ensuring, compliance with the requirements of [IATF]"

More detailed sanctions and monitoring requirements are introduced by IATF2, which are described in the "Other obligations" section above.

Reporting of breaches

N/A

Art. 21

There are no reporting of breaches provisions in IATF.

Member states must "establish effective mechanisms to encourage the reporting to competent authorities of breaches" which include the mechanisms referred to in Art. 61(2) AMLD4. PSPs are also required "in cooperation with competent authorities, [to] establish appropriate internal procedures for their employees…to report breaches internally".

Transfers of funds to non-profit organisations

Art. 18

N/A

IATF permits member states to exempt transfers of funds of €150 or less to non-profit organisations within the territory of the member state.

The exemption relating to transfers of funds to non-profit organisations within a member state has been removed.

Final thoughts

IATF2 is expected to be published in the Official Journal in June or July this year and will come into force 20 days after publication12. It is expected that IATF2's application date will be delayed to match the date of transposition into national law of AMLD4 (expected in mid-2017). This is not surprising given that IATF2 was announced as part of a package that includes AMLD4, and that several provisions of IATF2 are stated to be carried out in accordance with provisions in AMLD4.

This client alert is accurate as at 26 May 2015 and will be updated over time. Interim updates are available on our practice blog here.

Notes
  1. See articles 1 and 2 of IATF2
  2. See article 3 of IATF2
  3. See articles 4 – 6 of IATF2
  4. References to transfers of funds that exceed or do not exceed €1000 includes transfers "carried out in a single transaction or in several transactions which appear to be linked"
  5. See articles 7 – 9 of IATF2
  6. See articles 10 – 13 of IATF2
  7. See article 16 of IATF2
  8. See articles 17 to 23 of IATF2
  9. Directive 2009/110/EC on the taking up, pursuit and prudential supervision of the business of electronic money institutions
  10. Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
  11. Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data
  12. See article 27 of IATF2
Related Practices & Industries

Financial Services Regulatory