The Finnish Financial Supervisory Authority (FIN-FSA) published a summary of its sector-specific money laundering risk assessment on 24 August 2020. The FIN-FSA stated that the level of money laundering risk affecting the payment service sector as a whole is significant. This is the second highest risk level on a four-step scale from less significant to very significant. The risk assessment concerns the following groups:
- Payment institutions as defined in the Finnish Payment Institutions Act
- Finnish branches of foreign payment institutions
- Registered payment service providers (“PSPs”) as defined in the Finnish Payment Institutions Act
- MVTS providers, i.e. entities that provide money remittance services as their only payment service as defined in the Finnish Payment Services Act.
We have summarised below the findings of the assessment, with a specific focus on payment institutions and registered payment service providers.
Increased risk of money laundering in the payment service sector as a whole
The sector-specific risk assessment addresses risk levels in two main categories: (1) the risk category and (2) the management method category. The risk category covers geographical risks as well as risks related to products and services, and customers and distribution channels. The management method category, on the other hand, covers a risk-based approach to operations, how operations are organised, customer due diligence, and monitoring.
The risk categories
Products and services
The products and services provided play a crucial role in how vulnerable a specific sector or individual entity can be to money laundering. The products and services assessed by the FIN-FSA included services specified in the Finnish Payment Services Act as well as currency exchange, virtual currency services, and electronic money. The inherent risk levels were determined in the summary of the supervisor-specific risk assessment of inherent risk published on 17 March 2020 by the FIN-FSA. The majority of the products and services used in the sector enable the transfer of funds from one place or person to another and were therefore assigned either a very significant or significant inherent risk rating.
The majority of entities in the payment service sector provide services related to the execution and acquisition of payment transactions, which involve a high level of inherent risk. Payment accounts are provided by relatively few PSPs and involve risk-mitigating elements in comparison to e.g. deposit accounts provided by deposit banks. The FIN-FSA considered the risk level for the products and services provided by both payment institutions and registered PSPs to be moderately significant.
In the geographical risk evaluation, the FIN-FSA took into consideration location, the provision of services in different geographical areas, and the geographical dimensions of payment traffic. Finnish payment institutions have relatively few branches, subsidiaries or agents that are located outside Finland, which, in turn, reduces the risk level. However, entities have notified a significant number of services they provide on a cross-border basis within the EEA, which in turn increases the risk. As regards payment traffic, the majority of payment transactions were domestic transactions and the majority of the cross-border payment transactions took place in the EU/EEA. The FIN-FSA considered the risk level for both payment institutions and registered PSPs to be moderately significant.
The level of risk affecting customers depends on e.g. the number of foreign customers, high-risk customers, and customers in certain sectors involving a higher risk. Inconsistencies were identified in the data regarding customers, which results in a higher risk level. The FIN-FSA considered the risk level for both payment institutions and registered PSPs to be significant.
The majority of service providers provide their services via an online channel. Online channels have traditionally been considered to involve a higher risk as business is primarily conducted remotely. The FIN-FSA considered the risk level for both payment institutions and registered PSPs to be significant.
The management method categories
Risk-based approach to activities
As regards payment institutions, the primary factor resulting in a higher risk level is the fact that customer risk evaluations are not taken into consideration in the ongoing monitoring of the relevant customer relationships. As regards registered PSPs, the risk evaluations lack elements required by the law, and not all entities have procedures in place for the evaluation of risks pertaining to customers. The FIN-FSA considered the risk level to be significant for payment institutions and very significant for registered PSPs.
Organisation of activities
Payment institutions primarily have operating guidelines and procedures required by the Finnish Act on Preventing Money Laundering and Terrorist Financing as well as training and practical work instructions in place to ensure compliance with CDD procedures. Meanwhile, registered PSPs were found to still retain some outdated operating principles, procedures, and practical work instructions. The FIN-FSA considered the risk level to be less significant for payment institutions and significant for registered PSPs.
Customer due diligence (CDD)
The assessment indicated that entities have not updated their customer information even for high-risk customers. Many entities rely on third-party services to comply with CDD, and some use new methods such as video identification or other non-conventional methods in verifying the identity of their customers, which then translates into a higher risk level. Further, the majority of registered PSPs were lacking in statutory procedures. The FIN-FSA considered the risk level to be significant for payment institutions and very significant for registered PSPs.
The majority of payment institutions have implemented a system-based solution for monitoring payment traffic, whereas all registered PSPs indicated that they use both manual and system-based solutions. However, the results of the assessment show that relatively few entities have submitted notifications to the Financial Intelligence Unit (FIU). Furthermore, the assessment found that entities have not arranged for sufficient enhanced monitoring for politically exposed persons. The FIN-FSA considered the risk level to be significant for payment institutions and very significant for registered PSPs.
The risk assessment showed that service providers lack elements required by the law and that not all entities have risk evaluation procedures regarding customer due diligence (“CDD”) and monitoring in place. It is crucial for these procedures to be up-to-date in order to mitigate any risks that may arise. We encourage service providers to review their processes and consider any necessary measures they should take. Borenius’ experts are available to assist you in this process.