Anti-Money Laundering and Counter Terrorism Financing: New Regulations for the Payments Industry

The Financial Information Unit ( the “UIF,” after its acronym in Spanish), is in the process of reviewing its anti-money laundering and counter terrorism financing (“ML/TF”) regulations, moving from a “normative” approach to a “risk-based” approach, in line with Financial Action Task Force (FATF) recommendations.

In this context, Regulation UIF No. 76/2019 (“Regulation 76”) was enacted on July 29, 2019, aiming at: (i) clarifying who in the payments industry qualify as reporting entities; and (ii) implementing a new risk based approach for this industry.

Among other news, this rule expressly refers to the companies that work on digital platforms in which their clients are able to carry out commercial transactions on a non-face-to-face basis by using the credit cards system or other means of payment. In this sense, said rule broadens the scope of the ML/FT prevention regime, including as reporting entities (together with the credit or purchase card “issuers”) the following operators of the credit card system:

 

• Acquirer (Adquirente): individual, legal entity, or legal structure (that is not considered a legal entity), that carries out some of the following tasks relating to card transactions: (a) to sign up stores to the credit card system; and (b) to settle, to the payments recipient, the amount of the payments made with cards (that have been previously authorized for payment by the issuer).

 

• Aggregator (Agregador) or Group Facilitator (Agrupador) (i.e., entities providing collection services) or Payment Network Operator (Facilitador de Pagos): individual, legal entity, or legal structure (that is not considered a legal entity), that enters into an agreement with the Acquirer, to provide its clients (by means of a platform or system) processing services and/or card payment settlement services, through several means (whether such payments are made face-to-face or non-face-to-face).

Moreover, Regulation 76  includes up-to-date rules in accordance with international standards, such as the use of new technologies to identify clients and to comply with due diligence requirements, even including the opening of remote accounts using strict storable, auditable, and unalterable biometric techniques. In this way, the UIF now provides for a control tool over transactions carried out by individuals that were previously outside of the system.

Reporting Entities

Regulation 76 sets forth the following reporting entities:

• Traveler’s checks issuers.
• Entities that act as operators of the credit or purchase card system (i.e., credit or purchase card issuers, and acquirers, aggregators, group facilitators and payment network operators.
• Prepaid card operators, including prepaid gift cards, reloadable or not, that operate against deposits credited prior to use, and destined to the purchase of goods or services in commercial stores.

The following are not considered reporting entities:

• Operators of SUBE card (i.e., local public transport).
• Operators of cards destined exclusively to acquiring consumable goods within the store of the card issuer. With regards to this point, it is highlighted the fact that Regulation 76 defines “Purchase Card” as that which commercial entities provide their clients to make purchases in commercial institutions.
• Operators of cards destined exclusively to purchasing gas and lubricants.

 

Implementation Plan

In general terms, Regulation 76 will enter into force on October 31, 2019. However, regarding the ML/TF risk assessment, the regulation sets forth the following deadlines for the implementation plan:

1. On December 31, 2019: develop and document the methodology to identify and assess the risks according to their nature and volume of its commercial activity, considering the different risk factors of each business line.

 

2. On March 31, 2020: prepare a technical report, including the results of the implementation of the mythology to identify and assess the abovementioned risks.

 

3. On June 30, 2020: adjust the policies and proceedings, according to Regulation 76 requirements, and in accordance with the results of the risk self-assessment, that must be included in the ML/TF prevention manual.

Information regimes:

• All reporting entities must comply by presenting an Annual Report, between January 2 and March 15 (inclusive) each year, in connection with the previous calendar year.
• The credit card operators must comply with an additional information regime, on a monthly basis, between the 15th day and the last business day of each month (inclusive), in connection with the previous calendar month. The first filing is due on February 28, 2020, regarding the information corresponding to January 2020.

Responsible with the UIF:

• The acquirers, aggregators, group facilitators and payment network operators must report to UIF the appointment of an individual responsible of responding to UIF’s urgent requests. This appointment must be reported to UIF on or before August 8, 2019 (i.e., within 10 days as of the publication date of Regulation 76).

 

General Regime

Regulation 76 establishes the following obligations and guidelines applicable to the reporting entities:

• ML/TF Prevention system Consisting of (i) all policies, proceedings and controls for ML/TF risk management, and (ii) all compliance elements requested by applicable rules. The ML/TF prevention system must be developed by the compliance officer and approved by the reporting entity’s administration body or its highest rank authority.
  • Risk management. Self-assessment The reporting entities must establish policies, proceedings and controls to identify, assess, mitigate and monitor their ML/TF risks. To such effect they must develop a methodology for identifying and assessing risks in accordance with the nature and volume of their commercial activities, considering the different risk factors of each line of business.
  • The compliance officer must prepare a technical report showing the results of the application of such methodology. Such report must be updated on a yearly basis and must be filed with the UIF before April 30 each year.
  • Regulation 76 establishes minimum guidelines to identify risk factors concerning clients, products and/or services, distribution channels (Internet, phones, mobile devices, and remote connections, among others) and geographical reach. In addition, the reporting entities may develop their own additional risk indicators.
  • Once the risks are identified and assessed, the reporting entities must establish the most appropriate and efficient mechanisms to mitigate such risks, in line with Regulation 76 guidelines.
  • Compliance Regulation 76 provides for the minimum compliance standards to be included in the ML/FT prevention system; such as a detailed description of policies and proceedings to be adopted, rules regarding the administration body’s (or highest rank authority’s) responsibilities, compliance officer’s duties and responsibilities, document preservation, and training sessions, among others. Furthermore, an independent external auditor must issue a report on an annual basis regarding the quality and effectiveness of the ML/TF prevention system.
• Due Diligence: Know your client policy Due diligence guidelines regarding segmentation in low, medium and high risk clients. High risk clients require a reinforced due diligence, while low risk clients may be subject to simplified due diligence, which makes digital on-boarding easier and the financial inclusion of those who did not have prior access to other means of payment. In addition, Regulation 76 provides for specific recommendations concerning prepaid gift card beneficiaries. Finally, it includes the possibility for the clients to authorize the reporting entities to share their identification file.
• Transactional monitoring Mechanisms regarding transaction monitoring and analysis, unusual transactions detection, and suspicious transactions reporting.
• Urgent UIF requests The acquirers, aggregators, group facilitators and payment network operators must immediately provide UIF, at its request, with information and documents regarding the transactions they are involved in. To such effect they must appoint a contact person to answer urgent requests (even outside non-business hours or days).