Financial Services

EBA sets out its findings and supervisory expectations on virtual IBANs

Written by

Dr. Michael Huertas

RegCORE – Client Alert | EU Digital Single Market

QuickTake

On 24 May 2024 the European Banking Authority (EBA) released an inaugural Report (EBA REP 2024/08) on the issuance of virtual International Bank Account Numbers (VIBANs). Articles 8, 9, and 9a of Regulation (EU) 1093/2010 (also known as the EBA Founding Regulation) require the EBA to perform various tasks, including monitoring and evaluating market trends, overseeing both new and existing financial activities, and helping safeguard the EU's financial system from money laundering and terrorist financing. The Report follows on from a detailed fact-finding exercise completed during 2023 and 2024.

The Report notes that, due to the (current) lack of a standardised definition in EU law, VIBANs are provided in various ways and for different reasons. Additionally, national competent authorities (NCAs) differ in their interpretation and implementation of legal requirements. The Report also highlights concerns regarding money laundering and terrorist funding (AML/CTF), as well as difficulties related to consumer and depositor protection, authorisation and passporting, and regulatory arbitrage risks. With these statements the EBA appeals to the EU’s co-legislators to facilitate legislative clarity, and equally to NCAs to adopt the measures in the Report to deliver regulatory and supervisory certainty.

As explored in this Client Alert, the Report outlines the features of VIBANs, describes different scenarios seen by the EBA in the market, evaluates the perceived advantages as identified by market participants, and highlights the problems and issues associated with this practice. The latter refers to discrepancies among NCAs in their interpretation and implementation of current EU financial services legislation for VIBANs, including the Anti-Money Laundering Directive, the Payment Services Directive, the Capital Requirements Directive, and the SEPA Regulation. This is primarily because there is no universally applicable definition that considers the various use cases that exist. Currently, the exact number of VIBANs issued in EU Member States is unknown. This lack of information may hinder NCAs from properly overseeing and evaluating the effectiveness of firms’ internal controls in managing the risks associated with VIBANs, especially in AML/CTF efforts. Some of these were explored in the EBA’s earlier Opinion on AML/CTF risks affecting the EU’s financial sector (which has led to reforms to the EU’s AML/CTF framework in the form of the AMLR – see below).

These issues and differences, especially as VIBANs are not subject to a harmonised approach in the EU’s Single Rulebook, weaken the EU’s Single Market and lead to regulatory arbitrage. As a result, the Report contains (selected) suggestions on how to clarify EU law and proposes steps that NCAs could implement to resolve these concerns. While the issues raised by the EBA in its inaugural VIBAN Report focus on the state of play in the EU, there are lessons to be learned for banks, payment service providers (PSPs) and account holders, and for their VIBAN use further afield. This Client Alert should also be read in conjunction with a contribution from Michael Huertas in the Journal of International Banking Law & Regulation as well as a recent Client Alert.

What is a VIBAN anyway?

The EU’s new Regulation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (the AMLR – see separate coverage from PwC Legal’s EU RegCORE on that development) includes a definition of VIBANs for the purposes of the EU’s new, enhanced AML/CTF legislative and regulatory framework. That definition states a VIBAN is “an identifier causing payment to be redirected to a payment account identified by an IBAN different from that identifier.”

While the Report states (our comments in square brackets): “there is currently no legal definition of VIBANs at EU level [this is true], and no uniform understanding across NCAs and the industry of what VIBANs [also both true] are”, a VIBAN is typically linked to a master IBAN, which is a real bank or PSP account that holds the funds received by the VIBANs. The master IBAN can belong (i) to the bank or the PSP that issues the VIBANs, or (ii) to a third-party intermediary that facilitates the payment processing. The VIBANs are usually generated and assigned by an algorithm or a software system and can have different formats and lengths depending on the country and the provider.

The Report sets out six use cases (not spelled out in this Client Alert) that the EBA had identified through which PSPs, or other entities that partner with PSPs, offer VIBANs to their customers. The main benefits of using a VIBAN are:

  • It simplifies and streamlines the payment reconciliation process, as each VIBAN can be associated with a specific customer, invoice, currency, or purpose and the payment details can be automatically matched and updated in the accounting system.
  • It reduces the operational costs and risks of managing multiple physical bank accounts, as the VIBANs can be created and closed on demand, without the need for opening, maintaining, or closing real bank or PSP operated accounts.
  • It enhances the customer experience and satisfaction, as the VIBANs can offer faster, cheaper, and more transparent cross-border payments (including with a country code outside the jurisdiction of their habitual residence) and can also enable customers to receive payments in their preferred currency or from their preferred payment method. VIBANs are also a means of reducing or at least circumventing IBAN discrimination. 
  • It improves the compliance and security of the payment transactions, as the VIBANs can comply with the regulatory standards and requirements of different jurisdictions, and can also prevent fraud, errors, or misrouting of payments by validating the sender and the recipient information.

Some examples of use cases for VIBANs are:

  • E-commerce platforms or marketplaces that need to collect and distribute payments from and to multiple sellers and buyers across different countries and currencies, and that want to offer a seamless and customised payment experience for their customers.
  • FinTech companies or PSPs that want to offer innovative and flexible payment solutions for their clients, such as multi-currency accounts, digital wallets, or payment cards and that want to leverage the existing banking/PSP infrastructure and network without having to open physical bank accounts in each country – thus free of national border constraints but not necessarily free of what then becomes potential VIBAN discrimination. 
  • Businesses or individuals that need to receive or send frequent or large payments from or to different countries or currencies and that want to avoid the high fees, delays, or errors that can occur with traditional bank transfers or intermediaries. 

Key takeaways from the EBA’s VIBAN Report

The EBA’s Report identified the following 10 key risks and challenges linked to VIBANs arising for (i) financial institutions, (ii) NCAs and (iii) users of VIBANs. These include risks from:

  1. VIBANs being used by non-EU financial institutions or by EU non-PSPs to provide payment services without the required authorisation in the EU;
  2. an unlevel playing field and thus regulatory arbitrage stemming from divergent interpretations across NCAs of what VIBANs are from a regulated activity perspective for activity in and outside of the EU;
  3. divergent interpretations across NCAs about the way in which the SEPA Regulation and the ISO IBAN technical standards apply to VIBANs; 
  4. conflicting categorisation and reporting of payment transactions by PSPs under the EU’s second Payment Services Directive (PSD2), itself subject to review, where the VIBANs and the IBAN of the master account have different country codes. This may also give rise to reporting issues under the newest efforts on CESOP;
  5. issues for end users of VIBANs, where they are not the master account holders, and associated unlevel playing field and regulatory arbitrage issues stemming from divergent interpretation across NCAs about the qualification of the relevant payment services in such cases;
  6. fragmented application of the service ensuring verification of the payee introduced by Regulation (EU) 2024/886 on instant credit transfers in euro (the ‘Instant Payments Regulation’), where the payee using a VIBAN is not the master account holder; 
  7. differing interpretations on the applicable AML/CTF regulatory framework in case of cross-border provision of VIBANs, leading to risks of AML/CTF supervisory gaps, lack of clarity about the reporting of suspicious transactions to the financial intelligence unit (FIU) and challenges associated with the tracing of suspicious transactions involving VIBANs by FIUs and law enforcement; 
  8. a lack of visibility for NCAs on the scale of VIBAN offerings in their jurisdiction, leading to risks that the adequacy of PSPs’ internal controls framework, including from an AML/CTF perspective, may not be adequately assessed/supervised by NCAs; 
  9. consumers using VIBANs and for consumers making a payment to a VIBAN, stemming from lack of transparency; and
  10. users of VIBANs stemming from inappropriate disclosure about which Deposit Guarantee Scheme (DGS) of which EU Member State protects their deposits and risks arising to DGSs. 

The Report’s Annex 1 sets out a (non-exhaustive) list of AML/CTF risk indicators associated with VIBANs. These include higher and lower risk indicators. The higher risk exposure indicators are, in the EBA’s view, present where there is:

  • a lack of a contractual relationship between the PSP servicing the master account and issuing the VIBANs and the end users of VIBANs, as this means that the identity or location of the end user may not always be known to the PSP servicing the master account;
  • absence of transparency of end users’ transactions;
  • no limitations applied by a PSP on the number of VIBANs that may be held by one end user; 
  • a holder of a master account or, if different, an end user of a VIBAN is based in a high risk non-EU country or a country where the AML/CTF rules are less stringent than those set out in the AMLD (soon to be AMLR); 
  • issuing documents that associate the VIBAN with names of third parties other than the verified account holder of the master account or any feature that causes confusion about the identity of the account holder; and/or
  • an ability for customers to create, delete or deactivate VIBANs without the involvement of the PSP issuing the VIBAN, with limited monitoring applied to the real use of these VIBANs (with direct access through an application programming interface, for example).

By contrast, the following indicators are identified by the EBA as indicating a lower level of AML/CTF risk, namely where:

  • a PSP servicing the master account has a direct business relationship with the end user of the VIBAN who is identified and verified; 
  • the PSP servicing the master account and issuing the VIBANs is different from the PSP offering the VIBANs to the end users and: 
    • the PSP servicing the master account obtains due diligence on the end users of VIBANs; and 
    • the PSP servicing the master account and the PSP offering the VIBANs to the end users are based in the same EU Member State;
  • the end users and the master account are based in the EU; 
  • a person (preferably a PSP) offering VIBANs to the end users is an obliged entity under the AMLD/AMLR and has effective AML/CTF systems and controls in place; 
  • a PSP has imposed limitations on the type of payments that can be processed via the VIBAN (e.g. to top up an e-money account); and/or
  • a PSP servicing the master account restricts the provision of VIBANs to PSPs which are authorised agents only.

Considerations for financial services firms and calls upon the co-legislators

The EBA uses the Report and the Annex thereto to offer targeted suggestions about the actions that could be taken by financial institutions (in particular PSPs), the EU’s co-legislators and NCAs to mitigate the risks identified in the Report. While non-binding, they do communicate supervisory expectations (which the NCAs are thus required to follow) and include (other than items stemming from the above):

A.   The bank or PSP providing a master account and issuing the VIBAN to request sufficient information from the person offering the VIBANs to end users to ensure that it has a good understanding of:

  1. the robustness of AML/CTF systems and controls of the PSP offering the VIBANs to the end users, for example through questionnaires or through on-site visits, on a risk-sensitive basis; 
  2. the type of services provided by the PSP offering the VIBANs to the end users, to be satisfied that the offering of VIBANs is a reasonable service for this type of PSP; 
  3. the nature of the customer base of the PSP offering VIBANs, so that the PSP is able to monitor transactions in a meaningful way. In exceptional, high AML/CTF risk cases, or where AML/CTF suspicions arise, this may involve the verification of an end user’s CDD information. 

B.   Relatedly, the EBA notes that the above risks may be mitigated by provisions in Article 18(2a) of the AMLR, which provides that credit and financial institutions servicing the master account should ensure that they can obtain information on end users of VIBANs, even where VIBANs are issued by another credit or financial institution. The legislation requires that ‘this information should be obtained without delay and in any case within no more than five working days’;

C.   Require the PSP providing the master account and issuing the VIBANs to satisfy itself that the PSP offering the VIBANs to its own customers (the end users) will provide it with information identifying and verifying the end users of the VIBANs upon request; 

D.   PSPs being (more) responsible for identifying risks associated with their business, including various products and services provided by them, and for putting in place appropriate controls to mitigate these risks. When assessing the effectiveness of the PSPs’ controls, NCAs may consider whether the PSPs draw on multiple risk factors when monitoring transactions to ensure that the transaction monitoring system flags apparent discrepancies for further investigation; 

E.   That NCAs should assess on a case-by-case basis the extent to which institutions within their supervisory remit enter into a correspondent relationship with other PSPs in the VIBANs context and communicate their regulatory expectations to the sector accordingly; 

F.   Furthermore, to address the challenges mentioned above about the lack of transparency of the ultimate originator/beneficiary of a payment, it may be necessary to require that PSPs, under the SEPA schemes, include in the payment message remittance information about the end user on whose behalf a payment is made or received. Accordingly, the EBA notes that the revision to the ISO 20022 standard presents the ability to share information on the ‘ultimate’ parties in financial transactions, namely the ordering customer (referred to as ‘ultimate debtor’) and the beneficiary (referred to as ‘ultimate creditor’), on a voluntary basis, when processing transfers in the context of ‘payments and collections/receivables on behalf of’ (POBO & COBO).

Given all of the above, the EBA additionally proposes the need for further clarification from the co-legislators to definitively determine:

i.   whether a VIBAN is associated with the main account or a distinct account, and anchor this into law;

ii.   whether users of VIBANs who are not the primary account holder are regarded to have a payment account according to the definition provided in payment services legislation, namely under PSD2. This has consequences for the characterisation of the payment services provided by a payments company that offers VIBANs to end customers;

iii.   the clear application of the SEPA Regulation and ISO IBAN Standard to VIBANs;

iv.   the legal classification of the relationship between the payments firm that offers the VIBAN to the end user and the partner payments company that provides the master account and issues the VIBAN; 

v.   how payment transactions made towards a VIBAN that has a different country code than the master account should be reported, including for CESOP purposes.

Equally, the EBA urges NCAs to:

  • assess the prevalence of VIBANs in the operations of payment companies within their respective jurisdictions;
  • improve their comprehension of the business concepts employed for issuing or providing VIBANs;
  • evaluate the efficiency of AML/CTF measures implemented by financial services firms (in particular PSPs) to reduce the risks associated with VIBANs;
  • examine whether financial services firms (in particular PSPs) utilise various risk indicators while monitoring transactions to guarantee that their transaction monitoring system identifies apparent inconsistencies including for VIBANs.

All of these issues and considerations may trigger a review of existing, as well as the drafting of new, policies and procedures; amendments to respective systems and controls, including beyond AML/CTF as well as CESOP reporting; and the amending of existing, as well as the drafting of new, counterparty as well as client and/or customer-facing contractual and non-contractual documentation.

Outlook

While VIBANs are certainly set to grow as their use cases remain strong, EU banks, PSPs and financial services more generally that use or plan to use VIBANs for themselves or more crucially with (including offering them to) their clients and customers should consider and clearly document the VIBAN-specific risks identified by EBA and elsewhere and look to strengthen compliance overall. 

The EBA’s VIBAN Report may be inaugural in nature but when read alongside a number of other related legislative and regulatory policymaking developments as well as supervisory scrutiny being advanced across the EU, including by NCAs in a much more coordinated manner, all financial services firms (not just PSPs) should take action. Many would do well to engage with legal counsel and multidisciplinary advisors who can evidence pan-EU breadth and depth of capabilities to help clients identify, mitigate and manage how to shore up VIBAN compliance.
