
Wednesday, 29 May 2024

Virtual IBANs (vIBANs) Explained

The European Banking Authority has put together a helpful overview of the six main ways that virtual International Bank Account Numbers (vIBANs) are being issued and used throughout Europe (and the UK). The EBA clarification is welcome, as there is confusion as to whether a vIBAN represents/creates a corresponding payment account, or just operates as a unique reference number to track payments. Not only does this confusion fail to fix underlying problems, such as IBAN discrimination, but it can also trigger many other compliance and commercial challenges. There is also concern as to whether vIBAN schemes are adequately supervised and transparent, including from a financial crime standpoint... Please let me know if I can help you navigate any issues you have regarding vIBANs under existing regulation, or under the proposed controls relating to them.

What's a vIBAN?

You will likely have seen your own unique IBAN - the string of letters and numbers that relates to your current account (the most common type of payment account). IBANs are used in about 80 countries, including the UK and EU, and each IBAN has some letters to denote the country where the bank account is based. They are usually used for international or 'cross border' payments, instead of the 'account number and sort code' for domestic payments. 

Tracking incoming payments is not really a consumer problem, but some businesses need to receive many payments from many different customers into one current account (to pay for, say, purchases or deposits). Usually, the business gives each customer a unique reference number to include in each payment order, along with the bank account number, so the company knows who paid. The trouble is that many customers don't include their unique reference number when making the payment from their bank, so the business receiving the payment has to spend time figuring out ('reconciling') who made the payment while the funds sit in 'suspense'. That means extra cost and delay in processing transactions, and that's usually a problem for both the business and the customer concerned.

Where a business has a really big corporate customer, it might make sense to open a separate bank account (and related IBAN) just for that customer. But that would usually prove very costly for lots of consumers or smaller business customers.

Enter the vIBAN! 

Instead of the additional reference number with the IBAN, the business gives each customer one unique account number to make the payment to. That unique number looks like another IBAN but is really just a unique number that the issuer uses to receive and move the funds to the business's actual IBAN and bank account. It's literally a virtual IBAN.

In many cases, the vIBAN may be issued/controlled by an intermediate payment service provider which holds a database matching each vIBAN with a customer number given to it by the business. When the money comes into the relevant IBAN account for that business, the intermediary electronically reports who made the payments in a way that the business can then match with its actual customer database. 

The business could also make payments to customers using the same process, but in reverse. 

Each vIBAN can also be limited to a particular type of transaction, like 'top-ups' to an e-money account or prepaid card.

One confusing aspect of the EBA report is that it refers to the actual bank account associated with the IBAN as the 'master account' which implies that each vIBAN is itself an account when that is not the case.  There is only one actual bank account involved in an IBAN/vIBAN arrangement. If there has to be a reference to a 'master' at all, then it would be more helpful if the IBAN itself were referred to as the 'master IBAN' to differentiate it from the vIBANs associated with it (there is also the concept of a 'secondary IBAN' that refers to the actual bank account).    

Do vIBANs have other uses and benefits?

vIBANs have other benefits besides solving the main payment-tracking problem. 

Sometimes, for example, local banks or businesses in one country will refuse to make payments to an IBAN that has a different country code (so-called 'IBAN discrimination'). So a supplier based outside that country will arrange for local vIBANs to be presented to its local customers, so they or their bank won't refuse to pay. IBAN discrimination is banned in the EU and UK under the Single Euro Payments Area Regulation (SEPA Regulation), but the rule is not always enforced in practice.

The same set up that defeats IBAN discrimination is also used to establish a more cost-effective global payment network. That's because the ability to receive and make payments locally in many different countries usually requires a network of different local payment service providers, but they can all be controlled by one corporate team. That team can manage payments for external customers or internal payments among the companies in the same corporate group, and can also keep balances in different currencies to minimise foreign exchange exposures and conversion costs.

What are the risks/concerns relating to vIBANs?

Possibly the easiest concern to understand is that people making payments (and their payment service providers) are nervous about not being able to tell the difference between an IBAN and a vIBAN. Only the recipient/payee and the PSP(s) issuing the vIBANs know the difference and there may not be any direct customer relationship between the PSP that issued the vIBAN and the end-user. As described above, the initial 'payee' may in fact be an intermediary PSP and not the PSP of the actual intended end-payee. That could interfere with the need to verify the actual payee (and efforts to stop 'Authorised Push Payment' fraud). Similarly, the use of vIBANs may impede the transparency requirements around payer and payee under Funds Transfer and SEPA/ISO standards.

At the regulatory/technical level, some regulators (and indeed vIBAN issuers!) don't understand that vIBANs are really just reference numbers. Sometimes vIBANs are also confused with a 'secondary IBAN' which, like the original or 'primary IBAN', also identifies an actual bank account. Some regulators also seem to believe (or there is contractual/operational confusion which suggests) that a vIBAN necessarily implies or creates a distinct, extra payment account (rather than just the data showing which end-user made/received a payment). Unfortunately, that analysis would also mean there is a direct customer relationship between vIBAN issuer and the end-user, which would trigger a lot of related contractual and compliance requirements and confusion over customers' rights (including deposit guarantee schemes), regulatory supervision and complaints.

However, even if the vIBAN were to be considered an 'identifier' of the actual bank account under the associated IBAN, where the end-user is not the named holder of that bank account then the account could not be deemed that end-user's payment account. The EBA is concerned that this may mean an end-user somehow lacks a payment account and the related regulatory protection that brings. But, of course, the vIBAN itself is just a reference number that the end-user quotes when initiating a payment order - and a payment order could only be initiated in relation to a source payment account from which the relevant funds are to be drawn to fund the payment transaction.

Some regulators agree that vIBAN issuance is not itself a regulated banking/payment service activity, so cannot provide the basis for an institution to open a branch in another member state (host state) under passporting arrangements. Other regulators allow vIBAN issuance to constitute an activity enabling passporting or requiring local authorisation/agency. This means that institutions need to check the regulators' view on both sides of each border they wish to 'cross' by issuing vIBANs.

The EBA has also found that some regulators have effectively banned cross-border issuance of vIBANs, by requiring that there must be no divergence between the country code of the vIBAN and the country code of the IBAN of the actual payment account. While those regulators point to ISO technical standards for their view, the EBA has explained that the European Commission does not share that interpretation, nor is it consistent with the SEPA Regulation.  

There's also some risk that a PSP issuing vIBANs might be facilitating the operation of an unauthorised payment service business, depending on the nature of the business being operated by the immediate customer and services offered to end-users (i.e. is that customer offering one of the specified 'payment services' as a regular occupation or business activity). 

There is also the potential for failures in fraud reporting where a payment is made to a vIBAN in one country, but the payment has actually been routed to a payment account with an IBAN in another country.

Are separate vIBAN controls needed?

Some regulators' concerns about vIBANs might be addressed if those same regulators were to tackle IBAN discrimination in their jurisdictions - so that vIBANs aren't needed as a 'band aid' or 'sticking-plaster' for that problem. 

For anti-money laundering purposes, it's especially important for the issuing PSP to understand the payee's business, the scenario in which the vIBANs are being used, and the type of end-users able to use the vIBANs and the rationale for the payments being received (or made). This becomes more critical where the end-users are based in another jurisdiction.

In turn, the payment services regulator in the country where the vIBAN arrangement is deployed needs to know that: vIBANs are being issued; the issuing PSP has the right risk assessment, customer due diligence and transaction monitoring controls in place (including where another PSP or business is actually allocating the vIBANs to the end users); and that suspicious transactions involving vIBANs can be detected, reported to the correct country authority and readily traced. Again, this becomes more important where the end-users to whom vIBANs are issued are based in another ('host') jurisdiction to the ('home') jurisdiction where the IBAN and bank account are based.

Some PSPs have already lost their licences over failure to comply with existing controls in the vIBAN context, but the EU's new AML Regulations will explicitly require the 'account service' PSP that offers the underlying payment account to which the IBAN relates to be able to obtain customer due diligence information on end users to whom the associated vIBANs are issued 'without delay' and in any case within five working days - even where vIBANs are issued by another PSP. 

In addition, the next anti-money laundering directive (AMLD6) will require all national bank account registers to hold information on vIBANs and their users. 

The EBA has also included an Annex listing the factors that may increase or reduce the risk of money laundering or terrorist financing.



Monday, 2 October 2023

FCA's Final Warning To Crypto Firms On Marketing and Money Laundering

The UK's Financial Conduct Authority has issued a "final warning" to all firms marketing cryptoassets to UK consumers, including firms based overseas, that it will strictly enforce the new 'financial promotions' restrictions that take effect on 8 October 2023. Among the FCA's concerns, in particular, is the fact that overseas firms with UK customers have failed to engage with the process of introducing the restrictions. Of 150 overseas firms surveyed by the FCA, only 24 responded. The FCA has updated its Warning List accordingly. In addition to criminal prosecutions for breaching the restrictions, the FCA envisages actions to recover the proceeds of crime from those who receive money from offending firms, as well as prosecutions for related money laundering offences. I've summarised the FCA's concerns below for information purposes. This note does not constitute legal advice. If you need advice on any of the matters raised, please get in touch.

What is a financial promotion?

A 'financial promotion' basically means any invitation or inducement to engage in a regulated activity. This could be a feature of any customer communications, marketing activity, social media posts, advertising or part of sponsorship arrangements, for example. 

What is the main restriction?

Firms lacking the appropriate authorisation or registration must only communicate to UK residents financial promotions that either fit an exemption or have been approved by an FCA authorised firm (who have to comply with their own financial promotions rules). 

The FCA expects authorised firms who are considering approving cryptoasset financial promotions to notify the FCA before doing so.  

Depending on the type of product and related activity involved, there may be different promotional rules that the approving firm must check that the promotion complies with before giving approval.

Crypto firms which cannot legally communicate financial promotions to UK consumers will be expected to have robust processes to prevent UK consumers accessing and responding to their financial promotions, including geo-blocking UK consumers, clear statements that their services are not available to UK residents, on-boarding and KYC/AML checks for UK addresses, preventing the use of UK-based payment methods, and ongoing monitoring. 

What happens if there's a breach?

Breaching the financial promotions restrictions is a criminal offence. 

In turn, the FCA considers that any benefits obtained from illegal financial promotions could be criminal property, so anyone receiving or dealing with such proceeds of crime may be implicated in money laundering. Some may also commit an offence where they breach requirements to report suspicious activity. In this context, the FCA will be looking at funds flows such as: 

  • the fees generated by app stores, social media platforms, search engines and domain name registrars from hosting illegal financial promotions; 
  • investments made due to illegal financial promotions; 
  • receipt of payments under advertising, co-marketing and sponsorship deals; and 
  • fees charged by payments firms or other intermediaries for services to unregistered cryptoasset businesses that generate income through illegal financial promotions.

The FCA would likely begin its enforcement activity with an alert on the FCA website and by seeking to remove or block offending promotions, in addition to targeting intermediaries, social media platforms, search engines, app stores, domain name registrars, hosting providers and payment service providers who support the activities of offending firms.

What if I have UK residents as customers right now?

The FCA explains that firms who are at risk of non-compliance may communicate with their existing UK consumers for a limited time but only to allow those customers to transfer, withdraw or sell their existing assets, which must be communicated in a way that does not breach the financial promotion requirements and clearly explain how consumers can use each option and any associated fees, costs and charges. The FCA considers it unsustainable for unregistered cryptoasset firms to maintain a longer-term relationship with UK consumers who cannot be shown financial promotions. 






Tuesday, 16 May 2017

New Money Laundering Guidance

The complexity of the anti-money laundering regime has meant that practical guidance on how to comply has been particularly necessary. The best guidance has come from the Joint Money Laundering Steering Group of various organisations (JMLSG) in three parts. 

New EU directives on money laundering have led to consultation on how these should be implemented in new draft UK regulations that are due to take effect from 26 June 2017.

And the JMLSG has used the draft regulations as the basis for consultations on updating Part I of its guidance (the mark-up is in 4 separate documents, Chapter 5 of which shows changes to the guidance on electronic identity verification), and more recently on Parts II and III. The consultation versions show the proposed changes to the current guidance, and are an invaluable tool for understanding how a firm's existing approach should change once the new regulations take effect.




Friday, 11 November 2016

Money Laundering Includes... Tax Evasion and Virtual Currencies?

Hot on the heels of the UK's consultation to introduce the 4th Money Laundering Directive comes the imminent EU approval of MLD5.

A key element involves the creation of a central register of beneficial ownership of legal entities and related ownership arrangements, plus ongoing monitoring of those arrangements, with the intention that: 
"The enhanced public scrutiny will contribute to preventing the misuse of legal entities and legal arrangements for ...predicate offences such as tax evasion."
Other key provisions may be seen as closely related to this ambition: 
  • creating a central register of all citizens' bank/payment accounts;
  • enabling authorities to go hunting for evidence of suspicious activity even in the absence of a 'suspicious activity report';
  • imposing customer due diligence and transaction monitoring obligations on 'virtual currency' exchanges and wallet providers; and
  • reducing the limit of anonymity for prepaid cards/instruments.
Needless to say, the members of the European Banking Federation are very uncomfortable with the idea of equating tax evasion with money laundering. The nub of EU banks' concern seems to be that their tax evading customers will simply move their accounts to banks based outside the EEA, the implication being that they'd quite like to retain the business! To be fair, it is a little odd that the list of countries with deficient anti-money laundering regimes doesn't include tax havens typically associated with tax evasion.

But there are reasonable objections on the basis that centralising such sensitive and valuable personal data would be a 'snoopers/fraudsters charter'; and creating a central record of every citizen's bank account and financial arrangements seems mightily disproportionate to the benefit of collecting evidence on the comparatively small proportion of the population that would be involved in significant organised crime or tax evasion. It's surprising that the European Economic and Social Committee ("EESC") did not object on these grounds - either the 'social' aspect of the committee's remit is subordinate to the 'economic' interest, or they consider that the whole of society should happily sacrifice privacy and security to ensure everyone pays their fair share of tax. That's certainly the Scandinavian practice. At any rate, the European Central Bank says that member states' central banks shouldn't have to operate the central registers unless they can bill the government for doing so - highlighting the more important point, that governments are better at wasting the taxes they do manage to collect than collecting taxes in the first place.

The FinTech crowd will no doubt be concerned about stealth regulation of distributed ledger technology or blockchains, via the virtual currency requirements. A "virtual currency" is quite broadly defined as:
"...a digital representation of value that is neither issued by a central bank or a public authority, nor necessarily attached to a fiat currency, but is accepted by a natural or legal person as a means of payment and can be transferred, stored or traded electronically."
Even if exchanges and wallet providers are prepared to tolerate AML regulation as the price for entering the 'mainstream', trying to regulate 'virtual currencies' (or any aspect of digital ledger technology or blockchains) at this early stage is very problematic. The above definition is broad but still does not cover every characteristic of a currency (which the Isle of Man has tried to capture). Indeed, the ECB has bluntly responded that so-called 'virtual currencies' are not currencies or money, pointing out they can also be used for other purposes and the holders don't need to use exchanges or wallet providers. The courts are also struggling with the concept that such 'currencies' are 'ownable' or 'property', as Lavy and Khoo have also explained.

Little wonder that the EESC recommends creating some kind of "European tool for monitoring, coordinating and anticipating technological change." But quite how Europe intends to 'anticipate' let alone 'coordinate' blockchain development is anyone's guess!

In any event, retailers should breathe a sigh of relief. Gift cards and other 'closed loop' instruments generally would not fit the MLD5 definition of a virtual currency, since they typically cannot be transferred or traded electronically. And there is a specific exclusion consistent with the 'limited network' exemption from the definition of electronic money (and therefore 'funds') for instruments that can be used to acquire goods or services only in the premises of the issuer, or within a limited network of service providers under direct commercial agreement with a professional issuer, or that can be used only to acquire a very limited range of goods or services. But note that the limited network exemption will be significantly narrower from January 2018, especially for programs transacting more than EUR1m a year.

At least someone wins!


Tuesday, 18 October 2016

Boring But Important: UK's Anti-Money Laundering Consultation

The Treasury is consulting on how to implement the fourth Money Laundering Directive into UK law by 26 June 2017, with responses due on 10 November 2016. Draft guidance from the European Banking Authority is also open for consultation. In parallel, a new EU Funds Transfer Regulation will take direct effect, updating the rules on information on payers and payees accompanying the transfer of funds in any currency.

The consultation is important, given that money laundering is also a key enabler of serious and organised crime, estimated by the Home Office to cost us £24 billion a year. Terrorists also tend to use the proceeds of crime as a means to obtain funding, but might also try to obtain finance from (unwitting) legitimate sources.

The current Money Laundering Regulations 2007 cover 150,000 UK businesses, with more likely to be covered due to a lowering of the threshold for eligible transactions in cash (or a series of transactions that appear to be linked) by persons trading goods, from EUR15,000 down to EUR10,000 (probably about £1000 in 2017 money!); and an extension to include receiving as well as making payments in cash.

With the exception of money remittance, the government is able to exempt from the regulations some persons engaging in certain financial activities on an occasional or very limited basis where there is little risk of money laundering or terrorist financing:
  • the financial activity is limited in absolute terms (the proposal is that the total annual turnover from the activity should not exceed £100,000);
  • the financial activity is limited on a transaction basis (the proposed maximum threshold per customer and per single transaction, whether the transaction is carried out in a single operation or in several operations which appear to be linked, is £1,000);
  • the financial activity is not the main activity of such persons (the proposal is that the activity should not exceed 5% of the total turnover of the natural or legal person concerned);
  • the financial activity is ancillary and directly related to the main activity of such persons;
  • the main activity of such persons is not an activity referred to in Article 2(1)(3)(a) to (d) or 2(1)(3)(f) of the directive; and
  • the financial activity is provided only to the customers of the main activity of such persons and is not generally offered to the public.

The directive requires firms to verify the identity of a customer and any beneficial owner(s) before establishing a business relationship or carrying out a transaction, subject to certain thresholds. But the timing of the verification can be altered: (i) where there is little ML/TF risk and it is necessary so as not to interrupt the normal conduct of business, then verification can be carried out during the establishment of a business relationship - although it shall still be completed as soon as practicable after initial contact; and (ii) an account may be opened with certain institutions provided there are adequate safeguards in place to ensure transactions are not carried out by the customer or on its behalf until the necessary CDD measures are completed.

The directive also requires obliged entities to apply customer due diligence measures to existing customers at appropriate times, using a risk-based approach, as well as to new customers. In particular, such measures should be applied when the circumstances of a customer change, but it is not clear which circumstances are relevant ("e.g. name, address, vocation, marital status etc.") and how a firm would know they had changed. There is a non-exhaustive list of factors in Annex 1 of the MLD that must be taken into account when assessing the risk of money laundering and terrorist financing, raising some uncertainty as to what might constitute an exhaustive list in any given circumstances.

Certain thresholds for implementing customer due diligence apply, but the fact they are expressed in Euros highlights the significant problems posed by the volatility of the pound following the Brexit vote.

Simplified due diligence remains an option, but the list of products currently specified in Regulation 13 is to be replaced by a non-exhaustive list of factors in Annex II of the directive and further guidelines due from the EBA by June 2017 - heralding more uncertainty. In addition, pooled client accounts are no longer mentioned specifically in this context, meaning that the existing explicit option for an institution hosting another firm's client money account (or 'segregated' account or 'safeguarded' account) to apply simplified due diligence in connection with the beneficial owners of the funds in that account will no longer apply.

Enhanced due diligence measures must be implemented in certain circumstances, a non-exhaustive list of which appears in Annex III, with further details in the EBA consultation documents that the Treasury expects everyone to review separately... In fact, there are numerous instances where the various European financial authorities are to draw up regulatory technical standards, so watching that space is very important, as it could act as a brake on innovation.

There has been some increase in the scope of entities that can be relied upon to have conducted customer due diligence, and the Treasury is inviting further suggestions here, particularly to help reduce the regulatory burden. Here it would be very helpful if governments could actually work together to achieve, or at least support, formally 'reliable' ways of verifying the identity of each other's citizens, as envisaged by the eIDAS regulation (there is a single reference to electronic signatures as a means of reducing certain risks, in Annex III).

The new directive is more prescriptive on the internal controls that firms are required to implement, which must vary according to the nature and size of the business concerned. The Treasury is open to suggestions on the thresholds etc., particularly related to a compliance officer and independent audit functions.

There are separate chapters in the consultation specific to gambling, e-money, estate agents, correspondent banking; dealing with politically exposed persons (PEPs); and meeting the requirement for a central register of beneficial owners of corporate and other legal entities incorporated in each member state; as well as reporting, supervision and sanctions for breaches of the regulations.

Worth a read to know what's coming down the 'pike.

Monday, 19 September 2016

Boring But Important: Changes To Money Laundering Regulation

The UK government is consulting on important changes required to implement the fourth EU directive on anti-money laundering (which is still subject to change in the meantime) and changes to wire transfer regulation. Responses are due by 10 November.

This is not the only consultation paper issued recently, so it will be a week or so before I add further summary detail below!