At present, EU firms are able to use SDD on customers that are deemed to have a low enough level of risk associated with them. This allows firms to postpone verifying a customer’s identity until their level of risk changes (as they make updates to their customer information or use of product). Critically, SDD is currently not limited by a threshold of any kind for many EEA countries. There are no thresholds on transactions, topping-up eWallets, withdrawals or any other financial operations. As stated in the Fourth Money Laundering Directive (4MLD) guidelines: “Where a Member State or an obliged entity identifies areas of lower risk, that Member State may allow obliged entities to apply simplified customer due diligence measures.”
However, the European Banking Authority (EBA) are planning to change this. The EBA have stated that in terms of SDD, European firms may only postpone “the verification of the customer’s or beneficial owner’s identity to a certain later date after the establishment of the relationship or until a certain (low) monetary threshold is exceeded (whichever occurs first).” It goes on to say that the monetary threshold should not exceed €250 if the product can be used in other jurisdictions or for cross-border transactions, or €500 if it can be used only domestically.
Put simply, even for customers that are considered to carry the lowest risk, further Due Diligence would have to be applied once these thresholds had been hit. Countries are able to interpret directives in different ways, meaning firms may choose to stick with their own nationally implemented legislation of 4MLD. However, they will not be able to operate within countries that have adopted the EBA guidelines, causing significant challenges for cross-border businesses.
The Electronic Money Association (EMA) has raised concerns over this decision, as it fears the change in regulation will be detrimental to the success of eMoney businesses. A summary of the key arguments made by the EMA is found below:
The Guidelines derive their authority from, and are therefore subordinate to, the 4MLD. By changing a core aspect of the Directive, such as proposing to remove a risk-based approach in reference to customer due diligence requirements, the EBA is overstepping its remit.
The new thresholds go against the central concept of the 4MLD’s risk-based approach - that risk management should be a holistic process, including analysis of the product, jurisdictions and nature of the business. This approach goes far further than just limits.
There is no evidence that SDD has actually led to failures in risk management.
However, whilst there are definitely grounds for thinking that the proposed thresholds are incompatible with the directive, fighting to continue with the status quo may not be the most progressive solution.
Along with the request to remove the new thresholds, the EMA is currently in discussions with the EBA as to how firms can verify customers using innovation, as opposed to the traditional identity and address verification documents. Paybase has always maintained a tech-first, innovation-driven approach and is currently using, or exploring the use of, the following methods:
IP address mapping: Identifying customers by their unique IP address and gaining insight into their location. This makes it simpler for suspicious activity to be identified, as the location of customers during transactions is known, as opposed to simply knowing the address their card is linked to.
Device check: Raising an alert if the device being used has suddenly changed, indicating that the account may have been compromised.
Address Verification System (AVS) check: A more established form of identity check, AVS checks that the address provided matches with the address associated with the debit/credit card in question.
Bank Account Verification: Ensuring that bank account information is unique within the system and/or verifying the information provided by the customer with the issuer via a third party.
Dynamic customer risk scoring: Automatically calculating and adjusting a customer’s risk based on their activity.
Sophisticated transaction rules: Implementing rules to block, pause or create alerts on transactions based on risk. Using state-of-the-art AI technology, these rules can be trained to detect unusual activity more accurately than ever before.
System-wide risk categorisation: Identifying risky entities such as addresses, cards and bank accounts, and preventing customers that own them from abusing systems.
These are just a selection of innovation-driven methods sent to the EBA as potential alternatives to using thresholds in SDD. Whilst discussions between the organisations are still ongoing, the EBA have stated that using methods such as these may actually amount to full Customer Due Diligence.
If the EBA upholds its high valuation of these methods, the matter of the thresholds being removed or not becomes somewhat irrelevant for innovation-driven businesses such as Paybase. Our customers won’t have to worry about expanding into Europe and can benefit from an increased level of Due Diligence on their customers and merchants. This is at no extra cost, with nothing additional required from them.
Due Diligence, however, is only one area of compliance in which we are using innovative technology. Our custom-built Logic Engine allows us to create risk-management rules for our customers that are appropriate for their business. If they are a marketplace, they may wish to block transactions over £200 for users that have joined within the past 24 hours, but permit transactions over £500 for more established users, for example.
Similarly, they may decide to block card details that are linked to another user or prevent the same address being added more than twice. Whatever the rules, we work with our customers to create a risk management framework that is suited to their business model. Through this, we are maintaining the original holistic approach to risk that was encouraged in 4MLD.
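The marketplace rules described above can be written as a small rule set. This is an added illustration, not code from the Paybase Logic Engine: the class, function names and demo key are hypothetical, and it assumes "established" simply means an account older than 24 hours, which is then exempt from the £200 cap.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

NEW_ACCOUNT_WINDOW = timedelta(hours=24)   # "joined within the past 24 hours"
NEW_ACCOUNT_LIMIT_GBP = 200                # cap from the marketplace example above
MAX_ADDRESS_USES = 2                       # same address may be added at most twice
FINGERPRINT_KEY = b"constructed-demo-key"  # placeholder; a real key lives in a secrets store


class RiskRules:
    """Hypothetical rule set; state is kept in memory for the example."""

    def __init__(self):
        self.card_owner = {}                  # card fingerprint -> first user id seen
        self.address_uses = defaultdict(int)  # normalised address -> times added

    @staticmethod
    def card_fingerprint(pan):
        # Keyed hash: cards can be matched across users without storing the number.
        digits = "".join(ch for ch in pan if ch.isdigit())
        return hmac.new(FINGERPRINT_KEY, digits.encode(), hashlib.sha256).hexdigest()

    def check_payment(self, joined_at, amount_gbp, now):
        """Block payments above the cap from accounts younger than the window."""
        if now - joined_at < NEW_ACCOUNT_WINDOW and amount_gbp > NEW_ACCOUNT_LIMIT_GBP:
            return ("block", "new-account limit")
        return ("allow", "")

    def add_card(self, user_id, pan):
        """Block a card whose fingerprint already belongs to a different user."""
        owner = self.card_owner.setdefault(self.card_fingerprint(pan), user_id)
        if owner != user_id:
            return ("block", "card linked to another user")
        return ("allow", "")

    def add_address(self, address):
        """Block the third and later additions of the same address."""
        # Normalise case, commas and spacing so trivial variants count as one address.
        key = " ".join(address.lower().replace(",", " ").split())
        if self.address_uses[key] >= MAX_ADDRESS_USES:
            return ("block", "address reuse limit")
        self.address_uses[key] += 1
        return ("allow", "")
```

Each check returns a decision and a reason, so a blocked action can be logged and reviewed rather than silently dropped.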
Paybase supports the EMA in its approach towards the potential new thresholds and hopes that they are removed from the EBA’s guidance. That being said, we also note that an innovation-driven approach to compliance allows you to not only ensure that your customers are covered when regulations are inevitably updated, but offer them so much more.
Originally posted at Verdict Payments.