On 3 November, the Danish Financial Supervisory Authority (Danish FSA) issued revised AML Guidelines (Danish AML Guidelines) under the Danish Act no. 380 on Measures to Prevent Money Laundering and Financing of Terrorism of 2 April 2020 (Danish AML Act). The Danish AML Guidelines include several changes and guidance on AISP and PISP AML requirements.
Revised AML Guidelines
The changes in the Danish AML Guidelines were initiated as part of the implementation of Directive 2018/843/EU of 30 May 2018 (5th Anti-Money Laundering Directive) and the two Danish political agreements of 19 September 2018 and 27 March 2019 which aim to strengthen preventive measures against money laundering and financial crime. The Danish AML Guidelines feature several changes including: enhanced customer due diligence procedures, reporting obligations to companies’ board of directors, and adjustments regarding obtaining and verifying identity information on beneficial owners.
Guidance on AISP AML requirements
According to the Draft Guidelines issued under Articles 17 and 18(4) of Directive 2015/849/EU (4th Anti-Money Laundering Directive) on customer due diligence and the risk factors (Draft Risk Factors Guidelines) which were published for public consultation on 5 February 2020, both AISPs and PISPs are subject to the requirements under the 4th Anti-Money Laundering Directive. It is, however, emphasized in the Draft Risk Factors Guidelines that the inherent ML/TF risk associated with AISPs and PISPs is limited, which should be taken into consideration as part of the risk assessment.
The Danish AML Guidelines explicitly state (in line with the Danish AML Act), that companies that are only providing account information services (AISPs), cf. Article 60 of the Danish Payments Act, are not subject to the requirements in the Danish AML Act.
The Danish FSA’s stand on AISPs seems pragmatic considering that AISPs are not involved in the payment chain and do not hold customer funds.
Most European countries have (in line with the Draft Risk Factors Guidelines), not explicitly excluded AISPs from national AML requirements, as done by the Danish FSA and some European countries, e.g. UK, Italy and the Netherlands, both the law and the position of the regulators are clear that AISPs are subject to national AML requirements.
Guidance on PISP AML requirements
The Danish AML Act and the Danish AML Guidelines explicitly state that payment initiating service providers (PISPs) are subject to the requirements in the Danish AML Act.
According to the Danish AML Guidelines, PISPs must consider (taking into account their business models) whether to establish a customer relationship with customers. This could include online businesses that regularly receive payments for goods and services from customers through payment initiating services or, natural persons using PISPs (often combined with account information services) to manage different accounts potentially maintained by different account servicing payment service providers (ASPSPs).
The Danish AML Guidelines emphasise that unlike other payment service providers, PISPs do not execute payment transactions and are not in possession of customer funds which means, that the risk of money laundering may be low. PISPs should in their risk assessments include other risk factors than providers of other types of payment services. Further, it is emphasized that PISPs cannot solely rely on the fact that ASPSPs are subject to the requirements in the Danish AML Act.
As a general rule PISPs must always carry out a risk assessment of the customer relationship which take into account geographical factors, e.g. the final destination of these payments and their origin, or a payment account maintained in a high-risk country. PISPs should also include matters concerning the customer, including:
i) where a customer initiates a number of payments to the same payee, regardless of whether this is done from one or several accounts;
ii) where a customer initiates large transaction; and
iii) where a customer’s transactions are otherwise unusual.
Finally, the Danish AML Guidelines mention that the technical design of APIs – used by PISPs to communicate with ASPSPs – may limit the information that is available to PISPs e.g. information about the identity of the payer. Despite this, that a PISP is not obligated beyond what an API makes possible, a PISP must continuously monitor and assess the transactions initiated by its customers and consider if these give rise to further investigation in accordance with its “duty to investigate” under the Danish AML Act.
Should you have any questions about the above, please do not hesitate to contact Annette Printz Nielsen from our Danish office or any other member of the Bird & Bird global payments team.
If you would like to receive our regular Payments alerts in your inbox, click here.