Expansion of duties to cover e-money
Definition of 'e-money' and scope of application of anti-money laundering provisions
Development of legislative process
Impact of new law
The latest revisions of the Anti-money Laundering Act have extended the scope of anti-money laundering duties to cover issuers of electronic money ('e-money') and e-money agents, as well as entities or persons distributing or redeeming e-money. The amendments restrict pre-paid card-based transactions and thus may have severe effects on the pre-paid market.
Public use and the variety of pre-paid cards have increased in recent years. Unlike other pre-paid card markets, such as the United States or the United Kingdom, until recently Germany did not make full use of pre-paid services outside the telecommunications market. In addition to pre-paid phone cards, the most commonly used pre-paid cards can be bought at different points of sale – for example, gift cards for furniture stores, home depots or department stores can be bought in supermarkets, at kiosks or at gas stations. Such gift cards can be used only in the issuer's premises.
Other pre-paid cards are accepted by a large number of entities, stores and online shops. Some pre-paid cards are even accepted outside corporate boundaries, similar to a credit card. Furthermore, some e-money systems used in e-commerce operate using a code or pin number rather than a card.
Recent national and international studies and risk analyses of the German Financial Intelligence Unit (FIU), the criminal and regulatory authorities, the Financial Action Task Force (FATF) and the Wolfsberg Group have revealed that e-money business is highly susceptible to being misused for money laundering. In particular, the following situations bear high risks of money laundering:
- anonymous issuance of e-money for cash;
- distribution of e-money via small e-money agents and points of sale as these generally do not implement proper anti-money laundering measures and are not integrated into the e-money issuer's anti-money laundering systems;
- trading of e-money on secondary markets, in particular to unknown third parties; and
- pooling of e-money issued by different e-money issuers and distributed via different distribution channels.
In light of these findings, as well as the FATF Evaluation Report on Germany of February 2010 which identified a number of deficits, the German legislature has now implemented a stronger anti-money laundering regime for e-money. First and foremost, identification requirements have been introduced as a major prevention measure against anonymous e-money-related businesses.
Pre-paid cards generally store e-money. The Anti-money Laundering Act and the anti-money laundering provisions in the Banking Act refer to the general definition of 'e-money' in Section 1a (3) of the Payment Services Act, which is in line with the definition in the second EU E-Money Directive (2009/110/EC). According to Section 1a(3), 'e-money' is defined as electronically, including magnetically, stored monetary value as represented by a claim on the issuer which is issued on receipt of funds for the purpose of making payment transactions, and which is accepted by a natural or legal person other than the e-money issuer.
E-money is issued by either e-money institutes, which are subject to licensing and other regulatory requirements under the Payment Services Act, or deposit institutions (savings banks) to which the Banking Act applies. The distribution of e-money takes place via:
- e-money agents for e-money issued by e-money institutions; and
- branches of deposit institutions or persons or entities distributing or redeeming e-money (points of sale) for e-money issued by deposit institutions.
Monetary values stored on devices which are accepted only within the business premises of the issuer, upon a business agreement with the issuer, within a limited network of undertakings or for a limited range of products are deemed not to be e-money. The same applies to monetary values which can be used only for payment transactions executed with a telecommunications, digital or IT device regarding services or goods used exclusively with such devices.
Thus, e-money issuers and agents (including sales agents) are obliged to comply with anti-money laundering provisions only in tri-party e-money relationships (ie, the issuer and the obligor of the e-money must be different persons or entities). This means that pre-paid cards such as gift cards, which are accepted only by the issuer, do not fall within the scope of application of the anti-money laundering provisions. In addition, pre-paid cards which are used for online services (eg, downloading ringtones to mobile phones or downloading games or songs to a computer) are not e-money products, and thus the anti-money laundering provisions are not applicable.
The April 2011 revision of the Anti-money Laundering Act made e-money institutions and agents subject to the act, particularly its customer due diligence measures. The latest revision of the anti-money laundering provisions, made by the Act to Optimise Anti-money Laundering Prevention in December 2011, extended the scope of application of the Anti-money Laundering Act to persons or entities distributing or redeeming e-money – for example, points of sale which recharge pre-paid cards or distribute coupons, chips or vouchers for cash which can be used to recharge e-money instruments. These amendments were designed to mitigate the risks of money laundering associated with the distribution and trading of e-money.
Further, detailed provisions on the prevention of money laundering with regard to e-money institutions and deposit institutions issuing e-money (e-money issuers) have been introduced into the Banking Act (Section 25i).
Although the initial draft of the Act to Optimise Anti-money Laundering Prevention provided a €100 threshold for e-money institutions, it laid down that the extension to e-money agents and points of sale shall apply notwithstanding the amount of e-money at issue. With this, the legislature intended to prevent any anonymous ways of buying, dealing with or using e-money. Hence, when purchasing a payment card with an amount of €0.01, the distributor would have to conduct due diligence measures to identify the customer, verify his or her identity and record the personal data. Otherwise, the legislature feared that thresholds could be avoided by smurfing.
The extension of anti-money laundering duties to e-money agents and points of sale without setting down a threshold has been criticised by the industry during the legislative process. Since e-money cards in Germany are often sold in supermarkets, small stores, gas stations, bakeries and kiosks, the industry feared that these entities would be subjected to overly heavy due diligence measures. Furthermore, data protection concerns have been raised as the records must be kept for at least five years. In reaction to this criticism, the legislature finally agreed to introduce a general €100 threshold.
General due diligence obligations
As a general due diligence measure, the Anti-money Laundering Act requires that the legal entity:
- identify the customer and verify his or her identity;
- obtain information on the purpose and intended nature of the business relationship;
- clarify whether the contracting party acts for a beneficial owner and, when applicable, identify the beneficial owner and verify the data on a risk-based approach; and
- conduct ongoing monitoring of the business relationship and ensure that the documents, data or information held are kept up to date.
However, Section 3(2)3 of the Anti-money Laundering Act and Section 25i(1) of the Banking Act modify these obligations for the issuance, distribution and redemption of e-money. For e-money institutions, Section 22(2) of the Payment Services Act refers to Section 25i of the Banking Act and is therefore applicable. E-money issuers, agents and persons distributing or redeeming e-money must always identify their customers and continuously monitor the business relationship. Furthermore, the data collected must be recorded in accordance with Section 8 of the Anti-money Laundering Act.
As is the case for other subjects of anti-money laundering obligations, the identification of the customer requires:
- in the case of natural persons, the name, address, birth date and place and nationality of the person, and verification of this information with an identification card or a passport; or
- in the case of legal entities, data on the name of the company, the form of organisation, the registration number (if applicable), the address of the registered office or headquarter and the names of the members of the legal entity's representative body or statutory representative.
However, e-money issuers, agents and points of sale are exempt from the identification requirement if the value stored to the pre-paid card does not exceed €100 a month and, in case of a rechargeable card, the amount cannot exceed €100 a month and the e-money cannot be combined technically with e-money from another issuer. Furthermore, when e-money is redeemed for cash, customer due diligence measures must be applied if the amount exceeds €20. This exemption and its application to all persons involved in the issuing, distribution and redemption of e-money is the result of the protests described above.
However, there is an exception to the exception if the e-money owner acquires an amount of more than €100 a month with several transactions which obviously belong together ('smurfing'). In the case of such artificial splitting, the customer due diligence measures apply (Section 25i(2)2 of the Banking Act).
Section 25i(5) of the Banking Act and Section 3(2)4 of the Anti-money Laundering Act provide that simplified due diligence measures can be applied if:
- requested by the legally bound person; and
- there is a low risk of money laundering, terrorist financing or other criminal acts associated with the specific e-money business.
However, even the simplified due diligence obligations require identification of the customer and the ongoing monitoring of the business relationship. Only the means by which the identity is verified and the monitoring is conducted can be adapted to the specific (low) risk. Upon request, the Federal Agency for Financial Market Supervision (BaFin) can exempt a legally bound person from the identification requirement and the obligation to keep an e-money owner file (see below) if this does not impede the prevention of money laundering.
Ongoing monitoring of business relationship
Further to the identification measures, e-money issuers, agents and points of sale must continuously monitor the business relationship. The law gives no detailed instructions as to how the monitoring must take place. Useful measures are likely to be the electronic recording of all e-money transactions in a file (see below) and the examination of records for inconsistencies and unusual transactions with the aid of suitable software.
Record-keeping duties and exchange of information
The data collected for customer due diligence purposes must be recorded and records must be kept for at least five years, counted from the end of each calendar year (Section 8 of the Anti-money Laundering Act).
Obligation to keep e-money owner file
Section 25i(3) of the Banking Act obliges an e-money issuer to keep a file which records:
- each owner of e-money;
- the amounts of e-money issued to it and redeemed, including the time and point of issuance; and
- repayment information.
The file shall implement a shadow account system for e-money businesses and transactions. The e-money issuer is exempt from keeping such files only if it can technically ensure that the customer cannot charge more than €100 a month to the card (eg, by blocking the system).
This obligation does not apply to e-money agents or persons distributing or repaying e-money. However, such parties may wish to keep a file recording all e-money transactions to comply with their obligation to monitor the business relationship.
Obligation to file suspicious transaction reports
As they are subject to anti-money laundering obligations, e-money issuers, agents and points of sale must file suspicious transaction reports to the respective criminal authority and the FIU. A report must be filed when there are facts which indicate that money derives from money laundering. Accordingly, the suspicion need not be strong to trigger reporting duties. The legally bound person or entity must not tip off the customer or ultimate beneficiary of a suspicious transaction report (Section 12(1) of the Anti-money Laundering Act).
When a suspicious transaction has been reported, the legally bound person is allowed to execute the transaction if the FIU or the prosecutor does not prohibit the transaction within two business days (Section 11(1a) of the Anti-money Laundering Act). If delaying the transaction was impossible, Section 11(1a)2 provides for an exemption that an obligor under the Anti-money Laundering Act may execute business notwithstanding a suspicion.
Internal procedures and measures
In order to monitor the risks of money laundering and prevent them, all legally bound persons and entities must establish respective internal procedures and measures. These generally comprise:
- the appointment of a money laundering officer and a deputy;
- the development and application of internal principles to prevent money laundering and terrorist financing and adequate control systems;
- the training of employees and implementation of adequate measures to control the trustworthiness of their employees ('know your employee' measures).
These obligations also apply to e-money issuers, agents and points of sale.
In order to ease the administrative burden of appointing a money laundering officer, Section 9(4)1 of the Anti-money Laundering Act provides that e-money agents and persons distributing or repaying e-money must appoint a money laundering officer only if BaFin so orders; such order is issued if appropriate to the money laundering risks of the particular business. However, e-money issuers must always appoint a money laundering officer (Section 25c(4) of the Banking Act and Section 22(2) of the Payment Services Act).
In addition to its general powers, BaFin has specific supervisory and audit competences relating to e-money business. In particular, BaFin has the right to examine the technical measures implemented to mitigate money laundering risks in relation with e-money.
In case of increased money laundering risks, BaFin has the authority to impose further risk-reducing measures or even prohibit further e-money business. Section 25i(4) of the Banking Act lists the combination of e-money from different e-money owners or different e-money issuers as one example of high-risk activity. Intentional or negligent non-compliance with a BaFin order constitutes an administrative offence under Section 56(3) No 7e of the Banking Act and is subject to a fine of up to €150,000.
With the introduction of the €100 threshold, the legislature eased some concerns regarding unnecessary data recording duties and data protection. However, it is still unclear how the anti-money laundering duties shall be applied in daily practice.
According to the Pre-paid Forum Deutschland, 50,000 kiosks, gas stations and similar small points of sale distribute e-money in Germany. These are mostly small, even family-run businesses with limited personal and administrative resources. Since the legislature provided no exemption for mass retail business, but introduced only the €100 threshold, the general difficulties in handling the due diligence obligations may continue.
Moreover, it remains unclear how an e-money agent or a mere point of sale should monitor the storage of e-money on a card if it keeps no records. While the keeping of e-money owner files is mandatory for e-money issuers, it is not required of e-money agents and points of sale. Hence, it will be hard for these to identify smurfing, as it will be for e-money issuers, notwithstanding the file keeping duty. For example, if a payment card is issued with €20 and recharged five times with €20 within one month, the issuer of the payment card would have to apply customer due diligence measures when the customer recharges the card for the fifth time, thereby exceeding €100 a month. Since the payment card might be recharged at a machine, the e-money issuer would be unable to identify the customer at the time of the fifth recharging. The same applies for e-money agents and points of sale if the recharging takes place at a different point of sale. Therefore, in light of these issues, the exemption for transactions below the €100 threshold might not be of any practical help.
The impact of the extension of the Anti-money Laundering Act to e-money issuers, agents and other persons or entities distributing or redeeming e-money is not yet foreseeable. One of the arguments made in favour of a threshold was that according to the FIU's 2010 report, only 1% of suspicious transaction reports are related to e-money products. However, this low number does not mean that e-money-related products and activities bear a low risk of being used for money laundering. On the contrary, due to the possibility of using anonymous payment devices, e-money products are highly susceptible to money laundering. The low number of suspicious transaction reports merely shows the lack of awareness of money laundering risks in the e-money industry. Therefore, the extension of anti-money laundering duties to e-money issuers, agents and persons or entities distributing or redeeming e-money is a first step in the right direction.
With the new measures and duties in place, it now remains to be seen how the concerned entities and persons will deal with their new obligations.
For further information on this topic please contact Joachim Kaetzler or Sabrina Salewski at CMS Hasche Sigle by telephone (+49 69 71701 132), fax (+49 69 71701 40433) or email (firstname.lastname@example.org or email@example.com).
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.