Comments to the report from the Commission on the application of Directive 2005/60/EC.

Transcription

1 To: European Commission DG Internal Market and Services B-1049 BRUSSELS Belgium By ( address: Waterloo, 11 June 2012 RE: Comments to the report from the Commission on the application of Directive 2005/60/EC. Dear Sir/ Madam, MasterCard Worldwide ( MasterCard ) 1 submits this comment letter in response to the report from the European Commission ( Commission ) to the European Parliament and the Council on the application of Directive 2005/60/EC on the prevention of the use of the financial system for purposes of money laundering and terrorist financing ( Report ). MasterCard appreciates the opportunity to offer its comments on certain issues raised in the Report. I. Introduction MasterCard shares the Commission s commitment to a strong and comprehensive regime that is at the forefront of the global fight against money laundering and terrorist financing, and safeguards the integrity of Europe s financial system. Consequently, MasterCard welcomes the endeavours of the Commission to protect the European financial system through a steady improvement of the anti-money laundering legal framework. Our comments on the Report are focussed on three issues raised in the Report, namely aspects related to (i) the application of a risk based approach ( RBA ), (ii) customer due diligence ( CDD ) requirements and (iii) the protection of personal data, as outlined below. In order to provide some background and context for our comments, we thought it may be useful to begin by providing some basic information about MasterCard and its products. II. Background on MasterCard and its products 1 MasterCard advances global commerce by providing a critical link among financial institutions and millions of businesses, cardholders and merchants worldwide. In the company s roles as a franchisor, processor and advisor, MasterCard develops and markets secure, convenient and rewarding payment solutions, seamlessly processes more than 23 billion payments each year and provides analysis and consulting services that drive business growth for its banking customers and merchants. With more than one billion cards issued through its family of brands, including MasterCard, Maestro and Cirrus, MasterCard serves consumers and businesses in more than 210 countries and territories, and is a partner to 21,000 of the world s leading financial institutions. With more than 32.9 million acceptance locations worldwide, no payment card is more widely accepted than MasterCard. 1

2 MasterCard is a global provider of payment products and technology. MasterCard owns the MasterCard family of brands and licenses financial institutions to use those brands when they conduct payment transactions. MasterCard also provides the networks through which these financial institutions interact to complete payment transactions, and sets certain rules regarding those interactions. MasterCard does not issue prepaid cards or other types of payment cards, nor does it contract with merchants to accept those cards. Those functions are performed by thousands of financial institutions located throughout the world. MasterCard refers to the financial institutions that issue payment cards bearing the MasterCard brands as card issuers. MasterCard refers to the financial institutions that enter into contracts with merchants to accept MasterCard-branded cards as acquirers. In parts of its business, MasterCard develops instruments which are used for cashless payment processes where money is stored in advance on a corresponding device ( prepaid cards ). The card issuers issue over 11 million prepaid cards across Europe that qualify as electronic money under the Directive 2009/110/EC. Certain of the prepaid cards issued by the card issuers trigger the simplified customer due diligence ( SDD ) regime as specified in article 11 (5) lit d) of Directive 2005/60/EC, as amended in article 19 (2) of Directive 2009/110/EC (The Directive 2005/60/EC as amended by the Directive 2009/110/EC, referred to as the Third AML Directive ). The prepaid cards issued under SDD fall broadly into two commercial categories: nonreloadable gift cards and restrictively reloadable general purpose cards. Commercially, gift cards fall under the category of e-money products subject to SDD that is; non-reloadable devices where a maximum amount of EUR 250 can be stored and which do not provide cash access. Gift cards are widely used in the EU market. The gift card market in Europe is estimated at EUR 10 billion and is projected to grow by 32 % over the next five years. General purpose reloadable prepaid cards fall into the other category of e-money products potentially subject to SDD, provided that the thresholds contained in the Third AML Directive are not exceeded that is; a limit of EUR 2,500 on the total amount transacted in a calendar year and a redemption of the stored funds not exceeding EUR 1,000 in the same calendar year. Prepaid products differ greatly as they have been developed to cater to a wide variety of customer needs. In light of the extensive use of MasterCard s products across the world, MasterCard does not tolerate the use of its programs, services or systems for money laundering, terrorist financing or any other illegal activities. MasterCard requires its financial service provider customers to abide by all applicable laws and the rigorous rules it has established to protect the integrity of its network and to prevent it from being used for illegal activities. Accordingly, MasterCard has developed and applies different measures and mechanisms to avoid the misuse of its products and services for money laundering and terrorist financing, both at the level of card issuers and acquirers and seeks that all of the card issuers, acquirers and/or franchise applicants comply with the rules and requirements set out by MasterCard. 2

3 III. Comments on the Commission s Report on the application of the Third AML Directive MasterCard shares the view of the Commission that the legal framework currently existing under the Third AML Directive does not show fundamental shortcomings and therefore farreaching changes to the Third AML Directive are not required. In particular, with a view to the RBA and CDD issues, the Third AML Directive is already in line with the FATF Recommendations on international standards on combating money laundering and the financing of terrorism and proliferation (the FATF Recommendations ). Accordingly, and considering the Commission s Report, changes to the Third AML Directive in relation to the RBA and CDD issues would mainly serve for clarification purposes. 1. Application of a Risk Based Approach (Section 2.1 of the Report) The application of a RBA i.e. the obligation to assess and understand any money laundering and terrorist financing risks by the country and/or the obligated parties (e.g. financial institutions) is both reflected in and expressly dealt with in the Third AML Directive. The creation of different levels of due diligence obligations reflects the assessment conducted by the European Union when preparing the Third AML Directive on certain types of transactions and the related risks. The implementation of such RBA is further reflected in the obligations imposed on the obligated parties such as financial institutions to systematically assess the potential money laundering or terrorist financing risk in any transaction, e.g. in Art. 8 (2) of the Third AML Directive. This provision requires the obligated parties under the Third AML Directive to put processes in place to counter money laundering and terrorist financing risks and to be able to demonstrate that the extent of the measures taken is appropriate. In this context, the Third AML Directive expressly refers to an assessment of the type of customer, business relationship, product and transaction. These requirements fit with the first FATF Recommendation requiring the assessment by financial institutions of money laundering risks in relation to customers, countries or geographic areas, products, services, transactions or delivery channels (Interpretative Note to FATF Recommendation No. 1) Furthermore and in accordance with the requirements of the FATF Recommendations, the Third AML Directive requires each Member State to establish a financial intelligence unit to effectively combat money laundering and terrorist financing (FATF Recommendation No. 29 & Art. 21 et seq. Third AML Directive). In the context of a contemplated broader application of the RBA and of the development of a common approach between the Member States it should be noted that the concept of an RBA requires case-by-case assessments, both in relation to countries and/or transactions. Thus, there is an inherent risk that rigid determination of SDD requirements/minimum measures, unless the special characteristics of each Member State are considered sufficiently, could undermine the purpose of a RBA. 2. Customer Due Diligence (Section 2.4 of the Report) 2.1 Regular Customer Due Diligence The Report notes that respondents to the Commission s review process have requested clarifications regarding the application of certain CDD requirements, and states that consideration is being given to reducing the EUR 1,000 threshold for Electronic Fund Transfers ( EFT ) in EC Regulation 1781/2006. MasterCard urges the Commission not to propose a reduction of the value threshold for EFTs. 3

4 Reducing the EUR 1,000 threshold could have the effect of driving a material amount of EFTs to cash, an outcome that would be inconsistent with the ability of financial institutions and law enforcement authorities to more readily trace payment transactions. Indeed, we note that a key concern identified in Regulation 1781/2006 was to balance the risk of driving transactions underground by imposing overly strict identification requirements against the potential terrorist threat posed by small transfers of funds. Also, reducing the current threshold could have an adverse effect on bringing un-banked and under-banked individuals in to the financial mainstream. The imposition of customer information collection requirements on lower value transactions could potentially serve as a disincentive for un-banked and under-banked consumers to look to financial institutions to meet their needs, such as for remittances or other types of EFTs. Finally, retention of the EUR 1,000 level would be consistent with the FATF Recommendations (Interpretative Note to FATF Recommendation No. 16). 2.2 Simplified Customer Due Diligence The Report further notes that discussions are being held regarding the range of SDD requirements in relation to certain types of customers or products. This concerns certain of the prepaid products developed by MasterCard. In this context the Report asks several questions to which MasterCard would like to provide its opinion Clarifying that SDD is not a full exemption from Customer Due Diligence MasterCard shares the view that the application of SDD shall not lead to a full exemption from CDD obligations. In this context, it should be highlighted that the European legal framework does not provide for a full exemption from CDD in the case of products where SDD applies. While Art. 11 (5) lit. d) of the Third AML Directive provides generally for the possibility to apply SDD for e- money products below the thresholds of EUR 250 for non-reloadable prepaid cards or EUR 2,500 for reloadable prepaid cards, this provision does not provide for a full exemption from CDD. This is made clear by the fact that the obligation pursuant Art. 7 lit. c) of the Third AML Directive to apply CDD in the case of a suspicion of money laundering or terrorist financing, regardless of any derogation, exemption or threshold is expressly not waived under Art. 11 (5) of the Third AML Directive. Thus, due diligence measures are always required under the Third AML Directive in order to assess whether there is a risk of money laundering or terrorist financing in the context of transactions. When clarifying that SDD is not a full exemption of CDD, the effect should not be to supplement the SDD requirements so as to make them identical to regular CDD. In particular, the Commission should consider that in relation to e-money products, the conduct of regular CDD measures and in particular the introduction of a systematic identification duty regardless of the product at hand would not be commensurate and would not consider the different applications and risks related to the wide variety of prepaid products. Furthermore, in considering amendments to the Third AML Directive and its provisions on CDD, a blanket approach based on viewing prepaid cards as a single product should be avoided. 4

5 In MasterCard s view, the following aspects should be considered in the context of the preparation of amendments to the Third AML Directive: a) Reloadable general purpose prepaid cards are an important tool in combating financial exclusion The functionality of these cards mirrors that of a basic bank account. Consumers can receive their salaries, send payments, purchase goods and services, and make cash withdrawals. In this way, a general purpose reloadable prepaid card issued under the SDD regime provides certain groups of consumers their only easy access to electronic payments and serves as a substitute to a basic bank account. Low income consumers struggle to meet the full CDD requirements. These consumers often do not have third party verification of addresses and multiple forms of identification. The SDD regime allows these consumers to easily obtain an entry-level basic banking substitute. Low income consumers may also have access issues that are solved by a prepaid card issued under the SDD regime. Low income consumers have difficulty taking time off from work to visit bank branches which are often not located in low income neighbourhoods. Prepaid cards issued under the SDD regime can be sold in retail outlets, like corner shops, and SDD completed over the phone or online. Consumers experiencing financial hardship use these cards as budgeting tools, loading small amounts of money as a monthly budget with no risk of indebtness. These consumers may also have difficulty meeting the CDD requirements for the reasons above. Additionally, young consumers can also have difficulty meeting the CDD requirements. Prepaid cards are a popular choice for young people and are increasingly the method of choice for payments related to emerging products like mobile phones. b) The money laundering and terrorist financing risks linked to low value prepaid cards products is low In relation to gift cards, money laundering and terrorist financing risks appear very low. The EUR 250 threshold makes non-reloadable gift cards an unattractive and inefficient instrument for purposes of money laundering and terrorist financing. MasterCard further reduces the already low risk of the use of gift cards for criminal offences, including money laundering, by requiring that these products are only redeemed for services or merchandise and restricts cash access such as ATM withdrawals. In relation to reloadable general purpose prepaid cards the money laundering risks also appear to be low. The limit of EUR 2,500 p.a. is inadequate for criminal purposes aimed at the movement of funds resulting from illegal activities. Notwithstanding this limit, it should be highlighted that according to the Third AML Directive, SDD will apply to such products only to the extent that the moneys stored on the prepaid card are not redeemed within a calendar year in an amount exceeding EUR 1,000. With this threshold, the existing legal framework further limits the risks of money laundering and terrorist financing. Furthermore, card issuers can more easily monitor and report to law enforcement suspicious behaviours associated with transactions executed with such cards, as card issuers are required to develop and implement monitoring systems allowing the identification of suspicious transactions, regardless whether the holder of a prepaid card is identified or not. As a cash replacement, prepaid e-money products help combat the shadow economy by shifting cash transactions to electronic transactions. They are replacing cash transactions which are not only anonymous but also not traceable. Through the cash displacement to electronic transactions (whether it s gift cards replacing cash presents, the financially excluded moving from cash to electronic payments, or travelers using prepaid travel cards instead of cash when abroad), prepaid products help reduce the risks related to money laundering or terrorist financing. 5

6 c) The accentuation of CDD obligations in relation to prepaid products with low money laundering and terrorist financing risks would have negative economic impacts In addition to the financial inclusion benefits of reloadable prepaid cards described above, gift cards are an important product for both consumers and merchants, representing increasing economic activity. The gift card market in Europe is estimated at 10 billion Euros and is projected to grow by 32 % over the next five years. In a legislative process amending the Third AML Directive the low money laundering risks and the fact that prepaid cards, in particular gift cards, have become an integral part of the daily business activities of merchants and consumers should be considered in order to avoid measures which could lead to the abolition of such products if their handling becomes disproportionally difficult. Studies have shown that: Consumers like the convenience of gift cards, as they remove the anxiety of selecting an unwanted gift. Gift cards are easy to give, whether purchased as a piece of plastic at a retail outlet or online as a virtual gift card. Gift cards can even be delivered to a mobile phone. Merchants see gift cards as a good business opportunity. Gift cards allow the merchant to reinforce their brand with consumers and many studies show that consumers spend more than the value of the gift card when they redeem it at the merchant. Gift cards are much harder to counterfeit than paper gift vouchers resulting in a cost saving for the merchant. Some companies use gift cards as incentives for employees in recognition of performance, etc Whether the Directive should set out the risk factors that need to be taken into consideration when determining if SDD is appropriate, or whether it should provide specific examples of when SDD might apply. MasterCard believes that generally the risk factors for electronic payments are sufficiently clear, particularly as they relate to electronic money (Directive 2009/110/EC). In any event, setting out risk factors should not happen in an exhaustive and absolute manner as this would conflict with the RBA requested by the FATF Recommendations. Such RBA requires an assessment of the money laundering risks by the obligated party at sub national level, such as financial institutions, in the context of the specific transactions in day to-day business. In order to cope with and allow such single case assessment, any risk factors set out in the Directive should neither be exhaustive nor automatically lead to the assumption of money laundering and terrorist financing. The RBA requires that SDD measures should be tailored for each specific product and associated risk. Notwithstanding the above, MasterCard believes that SDD is appropriate for low-value (e.g., under EUR 2,500) prepaid products. The limit of EUR 2,500, along with the specific controls in place with these products, make these products inadequate for criminal purposes aimed at the movement of significant funds resulting from illegal activities. MasterCard strongly encourages the Commission to propose revising the Directive to specifically provide that such cards are an example of a financial product where SDD is appropriate. MasterCard believes that applying any CDD requirements beyond SDD to these types of cards would create burdens on payment system participants, including consumers, that outweigh the corresponding anti-money laundering and counter-terrorist financing benefits. In addition, non reloadable prepaid cards that do not provide cash access and where the maximum 6

7 amount is 250, should continue to be exempt from SDD standards, as the significant limitations of such cards make them unattractive and inefficient instruments for money laundering and terrorist financing Whether further guidance on risk factors should be elaborated (for example by the AML Committee in the case of the financial sector). MasterCard believes that no further guidance on risk factors is necessary. As set out above under any guidance on risk factors should avoid establishing a rigid pre-assessment of transactions, as this would contradict the RBA carried out by financial institutions requiring an assessment and understanding of potential risks in specific transactions Whether to specify (either in the Directive or via guidance) a minimum set of measures that have to be taken by the obliged entities in SDD situations. In the case of non-reloadable devices with a maximum load of EUR 250, MasterCard believes that the risk of money laundering is so small that no minimum set of measures is warranted. In the case of reloadable devices with an annual load limit of EUR 2,500, any minimum set of measures must take into account both the low risk of money laundering and the vital position that this product holds in the wallets of previously financially excluded consumers. Any measures must be designed to continue to permit the financially excluded to access these products. Generally speaking, MasterCard believes that the establishment of particular SDD measures across a broad range of financial products or transaction types would be overly prescriptive and inconsistent within the context of the contemplated broader application of an RBA to money laundering and terrorist financing across Member States. MasterCard also believes that the existing RBA outlined in the Directive is consistent with the most recent iteration of the FATF Recommendations and that to specify particular SDD measures would be inconsistent with the RBA approach established under the FATF Recommendations. 3. Protection of Personal Data (Section 2.14 of the Report) As the global economy continues to generate and consume information and data, multinational businesses face increasing demands to provide data to various governmental authorities in jurisdictions with varying data protection laws and requirements. Most of the data requests from third country governmental authorities are justified on the grounds of national laws aimed at the prevention of money laundering and the fight against terrorist financing. Under the current Directive 1995/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Directive ), businesses are facing serious restrictions to the disclosure and transfer of personal data to third country public authorities, including for anti money laundering and fight against terrorist financing purposes. For instance: Legal basis: Data controllers may only disclose personal data to third parties on unambiguous consent from the individual concerned or if a statutory exception applies, such as the fulfilment of a legal obligation. As regards a legal obligation, European data protection authorities have taken the position that an obligation imposed by a foreign legal statute or regulation... may not qualify as a legal obligation by virtue of which data processing in the European Union would be made 7

8 legitimate. Any other interpretation would make it easy for foreign rules to circumvent the EU rules laid down in the Directive. 2. Consequently, without express consent of the individual concerned, and in the absence of a statutory exception, providing data to a foreign public authority would constitute a breach of the Data Protection Directive. Data transfers: Personal data may not be transferred outside of the European Economic Area unless the receiving country is deemed by the Commission to have an adequate level of data protection. If not, the data transfer would violate the Data Protection Directive, without the data subjects unambiguous consent or a statutory exception, such as when the transfer is necessary on important public interest grounds or for the establishment, exercise or defence of legal claims. Here again, the European data protection authorities take the view that this should not apply to obligations under foreign laws 3. Hence, data transfers to public authorities of a country which is not deemed by the Commission to have an adequate level of data protection would constitute a breach of the Data Protection Directive. In addition, European data protection authorities have expressed in recent high profile cases, in particular the SWIFT-case 4, that if data controllers receive demands for disclosures of personal data from foreign authorities, they should inform European Union authorities prior to such disclosures. Businesses are thus often caught in an inextricable conflict of laws, subject to the obligation to communicate the requested data to third country public authorities in the context of anti money laundering and/or fight against terrorist financing investigations on the one hand, and the obligation to refrain from transferring such data pursuant to the Data Protection Directive on the other. As acknowledged by the Report from the Commission data protection principles should be taken into consideration when revising the Third AML Directive. This revision offers a unique opportunity to reconcile both the anti money laundering and fight against terrorist financing purposes and data protection interests by expressly legitimizing disclosures and transfers of personal data to third country public authorities for anti money laundering and fight against terrorist financing purposes, possibly subject to strict conditions to be defined (e.g. data minimization and data security). Again, MasterCard appreciates the opportunity to provide comments on the Report. If you have any questions regarding our comments, please do not hesitate to contact the undersigned per at mikael_svensson@mastercard.com or per telephone under Article 29 Working Party, Opinion 1/2006 on the application of the EU data protection rules to internal whistleblowing schemes in the fields of accounting, internal accounting controls, auditing matters, fight against, banking and financial crime, adopted on 1 February They state that the drafters of the Directive clearly did envisage that only important public interests identified as such by the national legislation applicable to data controllers established in the EU are valid in this connection. Any other interpretation would make it easy for a foreign authority to circumvent the requirement for adequate protection in the recipient country laid down in the Directive. Article 29 Working Party, Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), adopted on 22 November Furthermore, the European data protection authorities have taken the position that it does not seem acceptable that a unilateral decision taken by a third country for reasons of its own public interest should lead to the routine and wholesale transfer of data protected under the Directive. Article 29 Working Party, Opinion 6/2002 on transmission of Passenger Manifest Information and other data from Airlines to the United States, adopted on 24 October For further information regarding the SWIFT-case, we refer to the Article 29 Working Party Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT) adopted on 22 November 2006 and the Belgian Data Protection Authority s decision regarding the SWIFT-case of 9 December

9 Sincerely, 9