EBA opinion on de-risking

The EBA recalls that ‘de-risking’ occurs where a given financial institution decides not to enter into, or to terminate, business relationships with individual customers or categories of customers associated with higher money laundering or terrorist financing (ML/TF) risk, or refuses to carry out higher ML/TF risk transactions. It seems that firms adopt de-risking strategies to face situations where ML/TF or reputational risks exceed their risk appetite, where they do not have sufficient knowledge or expertise to assess the risks associated with a specific business models, or also where the expected costs of AML compliance outweigh the anticipated profits.

De-risking has a negative impact on various categories of customers that cannot longer access financial services (not only individuals, but also e.g. various types of payment service providers (PSPs) that cannot longer access bank accounts to serve their own customers). Accordingly, this undermines EU’s objectives on promoting financial inclusion and competition in the single market, and also on fighting financial crime effectively (for example, certain payment institutions have no choice than seeking alternatives to opening bank accounts in the EU, such as dealing with large amounts of cash, or maintaining accounts outside the EU).

De-risking and anti-money laundering (AML) regulations

The difficulty with de-risking is that it may find some legal justification in AML regulations (in addition to other commercial grounds that any firm may have), and complying with these is probably one of the most common reasons that financial institutions tend to invoke when they refuse to onboard certain customers, or offboard them.

In its Opinion, the EBA reaffirmed that decisions not to establish or to end a business relationship, or not to carry out a transaction may be in line with Directive (EU) 2015/849 (AMLD). In particular, Article 14(4) requires obliged entities to do so when they are “unable to comply with the customer due diligence [CDD] requirements”.

However, the EBA also reaffirmed clearly that de-risking entire categories of customers, without due consideration of individual customers’ risk profiles can be unwarranted and a sign of ineffective ML/TF risk management. In other instruments (see our previous Alert, available here), the EBA already clarified that de-risking was not required under AMLD, and firms must mitigate their ML/TF risks instead of discontinuing their commercial relationships.

The EBA takes the view that national competent authorities (NCAs) should take further actions in order to support the effective implementation of existing EBA instruments (which, if applied correctly, could already prevent unwarranted de-risking), and each NCA should engage more actively with firms that de-risk and those affected by de-risking so as to raise rights and responsibilities of firms and their customers.

Interplay with PSD2

In the Opinion, the EBA notes that de-risking may conflict with other provisions in EU law, in particular Article 36 of the second Payment Service Directive (PSD2), which provides that payment institutions must have access to credit institutions’ payment accounts services on an objective, non-discriminatory and proportionate basis. In turn, credit institutions are required to provide NCAs with duly motivated reasons for any rejection (note that the notification requirement currently only applies when onboarding a new payment institution).

In the EBA’s view, the high-level nature of this provision, coupled with the lack of guidance for credit institutions on the circumstances in which the closure of an account must be notified have given rise to divergent application across the EU member states and divergent interpretations across the NCAs. For this reason, the EBA addressed proposals to EU bodies, in particular the European Commission (EC), seeking to clarify the relationship between PSD2 AMLD requirements.

The EBA suggests following the same approach taken in one EU member state (without saying what it is), where it appears that the relevant NCA would have adopted a streamlined process to facilitate/standardise the notification, involving a template that credit institutions must use to notify their NCA when they decide to reject an account application. This approach seems appealing to the EBA in the sense that it gave the NCA valuable insight into most common reasons for rejections, allowed that NCA to issue appropriate guidance, and ultimately managed to decrease the number of rejections (apparently, credit institutions have started to communicate more often with their NCA, even before rejecting accounts). We suspect that this EU member state is Lithuania, where the Bank of Lithuania indeed released some guidance (including the said template) that highlights the rights of payment institutions to access bank accounts opened with credit institutions, clarifies the ML/TF risks associated with different types of accounts (current account, safeguarding account, payment account), and also reminds credit institutions that they are expected to manage ML/TF risks on a risk-sensitive basis (instead of de-risking).

It must be noted that the UK also developed helpful guidance on Article 36 of PSD2, as implemented under regulation 105 of the Payment Services Regulations 2017 (PSRs 2017), which also includes the use of a template in case of rejection.

To our knowledge, Denmark also released some guidance on above Article 36 (but does not refer to any template) (see our previous Alert on this, here), and the Netherlands seems to require credit institutions to use a dedicated form when rejecting an application (without however having guidance on that topic).

Most likely, some changes are to be expected during the upcoming review of PSD2 (for example, above procedure may also apply when a credit institution decides to offboard a given payment institution), and the EBA may well be tasked with the development of regulatory technical standards (as the EBA already did for a number of other topics).

Interplay with the PAD

The EBA also identified potential conflicts with the Payment Account Directive (PAD).

Essentially, Article 16 creates a right for certain customers to obtain and use a payment account with basic features, but this right only exists to the extent the financial institution can comply with its AML obligations. Additionally, Article 19(4) states that consumers must be given the grounds and the justification for a decision to close a payment account, but this right obviously conflicts with other requirements under AMLD prohibiting ‘tipping-off’.

Therefore, the EBA also suggests drafting guidelines (perhaps jointly with the future Anti-Money Laundering Authority?) in order to clarify in which situations a “basic payment account” should be rejected or closed, or the basic features curtailed to the extent needed. The EBA believes this may help achieve the right balance between financial inclusion and ML/TF risks. At the same time, it is likely that the process or complaint mechanism will be reviewed so as to ensure a transparent and fair process for customers.

If you require further information or have any further questions, please contact our payments team.

If you would like to receive our regular Payments alerts in your inbox, click here.

If you would like to read Bird & Bird's previous alerts, please check out our Payments webpage here.