Simplified Due Diligence Prepaid is commonly misconceived as being an industry plagued by disingenuous businesses issuing high risk products, without controls, to vulnerable consumers and providing criminals anonymity and financial vehicles to traffic their illegal wares. With discussions taking place regarding Simplified Due Diligence in the prepaid market, this whitepaper compares the reality with these misconceptions and discusses the benefits and risks of Simplified Due Diligence in this market.
Produced by the Prepaid International Forum in partnership with Neopay Ltd
Page |2
Simplified Due Diligence in Prepaid
Contents Just how anonymous is prepaid? ...................................................................................... 3 What are prepaid products? .............................................................................................. 4 Are all prepaid products and services the same? .............................................................. 4 What is simplified due diligence?....................................................................................... 5 Are all prepaid products regulated? ................................................................................... 7 The regulated prepaid market ........................................................................................... 8 Just how attractive are these products for money laundering? ........................................ 10 What about their use in other financial crime? ................................................................. 13 What does anonymous really mean? .............................................................................. 14 What are the risk factors associated with SDD? .............................................................. 15 What are the tools available to mitigate these risks? ....................................................... 16 What about the risks to vulnerable members of society? ................................................. 17 What are the benefits of SDD products? ......................................................................... 22 What would be the impact of withdrawing the exemptions? ............................................. 23 Conclusion ...................................................................................................................... 25
Page |3
Simplified Due Diligence in Prepaid Just how anonymous is prepaid? Prepaid products and services provide flexibility to users which has revolutionised modern personal banking. This flexibility is due largely to the innovation of issuers and service providers and supported by commensurate regulation and oversight such as the requirements for risk based Anti-Money Laundering measures. But this broadening and transition away from traditional banking has also caused concerns over the security and formality of these newer payment methods, due largely to unfamiliarity. As acknowledged by The Wolfsberg Group: “The broadening of payment methods has resulted in greater complexity for regulators, and for banks, in relation to assessing the risks attached to them and the application of, and responsibility for AML controls, particularly if the transactions flow through one or more jurisdictions.” There is a general misconception within the market that the prepaid industry is increasing the risk of criminal activity within the financial services sector due to the provision of anonymous products. However this is a wildly inaccurate portrayal of a highly regulated sector which is issuing e-money and payment services responsibly, and in the interests of consumers and service users. Furthermore, the provision of such services is very rarely truly anonymous; only in specific circumstances which must comply with legal and regulatory requirements.
In our
experience, institutions operating in the market utilise numerous controls to effectively manage the potential risks. These controls are based on the specific business model and product offered – there cannot be a one size fits all ethos – and this leads to the confusion and assumptions that there are no controls. This paper sets out to clarify the situation and address such concerns with the intention of informing and educating about products and services utilising the regulatory model of simplified due diligence (SDD) – to show that when applied correctly in appropriate
Page |4
circumstances and with the suitable controls in place, SDD can provide great benefits to consumers.
What are prepaid products? Prepaid products are electronic payment devices that are preloaded with funds. They do not offer credit or pay interest. The most well known are prepaid cards, for example gift cards, Oyster cards or travel money cards.
Are all prepaid products and services the same? The answer to this is definitely not! Just as every service provider is different so is every product offering on the market. The product type itself is a key factor when considering the appropriate controls and the suitability of utilising Simplified Due Diligence, the typical characteristics that make up the product are:
Network acceptance – whether the product operates under open loop, semiclosed loop or closed loop (i.e. whether the product can be used with all retailers who accept a certain card type e.g. MasterCard or VISA, a limited number of retailers who accept the card type or is limited to a specific retail chain);
On-going use – whether the product is for single or multiple use, i.e. nonreloadable or reloadable;
Functionality – whether the product is a plastic or virtual card, voucher or wallet based will influence how widely the product can be used and whether it enables cash access (ATM use), card not present transactions, or is restricted to Point of Sale (POS) transactions or online only.
The most notable distinctions between prepaid products is whether they operate on an open loop or closed loop network and consequently how widely accepted the payment instrument is.
A common example of closed loop prepaid product is the consumer
favourite Gift Card; purchased at a specific merchant by an individual for use by a third party to spend with the selected merchant or within a defined group of merchants, with a typical value load of £35.00. Prepaid products will also vary between services that are non-reloadable and reloadable, and this distinction will greatly influence the commercial proposition.
For example, a
Page |5
single use voucher bought for the sole purpose of spending the denominated value with a specific merchant will have very different risks associated with it compared to a travel card which allows multiple loads for use at ATMs cross border. The attractiveness of these products for use by criminals is very different, which is why the purchase, application and monitoring processes for these two products will be so diverse. It is widely acknowledged that by limiting such products to low value payments and limited functionality, the attractiveness of this type of product to criminals is greatly reduced. Additional controls will also reduce the risk of criminal exploitation, for example restricting the ability to access cash. It is virtually impossible to compare two prepaid products because there are so many variable factors covering the business, the product, and the market. All of these impact and change the risks requiring mitigation, such that the resulting controls must be unique to each service provider in order to effectively mitigate the specific risks in each case. Therefore, the user experience of a prepaid product will vary from issuer to issuer and even between different products or services from the same issuer. The one thing that all prepaid products have in common is that every transaction leaves an electronic footprint that provides information about when, where and how the product has been used. These details can subsequently be monitored and used to prevent, identify, and report which further inhibits the use of prepaid products for the purposes of engaging in financial crime.
What is simplified due diligence? The concept of SDD was founded in European Union legislation as a consequence of the guidance issued by the Financial Action Task Force (FATF) to achieve a risk-based approach to implementing Anti Financial Crime procedures.
SDD is a regulatory
exemption for relevant institutions which removes the legal requirement to conduct full customer due diligence and verify the identification of an individual, using independent sources, in appropriate circumstances. The European Union’s Third Money Laundering Directive provides for SDD to be applied in four specific cases, on a risk sensitive basis, where the assessed risk posed by the product or service is low.
Page |6
Subsequently, the UK implemented the provisions of the European Directive and set out the legal requirements
in
the
Money
Laundering
Regulations 2007 (MLR) and further guidance is provided by the Joint Money Laundering Steering Group
which
specifically
Simplified Due Diligence
acknowledges
and
enforces the risk based approach to be adopted by relevant institutions and service providers. In accordance with regulation 13(1) of the MLR “A
SDD is a regulatory exemption which removes the requirement for full customer due diligence in certain circumstances. Within the UK, this can be applied to
regulated
e-money
products
meeting the following criteria:
relevant person is not required to apply customer
The device cannot be recharged
due diligence measures in the circumstances
and has a maximum stored value
mentioned in regulation 7(1)(a), (b) or (d) where
of €250.
he has reasonable grounds for believing that the customer, transaction or product related to such
The device cannot be recharged, is limited to use within the UK and
transaction, falls within any of the following
has a maximum stored value of
paragraphs.
€500.
..(7) The product is —
The device can be recharged, the total amount of transactions is
(d)electronic money, within the meaning of Article 2(2) of the electronic money directive, where— . (i)if the device cannot be recharged, the maximum
less than €2,500 per calendar year,
and
the
total
amount
redeemed is less than €1,000 per calendar year.
amount stored in the device is no more than 250 euro or, in the case of electronic money used to carry out payment transactions within the United Kingdom, 500 euro. (ii)if the device can be recharged, a limit of 2,500 euro is imposed on the total amount transacted in a calendar year, except when an amount of 1,000 euro or more is redeemed in the same calendar year by the electronic money holder (within the meaning of Article 11 of the electronic money directive).” Within the prepaid market, the SDD exemption only applies to institutions that are authorised to issue electronic money, and therefore regulated and supervised to provide such financial services. Accordingly, it is within very specific parameters and subject to comprehensive risk assessment that issuers should apply simplified due diligence to a product.
Page |7
As with any other financial service provider there are very strict requirements on e-money issuers to ensure consumers are protected. As an industry, due to the nature of the products, prepaid service providers are highly motivated to protect both consumers and themselves from the risk of financial crime. The decision to apply SDD to a product will be the result of a detailed risk assessment carried out by each issuer based on the specific product and business model to ensure that it is appropriate and within the regulatory requirements. A number of factors will be taken into consideration, namely the product type, target market,
geographical
location,
value
and
business
systems,
to
assess
the
appropriateness of issuing a product under SDD. Furthermore, use of the SDD provision does not necessarily mean that service providers do not take any information about the customer at all, in many cases the individuals personal details will be recorded for both monitoring and commercial purposes.
Are all prepaid products regulated? No, not all prepaid products are regulated and the SDD exemption applies only to regulated products and services. Unregulated products and services have no regulatory requirement to conduct customer due diligence regardless of transaction volumes or value on the product. There are two exemptions from regulation that apply to prepaid products; the Limited Network exclusion and the Limited Goods and Services exclusion: Limited Networks:
Those that may be used to purchase goods and services only in or on the issuer’s premises.
Those that may be used to purchase goods or services under a commercial agreement with the issuer within a limited network of service providers.
Limited Goods and Services:
Those that may be used to purchase a limited range of goods and services
It is estimated that up to 75% of the prepaid card market is unregulated. A significant proportion of this unregulated market is made up of Gift Card products and in 2009 sales
Page |8
of the electronic gift card overtook that of the paper gift voucher. Gift card products have tended to be non-reloadable and their typical value is under £50, but there are no regulatory restrictions to limit value. Gift card products make up approximately 20% of the prepaid card market. Although historically these products were largely B2C, B2B products have been growing in popularity and now make up over half of the prepaid gift card market. Corporations are increasingly turning to gift cards for a range of services, including customer incentive and reward programmes, employee incentive and reward schemes
and insurance
replacement services. As new developments and innovations occur, more reloadable and higher value products are being introduced to the market, some of which are regulated while others fall within the regulatory exemptions. Another common example of an unregulated prepaid product is a travel card, for example the Oyster Card. These are reloadable and there is no limit on transaction volumes or stored value. As well as prepaid card products, the unregulated sector continues to make use of new technologies in providing improved services to its customers including new developments in social media, SMS and NFC.
The regulated prepaid market Institutions that offer prepaid products and services that do not fall under the limited networks or limited goods and services need to be authorised or registered with the Regulator as either an Authorised E-Money Institution (AEMI) or a Small E-money Institution (SEMI). Prepaid Cards There are numerous prepaid cards available for use through a wide range of outlets, and for a wide range of products and services, that require authorisation or registration with the Regulator and also membership of a card scheme, for example VISA or MasterCard. Because of the cost and complexity of this, most card issuers operate through a third party issuer, commonly known as a BIN Sponsor or Deposit Taker.
They are not
authorised directly themselves, but act as a program manager under the issuer’s
Page |9
authorisation, effectively ‘renting’ the regulatory and scheme licences to provide white labelled products to customers.
Structure of the Regulated Prepaid Card Market Regulator Card Scheme
Bin Sponsor / Deposit Taker (AEMI or Credit Union/ Bank)
AEMI
FSA Regulated Entities
SEMI
Program Managers
Prepaid Card Sales
To minimise their risk, the authorised issuers tend to put stricter controls in place on their program managers than are required by regulation.
This often includes
regular audits of a program manager’s operations and documentation to ensure that they are still compliant with the authorised issuer’s procedures and policies, with anti financial crime legislation and consumer protection being high on the list of priorities. In addition, authorised issuers tend to assess each program manager on a case by case basis when entering into a contractual arrangement with them. The authorised issuer will review and assess the controls and procedures of the program manager to identify and mitigate any potential risks before entering into a contract with them. Other Prepaid Products The main focus of discussions relating to SDD in prepaid seems to relate to the prepaid card market, but there are other prepaid products on the market. Other e-wallet products
P a g e | 10
that don’t rely on a prepaid card, for example web-based e-wallets, can also fall under the SDD exemption if they meet the required criteria. These products are generally assumed to carry a lower risk of financial crime than prepaid card products as their potential misuse is seen to be more limited. In reality issuers of these products, as well as prepaid cards, undertake a detailed risk analysis to ensure that their anti financial crime procedures are appropriate in order to gain authorisation and meet their regulatory obligations.
Just how attractive are these products for money laundering? If you compare the restrictions placed on unregulated and regulated prepaid products which fall under the SDD exemption with financial products that require full customer due diligence, it is obvious that other financial products are far more attractive in terms of money laundering. The monetary value restrictions on SDD prepaid products makes the use of them for money laundering highly impractical and the costs associated far higher than alternative routes. The Regulatory Spread with Regard to Due Diligence in Prepaid
Unregulated Products
Used only in or on the issuer’s premises, used within a limited network of service providers, or used to purchase a limited range of goods and services.
Regulated Products Simplified Due Diligence
Full Customer Due Diligence
Has a maximum stored value of €250 and cannot be reloaded,
All other prepaid products and services.
is limited to use within the UK, has a maximum value of €500 and cannot be reloaded, or can be reloaded, but the total amount of transactions is less than €2,500 per calendar year, and the total amount redeemed is less than €1,000 per calendar year.
P a g e | 11
There is little if any evidence that SDD prepaid products are used for money laundering purposes, and, if they are at all, the levels are negligible when compared with alternative methods. The basis for the argument that the ‘anonymity’ of SDD prepaid products makes them attractive seems to be based on the assumption that these products are totally anonymous, which is rarely true, and that they have unrestricted loading and spending ability, which is completely untrue. It also assumes that more traditional methods are no longer available due to AML regulations and policies in more established financial sectors. As highlighted by recent press coverage and enforcement action by Regulators, we know that this is not the case. There will always be methods by which money can be laundered through traditional routes, and those responsible have the resources and a considerable motivation to find gaps in the regulatory practices of financial firms to enable them to do so. The prepaid industry has several advantages in this regard over other more established sectors of the financial and payments industry, as outlined below, which makes it less susceptible and attractive to money laundering activities. Usage Restrictions The usage restrictions and value limits of prepaid products, in particular those which qualify for SDD or are unregulated, make them highly unattractive vehicles for money laundering. Employee Training and Awareness When dealing with more traditional financial institutions, it can be common to experience a lack of employee understanding of AML and due diligence.
Examples we have
experienced have included copying and certifying passport front covers rather than the relevant passport pages and also photo ID’s being requested and accepted as proof of address, when the ID in question did not provide any address details. More concerning breaches can be seen in the supervision and enforcement notices issued by the Regulator. In our experience, the evidence would suggest that, as a whole, the prepaid industry has a much higher level of employee understanding and awareness than more established institutions. This, again, makes them less attractive targets for money laundering. The reasons for this are as follows:
P a g e | 12
Firstly, the product and service range of prepaid companies tends to be much more limited than other financial institutions.
This means that it is easier to provide more
focused training to employees, and also reduces the amount of knowledge and number of procedures that an employee is expected to understand and follow. Secondly, the proportion of organisations that provide bespoke compliance training to their employees rather than a web based, generic solution appears to be higher within the prepaid sector than other more established sectors. This means that their training is more suited to the business and product which reduces the potential for errors. Thirdly, the organisations tend to be smaller with a simpler line of reporting and greater visibility to the compliance function. This means that gaps and errors are more likely to be identified and remedied. Finally, as we mentioned earlier, a large number of organisations operate as program managers and have to undergo regular auditing by their authorised issuer. This process is more independent and rigorous than the monitoring of organisations in other financial service sectors, and therefore highlights gaps in employee training and reduces the risk of regulatory breaches. Cultural Factors As we are all no doubt aware by now, more traditional financial sectors tend to have cultures which place high focus on sales, profit and growth.
Individuals within these
organisations may receive substantial benefit through gaining new sales and clients. In some cases, organisations may unwittingly incentivise certain employees to overlook AML procedures in order to obtain a high value client. Employees may gain financially through bonuses and promotion and take very little personal risk from their actions. The prepaid market has a very different culture. The ‘bonus’ culture highlighted so often in the press does not apply to this industry and therefore the temptations for employees to overlook compliance policies or take unnecessary risks does not apply to such an extent. This greatly reduces the attractiveness of this industry as a target for money laundering. Profitability The enforcement action and penalties against institutions found to be in breach of AML regulation have not always been equal to the profit made by the institution through their breach. This means that, in the past, it has at times been worth the risk for financial institutions to take a more lenient approach to their AML frameworks and controls.
P a g e | 13
Although this is now changing, this does not necessarily mean that these avenues will be closed and therefore the ‘anonymous’ SDD prepaid products will become any more attractive for money laundering purposes. Industry Growth There will always be a battle between sales and regulatory compliance in any financial organisation. In general, the slower the market growth, the harder the sales and therefore the more pressure there is to loosen compliance policies to enable growth. The prepaid market is fortunate in this regard. It is a growing industry, not even close to saturation, with new technological and product innovations occurring regularly. This puts less pressure on business leaders to risk breaches and compromise their reputations in order to maintain and grow their business. The Need for Integrity and Trust The prepaid market has largely grown from a need for additional security, choice and protection in payments, but consumers are often wary of providers.
It is therefore
essential to the organisations that operate in this market to gain and maintain a reputation of trust and integrity with their customers and the market. Most of the market is made up of relatively new organisations without the brand awareness or market dominance of more established financial firms. The main operators in the prepaid market take their reputations and, in turn, regulatory compliance extremely seriously.
What about their use in other financial crime? There is evidence that a small number of other financial crimes have involved the use of prepaid cards. These are crimes that could, and have, been committed using any form of plastic card. Removing the SDD exemption would not prevent all of these crimes. Although there is an argument that the ‘anonymity’ of prepaid cards makes them more attractive, the level of financial crime and the losses incurred are minimal compared with the use of other products and methods. The irony of this argument is that, for a large number of prepaid products, the attractiveness to the consumer is based around the increased security and
P a g e | 14
protection offered through a prepaid product when compared with alternative methods of payment. So, given the increase in protection and choice to consumers provided by prepaid products, and the low level of financial crime involving them, why is there such a focus on SDD within prepaid? The answer seems to be that firstly, the financial crimes committed impact the banks rather than the consumer and secondly, that prepaid cards cannot be confiscated under the Proceeds of Crime Act.
What does anonymous really mean? Unfortunately, even within the industry ‘anonymous’ will evoke different interpretations from different individuals, service providers and experts. To some, anonymous will mean that the user is unknown and completely unidentifiable, whereas others will consider that any product that does not name the person is anonymous, for example a nonpersonalised prepaid card, even where the user has been identified and verified by the issuing institution. Another factor to consider is the type of service offered. Using the example of a gift card product the purchaser is usually not the intended recipient and subsequent user of the product – therefore capturing personal information of the purchaser would not be appropriate as it would not identify the user. Contrary to this, many SDD products are typically used by the purchaser for a specific purpose and in these cases, personal information is collected. This information is not always verified by the service provider however it is often used to perform a check against sanctions and PEP lists to ensure the service can be offered. Issuers applying SDD measures to their products will often require contact information as standard from the users, such as residential and email address and telephone number, as a means to contact their customers for service or commercial reasons. This also provides the service provider with the opportunity to detect duplicate accounts or link user accounts which may subsequently indicate suspicious or criminal activity. However, even in cases where no personal information is requested unlike cash, which is truly anonymous, a prepaid product will create a transaction history which can be used to identify, monitor, manage and report unusual, unexpected or
P a g e | 15
suspicious use. Therefore, the fact that a name, address and identity information is not recorded at the point of sale does not mean that the use of this product is unknown as the issuer will have system data of all transactions and user activity covering:
Country of distribution of the product
Transaction date
Transaction time
Unique transaction identifier
Location of use
Merchant ID or activity type
Furthermore, where the product or service is issued or managed online, service providers will have access to the users IP address and device ID which can be used to identify the user. All of this data enables the issuer to monitor the use of their product and build a tangible profile of the user and the user’s activity. In some cases this will indicate criminal activity and enable individual identification which will often assist law enforcement investigations, for example where a prepaid card is used at ATMs the data will provide details of the date, time and physical location of the activity which can enable CCTV to be recovered and examined for use in detection or capture of the relevant individual.
What are the risk factors associated with SDD? The most fundamental risk associated with a SDD product is that there is an unknown or unidentified user of the prepaid service. Further concern is attributed to any product that can be used on a cross-border basis with cash access. As discussed above, the principle of AML regulation is to account for risk factors by implementing effective controls to mitigate the risks identified and create a balance between product functionality and procedural requirements. This allows services providers to construct the most effective AML framework for the products they issue based on their business and customers specifically. The more widely a product can be used to access cash, the more controls will be required (limits, restrictions, identification) to effectively manage the service and counter-balance the risks posed. As part of the risk assessment service providers will:
P a g e | 16
define the product proposition identifying the needs of the target market
classify all risks posed by the specific business proposition
assess the impact of these risks when applied to the business’ operating framework and risk appetite
identify the controls available, systematic and procedural, to mitigate the risks identified
review the proposition and apply the appropriate controls to mitigate the risks identified and effectively manage the service
What are the tools available to mitigate these risks? One of the most common ways to mitigate the risk of criminal use is to impose restrictions on the product to limit the functionality of the product to its intended authorised purpose, thereby reducing the usefulness and attractiveness to criminals. Some of the restrictions available and frequently used are identified below. 1) Limit users’ access to services by providing a restricted network for sale and or acceptance, which will increase the service providers control over the flow of funds into and out of its system. 2) Issue the product or service on a non-reloadable basis. This, by virtue of the MLR, has a defined low maximum value limit and cannot be additionally funded. 3) Limit the values of the product, such as limited load, balance and spend values (in addition to the regulatory limits imposed for SDD) 4) Limit the load channels available to prevent cash (or equivalent) funding for any load or reload. 5) Issue a POS only product preventing cash access via ATMs or other cash over the counter methods. Furthermore, prevent ‘card not present’ transactions. 6) Prevent any intra-programme funds transfers between users. 7) Limit the geographical use of the product or service to domestic transactions. 8) Limit the network of acceptance to create a semi-closed loop. 9) Prevent any redemption of funds without full identification and verification of the user. 10) Prevent multiple accounts using system data to identify duplication of name, address, dob, telephone number, email address, username, IP address, device ID or other data field where applicable. 11) Limit the life of the product or service to provide as short a term as possible.
P a g e | 17
Some issuers operate a tiered system for the product or service to operate under. In such cases, users will initially receive a low value highly restricted product and gradually increase the functionality of the service, commensurate to the information provided and checks performed, until such time as the user is effectively ‘verified’. Many issuers will conduct security checks on the payment instrument used to purchase or load the prepaid product to identify any fraudulent activity. Issuers will also conduct rigorous activity monitoring of all transactions including sale, load, reload, spend, use and redemption with the intention of identifying unusual activity and links or patterns between users. The service provider will develop both system and manual controls to monitor transactions based on the specific product proposition to define processes and procedures that will identify suspicious or criminal activity effectively. The nature and frequency of monitoring will be designed to reflect the product features and risks identified as a part of the risk assessment, accounting for the mitigating controls imposed. It is worth acknowledging that a lot of the monitoring controls used are commercially beneficial to issuers as well, therefore it is in the interest of any successful business, not only as responsible service providers, to know their customers and their target market needs in order to deliver a competitive service and anticipate the use of the product – and actually regulation and guidance has caught up with the industry in this regard. Ultimately, prepaid issuers are striving for a balance; to provide a commercially viable service that meets user needs and that does not recklessly expose the users, market or service providers to disproportionate risks or financial crime.
What about the risks to vulnerable members of society? The market for prepaid products increases protection to consumers and provides access to payment mechanisms to the unbanked sector.
It offers significant benefits to all
members of society including those classed as vulnerable. In contrast to the benefits that these products provide, there are also areas of risk to the vulnerable that need to be covered. Concerns have been raised by the Children’s Charities’ Coalition on Internet Safety, the CEOP and other groups in respect of the risks of SDD products in relation to children’s
P a g e | 18
safety.
Their concerns are two-fold, firstly the attractiveness of these products to
purchase illegal goods on-line, including images of child abuse, and secondly their potential for use by children and young people to purchase age restricted products. The benefits of prepaid products are acknowledged by these groups, and there is not a mass of evidence showing their mis-use in these ways, but given the seriousness of these issues they must be, and are, taken very seriously by the industry. Purchase of Illegal Goods The internet has increased the availability and ease of purchase of illegal goods, including the purchase of images of child abuse. The anonymity and speed of payment provided by some SDD products is seen to make them attractive for use in this way. It is important when considering these issues in respect of SDD products that we look at the bigger picture; for example other payment mechanisms and access, as well as the current methods used by the industry to act against mis-use. Sellers of illegal goods on-line use a wide range of different payment methods, including credit cards, cheques, wire transfers, money orders, bank transfers, phone, SMS and cash.
Many of these offer anonymity to the purchaser and, although most financial
companies including card schemes have processes and systems in place to identify illegal activity, some do manage to evade detection. There are a number of ‘new’ payment mechanisms that can also be used for on-line purchases that offer immediate payment, for example virtual cards and vouchers and P2P (person to person) payment services, for example PayPal.
Like some of the other
methods used, P2P services enable sellers to receive payment without registering with an acquirer to accept VISA, MasterCard and other card and payment types. This places the seller under less scrutiny, therefore making them less easily detected. In most cases, it is the visibility of the seller that helps in the detection of these criminals and deters the sale of illegal goods. It is suggested that many purchasers consider a commercial site relatively safe to use, and that their identity and activity will be protected through methods employed by the seller. Criminals employ various methods to hamper identification of those involved.
For
example, although the site may advertise the use of card payment methods, the purchaser may actually be requested to send an email to a specified email account and
P a g e | 19
will then be instructed on an alternative payment mechanism. These often include the use of middle-men to add further layers and barriers for law enforcement agencies. However, once the site has been identified, methods can be used to identify those involved including the purchasers. As we have stated, a benefit of electronic payment methods is that they leave an electronic transaction trail regardless of their ‘anonymity’ and in addition, law enforcement agencies are now using increasingly sophisticated methods to identify offenders and overcome the barriers put in place. In a press release earlier this year, Peter Davies, Chief Executive of CEOP, said: “Some offenders have come to mistakenly believe that there are areas online, or tactics they can employ, that will cover their tracks from law enforcement. This is not the case. There is nowhere to hide.” With specific regard to child abuse, the growth of the internet has also unfortunately increased accessibility to images free of charge and therefore without the need for any payment method. In 2010, the EFC reported that analysis of the INHOPE URL database showed that 22% of all reported child abuse image sites are commercial; image sharing and social networking sites have also enabled the sharing of these images and these services are often provided to users free of charge1. The birth of social networking sites has also seen other disturbing side-effects; grooming, coercion and bullying have increased the risks to children and the young and the volume of self published images has grown significantly. Although SDD products do offer benefits to purchasers of illegal goods, other payment methods offer the same or greater benefits. For the reasons above the significance of SDD prepaid products to this issue is limited.
The impact of
withdrawing the SDD exemption unfortunately would not reduce the sale or distribution of illegal goods, including images of child abuse. It is also unlikely to have a significant impact on the detection of the criminals involved. Having said that, the industry does take this risk very seriously and actions are taken to detect and deter such illegal on-line activity. Again, a balance needs to be struck between the prevention of mis-use, and the provision of convenient, private and secure payment services that benefit society as a whole.
1
14 months on: A combined report from the European Financial Coalition 2009-2010
P a g e | 20
A significant proportion of the tools used to limit the risks in this area are focused on the seller. Most card schemes dedicate a considerable amount of resource on the prevention and identification of mis-use and have systems and policies in place to monitor their merchant base. Some schemes, including VISA and MasterCard, have technology to scan the internet to help identify offenders. Once identified, information is passed to the relevant authorities. Without the identification of the seller, illegal purchases cannot be detected through the payment mechanism, regardless of the anonymity or otherwise of the purchaser. To combat their detection, criminals selling illegal goods regularly change URL’s, location and host country in an attempt to evade detection. This is another area, as with money laundering, where the motivation of offenders is such that as the tools for identification and prevention develop, so do the efforts employed to overcome them. In addition to the focus on sellers, the use of all regulated e-money products is monitored. Suspicious activity is identified and reported in line with regulatory requirements and transaction histories and other details can usually be provided which can help identify the purchaser. As explained earlier, the criminals involved in these activities have many methods to attempt to maintain anonymity and hamper the detection of those involved in the sale and purchase of illegal goods.
There is a risk that some purchasers do consider the
‘anonymity’ of SDD products as a benefit, but no more than other methods used. Unfortunately there is currently little data available on the use of these products and its impact as research has focused on the wider payment issues, but having said that, we can still assume that the removal of the exemption is unlikely to result in deterring or preventing of any of this illegal activity. Unfortunately, the anonymity of SDD products, although a factor, is not a primary factor and neither the sellers nor the purchasers rely on this. Other methods are more routinely used to hamper detection and identification; the use and benefits of SDD products are thought to be limited in this context and their existence does not significantly alter the issues faced. These issues are obviously very complex. Due to this complexity the industry, linked industries, law enforcement and other bodies need to work together to combat these crimes. This co-operation occurs in a variety of ways, from the detection and reporting of
P a g e | 21
illegal sites, to groups researching the issues and providing information and feedback to the industry and law enforcement, to developments in best practice and regulation. There is no one solution to this issue, but a continual effort to prevent, detect, deter and prosecute these offenders, whilst ensuring that other legitimate groups and consumers are not discriminated against in the process. Purchase of Age Restricted Products Concerns have been raised over the potential for children to purchase cards and use them to buy age restricted products. Evidence suggests that this occurs occasionally but also that many parents express the benefit of being able to provide funds to their children in a way that enables them to monitor their spending and also is safer than carrying cash. Although other products that have come with the increased use of the internet, for example Facebook, do not necessarily respect the age restrictions put in place, this is not the case in the prepaid market. The regulation that applies to organisations offering SDD products ensures that all aspects of their business, from marketing and promotion onwards, are designed to limit the attractiveness of these products directly to children and the risk of their use by them for age restricted products. The issue with age restricted products when purchased in card holder not present situations is that the responsibility seems to shift away from the retailer. Unfortunately, given that many of these cards are purchased by someone other than the end user, and that the unregulated market and other payment methods are also attractive for this, the removal of the SDD exemption is likely to have little impact. Instead the industry is looking at alternative approaches that could be introduced in collaboration with retailers, which would limit the risks in this area.
These include
restriction of the sale of age restricted products in circumstances where face-to-face verification cannot take place, or restrictions on SDD and regulatory exempt products to prevent their use for the purchase of age restricted products. One of the key issues is how to limit the risks in purchaser not present situations without unnecessarily restricting other purchases, for example the purchase of petrol. Having said this, if the responsibility was placed with the retailer, this would ensure that the risks associated with all payment methods and transaction types would be tackled together, rather than regulation needing to focus on each payment method and transaction type individually.
P a g e | 22
Further research and analysis needs to take place on this issue to establish the extent of mis-use in this way and to establish the effectiveness of the product specific controls currently in place by issuers and program managers. Due to the vast range of products and the benefits that SDD prepaid products offer, the negative impact of any one size fits all initiative on other groups of society also needs to be assessed to ensure that other vulnerable groups are not unnecessarily impeded by any new restrictions put in place.
What are the benefits of SDD products? The most fundamental argument for SDD products and services is market need and demand for:
Speed and convenience – SDD products and services can be available immediately, without a protracted application process which is disproportionate to the product offered.
Fulfilling a specific, short term requirement for the customer – for example gift cards to family and friends or travel cards for use whilst abroad. In these situations the user does not require a long term relationship with the issuer and so does not want to accept a significant on-going contract.
Data security – Arguably the most topical issue for consumers in today’s society, SDD prepaid products and services can be purchased without the need to disclose personal information and identification. This removes the risk of the data being compromised, which many view as being unreasonably disproportionate to the value of the product to the user, particularly in situations such as gift cards where the purchaser is not the intended user.
Financial security – SDD prepaid products and services operate independently of the users’ bank account, therefore limiting the potential loss to the value assigned to the product (or within the confines of the prepaid service) and not compromising the entire bank account.
Financial inclusion – SDD prepaid products and services enable the unbanked to have access to a payment instrument. Using the example of a reloadable product for general use, this could be used by an unbanked individual or as a budget facility, enabling greater financial control for the customer.
Greater competition – not only within the prepaid market itself, but for consumers without a means of electronic payments; consumers are not restricted to shopping
P a g e | 23
on the high street as they can make payments online to retailers who, typically, offer lower prices and better service.
Reduced costs – SDD products have low ‘overheads’ due in part to the removal of independent verification costs and, where no customer data is obtained, less development is required on systems to record and store data. As a result, SDD products can often be less expensive to launch and operate and therefore the cost benefit can be passed on to users, who are charged less at point of sale.
Greater accessibility – SDD products are available to everyone, regardless of electronic verification data or credit history. In some regions, electronic verification is not as easy as it is in the UK, which restricts the use of products for people from these regions. This is not the case with SDD and unregulated products.
What would be the impact of withdrawing the exemptions? The benefits of SDD products to society are substantial. As we have stated previously, the increase in protection offered by these products as well as the increased rate of inclusion have made these products indispensible to many in the UK. Withdrawing the SDD exemption would have a significant impact on the practicality of many useful products. The value and usage limits imposed on SDD products are at a level that is a practical balance for the consumer and provider; removing the exemption would make the costs and hassle for the consumer too great for many products that fall into these exemptions. We also need to remember that there are a number of legitimate reasons why consumers may not want to undertake the full due diligence procedure. They may be nervous about providing full details of their identity, they may not have the appropriate electronic verification data available, or they may not consider the process worthwhile for the value of the products available under SDD. As we have discussed previously, you cannot consider the SDD exemption without also considering unregulated prepaid products. The risks are just as high with these products, and their usage is much higher than SDD products.
Removing the SDD exemption
without also reviewing unregulated products would clearly be worthless. The negative impact of a removal of the regulatory exemptions for these products would be so great, it cannot possibly be justified. If you think about some of the most well known
P a g e | 24
unregulated products, you can see why; the Oyster card, store gift cards, even loyalty cards would be seriously affected by the change. What would be the impact on the Oyster Card, for example, if full due diligence was required? All of these prepaid schemes have been implemented because
they
offer
significant
benefits
to
Examples of the benefits of SDD and regulatory exempt prepaid products
Financial inclusion Financial security
consumers and organisations over the previous
Data security
methods used.
Increased consumer choice and variety of payment methods
The majority of unregulated products are not purchased by the end user. Over half of these
Convenience
products are B2B, used for example for insurance
Reduced costs to the consumer
replacement or employee incentive schemes. The
Greater competition
introduction
Greater accessibility
of
due
diligence
in
these
circumstances would be highly impractical. And with store gift cards, surely it would mark the return to paper vouchers.
Transaction history and audit trails
Reduced
As stated, the removal of these exemptions would
make
a
wide
range
of
functionality
and
attractiveness for financial crime
products
unfeasible, and consequently consumer choice and needs not met. Another suggestion has been to limit the value of unregulated products. Again, you have to look at their use to establish why, currently, usage limits do not apply. To use the same examples, travel cards, insurance replacement and employee incentive schemes would all be seriously affected if additional limits were put in place. With such a high negative impact to consumers on the removal of these exemptions, surely they should not be removed lightly. If there are arguments to suggest that these consequences may be necessary, then it has to be worth a full risk assessment to identify the extent of the risks of these products with others and show that the current balance is not adequate. And remember, this risk assessment is already carried out on a product by product basis by authorised issuers. Their knowledge of the product and the level of detail they are able to assess give a far better result for the consumer than a one size fits all approach. Each issuer puts in place controls that are based on the specific business model and product offered.
P a g e | 25
Conclusion The concerns relating to SDD within prepaid are often due to a lack of understanding of the market, the controls that are used, the meaning of anonymity, the limits and restrictions that are in place and the regulatory structure that exists. Concerns often focus on the deliberate use of false name and address details, which are not always verified with these products, without looking at the reasons why this customer due diligence is not considered necessary for products of such limited value or use, and what alternative products exist that also do not require customer due diligence. SDD prepaid products are issued by regulated institutions who undertake a detailed risk analysis of each product to ensure that their procedures and controls are appropriate to the risks associated with the product. They must do this in order to gain authorisation and meet their regulatory obligations. In addition, these products provide transaction histories and audit trails which can be used to identify and evidence misuse. They are rarely truly anonymous, with contact and other details usually provided at the time of issue. The evidence suggests that SDD prepaid products are very rarely used for financial crime, as the restrictions and limits make them unattractive compared to alternatives. Where they have been misused, the amounts concerned are relatively low and alternative products could also have been used. Conversely, the benefits to consumers and society of SDD prepaid products is significant, particularly in respect of security, convenience and financial inclusion, and many now rely on these products in their day-to-day lives. With regard to the purchase of illegal goods, although it may be desirable to think that the SDD exemption on prepaid products is significant, the reality is that there are many methods used for payment of these goods which provide greater anonymity.
The
criminals involved in these activities are not reliant on the SDD exemption and there is little data to show the use of prepaid SDD products in this way. It is also the ability to identify sellers and sites which is most important in tackling these crimes and, in addition to the monitoring activities that are undertaken by card schemes to help in their identification, electronic payment methods including SDD prepaid products are able to track suspicious transactions and provide transaction histories, which some alternative methods cannot. Prepaid issuers are there to provide useful products and services to consumers, not to act as law enforcement. There is already a significant level of regulation in place to ensure
P a g e | 26
the appropriate risk assessments and controls are in place for SDD prepaid products. The level of regulation that exists at the moment is sufficient to protect against risks, and take action against specific schemes that may attract misuse.
It provides a balance
between consumer interests and protection on a case by case basis. We also have to consider the unregulated prepaid market and why we would consider these products less of a risk than the regulated SDD products. This cannot be justified. And, similar to SDD products, unregulated products have restrictions of use that make them unattractive and their use for financial crime and money laundering negligible. The current implementation of the regulation is proportionate and in line with the spirit of the European Directive. SDD is only applied in the most strict circumstances; issuers are regulated and need to have in place the appropriate controls to the mitigate risks attached to these products. Rather than focussing on the SDD exemption, there would be greater benefit in looking at areas of regulation where prepaid cards do not align with other financial products, with no benefit to consumers. One example given is the inability to confiscate prepaid cards under the Proceeds of Crime Act. A review of this is likely to have a far more significant impact than focussing on the current implementation of the SDD exemption. It would also be beneficial to consider and question areas where the use of the internet has shifted existing legal responsibilities, for example in the purchase of age restricted products. In the past this was the responsibility of the retailer, and we question why this has changed with on-line purchases. Although the market is working to find a solution, these risks also apply to non-regulated payment products and other payment methods that are not related to the e-money regulations or the prepaid market. These are wider issues and the focus purely on the SDD exemption will not provide an adequate solution. SDD is a valuable asset to the industry which allows responsible service providers to meet the demands of the market. Consumers require, in today’s environment with the fast pace of payments, a range of safe, secure and convenient options to meet their different payment requirements. The removal of the SDD would not have any significant impact on financial crime or other risks but would harm the choice and security that these products provide to consumers.
P a g e | 27
About PIF Prepaid International Forum (www.prepaidforum.org) is a not-for-profit trade association established in 2007 to represent the interests of all parties participating in the prepaid economy on a commercial basis. Prepaid International Forum (PIF) is dedicated to the progression of prepaid commerce around the world and acts as a principal point of liaison between the prepaid economy and government agencies, regulators, consumer bodies and the media. It is focused on the entire prepaid world and facilitates the development of cross-industry guidelines and codes of practice. In all of its activities PIF aims to:
Provide an informed and unified voice for the cross-industry prepaid sector to speak to national and international government bodies, regulators, consumer bodies and the media;
Act as a catalyst for the creation of industry guidelines and codes of practice, and
Provide research and thought-leadership to participants in the prepaid economy
www.prepaidforum.org
About Neopay Neopay is the market leader in delivering integrated compliance solutions to Electronic Money and Payment Institutions. Neopay provide a full suite of regulatory compliance services; working with organisations to develop their compliance frameworks, ensuring successful authorisation processes, and providing maintenance of compliance structures. Our approach is different. Your compliance framework needs to stem from your business, your operations and your priorities and risks. We partner with you, sharing our knowledge and expertise, to help you to develop comfortable solutions that offer best practice to your business. www.neopay.co.uk
P a g e | 28
TERMS OF USE The information in this whitepaper is intended to furnish users with general information on the Simplified Due Diligence in the Prepaid Market. While every effort has been made to offer current and accurate information, errors can occur. PIF disclaims all liability and responsibility for any errors or omissions in the content contained in this whitepaper. The information presented in this whitepaper should not be construed as legal, regulatory or any other professional advice or service. You should consult with a specialist consultant or other professional advisor familiar with your particular situation for advice concerning specific regulatory or other matters before making any decision. COPYRIGHT NOTICE All material in this whitepaper is Copyright © 2012 Prepaid International Forum Limited (PIF). All rights reserved. No part of the materials in this whitepaper, including the text and graphics, may be reproduced or transmitted in any form, or by any means without PIF's written permission.
