Dariusz Gradzi Fintech/Regtech. The risk of money laundering and terrorist financing resulting from new technologies in the area of electronic payments In the first quarter of 2019, over 1.2 billion debit card transactions and over 100 million credit card transactions were recorded 1 . In the second quarter of 2019, the total number of non-cash transactions amounted to 1.43 billion, and their value nearly PLN 93 billion 2 . Research shows that the most popular payment instruments are payment card, bank account with online account access and PayPal account 3 . In the era of continuous and irreversible digitization of the financial sector, it is particularly vulnerable to the risks associated with criminal activities, including terrorist activities. For this reason, legislative work has been carried out for many years, resulting in new regulations in this area. They are intended to respond to identified threats. In practice, however, it is different, because the length of the legislative process means that as soon as the implemented legal acts are in force, they are not adapted to reality. Anti-money laundering (AML) and terrorist financing (TF) in financial institutions are regulated by the Fourth Anti-Money Laundering Directive (AMLD4). 4 It integrates the AML/CTF (counter terrorist financing) system with the international money laundering (ML) and terrorist financing standards adopted by the Financial Action Task Force (FATF). 5 According to these standards, AMLD4 adopts as a rule 1 Information on payment cards. I quarter 2019, nbp.pl/systemplatniczy/karty/q_ 01_2019.pdf, p. 6, 15 access: 4 XII 2019. 2 Information on payment cards. II quarter 2019, nbp.pl/systemplatniczy/ karty/q_02_2019.pdf p. 16, 17 access: 4 XII 2019. 3 See Report. Patnoci cyfrowe 2019, eizba.pl/wp-content/uploads/2019/11/ PLATNOSCI_CYFROWE_2019.pdf?fbclid=IwAR1ol9GL6K85vybNy5iwjoctd4k7YPFuT1rki_ OpLjTwSqw1DFpGNkBoXBk access: 2 XII 2019. 4 Directive (EU) 2015/849 of the European Parliament and of the Council of 25 May 2015 on the prevention of the use of the financial system for money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council and repealing Directive of the European Parliament and of the Council 2005/60/EC and Commission Directive 2006/70/EC (Official Journal, EU L 141 of 5 June 2015, p. 73). 5 Also known as Groupe daction financiere (GAFI) International Special Group on the Prevention of Money Laundering founded in 1989. The purpose of its activity is to develop practicesDariusz Gradzi 214 Fintech/Regtech. The risk of money laundering and terrorist financing. a risk-based approach. It assumes that ML/TF risk varies from country to country. Therefore, countries and their competent authorities (CA) and participants in legal transactions must identify risk and manage it on the basis of AMLD4 standards, i.e. take appropriate and adequate legal measures. On May 30, 2018, the Fifth AML Directive (AMLD5) was adopted, with the date of implementation by the Member States of the EU until January 10, 2020. 6 The European Money Laundering and Terrorist Financing Risk Assessment 7 identifies several dozen products and services potentially exposed to ML/TF risk, including: private banking, crowdfunding 8 platforms, virtual currencies, property values with cash-like properties: gold, diamonds. Pursuant to ML/TF regulations, specific legal obligations have not been imposed on every entity. AML/CTF legislation only applies to obligated institutions which, on the basis of the Polish Anti-Money Laundering Act, 9 include among others (relevant to the subject matter of this study): domestic banks, branches of foreign banks, branches of credit institutions, financial institutions based in the territory of the Republic of Poland; cooperative savings and credit unions and the National Cooperative Savings and Credit Union; national payment institutions, national electronic money institutions, branches of the EU payment institutions, branches of the EU and foreign electronic money institutions, small payment institutions, payment service offices and billing agents; investment companies, custodian banks; foreign legal entities conducting brokerage activities on the territory of the Republic of Poland; companies operating a regulated market; investment funds, alternative investment companies, investment fund companies, managers of alternative investment companies; insurance companies; The National Depository for Securities; to combat money laundering. The organization publishes recommendations on this topic, fatf-gafi/about/ access: 2 XII 2019. 6 Directive (EU) 2018/843 of the EP and Council of 30 May 2018 amending Directive (EU) 2015/849 on preventing the use of the financial system for the washing or financing of terrorism and amending Directives 2009/138/EC and 2013/36/EU (Official Journal of the EU L 156 of 19 June 2018, p. 43). 7 Report from the Commission to the European Parliament and the Council on the assessment of the risk of money laundering and terrorist financing affecting the internal market and relating to cross-border activities, ec.europa.eu/info/sites/info/files/supranational_risk_assessment_of_ the_money_laundering_and_terrorist_financing_risks_affecting_the_union.pdf access: 4 XII 2019 8 The crowdfunding mechanism assumes that the project promoter will pay people who contribute money to the project in a pre-determined form (editors note). 9 Act of 1 March 2018 on Counteracting Money Laundering and the Financing of Terrorism (Journal of Laws of 2019, item 1115, as amendedDariusz Gradzi Fintech/Regtech. The risk of money laundering and terrorist financing. 215 entrepreneurs engaged in currency exchange; entities conducting economic activity consisting in the provision of services in the field of: exchange of virtual currencies for means of payment, exchanges between virtual currencies, brokering the exchange referred to above, keeping accounts; entrepreneurs who are not other obligated institutions, providing services consisting in: the creation of a legal person or organizational unit without legal personality, performing the function of a member of the management board or enabling another person to perform this function, or a similar one, in a legal person or an organizational unit without legal personality, providing a registered office, business address or correspondence address and other related services to a legal person or an organizational unit without legal personality, acting or enabling another person to act as a trustee of a trust which was established by legal action, acting or enabling another person to act as exercising rights from shares for the benefit of an entity other than a company listed on a regulated market that is subject to disclosure requirements in accordance with the EU law or equivalent international standards; foundations, to the extent that they accept or make payments in cash of a value equal to or exceeding the equivalent of EUR 10,000; associations with legal personality to the extent that they accept or make payments in cash with a value equal to or exceeding the equivalent of EUR 10,000; entrepreneurs to the extent that they accept or make payments for goods in cash with a value equal to or exceeding the equivalent of EUR 10,000; loan institutions. General risks related to the financial services sector The joint opinion of the European Supervisory Authorities 10 on the risk of money laundering and terrorist financing affecting the financial sector of the European Union divides the risk into: common for all sectors of financial services and relevant (specific) 10 European Supervisory Authorities (ESA) consists of: European Securities knf.gov.pl/en/ MARKET/Fintech/Regulatory_Sandbox access: 2 XII 2019. 19 See report UK FinTech. State of the Nation, assets.publishing.service.gov.uk/government/ uploads/system/uploads/attachment_data/file/801277/UK-fintech-state-of-the-nation.pdf access: 2 XII 2019. 20 The EU agency regulating and supervising banking across all EU countries. The EBA was established on 1 January 2011 on the basis of Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 on the establishment of the European Supervisory Authority (European Banking Authority), amendment of Decision No. 716/2009 / EC and repealing Commission Decision 2009/78 / EC (Official Journal of the EU L 331 of 15 XII 2010, p. 12). 21 consilium.europa.eu/en/policies/relocation-london-agencies-brexit/ access: 2 XII 2019. 22 Joint Opinion of the European Supervisory Authorities, p. 10 access: 2 XII 2019. 23 AMLD4 provides for certain minimum common standards, and EU Member States have the option of raising those standards when transposing AMLD. 24 Compliance is understood as ensuring compliance of the entitys activities with legal provisions and their monitoring, rewi.europa-uni.de/pl/lehrstuhl/pr/poloerecht/projekte/Compliance/ index.html access: 2 XII 2019Dariusz Gradzi 218 Fintech/Regtech. The risk of money laundering and terrorist financing. In the event of the UKs withdrawal from the EU without a ratified agreement or in the absence of agreement between the UK and the EU supervisory authorities, equivalent to such an agreement, the EU supervisory authorities will be able to exchange information on ML/TF countermeasures to a limited extent. If Brexit is based on a contract, the exchange of information (which is sensitive for electronic payments, as they often have cross-border elements) will depend on the conditions adopted. In this case, the so-called Memorandum of Understanding (MoU) 25 between European Supervisory Authorities and the Financial Conduct Authority (FCA). 26 Risk related to the development of new technologies 27 This type of risk is associated with the new areas of FinTech and RegTech. 28 Examples of fintech solutions are secure mobile applications 29 for banks and online services (loans) or online factoring, in which the entire procedure and assessment of the customers credit (payment) ability is carried out electronically and remotely, and entities offering these services use, among other things, databases of economic information offices, social networking sites such as Facebook, LinkedIn or Instagram. The most important fintech entities that have their headquarters in Poland are: PayU, Blue Media, Polish Payment Standard Polish Payment Standard (BLIK), Currency One, Finanteq, V oicePIN, ZenCard. Examples of foreign fintech entities are Revolut 30 and N26. 31 Examples of fintech solutions in the payment segment are the BLIK payment system 32 and payment systems on mobile devices: 33 Google Pay, Apple Pay, Samsung Pay, as well as contactless payments, unrelated or related to the above systems. 25 The memorandum sets out the rules for the future and wishes to accept specific obligations, pressto.amu.edu.pl/index.php/cl/article/viewFile/6437/6458 access: 2 XII 2019. 26 Equivalent to the Polish Financial Supervision Authority in Great Britain, fca.uk access: 2 XII 2019. 27 Joint Opinion of the European Supervisory Authorities, p. 12 access: 2 XII 2019. 28 RegTech is the use of new technologies to support regulatory processes and their application definition developed by Institute of International Finance, see Regtech access: 2 XII 2019. See also Financial Stability Implications from FinTech, p. 34 access: 2 XII 2019. In addition to FinTech and RegTech, there is a third term InsureTech refers to the use of modern technologies in solutions that result in increasing the functionality of the insurance sector. 29 Payment applications for integration with mobile devices (e.g. telephone, iPad). 30 access: 2 XII 2019. 31 access: 2 XII 2019. 32 blikmobile.pl access: 2 XII 2019. 33 These are payments made using a mobile device equipped with an operating system, with a multimedia interface using radio technology, wireless telecommunications networks (GSM, GPRS, UMTS, Wi-Fi, NFC, RFiD, Bluetooth), ecb.europa.eu/paym/cons/pdf/131120/ recommendationsforthesecurityofmobilepaymentsdraftpc201311en.pdf access: 4 X 2017Dariusz Gradzi Fintech/Regtech. The risk of money laundering and terrorist financing. 219 RegTech tools enable entities to collect and analyze data faster, more cheaply and more easily. 34 This is particularly important from the AML/TF point of view (increasing the transparency of financial operations). An example might be the automatic verification of the list of politically exposed persons, (PEP), i.e. according to AMLD4, among others: presidents, prime ministers, deputies, ministers and their families. One of the RegTechs solutions is a dedicated application programming interface (API) 35 designed for a specific financial institution. This action results from meeting the needs of a given institution or providing its economic data from many sources and integrating them so that this financial institution, e.g. a bank, receives all the required information in one system. 36 The development of technology opens new opportunities for FinTech and RegTech providers but carries the risks associated with ML/TF. Based on the already mentioned joint opinion of the European Supervisory Authorities, the following risks arising from the use of FinTech can be identified: 37 providing services in the form of unregulated financial products that do not fall within the scope of the AML/CTF legislation, the quality of information collected during the customer due diligence process (CDD), misunderstanding of FinTech suppliers regarding AML/CTF requirements and other regulations, compliance culture 38 differences between supervised entities, the emergence of new technologies at the stage of remote establishing relationships with customers (so-called onboarding), without maintaining security measures in the field of combating cybercrime and identity theft, over-reliance by financial institutions (e.g. banks) on outsourcing 39 to fintechs, without paying due attention to their control mechanisms (a common phenomenon in Poland). When introducing new assistive technologies for RegTech, there may be risks associated with 40 uncritical reliance of companies on technological solutions that can lead to limiting peoples involvement in transaction monitoring; 34 sektora-finansowego-i-panstwa/ access: 2 XII 2019; co-to-jest-regtech-i-jak-ma-si-do-fintech-f27bab5a3a55 access: 2 XII 2019. 35 Application programming interface; set of rules on how computer programs communicate with each other. 36 For example, Transparent Data system, transparentdata.pl access: 2 XII 2019. 37 Joint Opinion of the European Supervisory Authorities, p. 12 access: 2 XII 2019. 38 Ensuring compliance with legal regulations, standards or recommendations (editors note). 39 Abbreviation of English