Payment Service Providers (PSPs) are essential to the modern payments ecosystem. The connecting architecture a PSP provides ensures that merchants can more readily accept a broader range of payment options and that customers benefit from a great overall experience. The PSP connects merchants via a merchant account and a payment gateway; this connecting layer, however, places a PSP in the middle of a series of compliance risk scenarios and general challenges.
Eastnets explores some of the most pressing compliance risks affecting PSPs and how to overcome them.
The PSP and financial compliance
PSPs are a critical moving part of the payments ecosystem, with vendors such as PayPal, Stripe, and VaultsPay being integral to the seamless payment experiences that consumers expect. Geography plays a part in the regulations a PSP must abide by, but as many PSPs are international, these geographies are fuzzy. However, by understanding the risk scenarios, a PSP can create an environment that meets the requirements to comply with any financial regulation.
Major risk scenarios for a PSP
The following scenarios offer an insight into some of the biggest compliance-related risks that a PSP is likely to meet:
Not fit for purpose anti-money laundering processes
The European Banking Authority recently revealed that PSP processes on ML/TF (money laundering and terrorist financing) risks were inadequate, stating, "The AML/CFT internal controls in payment institutions do not seem robust enough to mitigate the ML/TF risks identified." One of the issues PSPs have is that they provide highly dynamic payment rails extending across a broad ecosystem. This leads to gaps in security.
The fix: Visibility across all the risk points within that ecosystem is challenging for the PSP. AML capability must be based on advanced, intelligent systems that provide real-time transaction monitoring and behavioral analytics, allowing suspicious behaviors to be identified quickly and accurately.
Stored Value Facilities (SVF) security gaps
A PSP payment function can include a Stored Value Facility (SVF): an SVF is a method that allows a customer to pay a sum of money to the SVF issuer, who then provides storage of that money, for example in a digital wallet. The money can be from a debit card, credit card, bank account transfer, crypto assets, etc., and a PSP is the ideal conduit for handling these transactions. The SVF could be crypto assets, reward points, or other values. In a report, the Hong Kong Monetary Authority identified that in the SVF sector, “pockets of higher ML/TF risks have emerged.” The authority identified the risk areas associated with SVF as “overseas cash withdrawal, cross-border remittance and person-to-person fund transfers, which may introduce higher vulnerability for illicit fund flows.”
The fix: Any PSP that hooks an SVF onto its service must be aware of the misuse of the device for nefarious ends. An SVF license will require that stringent anti-money laundering and counter-financing of terrorism (AML/CFT) controls are in place. However, the anti-financial crime solutions used to mitigate these risks must be intelligent enough to handle complex fraud chains and obfuscated money laundering transactions across borders.
Onboarding security gaps
The Federal Financial Institutions Examination Council (FFIEC) highlights the risk of fraud and money laundering with payment processors through ineffective KYC/CDD of merchant identities and business practices. However, onboarding must also be balanced with a seamless experience for merchants. Striking this balance introduces KYC/CDD compliance risks. Merchant onboarding extends KYC to KYCC (Know Your Customer's Customer).
The fix: Merchant risk management must be followed, and robust KYC processes that are balanced with smooth onboarding must be implemented. This should extend to the detection of shell companies, typically used to obfuscate money laundering activities. KYC solutions must abide by the FATF recommendations covering trade-based money laundering (TBML).
Monitoring of merchants and customers (RPS)
The merchants and their customers handled by a PSP add significant risk, and robust KYC/CDD processes are essential. However, the continued monitoring of merchants and customers is another layer needed to reduce system risk. Risks identified and prevented by monitoring of merchants include:
- The detection of suspicious activities that may reveal financial crime.
- Reduction in chargebacks. Merchant monitoring identifies potential fraud or compliance issues before they result in chargebacks.
The fix: Merchant monitoring involves regularly checking transactions and identifying potential risks or suspicious activity using behavioral analytics and AI. Robust KYC/CDD solutions that utilize behavioral analytics are another part of the overall puzzle of reducing compliance risk.
Instant payments have opened a compliance and risk challenge to a PSP, with the almost real-time availability of funds to a merchant. There are inherent risks with this instant movement of money, including identifying fraud or erroneous transactions in real time. Money launderers and financial criminals can take advantage of these instantaneous transactions.
The fix: PSPs must use intelligent anti-money laundering solutions that use AI to spot real-time transaction anomalies. Also, implementing the ISO 20022 standard improves data quality across borders, enabling AML/CFT checks to be made in real time.
Trade-based money laundering (TBML)
Trade-Based Money Laundering (TBML) is one of the most complex and sophisticated financial crimes impacting PSPs. As trade has become increasingly globalized and the payment system has expanded to provide global reach, this international trade has opened gaps in visibility around financial crime.
The fix: TBML results in risk indicators that can be used to identify potential financial crimes. However, these indicators are often difficult to spot due to the broad nature of international trade. Areas such as structural complexity, including multiple intermediaries and shell companies, can obfuscate fund flow. TBML and other complex financial crimes need an integrated approach to crime prevention and regulatory compliance. Solutions must combine real-time transaction monitoring, risk scoring, and enhanced due diligence. These capabilities must be AI-driven, including behavioral analytics, to tease out the complex web of transactions that define TBML.
Eastnets has built an integrated approach to tackling financial crime. Talk to our experts to see how Eastnets' anti-financial crime solutions can de-risk your PSP platform.