ARTICLE
9 August 2024

EBA Sets Out Its Findings And Supervisory Expectations On Virtual IBANs

PL
PwC Legal Germany

Contributor

PwC Legal Germany logo
In today’s rapidly evolving marketplace, our clients are increasingly concerned with business collaborations, restructuring, mergers and acquisitions, financing and questions of social responsibility. They need legal security when dealing with such complex issues. That is why we work closely with PwC’s tax, human resources and finance experts and draw on the resources of our legal network in more than 100 countries to deliver comprehensive advice. Whether a global player, a public body or a wealthy individual, each client can rely on a personal account manager to address his or her specific legal needs. This dedication helps us ensure our client’s long-term business success. PwC Legal. More than 220 lawyers at 18 locations. Integrated legal advice for the real world.
Explore
On 24 May 2024 the European Banking Authority (EBA) released an inaugural Report on the issuance of virtual International Bank Account Numbers (VIBANs).
European Union Finance and Banking
Photo of Michael Huertas
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

RegCORE – Client Alert | EU Digital Single Market

QuickTake

On 24 May 2024 the European Banking Authority (EBA) released an inaugural Report1 on the issuance of virtual International Bank Account Numbers (VIBANs). The Report follows on from a detailed fact-finding exercise completed during 2023 and 2024.

The Report notes that due to the (current) lack of a standardised definition at EU law, VIBANs are provided in various methods and for different reasons. Additionally, national competent authorities (NCAs) differ in their interpretation and implementation of legal requirements. The Report also highlights concerns regarding money laundering and terrorist funding (AML/CTF), as well as difficulties related to consumer and depositor protection, authorisation and passporting as well as regulatory arbitrage risks. With these statements the EBA appeals to the EU's co-legislators to facilitate legislative clarity and equally for NCAs to adopt measures in the Report to delivery regulatory and supervisory certainty.

As explored in this Client Alert, the Report outlines the features of VIBANs, describes different scenarios seen by the EBA in the market, evaluates the perceived advantages as identified by market participants, and highlights the problems and issues related with this practice. The latter refers to discrepancies among NCAs in their interpretation and implementation of current EU financial services legislation for VIBANs, including the Anti Money Laundering Directive, the Payment Services Directive, the Capital Requirements Directive, and the SEPA Regulation. This is primarily because there is no universally applicable definition that considers the various use cases that exist. Currently, the exact number of VIBANs issued in EU Member States is unknown. This lack of information may hinder NCAs from properly overseeing and evaluating the effectiveness of firms' internal controls in managing the risks associated with VIBANs, especially in AML/CTF efforts. Some of these were explored in the EBA's earlier Opinion on AML/CTF risks2 affecting the EU's financial sector (which has led to reforms to the EU's AML/CTF framework in the form of the AMLR – see below).

These issues and differences, especially in the absence of VIBANs not being subject to a harmonised approach in the EU's Single Rulebook weaken the EU's Single Market and lead to regulatory arbitrage.3 As a result, the Report contains (selected) suggestions on how to clarify EU law and proposes steps that NCAs could implement to resolve these concerns. While the issues raised by the EBA in its inaugural VIBAN Report focus on the state of play in the EU, there are lessons to be learned for banks as well as payment service providers (PSPs) as well as account holders and their VIBAN use further afield.

What is a VIBAN anyway?

The EU's new Regulation on the prevention on the use of the financial system for AML/CTF (the AMLR – see separate coverage from PwC Legal's EU RegCORE on that development) includes a definition of VIBANs for the purposes of the EU's now new enhanced AML/CTF legislative and regulatory framework. That definition states a VIBAN is "an identifier causing payment to be redirected to a payment account identified by an IBAN different from that identifier."

While the Report states (our comments in square brackets): "there is current no legal definition of VIBANs at EU level [this is true], and no uniform understanding across NCAs and the industry of VIBANs [also both true] are" a VIBAN is typically linked to a master IBAN, which is a real bank or PSP account that holds the funds received by the VIBANs. The master IBAN can belong (i) to the bank or the PSP that issues the VIBANs, or (ii) to a third-party intermediary that facilitates the payment processing. The VIBANs are usually generated and assigned by an algorithm or a software system and can have different formats and lengths depending on the country and the provider.

The Report sets out six use cases (not spelled out in this Client Alert) the EBA had identified through which PSPs or other entities that partner with PSPs offer VIBANs to their customers the main benefits of using a VIBAN are:

  • It simplifies and streamlines the payment reconciliation process, as each VIBAN can be associated with a specific customer, invoice, currency, or purpose and the payment details can be automatically matched and updated in the accounting system.
  • It reduces the operational costs and risks of managing multiple physical bank accounts, as the VIBANs can be created and closed on demand, without the need for opening, maintaining, or closing real bank or PSP operated accounts.
  • It enhances the customer experience and satisfaction, as the VIBANs can offer faster, cheaper, and more transparent cross-border payments (including with a country code outside the jurisdiction of their habitual residence) and can also enable customers to receive payments in their preferred currency or from their preferred payment method. VIBANs are also a means of reducing or at least circumventing IBAN discrimination.
  • It improves the compliance and security of the payment transactions, as the VIBANs can comply with the regulatory standards and requirements of different jurisdictions, and can also prevent fraud, errors, or misrouting of payments by validating the sender and the recipient information.

Some examples of use cases for VIBANs are:

  • E-commerce platforms or marketplaces that need to collect and distribute payments from and to multiple sellers and buyers across different countries and currencies, and that want to offer a seamless and customised payment experience for their customers.
  • FinTech companies or PSPs that want to offer innovative and flexible payment solutions for their clients, such as multi-currency accounts, digital wallets, or payment cards and that want to leverage the existing banking/PSP infrastructure and network without having to open physical bank accounts in each country – thus free of national border constraints but not necessarily free of what then becomes potential VIBAN discrimination.
  • Businesses or individuals that need to receive or send frequent or large payments from or to different countries or currencies and that want to avoid the high fees, delays, or errors that can occur with traditional bank transfers or intermediaries.

Key takeaways from the EBA's VIBAN Report

The EBA's Report identified the following 10 key risks and challenges linked to VIBAN's arising for (i) financial institutions, (ii) NCAs and (iii) users of VIBANs these include risks from:

  1. VIBANs being used by non-EU financial institutions or by EU non-PSPs to provide payment services without the required authorisation in EU;
  2. an unlevel playing field and thus regulatory arbitrage stemming from divergent interpretations across NCAs of what VIBANs are from a regulated activity perspective for activity in and outside of EU;
  3. divergent interpretations across NCAs about the way in which the SEPA Regulation and the ISO IBAN technical standards apply to VIBANs;
  4. conflicting categorisation and reporting of payment transactions by PSPs under the EU's second Payment Services Directive (PSD2), itself subject to review,4 where the VIBANs and the IBAN of the master account have different country codes. This may also provide reporting issues under newest efforts on CESOP;5
  5. issuers for end users of VIBANs, where they are not the master account holders, and associated unlevel playing field and regulatory arbitrage issues stemming from divergent interpretation across NCAs about the qualification of the relevant payment services in such cases;
  6. fragmented application of the service ensuring verification of the payee introduced by Regulation (EU) 2024/886 on instant credit transfers in euro (the 'Instant Payments Regulation'), where the payee using a VIBAN is not the master account holder;
  7. differing interpretations on the applicable AML/CTF regulatory framework in case of cross-border provision of VIBANs, leading to risks of AML/CTF supervisory gaps, lack of clarity about the reporting of suspicious transactions to the financial intelligence unit (FIU) and challenges associated with the tracing of suspicious transactions involving VIBANs by FIUs and law enforcement;
  8. a lack of visibility for NCAs on the scale of VIBAN offerings in their jurisdiction, leading to risks that the adequacy of PSPs' internal controls framework, including from an AML/CTF perspective, may not be adequately assessed/supervised by NCAs;
  9. consumers using VIBANs and for consumers making a payment to a VIBAN, stemming from lack of transparency; and
  10. users of VIBANs stemming from inappropriate disclosure about which Deposit Guarantee Scheme (DGS) of which EU Member State protects their deposits and risks arising to DGSs.

The Report's Annex 1 sets out AML/CTF a (non-exhaustive) list of risk indicators associated with VIBANs. These include higher and lower risk indicators. The higher risk exposure indicators are, in the EBA's views existent where there is:

  • a lack of a contractual relationship between the PSP servicing the master account and issuing the VIBANs and the end users of VIBANs exists, as this means that the identity or location of the end user may not always be known to the PSP servicing the master account;
  • absence of transparency of end users transactions;
  • no limitations applied by a PSP on the number of VIBANs that may be held by one end user;
  • a holder of a master account or, if different, an end user of a VIBAN is based in a high risk non-EU country or a country where the AML/CTF rules are less stringent than those set out in the AMLD (soon to be AMLR);
  • issuing documents that associate the VIBAN with names of third parties other than the verified account holder of the master account or any feature that causes confusion about the identity of the account holder; and/or
  • an ability for customers to have capacity to create, delete or deactivate VIBANs without the involvement of the PSP issuing the VIBAN and applying limited monitoring of the real use of these VIBANs (with direct access through an application program interface for example).

By contrast, the following indicators are identified by the EBA as indicating a lower level of AML/CTF risk namely where:

  • a PSP servicing the master account has a direct business relationship with the end user of the VIBAN who is identified and verified;
  • the PSP servicing the master account and issuing the VIBANs is different from the PSP offering the VIBANs to the end users and:
    • the PSP servicing the master account obtains due diligence on the end users of VIBANs; and
    • the PSP servicing the master account and the PSP offering the VIBANs to the end users are based in the same EU Member State;
  • the end users and the master account are based in the EU;
  • a person (preferably a PSP) offering VIBANs to the end users is an obliged entity under the AMLD/AMLR and has effective AML/CTF systems and controls in place;
  • a PSP has imposed limitations on the type of payments that can be processed via the VIBAN (e.g. to top up e-money account); and/or
  • a PSP servicing the master account restricts the provision of VIBANs to PSPs which are authorised agents only.

Considerations for financial services firms and calls upon the co-legislators

EBA uses the Report and the Annex thereto to offer targeted suggestions about the actions that could be taken by financial institutions (in particular PSPs) the EU's co-legislators and NCAs to mitigate the risks identified in the Report. While non-binding they do communicate supervisory expectations (which the NCAs are thus required to follow) and include (other than items stemming from the above):

A. The bank or PSP providing a master account and issuing the VIBAN to request sufficient information from the person offering the VIBANs to end users to ensure that it has a good understanding of:

  1. the robustness of AML/CTF systems and controls of the PSP offering the VIBANs to the end users, for example through questionnaires or through on-site visits, on a risk-sensitive basis;
  2. the type of services provided by the PSP offering the VIBANs to the end users, to be satisfied that the offering of VIBANs is a reasonable service for this type of PSP;
  3. the nature of the customer base of the PSP offering VIBANs, so that the PSP is able to monitor transactions in a meaningful way. In exceptional, high AML/CTF risk cases, or where AML/CTF suspicions arise, this may involve the verification of an end user's CDD information.

B. Relatedly, the EBA notes that the above risks may be mitigated by provisions in Article 18(2a) the AMLR, which provides that credit and financial institutions servicing the master account should ensure that they can obtain information on end users of VIBANs, even where VIBANs are issued by another credit or financial institution. The legislation requires that 'this information should be obtained without delay and in any case within no more than five working days';

C. Require the PSP providing the master account and issuing the VIBANs to satisfy itself that the PSP offering the VIBANs to its own customers (the end users) will provide it with information identifying and verifying the end users of the VIBANs upon request;

D. PSPs being (more) responsible for identifying risks associated with their business, including various products and services provided by them, and for putting in place appropriate controls to mitigate these risks. When assessing the effectiveness of the PSPs' controls, NCAs may consider whether the PSPs draw on multiple risk factors when monitoring transactions to ensure that the transaction monitoring system flags apparent discrepancies for further investigation;

E. That NCAs should assess on a case-by-case basis the extent to which institutions within their supervisory remit enter into a correspondent relationship with other PSPs in the VIBANs context and communicate their regulatory expectations to the sector accordingly;

F. Furthermore, to address the challenges mentioned above about the lack of transparency of the ultimate originator/beneficiary of a payment, it may be necessary to require that PSPs, under the SEPA schemes, include in the payment message remittance information about the end user on whose behalf a payment is made or received. Accordingly, EBA notes that, while the revision to the ISO 20022 standard presents the ability to share information on the 'ultimate' parties in financial transactions – ordering customer (referred to as 'ultimate debtor'), and beneficiary (referred to as 'ultimate creditor'), on a voluntary basis, when processing transfers in the context of 'payments and collections/receivables on behalf of' (POBO & COBO).

Given all of the above, the EBA additionally proposes the need for further clarification from the co-legislators to definitively determine:

i. If a VIBAN is associated with the main account or a distinct account an anchor this into law;

ii. whether users of VIBANs who are not the primary account holder are regarded to have a payment account according to the definition provided in payment services legislation, namely under PSD2. This has consequences for the characterisation of the payment services provided by a payments company that offers VIBANs to end customers;

iii. a clear of the SEPA Regulation and ISO IBAN Standard to VIBANs;

iv. the legal classification of the relationship between the payments firm that offers the VIBAN to the end user and the partner payments company that provides the master account and issues the VIBAN;

v. how should a payment transactions made towards a VIBAN that has a different country code than the master account should be reported, including for CESOP purposes.
Equally, the EBA urges NCAs to:

  • assess the prevalence of VIBANs in the operations of payment companies within their respective jurisdictions;
  • improve their comprehension of the business concepts employed for issuing or providing VIBANs;
  • evaluate the efficiency of AML/CTF measures implemented by financial services firms (in particular PSPs) to reduce the risks associated with VIBANs;
  • examine whether financial services firms (in particular PSPs) utilise various risk indicators while monitoring transactions to guarantee that their transaction monitoring system identifies apparent inconsistencies including for VIBANs.

All of these issues and considerations may trigger review of existing inasmuch as drafting of new policies and procedures, amending respective systems and controls, including beyond AML/CTF as well as CESOP reporting and amending of existing as well as drafting new counterparty as well as client and/or customer-facing contractual and non-contractual documentation.

Outlook

While VIBANs are certainly set to grow as their use cases remain strong, EU banks, PSPs and financial services more generally that use or plan to use VIBANs for themselves or more crucially with (including offering them to) their clients and customers should consider and clearly document the VIBAN-specific risks identified by EBA and elsewhere and look to strengthen compliance overall.

The EBA's VIBAN Report may be inaugural in nature but when read alongside a number of other related legislative and regulatory policymaking developments as well as supervisory scrutiny being advanced across the EU, including by NCAs in a much more coordinated manner, all financial services firms (not just PSPs) should take action. Many would do well to engage with legal counsel and multidisciplinary advisors who can evidence pan-EU breadth and depth of capabilities to help clients identify, mitigate and manage how to shore up VIBAN compliance.

Footnotes

1. EBA REP 2024/08 available here. Articles 8, 9, and 9a of Regulation (EU) 1093/2010 (also known as the EBA Founding Regulation) require the EBA to perform various tasks, including monitoring and evaluating market trends, overseeing both new and existing financial activities, and helping safeguard the EU's financial system from money laundering and terrorist financing.

2. The EBA's Opinion is available here.

3. This Client Alert should also be read in conjunction with the following contribution from Michael Huertas in the Journal of International Banking Law & Regulation available here as well as a recent Client Alert here.

4. See Client Alert available here.

5. See Client Alert here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Michael Huertas
Michael Huertas
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More