In 2022 Transactive Systems UAB was second among Lithuanian electronic money and payment institutions in terms of annual turnover (€13.1 billion), with operating income amounting to almost €4mn.

In revoking its electronic money authorisation, the Bank of Lithuania said that the following “main violations and deficiencies were identified” at the regulated #fintech firm Transactive Systems UAB:
 

• failed to properly identify clients, their representatives and beneficiaries;
• did not ensure adequate monitoring of business relations and operations*;
• in opening virtual accounts for its clients, Transactive Systems UAB enabled the opening of anonymous accounts;
• had absolutely no control measures for identifying cases of terrorist financing;
• failed to ensure proper implementation of international financial sanctions restrictive measures, and its monitoring and verification systems were ineffective;
• did not identify suspicious customer transactions and did not report them to the Financial Crimes Investigation Service;
• failed to ensure that the internal control function responsible for the organisation of money laundering and the prevention of terrorist financing was independent and a conflict of interest was avoided; and
• provided incorrect, incomplete and inaccurate information to the Bank of Lithuania.

* including that institution's immediate and retrospective monitoring of transactions was ineffective, the selected monitoring model did not correspond to the volume of processed transactions, suspicious transactions were not reviewed and properly analysed.

* measures aimed at determining whether the client's funds and assets were not obtained directly or indirectly from a criminal act or by participating in such an act were of poor quality and insufficient.
 

If these are a description of the ‘main violations and deficiencies’ identified, what else was going on?  

Over the past few weeks at events like ACAMS (ACAMSAssembly ACAMSEurope) Joby Carpenter Craig Timm Natasha Powell Shelley Schachter-Cahm and I discussed the situation of fintech and financial crime controls.
 
Many others and I had great discussions about good fintech companies having their reputations impinged by a few bad fintech actors both big (yes some fintech banks who know who they are and some from China who know who they are) and small (some from the east side of the EU bloc, Israel and disturbingly some regulated fintech firms from the UK who also know who they are) whose mentality is that an authorisation is akin to a driver's licence exam. They also often say if country A doesn't jump to our demands, then we will go to country B and will whine to your ministers and FDI agencies.

While it is good to see such decisive regulatory action here, the question has to be asked "How did Transactive Systems UAB get through what is supposed to be a thorough and rigorous common EU approach to regulatory authorisation by national competent authorities (NCAs) in the first place?"

​Particularly given the lengths that many EU authorities go to verifying the existence, performance and execution of the #financialcrime business wide risk assessments, the  risk registers, the risk appetite statements, #moneylaundering policies and procedures under EBA Guideline 14 and the vetting of managers, owners and directors of #blockchain emoney and #blockchain payments. Did this company say one thing, and then do the polar opposite? Did the regular trust but not verify?

Interestingly, back in January 2023, the Bank of Lithuania restricted the activities of the company by instructions:
 

• not to establish business relations with new clients and not to provide services to existing clients who provide financial services (including brokerage, investment ( Forex , CDF), money transfers, issuance of electronic money), as well as for customers whose activities are related to virtual currencies (including operators of virtual currency exchanges, operators of depository virtual currency wallets, exchange of virtual assets, loans with virtual assets).
• not to provide a payment account service when the conditions are created for the use of such a payment account by third parties whose identity has not been determined in accordance with the Law on the Prevention of Money Laundering and Terrorist Financing.
• not to provide a payment account service when the conditions are created for the use of such a payment account by third parties whose identity has not been determined in accordance with the Law on the Prevention of Money Laundering and Terrorist Financing

The news cannot but help take us to:
 

1. discussions of regulatory arbitrage between EU NCAs and consistency in approach by the European Banking Authority’s to ensure a level playing field for NCAs.
2. if the Lithuanian regulator is identifying and responding in a hard manner (the revocation, not the fine), are other regulators in the EU doing their bit too across ALL INDUSTRIES whether a bank, emoney, insurer etc.
3. would further examples like this lead to direct rule by ESAs if there is regulatory arbitrage and indeed greater powers for AMLA?
4. should penalties be higher and should there be higher Fitness & Probity standards harmonised across the EU?

​Well run regulated fintech must be getting depressed. Banks will jump on this example as evidence that fintechs cannot be trusted to adhere AML, sanction and financial crime laws properly and some regulators might do so too, recalibrating their supervisory engagement models. Those going through authorisation will find it tougher to satisfy their future regulator compared to others who went through the process a few years ago.
 
Another telling issue in this case is the fact the Bank of Lithuania says that it “has received many complaints and inquiries from individuals and legal entities of various European Union countries and financial market supervisory authorities regarding possible fraud related to clients of Transactive Systems UAB or accounts opened there. Although the Bank of Lithuania has repeatedly drawn the institution's attention to the importance of money laundering and terrorist financing risk management and fraud prevention, gross and systematic violations of the legal acts regulating the prevention of money laundering and terrorist financing were identified during the inspection.”  This comes across really weak.

​Separately, getting really tired of hearing from people who should know better saying that "I will not apply to country A for my authorisation (recommend my client not to do so) because I hear it is easier and faster at country B".  While I am not saying that country B is Lithuania, it is news that one would have to share as a both a positive and negative when asked "Peter what are the best 3-5 EU member states you would suggest for a fintech authorisation and why?" It's a question I am asked every month.  And you know what, the answer is ‘It depends – on your business model, access to banking services, access to talent and reputation of the regulator’ to name but a few points. 

​Contact Peter Oakes at the details here or via Linkedin if you want to know more about how I help fintech businesses get authorised in Europe and the UK and my non-executive director services to regulated fintech, MiFID and banks.

Links to sources:
1) Bank of Lithuania Announcement of 2 June 2023
2) Previous restriction imposed on Transactive Systems UAB on 20 January 2023
​3) Linkedin Post HERE

Friday 20th January 2023: Central Bank of Ireland (CBI) issued a Dear CEO letter to the fintech industries of electronic money institutions and payments institutions.  The purpose is to reaffirm the CBI's supervisory expectations built on its supervisory experiences, both firm specific and sector wide, and enhance transparency around its approach to, and judgements around, regulation and supervision.

If you are looking to get authorised as an electronic money or payments institution in Ireland, contact us.  We are working with a number of such applicants and we advise those already authorised on their on-going regulatory obligations, business models and strategy.  See our Authorisation Page with links to useful Authorisation Guides. 

Busy start to the year with enquiries from UK, Asia and the US continuing to roll in about the benefits, opportunities and challenges of establishing a EEA regulated presence in Ireland, particularly for #emoney and #payments. While Ireland is in the top three of the final round, there remains stiff competition (so to speak) from two other leading jurisdictions.
​
Thus it was good to see, , as I am sure others will agree, the Central Bank of Ireland most recent Dear CEO letter issued to emoney and payments institutions on Friday 20 January 2023 by Mary-Elizabeth McMunn, Director of Credit Institutions Supervision. It will help provide greater clarity not only to currently authorised emoney and payments firms, but also those in the authorisation pipeline and those thinking of filing in Ireland.

It is a meaty document at 5,168 words across eleven (11) pages. Download a copy of the letter and additional relevant reading material here - https://complireg.com/blogs--insights/2023-dear-ceo-letter-re-supervisory-findings-and-expectations-for-payment-and-electronic-money-e-money-firms
​
If you wish to get a quick understanding of the letter in terms of your regulatory obligations search the words 'we expect'. You will see those appear eleven (11) times too!

Right now, best to mark in your calendar and work backwards, that an audit opinion on safeguarding, along with a Board response on the outcome of the audit, is to be submitted to the CBI by 31 July 2023. And it is not just a case of ringing your current external auditors and appointing them.  

• Emoney and payments firms will need to demonstrate that they exercised due skill, care and diligence in selecting and appointing auditors for this purpose; including satisfying themselves that the proposed auditor has, or has access to, appropriate specialist skill in auditing compliance with the safeguarding requirements under the PSR/EMR taking into account the nature, scale and complexity of the firm's business.  Let the beauty parades begin.  And so it should be the case!
• The auditor is to provide an opinion confirming:
  "whether the firm has maintained adequate organisational arrangements to enable it to meet the safeguarding provisions of the PSR/EMR on an ongoing basis, with the specific areas, at a minimum, that should be subject to review and assurance by the auditor outlined in Appendix 2 of the Dear CEO Letter.

The purpose of the letter is to reaffirm the CBI's supervisory expectations built on its supervisory experiences, both firm specific and sector wide, and enhance transparency around our approach to, and judgements around, regulation and supervision.


The breakdown of the letter is as follows:

(1)      Supervisory Approach for the Payment and E-Money Sector (provides wider and specific context to our supervisory approach).

(2)      Supervisory Findings (key findings from supervisory engagements over the last 12 months and actions the CBI expects firms to undertake)
➡ Safeguarding;
➡ Governance, Risk Management, Conduct and Culture;
➡ Business Model, Strategy and Financial Resilience;
➡ Operational Resilience and Outsourcing; 
➡ Anti-Money Laundering and Countering the Financing of Terrorism;

• ♻ Risk-Based Approach,
• ♻ Distribution Channels, 
• ♻ Electronic Money Derogation and Simplified Due Diligence

(3) Conclusion and Actions Required (CBI's expectation that this letter is provided to and discussed with your Board, and any areas requiring improvement that directly relate to your firm are actioned).

Next Steps:

Get in contact with Peter Oakes / CompliReg. Founded by the CBI's inaugural Director of Enforcement and AML/CFT Supervision & board director of payments, emoney and MiFID companies. Peter is also a former: FSA (now FCA) enforcement lawyer; senior officer (legal) at ASIC; and adviser to the deputy director of banking at SAMA.


Further Reading:

10 December 2021: Authorisation Guidance and Supervisory Expectations for Payment and Electronic Money Firms (Central Bank of Ireland)
09 December 2021: Central Bank of Ireland Dear CEO Letter on Supervisory Expectations for Payment and Electronic Money (E-Money) Firms

Today (Monday 11 July 2022) the Central Bank of Ireland issued a press release highlighting weaknesses in Virtual Asset Service Providers’ (VASP) AML/CFT Frameworks.

As of today, according to the Central Bank's website, the total number of VASPs registered in Ireland is ZERO.  See image below.

Question: If there are no firms appearing on the register, does that mean that there are no VASPs operating lawfully in Ireland?  

Answer: No.  VASPs established in Ireland and carrying on business as a VASP immediately prior to the Criminal Justice (Money Laundering and Terrorist Financing) (Amendment) Act 2021  coming into force, who applied to the Central Bank for registration before 23 July 2021 are permitted to continue to offer VASP services pending the outcome of their application ('transitional period'). 

While we have heard stories of firms operating as VASPs in Ireland in circumstances where they do not fall under the transitional period, such firms should be subject - if they came to the attention of the Central Bank -  to criminal and/or regulatory investigation.

​Accompanying today's press release is a bulletin in relation to Virtual Asset Service Providers (VASPs), seeking to assist applicant firms to strengthen both their applications for registration and their Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) Frameworks.

The Central Bank says while it seeks to anticipate and support innovation in the financial services industry, firms operating in novel areas must ensure their businesses will not be used to launder the proceeds of crime or to finance terrorism.  The Central Bank issued the bulletin to VASPs to assist them in strengthening their applications and frameworks.

Background: Since 23 April 2021, VASPs are required to comply with the relevant AML/CFT obligations under the Criminal Justice Act 2010 to 2021. Any firm wishing to conduct business as a VASP must apply to the Central Bank for registration. The Central Bank says it is currently progressing the assessment of registration applications, and has provided feedback to 90% of applicants on their proposed AML/CFT frameworks.

Findings: The Central Bank identified, in the vast majority of applications:

• a lack of understanding and compliance with key AML/CFT obligations; and
• significant control weaknesses.

See below for further details on the Central Bank's 'findings' observations.
​
The Central Bank reported that the lack of compliance, coupled with control weaknesses, resulted in a significant number of the applicant firms not being able to demonstrate that they could meet their AML/CFT obligations.

Actions: The Central Bank has reconfirmed that it will only register a firm when it is satisfied that the firm can meet its AML/CFT obligations on an ongoing basis. It has said that all current and potential VASP applicants should:

• take actions to rectify weaknesses;
• review the bulletin; and
• be aware that if they fail to register they may face significant criminal and/or administrative sanctions.

The Central Bank also too the opportunity to remind that:

• VASPs are supervised by it for AML/CFT purposes only, and that consumers do not enjoy the Central Bank’s consumer protection mandate in their dealings with VASPs.
• as with all other supervised financial institutions, registered VASPs will be subject to a supervisory levy which will be driven by the level of resources applied to their supervision.

Incomplete Applications: A number of registration applications did not contain the required information and documentation and consequently such applications did not progress to the assessment phase.

• some firms had submitted policies but no accompanying procedures.
• a number of firms submitted a copy of the firm's internal risk register in place of a documented risk assessment.
• majority of firms that did not progress to the assessment phase had not availed of the pre-application meeting and/or had not given consideration to the guidance documents issued by the Central Bank.

Assessment Phase: In undertaking its assessment of registration applications, the Central Bank noted recurring fundamental issues preventing approving of registration applications as the applicants could not meet their AML/CFT legislative obligations or the Central Bank’s expectations. The Central Bank communicated its concerns and expectations to the applicants for further consideration.

The Central Bank helpfully provided a couple of pages in its bulletin (pages 4 - 6) giving an overview of recurring issues identified during the assessment of VASP registration applications.  These are repeated below.

Money Laundering and Terrorist Financing (ML/TF) Risk Assessment: An effective AML/CFT control framework is built on an appropriate ML/TF risk assessment that focuses on the specific ML/TF risks arising from the firm’s business model. This risk assessment should drive the firm’s AML/CFT control framework such that it ensures there are robust controls in place to mitigate and manage the specific risks identified through the risk assessment. The Central Bank identified a significant number of issues with the ML/TF risk assessments conducted by VASP applicant firms, including: 

• A number of firms had not assessed or documented the ML/TF risks as they pertain to the firm’s customers and business activities. The Central Bank expects a Risk Assessment to be specific to the firm and the specific risks that pertain to that firm’s activities and customers. 
• Several VASP applicant firms did not document the inherent ML/TF risks that pertain to the firm or document how, after assessing the effectiveness/strength of the firm’s control environment, the firm had determined the residual risk rating for each of the risk factors as set out in the CJA 2010 to 2021.
• A number of firms did not consider relevant information in the National Risk Assessment, CJA 2010 to 2021 and/or guidance on risk issued by the Central Bank, when documenting the firm’s risk assessment. This included consideration of inherent risk factors, such as Nature, Scale, Complexity, Geographical Risk, Products and Services risk, etc.

Policies and Procedures: When developing AML/CFT policies, controls and procedures (“AML/CFT P&Ps”), firms should maintain a detailed documented suite of AML/CFT P&Ps, which are:

• supplemented by guidance
• accurately reflect operational practices; and
• fully demonstrate consideration of and compliance with all legal and regulatory requirements. 

The Central Bank identified a number of recurring issues with the AML/CFT P&Ps submitted by applicant firms including; 

• Several firms submitted AML/CFT P&Ps that did not meet the Irish legislative and regulatory requirements, in many instance referring to legislative frameworks in other jurisdictions where parent/group entities are situated. Where firms rely on group policies and procedures, these must be sufficiently detailed, applicable to the Irish entity that is applying for VASP registration and meet the Irish legislative and regulatory requirements.
• The Central Bank received several registration applications that included the firm’s policies but failed to include the firm’s procedures that document how the firm meet their legislative obligations. As detailed in the application guidance, applicant firms are required to submit AML/CFT P&P relating to Customer Due Diligence (“CDD”), Transaction Monitoring, Suspicious Transaction Reporting, Financial Sanctions, Record Keeping, Training and Assurance Testing

Customer Due Diligence (“CDD”): 
CDD involves more than just verifying the identity of a customer. Firms should collect and assess all relevant information in order to ensure that the firm:

• Knows its customers, persons purporting to act on behalf of customers and their beneficial owners, where applicable;
• Knows if its customer is a Politically Exposed Person (“PEP”)
• Understands the purpose of the account and therefore understands the expected activity; and;
• Is alert to any potential ML/TF risks arising from the relationship.

The Central Bank identified a number of recurring issues with the CDD AML/CFT P&Ps submitted by applicant firms including;

• A number of applicant firms failed to demonstrate compliance with the legislative obligation to obtain information reasonably warranted by the ML/TF risk on the purpose and intended nature of the business relationship with a customer prior to the establishment of the relationship.
• The Central Bank received several registration applications where the firm failed to demonstrate how screening is conducted for PEPs for both new and existing customers. A number of firms also failed to document how PEP customers are managed including documenting requirement for Senior Management approval, the application of Enhanced Due Diligence (“EDD”) measures to PEPs and enhanced on-going monitoring measures.
• Several firms failed to document policies and procedures relating to the refresh of CDD documentation.

Financial Sanctions Screening: The Central Bank’s expectation is that firms have an effective screening system in place, appropriate to the nature, size and risk of their business. In addition to this, firms should have clear escalation procedures in place to be followed in the event of a positive match.

• Several firms failed to document the frequency of Financial Sanctions screening, how the firm screens (including what, if any, software is used) and also the steps the firm would take in the case of a Financial Sanctions hit.

Outsourcing: A firm can outsource certain AML/CFT Functions, but are reminded that the firm remains ultimately responsible for compliance with its obligations under CJA 2010 to 2021. It is expected that, where firms outsource AML/CFT functions, a documented agreement is in place that clearly defines the obligations of the outsource service provider. Firms should also evidence that sufficient oversight is conducted on the outsourced activity.

A number of VASP applicant firms outsource certain AML/CFT functions to group-related parties and/or non-group related parties.

• Several firms did not include their policies around outsourcing or submit their service level agreements
• In addition to this, several firms have failed to demonstrate sufficient oversight of the outsourced activities or failed to evidence that appropriate regular assurance testing of the outsourced activities takes place.

Individual Questionnaires for proposed Pre-Approval Controlled Function role holders:
A number of firms have failed to or delayed in submitting Individual Questionnaires (IQs) for each of their proposed Pre-Approval Controlled Function (PCF) role holders. IQs should be submitted for each individual proposed to hold a PCF role as soon as practical.

The Central Bank’s expectation on a firm’s presence in Ireland.
In line with the principle of territoriality enshrined in the EU AML Directives and Section 25 of the CJA 2010 to 2021, the Central Bank expects a physical presence located in Ireland and for there to be at least one employee in a senior management role located physically in Ireland, to act as the contact person for engagement with the Central Bank. In addition, in accordance with Section 106 H of the CJA 2010 to 20212 , the Central Bank may refuse an application where the applicant is so structured, or the business of the applicant is so organised, that the applicant is not capable of being regulated to the satisfaction of the Central Bank. 

Further Reading: ​Press Release - Central Bank highlights weaknesses in Virtual Asset Service Providers’ AML/CFT Frameworks 11 July 2022 

Peter Oakes, fintech and financial crime expert talks to Gabriel Vedrenne of ACAMS MoneyLaundering.com about European financial institutions that switched to onboarding all new clients remotely at the height of COVID-19 lockdowns should review their customer files to ensure that adequate due diligence was conducted as per the European anti-money laundering standard setter warned.
​
​CLICK HERE

European Supervisors Instructed to Challenge Banks More Frequently.  Peter Oakes discusses this topic with Gabriel Vedrenne, ACAMS MoneyLaundering.com

CLICK HERE

EU inches towards uniform AML rules and supervision. Peter Oakes discusses this topic with Gabriel Vedrenne, ACAMS MoneyLaundering.com

​CLICK HERE