Digitisation of payment systems is delivering significant benefits to customers but also risk to their assets. In the last decade the rise of internet-enabled e-commerce has led to increasing cashless payment options (greater adoption of credit cards, payment platforms, digital wallets & buy now pay later) significantly overtaking traditional cash payments1. This global trend has accelerated the emergence of new and innovative financial services initiatives (e.g., Open Banking) and payment technologies. The increasing number of payment firms2 in the payments landscape and in the merchant life cycle has attracted significant regulatory focus to ensure that payments are safe, efficient, and effective for consumers and businesses alike.
Recent commentary by regulators has highlighted concerns with growing challenges and risks faced by payments businesses, particularly as it relates to fraud3 and money laundering/terrorism financing (ML/TF)4 risks. A recent report by the European Banking Authority5 on ML/TF risks in payment institutions described the inherent risks as high and identified the controls to mitigate risks as being ineffective. The report also noted that the authorisation standards for payment firm entry into the financial system were variable, including inconsistent assessment of AML programs. Regulations around virtual assets (including crypto) continue to be an issue, as evidenced by a recent survey conducted by FATF that indicated 75% of jurisdictions are partially or non-compliant in their implementation of adequate risk identification and mitigation measures for virtual asset service providers.6
Timing of cash flows and market conditions are other major liquidity risk factors, as is increased capital risk that can arise from fast expansion, investment in new technology, regulatory requirements, and credit risk correlated to customers defaulting on their payments.7
Consumer demand for cashless payment options, magnified by the COVID-19 pandemic and coupled with regulatory pressure to reduce the ML/TF risk posed by cash, has seen an increasing number of industries going cashless.
With the rise of ransomware attacks, data breaches and scams, regulatory guidance has put the onus on Payment Service Providers (PSPs) to ensure adequate risk management is in place to safeguard customers and the payment system.
The payments technology landscape faces a large quantum of risk factors. Technology-driven PSPs tend to focus primarily on delivering a convenient, fast, frictionless, and innovative customer experience. This focus can sometimes mean that comprehensive design and implementation of all regulatory obligations, particularly risk-based ones, may be somewhat of an afterthought, rather than fundamental to product and service design and delivery. Another recent risk has been reputational, with interest seen from short sellers, or market participants, in analysing publicly listed payment firms and making allegations of fraud, mismanagement of information, false accounting etc.
Some of the key risk factors highlighted by global regulators include:
1. Less rigorous fraud/financial crime programs and culture of compliance. New PSPs generally have less mature financial crime programs. The increased presence of fraud associated with payment technology providers as compared to traditional payments businesses is evidenced in recent cases such as BitMEX8, and Payza9.
2. The rapid pace at which payments technology changes. Using traditional forms of regulation, it can be difficult for payment firms and regulators to keep up with the rapid rate of technological change and attendant risks in the payments landscape.10
3. Vulnerability to major data breaches and cybersecurity risks. Breaches of privacy and data security can cause identity theft, harm to financial records, fraud, and other risks.
4. The scale of investment to run risk management/compliance imperatives over business. In times of economic downturn, the volume of payments will decline and may lead to reduced investments in risk management and personnel capability and capacity. Typically, ML/TF risk management requires increased funding to deliver and sustain ‘good’ compliance outcomes. Western Union, a global payments provider, reported in 2018 that it spends over US$ 200 million on compliance activities.11 Smaller and emerging PSPs will be challenged to build the scale required to sustain the right level of investment in these activities.
5. Limited protections for consumers from a financial harm and fraud/loss perspective. Some new payment products such as Buy Now Pay Later (BNPL) have traditionally not been subject to consumer protections, leading to hardship for consumers.12
6. Lack of transparency. Payment technologies can be designed to provide bad actors with anonymity or pseudonymity, e.g., synthetic account takeover, which increases the difficulty for the firms themselves and law enforcement agencies to detect and investigate suspicious transactions.
7. Increasingly complex commercial value chains. Open Banking, emerging technology and overlay services, including those to merchants, have introduced an ever-increasing number of parties and services to payment value chains, increasing the complexity of risk management.
8. Cross-border payments. Online payment technologies may facilitate cross-border transactions, which introduce additional risk factors related to different legal and regulatory regimes, currency exchange/controls, and political instability.
Reflecting on concerns that many payment firms do not have sufficient controls, the UK’s Financial Conduct Authority (FCA) has recently set financial crime outcomes for payment firms13. We summarise here those relating to ML/TF and fraud, as follows:
Priority 1: Money Laundering & Sanctions. Firms must have systems and controls in place to identify, assess, monitor, and manage ML/TF risk and sanctions risk which are thorough and proportional to the nature, scale, and complexity of a firm’s activities. Common issues include:
a. Failure to carry out and/or to evidence adequate KYC/due diligence
b. Failure to regularly review and refresh risk assessments and control frameworks
c. Failure to conduct appropriate risk-based enhanced due diligence
d. Failure to ensure consistency and completeness of data being sent to a third-party for screening
Actions to take include regular reviews to assess your business's compliance with AML obligations and sanctions requirements, including identifying as your business grows over time.
Priority 2: Fraud. It is essential that firms act to address weaknesses in their systems and controls to prevent fraud. The common issues around fraud include a lack of engagement with industry bodies, payment providers having inadequate anti-fraud systems and controls, and a high proportion of customer accounts being used to receive illicit funds. Appropriate measures to prevent customers from experiencing fraud and businesses receiving illicit funds include regularly reviewing your business's risk appetite statements, policies, procedures, and fraud prevention systems and controls.
Whilst advancements in technology have had their own impacts on global payment modalities, there have been, and continue to be, significant regulatory and structural changes in the payments environment. A recent example in Australia is the launch of a Strategic Plan for Australia’s Payments System and two consultation papers on the underlying payment regulations. It recognises that Australia lags other leading countries with financial service hubs, and needs, for competitive purposes, to update its payment infrastructure and regulations to ensure that this key tenet of the financial system is in line with leading overseas practices.
With a unique combination of expertise, local and global experience, deep understanding of the drivers of the AML/CTF regime in Australia, and value through proven global methodologies, tools, and deep networks, we can help with assessing the fitness of payment schemes to withstand these risks, conducting due diligence on participants joining a payment scheme and providing a range of services including:
To learn more about Deloitte’s financial crime solutions, please click here.