Over the Bank Holiday I thought I'd take the time to sit down and read through the Financial Action Task Force (FATF) document "Guidance for a Risk-Based Approach to Prepaid Cards, Mobile Payments and Internet-Based Payment Services". Remember, I do this so you don't have to. I was specifically looking to see if the proposed risk-based approach might overcome the fundamental problem that new payment systems run into: that compliance imposes such a huge burden on new retail and interpersonal payment systems that it stops them from being viable even when they deliver a great new service that customers want (and that might reduce the overall social costs of payments).
So here were go.
First of all, let's be clear about the scope. The document slightly jumbles the technology and the service to my nerdish gaze. I'm a bit of a purist so I would prefer to seem them separated. I don't think the technology should be part of the regulation. A prepaid account should have the same regulation irrespective of whether it is on a plastic card or on a mobile phone or in the cloud or wherever.
To ensure that the guidance in this paper is relevant and practical, it will focus particularly on three categories of NPPS: (1) Prepaid cards; (2) Mobile payment services; and (3) Internet-based payment services. It is important to note that NPPS are increasingly interconnected, both between these three categories and with traditional payment methods.
The regulations that are under discussion are Know Your Customer (KYC), Anti-Money Laundering (AML) and Anti-Terrorist Financing (ATF) are brought together under the acronym CDD or "customer due diligence". I think I'll switching to using this handy acronym from now on as well.
The G20 Principles for Innovative Financial Inclusion… allow countries to apply a risk-based approach allowing, for example, the application of reduced or simplified customer due diligence (CDD) measures for certain lower-risk products or even, in justified cases, for an exemption from CDD measures.
Now this is, in principle, a very good thing. Assuming that we agree that low-value payment products (I prefer using LVPs as the relevant acronym) are low risk, then a risk-based approach would exclude them from CDD altogether.
Countries should require financial institutions to undertake the following steps for CDD in line with Recommendation 10: (i) identification and verification of the customer’s identity; (ii) identification of the beneficial owner; (iii) understanding the purpose of the business relationship; and (iv) on-going monitoring of the relationship.
This makes no sense in a great many countries because the identification at the root of CDD is non-existent, so getting rid of it for LVPs is an immediate and significant benefit to the less well-off and should be encouraged.
Where NPPS are lower risk and sufficiently low loading or usage limits are applied, countries should still require financial institutions to give sufficient attention to the detection of surfing and structuring schemes intended to circumvent the thresholds and suspicious reporting requirements.
Which is fair enough. In my head, this means that we should let anyone who wants one have an LVP and then use "big data" to look for unusual patterns. This is an infinitely more effective law enforcement technique than creating barriers to LVPs and then having no data to analyse. The obvious question is, then, about the LVP boundary. When it comes to discussing cross-border wire transfers, the document suggests a thousand dollars as the breakpoint, which seems reasonable to me as that would mean most of the remittance traffic that directly benefits people in developing countries. For LVPs in general, a maximum account balance of something in the region of $1,000 seems similarly reasonable.
Should that be a firm boundary? When the document comes to discuss (qualitative) risk factors, it does acknowledge (in Table 1) that setting transaction and account limits is a means to lower the risk factors. I couldn't agree more. So let us set firm limits below which no CDD burdens apply and make the CDD more diligent above those thresholds.
As an example, the closer the functionality of a NPPS is to a bank account, the greater the need to apply comparable regulation, including the application of full CDD measures.
I wasn't sure what "comparable" means because words such as "closer" don't have a precise meaning. Right now, something is either a bank account or it isn't, and I don't really see a problem with that. The idea of transaction accounts or payment accounts that are regulated separately from bank accounts makes sense. but the idea of assessing risk on how close these are to bank accounts doesn't. If they are bank accounts (if, for example, they allow overdrafts), regulate them as bank accounts. If not, and if they have limits as discussed, then don't.
The European regulator acknowledged the claims of the operators and allowed single Member States to apply a simplified CDD for electronic money up to certain thresholds: EUR 150 when electronic money could not be reloaded and a yearly turn-over of up to EUR 2,500 when electronic money could be reloaded. The second electronic money Directive in 2009 raised the threshold for electronic money which cannot be reloaded to a maximum of EUR 250.
The limit of €2,500 per annum is probably on the low side and I'd prefer something in the region of €5,000 but it is tolerable. For a Polish worker sending €500 per month back home then it is too low, but for a teenager spending €100 per month music and games and clothes it is more than enough.
The U.S. requires all providers of "Money or value transfer services" (MVTS), wherever they may be based in the world, to be licensed and registered in the U.S. if the MVTS provider offers services in the U.S. This obligation has particular relevance for Internet-based MVTS providers that may have no easily identifiable physical business presence anywhere.
To me this sounds like a tremendous barrier to innovation, but that's for another post some time. I wanted to move on to make a point about risk in a risk-based approach. One risk that doesn't seem to be addressed in the document is the risk that high CDD barriers to LVPs will mean that criminals, money launderers and terrorists will carry on using cash and therefore be invisible to law enforcement agencies. I have argued before that it is more important to be able to track the flows than to know, for certain, who the endpoints are. FATF quite correctly say that
Unique to a mobile payment are the phone numbers of the sender and receiver as well as the sender, and potentially the receiver’s, SIM card information. There may also be information captured by the MNO regarding the exact location of the sender and receiver’s phones at the time of the transaction. Depending on the size and nature of the transaction, location information may be a useful component of the transaction record.
Now, to me, that amount of information suggests that we should be doing everything we possibly can to persuade people to use mobile payments at all times and in all circumstances even if we haven't the slightest idea who they are because the information exhaust from the transactions is so valuable, and not only for law enforcement. Therefore, the regulators should exempt LVP from CDD and immediately boost the take-up of a wide variety of mobile payment systems around the world. That is the logical step to take in a risk-based approach. They can then focus their attention (and resources) on larger transactions and, within reasonable bounds, use "big data" to do the heavy lifting on LVP transaction analysis to look for suspicious patterns.