Showing posts with label Fintechs. Show all posts
Showing posts with label Fintechs. Show all posts

Sunday, 30 May 2021

Lithuania: Supervisory Challenges on (Non Bank) PI & EMI Payment Activity in Centrolink

Hang On, Speedy

As highlighted in the previous post, following explosive growth, in 2020 non bank PI & EMI accounted for
  • 86% of the number of transactions in Centrolink

  • 69% of the total value of all transactions, and

  • represented 87% of Centrolink participants.

What are the specific risk characteristics of PI & EMI business that pose challenges for the authorities?

  1. Explosive growth in number and aggregate value of transactions

  2. Non bank entities predominate

  3. Centrolink transactions are now primarily “offshore” business in two senses:

    • In the majority of cases, both sides of the payment are “outside” Lithuania, e.g., the by-order party and the beneficiary

    • Up to 70% of PI & EMI clients are from offshore centers

  1. Customer vetting may be inadequate given “remote” CDD (customer due diligence)

  2. Centrolink is an attractive gateway to 36 countries in Europe.

  3. Risk issues thus transcend Lithuania’s borders.

I don’t need to say much about the issue of explosive growth.

The more trees in the forest, the harder to find Robin or any other hoods.

As regards non bank FI’s perceived greater risk, some general comments.

The failure of a large bank or group of banks poses a systemic risk to the financial system and economy.

In contrast the failure of a money exchange firm or a payments processor (think PI or EMI) is likely to have much less of an impact.

As a result, banks are more strictly regulated and more strictly monitored than other FIs.

Non-bank FI policies and procedures, internal control systems, etc. are often less rigorous and less rigorously implemented.

Part of this is due to less developed and onerous regulations on them. No need to have as elaborate structures as banks.

Economics and size also have an impact.

The fact that monitoring is often “lighter” can also play a role: no one is watching.

We can use the 2020 Lithuanian National Risk Assessment of Money Laundering and Terrorist Financing (NRA) to assess the risks outlined above.

Page numbers below refer to the NRA unless another document is cited.

Let’s start by looking at potential weaknesses in PI/EMI policies and procedures and implementation thereof.

Weakness in PI and EMI Licensees AML/CFT Risk Assessments and Monitoring

According to the NRA (page 38)

Due to the fact that many of the clients are non-resident or from offshore countries, the companies have difficulties to identify the clients in reliable and independent sources. The due diligence and transaction monitoring systems are less effective than the ones used in the banking sector, as most of the businesses are new and focus on increasing clients’ portfolio instead of AML/CFT regulatory compliance. Most institutions have not yet performed organization-wide risks assessments to identify the risks based on five factors (geographies, customers, products or services, delivery channels, other qualitative risks). Next to that, not all institutions perform the retrospective transaction monitoring.


Wide ranging deficiencies across a critical set of control areas.

Suspiciously” Low Volumes of Suspicious Transaction Reports (STRs)

The data in the annual reports of the Ministry of Interior’s Financial Crimes Investigate Service Money Laundering and Terrorist Financing Prevention Board (ML&TFPB) is more detailed and current than that in the NRA. So I’ll use that information.

Here is a link to the 2018 Annual Report. Here is the 2019 Annual Report.

And here is the 2020 Annual Report.

The tables below are based on data from these three reports.

If you know anything about STRs, you’ve probably heard that FI’s prepare these primarily for CYA purposes and generate excessive numbers that overwhelm the authorities’ ability to make use of them.

These statements are often correct.

So why am I focused on the number of STRs?

I’m not.

Rather I want to compare 

  • STRs from the PI & EMI sector to that from banks and  
  • STRs of each sector as percentage of transactions processed by that sector.

When a particular segment of FI’s has a relatively low number of STRs or scores low on the above two metrics, it’s not unreasonable to assume that that segment’s transaction monitoring procedures are less than robust.

If a particular institution scores low on all three measures, that’s also a red flag in most cases.

These metrics are not conclusive. There may be very good reasons for differences.

At first blush the data seems to show definite progress. The PI & EMI sector is filing more reports. Fantastic growth! 2020 is more than 18x 2018.




Their percentage of total STRs is increasing smartly.




But as a percent of the number of transactions not so good.



As a percentage of transaction made, in 2020 banks submitted 3.5x the number of STRs that the PI & EMI institutions did!

As outlined above, the PI & EMI sector certainly appears to be conducting more risky business than the banks.

It’s, therefore, not unreasonable to expect that would have a higher percent than they do.

Their actual performance confirms NRA’s assessment of weakness in the PI/EMI AML/CFT.

Let’s turn to a feature in regulations that poses a risk.

Remote KYC/CDD Allowed for PI and EMI Licensees (page 38)

PI and EMI licensees are allowed to conduct “remote” know your customer/customer due diligence.

That is, the client need not be present in Lithuania. Approval is by review of documents submitted.

This is an even greater KYC issue because PI and EMI entities’ clients are primarily non residents.

And up to 70% of them are from offshore centers. (page 38).

That is a rather large red flag.

Adding to the risk is the fact that 97% of the value of all EMI and PI transactions in 2019 was conducted for legal entities not natural persons. (page 6 of the 2019 PI and EMI Activity Review).

Positively identifying the UBOs of private companies is a difficult endeavour, even more so for those formed in offshore jurisdictions.

In contrast, Lithuanian banks have been de-risking their exposure to foreign clients by reducing foreign client relationships and deposits.

As of 2020, Lithuanian banks had the lowest percentage of foreign corporate and natural person customers’ deposits in the Baltic region at 2.5% compared to Latvia (20,3%) and Estonia (7.3%). (Page 7 and 8).

Risks Associated with SEPA

Based on the average amount of 2020 Centrolink transactions (banks Euros 3,841 and the PI & EMI institutions Euros 1,423) and the ACH/BACS-like nature of Centrolink, you might well wonder if there is a real risk of significant illicit transactions.

To the first point, these are arithmetic averages. There could quite well be some fairly large value transactions among the 95.2 million total transactions processed in 2020.

To the second, while Centrolink processes Direct Debits and Direct Credits—that are likely to be small “ticket” items—it also processes payments similar to typical bank transfers.

There are two types of these transfers:

  1. A SEPA Instant Credit Transfer subject to a SEPA system limit of Euros 100,000 for each separate transaction. With promised completion (delivery to the beneficiary’s bank) 10 seconds after release! Note this timing doesn’t apply in all 36 of SEPA countries.

  2. A SEPA Credit Transfer subject to a SEPA system limit of Euros 999,999,999,99. These transactions are completed at the earliest next business day after receipt.

Each bank sets its own SICT and SCT limit for each customer both for individual as well as aggregate transactions. That would include Centrolink DP’s for IDP’s they accepted as clients.

SCT limits of Euros 1 billion are likely to be rare indeed. And not just in Lithuania.

SCIT and SCT “straight” payments and likely transactions limits make it possible to move significant amounts through Centrolink into the SEPA.

Monitoring systems to detect suspicious transactions would therefore be in competition with the creativity of illicit actors to disguise them. 

The offshore nature of Lithuania payment activity makes this a harder “race”.

Wednesday, 26 May 2021

Non Bank “Fintech” Payment Activity in Lithuania’s Centrolink

 


As mentioned in the previous post, the Central Bank of Lithuania (CBOL) allows non bank “fintech” entities holding PI (Payment Institution) or EMI (Electronic Money Institution) license Indirect access to Centrolink.

Access is subject to

  1. CBOL approval and

  2. the license holder agreeing terms with a Centrolink Direct Participant.

CBOL approval is not automatic. As mentioned in the last post, as of 2019 the CBOL had restricted the activities of 18 of these license holders.

Once approved, a Lithuanian PI or EMI licensee is able to make Euro payments across the SEPA – some 36 countries. Not just the EU (eurozone) but the EU-28 and then beyond!

These licenses also automatically confer the right to offer the licensed services within the EU/EEA without further licensing requirements, including from other countries. Think of it as a “passport”.

The CBOL also requires that local commercial banks inform it whenever they refuse to open an account for a PI or EMI and the reason why. 

This is to ensure that PI and EMI license holders are not denied accounts unless there is a good reason.

Why is this important?

Two reasons.

First, it's hard to conduct business without a bank account.

Second, a local account is needed to access Lithuania's Centrolink.

Most payments in national systems (including transfers to beneficiaries in other countries) are made in “central bank” money so the entity making or receiving a payment must have a settlement account with the local central bank. In this case with CBOL.

Entities like PI or EMI license holders generally would not qualify to hold accounts at a central bank. 

So they would need to have accounts at commercial banks through which they could indirectly access the payment system.

As per Centrolink's operating rules, there are two classes of participants:

  • Direct Participants (“DPs”): FIs that have an account with the CBOL and are connected to Centrolink. That means, they are able to directly input payments and receive credits from Centrolink from/to their accounts at the CBOL.

  • Indirect Participants (“IDPs”): FIs that do not have an account with the CBOL and are not connected to Centrolink. That means that they must submit their payments to a DP and received credits from the system to their account with the DP. but instead have an account with a Direct Participant. (Paragraph 16 of Operating Rules).

As per the CBOL’s website, there are 19 Direct Participants, including the CBOL. Thus, from the statistics published by the CBOL there would 118 Indirect Participants.

The CBOL has also made Centrolink economically attractive by keeping payment charges low with a reduction as recent as January this year.

You can find the current list of fees at Tab IV Service Fees on the CBOL website.

IDPs no doubt pay fees to the DPs fees for the services provided them.

As demonstrated by the charts below, PI and EMI payment activity through Centrolink dominates that of the commercial bank sector both in number of and euro value of transactions








PI and EMI fintechs are also the overwhelming majority of entities participating in Centrolink. I suspect the difference between the information above and the chart below is due to difference between the dates of the reports, e.g., 2020 versus 2021.


In the next post, we will take a look at the challenges posed to the CBOL and other regulators by this activity.

If you would like more detail on what SEPA is, please see the comment to the first post.