 |
| Hang On, Speedy |
As
highlighted in the previous
post,
following explosive growth, in 2020 non bank PI & EMI accounted
for
86%
of the number of transactions in
Centrolink
69%
of the total value
of all transactions,
and
represented
87% of Centrolink
participants.
What
are the specific risk characteristics of PI & EMI business that
pose challenges for the authorities?
Explosive
growth
in number and aggregate value of transactions
Non
bank
entities predominate
Centrolink
transactions
are
now primarily “offshore”
business
in two senses:
In
the majority of cases, both sides of the payment are “outside”
Lithuania, e.g., the by-order party and the beneficiary
Up
to 70% of PI & EMI clients are
from
offshore centers
Customer
vetting may be inadequate
given “remote” CDD
(customer
due diligence)
Centrolink
is an attractive gateway to 36 countries in Europe.
Risk
issues thus transcend Lithuania’s borders.
I
don’t need to say much about the issue of explosive growth.
The
more trees in the forest, the harder to find Robin or
any other hoods.
As
regards non bank FI’s perceived greater risk, some
general comments.
The
failure of a large bank or group of banks poses a systemic risk to
the financial system and economy.
In
contrast the failure of a money exchange firm or a payments processor
(think PI or EMI) is likely to have much less of an impact.
As
a result, banks are more strictly regulated and more strictly
monitored than other
FIs.
Non-bank
FI policies and procedures, internal control systems, etc. are often
less rigorous and less rigorously implemented.
Part
of this is due to less developed and onerous regulations on them. No
need to have as elaborate structures as banks.
Economics
and size also have
an impact.
The
fact that monitoring is often “lighter” can also play a role: no
one is watching.
We
can use the 2020
Lithuanian National Risk Assessment of Money Laundering and Terrorist
Financing (NRA)
to
assess the risks outlined above.
Page
numbers below refer to the NRA unless another document is cited.
Let’s
start by looking at potential weaknesses in PI/EMI policies and
procedures and implementation thereof.
Weakness
in PI and EMI Licensees AML/CFT Risk Assessments and Monitoring
According
to the NRA (page 38)
Due
to the fact that many of the clients are non-resident or from
offshore countries, the companies have difficulties to identify the
clients in reliable and independent sources. The due diligence and
transaction monitoring systems are less effective than the ones used
in the banking sector, as most of the businesses are new and focus on
increasing clients’ portfolio instead of AML/CFT regulatory
compliance. Most institutions have not yet performed
organization-wide risks assessments to identify the risks based on
five factors (geographies, customers, products or services, delivery
channels, other qualitative risks). Next to that, not all
institutions perform the retrospective transaction
monitoring.
Wide
ranging deficiencies across a critical set of control areas.
“Suspiciously”
Low Volumes of Suspicious Transaction Reports (STRs)
The
data in the annual reports of the Ministry of Interior’s Financial
Crimes Investigate Service Money Laundering and Terrorist Financing
Prevention Board (ML&TFPB) is more detailed and current than that
in the NRA. So
I’ll use that information.
Here
is a link to the 2018
Annual Report.
Here is the 2019
Annual Report.
And
here is the 2020
Annual Report.
The
tables below are based on data from these three reports.
If
you know anything about STRs, you’ve probably heard that FI’s
prepare these primarily for CYA purposes and generate excessive
numbers that overwhelm the authorities’ ability to make use of
them.
These
statements are often correct.
So
why am I focused on the number of STRs?
I’m
not.
Rather
I want to compare
- STRs from the PI & EMI
sector to that from banks and
- STRs of each sector as
percentage of transactions processed
by that sector.
When
a particular segment of FI’s has a relatively low number of STRs or
scores low on the above two metrics, it’s not unreasonable to
assume that that segment’s transaction monitoring procedures are
less than robust.
If
a particular institution scores low on all three measures, that’s
also a red flag in most cases.
These
metrics are not conclusive. There may be very good reasons for
differences.
At
first blush the data seems to show definite progress. The PI &
EMI sector is filing more reports. Fantastic growth! 2020 is more
than 18x 2018.
Their
percentage of total STRs is increasing smartly.
But
as a percent of the number of transactions not so good.
As
a percentage of transaction made, in 2020 banks submitted 3.5x the
number of STRs that the PI & EMI institutions did!
As
outlined above, the PI & EMI sector certainly
appears to be
conducting more risky business than the banks.
It’s,
therefore, not unreasonable to expect that would have a higher
percent than they do.
Their
actual performance confirms NRA’s assessment of weakness in the
PI/EMI AML/CFT.
Let’s
turn to a feature in regulations that poses a risk.
Remote
KYC/CDD Allowed for PI and EMI Licensees (page
38)
PI
and EMI licensees are allowed to conduct “remote” know your
customer/customer due diligence.
That
is, the client need not be present in Lithuania. Approval is by
review of documents submitted.
This
is an even greater KYC issue because PI and EMI entities’ clients
are primarily non residents.
And
up to 70% of them are from offshore centers.
(page
38).
That
is a rather large red flag.
Adding
to the risk is the fact that 97% of the value of all EMI and PI
transactions in 2019 was conducted for legal entities not natural
persons. (page 6 of the 2019
PI and EMI Activity Review).
Positively
identifying the UBOs of private companies is a difficult endeavour,
even more so for those formed in offshore jurisdictions.
In
contrast, Lithuanian banks have been de-risking their exposure to
foreign clients by reducing foreign
client relationships
and deposits.
As
of 2020, Lithuanian banks had the lowest percentage of foreign
corporate and natural person customers’ deposits in the Baltic
region at 2.5% compared to Latvia (20,3%) and Estonia (7.3%). (Page 7
and 8).
Risks Associated with SEPA
Based
on the average amount
of 2020 Centrolink transactions (banks
Euros 3,841 and
the PI & EMI institutions Euros 1,423)
and the ACH/BACS-like nature of Centrolink, you might well wonder if
there is a real risk of significant
illicit transactions.
To
the first point, these are
arithmetic averages. There could quite well be some fairly large
value transactions among the 95.2 million total transactions
processed in 2020.
To
the second, while Centrolink processes
Direct Debits and Direct Credits—that
are likely to be small
“ticket” items—it also processes payments similar
to typical bank transfers.
There
are two types of these transfers:
A
SEPA Instant
Credit Transfer subject to a SEPA
system
limit of Euros 100,000 for each separate transaction. With promised
completion (delivery to the beneficiary’s bank) 10 seconds after
release! Note this timing
doesn’t apply in all 36 of SEPA countries.
A
SEPA Credit Transfer subject to a SEPA
system
limit of Euros 999,999,999,99. These transactions are completed at
the earliest next business day after receipt.
Each
bank sets
its own
SICT and SCT limit
for each
customer both for individual
as well as aggregate transactions.
That would include Centrolink DP’s for IDP’s they accepted as
clients.
SCT
limits of Euros 1 billion are
likely to be rare indeed.
And not just in Lithuania.
SCIT
and SCT “straight”
payments and likely transactions limits
make it possible
to move significant amounts through Centrolink
into the
SEPA.
Monitoring systems to detect
suspicious transactions would therefore be in competition with the
creativity of illicit actors to disguise them.
The offshore nature
of Lithuania payment activity makes this a harder “race”.
Posts
