
PAYPAL AUSTRALIA PTY LIMITED


April 2013

PayPal Australia Pty Limited

Submission to:

Statutory Review of the Anti-Money Laundering and Counter-Terrorism Financing Act (Cth) 2006


1. Executive Summary

The Australian AML/CTF law is based on FATF Recommendations. PayPal Australia Pty. Ltd. (PayPal) recognises that, through the statutory review of the AML/CTF Act, and the recent process of customer due diligence (CDD) reform, it is the intention of the Attorney General’s Department and AUSTRAC to further align the Australian AML/CTF regime with the FATF Recommendations.

Under the AML/CTF Act, and the supporting AML/CTF Rules, reporting entities are required to meet their obligations based upon their assessment of ML/TF risk in the provision of designated services to their customers.

PayPal believes that there are opportunities to further improve the risk-based principles within the AML/CTF Act and Rules to obtain greater alignment with the FATF Recommendations and also FATF’s broader guidance on how the Recommendations should be interpreted for companies like PayPal.

Given the current environment of innovation and change within the Australian financial system, the AML/CTF regime should, PayPal believes, incorporate more recent guidance on risk-based approaches, particularly those outlined in FATF’s Guidance Paper on Prepaid Cards, Mobile Payments and Internet-based payment services issued in June 2013.

In considering the terms of reference for the statutory review, and the breadth of issues subject to debate and comment, PayPal’s submission has focused on specific opportunities for improvement that are particularly relevant to the e-commerce and the payments sectors.

There are three broad recommendations that PayPal will set out in this submission:

1. Improving principles based legislation to better enable all stakeholders, i.e. the regulator and Reporting Entities, to proactively manage ML/TF risk as the financial services industry responds to an ongoing evolution in financial products and services that are being driven by changing customer preference and technological advancements. Although “risk-based systems or controls” are referenced throughout the AML/CTF Rules, many requirements, particularly those outlined in Chapter 4, are prescriptive in nature. There is an opportunity to enhance the regulatory and industry approaches to fully leverage risk based principles and technology to ensure more efficient allocation of resources to areas of highest risk.

2. Minimising regulatory burden on reporting entities and ensuring a more equitable distribution of cost across stakeholders in the financial system. The level and cost of effort required by reporting entities to mitigate ML/TF risks can be disproportionate to the value of the customer relationship, given the assessed ML/TF risk of those customers. Options should be explored to allow reporting entities to implement more efficient and streamlined measures appropriate to the level of assessed ML/TF risk while also considering their business model.

3. Broadening the scope of legislation to capture services which are currently unregulated, or offered by unregulated entities, but nevertheless pose a level of ML/TF risk in the way the services could be used. FATF categorises these as New Payment Products and Services (NPPS) and includes products or services which employ new methods of transferring value between individuals or entities through both traditional and non-traditional electronic payment systems. Regulation of NPPS would ensure that the AML/CTF regime sets a minimum standard for payment service providers to safeguard the integrity and security of the financial system. It is critical that the legislation is applied in a manner that applies equal treatment to providers of similar products or services to maintain a high degree of competitive neutrality and ensure a “level playing field”.

The ongoing commitment of PayPal to ensuring the integrity of its payment platform is aligned with the objectives of making the broader Australian financial environment hostile to serious and organised crime and terrorism, whilst permitting legitimate commerce and innovation to thrive not only within the financial services industry, but also in the broader community which it supports.

The coupling of principles based legislation with the use of technological tools and data arising from new payment methodologies will allow reporting entities to undertake more effective authentication of customer identities, more dynamic risk assessment of customer transactions and behaviour, and provide for implementation of more effective ML/TF risk mitigation treatments.

We welcome the opportunity for further dialogue with the Attorney General’s Department and AUSTRAC on Australia’s AML/CTF reforms.


2. Overview of PayPal Business in Australia

2.1. PayPal Australia Pty. Ltd. (PayPal) has been operating in Australia since 2005, holds an Australian Financial Services Licence (AFSL 304962) and is licenced to provide non-cash payment products by the Australian Securities and Investments Commission (ASIC) and an authority under the Banking Act to carry on banking business confined to providing ‘purchased payment facilities’. PayPal is also a subscriber to the ePayments Code.

2.2. The PayPal service gives people simpler ways to send money without sharing financial information. With 132 million active accounts in 193 markets and 26 currencies around the world, PayPal enables global commerce, processing more than 7.7 million payments every day. In Australia, PayPal has more than 5.5 million active accounts, including more than 100,000 small and medium business customers.

2.3. At the core of the PayPal business model is the ongoing commitment to provide both consumers and merchants with a trusted and secure payments platform which facilitates legitimate commerce whilst preventing fraud and other criminal activities. Our risk management systems are a key differentiator and are as important today as they were at PayPal’s inception.

2.4. In addition to our focus on innovation in the fast developing e-commerce sector, we are also focused on the use of innovative and rapidly developing tools that support verification and authentication of our customers and their transactions. We are passionate about investment in industry based solutions that offer broader growth and benefits to the e-commerce and payments sector.

2.5. PayPal’s commitment to ensuring the integrity of its payment platform is aligned with the objectives of making the broader Australian financial environment hostile to serious and organised crime and terrorism, whilst permitting legitimate commerce and innovation to thrive not only within the financial services industry, but also in the broader community which it supports.

3. PayPal and the AML/CTF regulatory environment

3.1. PayPal has been proactively engaged with the Financial Action Task Force (FATF) and regulators to assist in identifying emerging risks to financial systems, and providing input into the creation of frameworks to mitigate those risks. It has participated in FATF Typologies Experts meetings which contributed to the development of guidance contained in FATF papers: Report on New Payment Methods (2006), Money Laundering & Terrorist Financing Vulnerabilities of Commercial Websites and Internet Payment Systems (2008), Money Laundering Using New Payment Methods (2010), and Prepaid Cards, Mobile Payments and Internet-Based Payment Services (2013).

3.2. Although the AML/CTF Act encompasses a range of designated services offered by a variety of reporting entities, the scope of this submission will limit itself to a discussion on payment services, as this is an area in which PayPal has expertise and can provide the greatest insight.


4. PayPal recommendations to the Review of the AML/CTF Act

4.1. PayPal wishes to make three broad recommendations to this Review. Details of these recommendations are laid out in the sections below.

5. Recommendation 1: Principles based legislation

5.1. PayPal recognises the challenge for regulation to achieve the key objectives of managing risk and providing regulatory oversight whilst balancing these against the needs of protected consumers, securing and building confidence in the broader financial system, and providing an environment for innovation in the industry. Accordingly, PayPal is supportive of inclusion of objects within the AML/CTF Act focused upon:

o Improving the integrity of the financial system

o Protecting the privacy of individuals and their personal information

5.2. It is essential that combating money laundering and terrorism financing (ML/TF) risks within the financial system remains at the core of the legislation. In view of the evolving nature of payments services both online and within the physical point of sale environment, it is also critical that the AML/CTF regulatory framework of Australia is broad enough to encompass current and emerging payment business models and technologies, whilst adopting a principles based approach enabling reporting entities and the Regulator to effectively respond to the dynamic nature of ML/TF risk.

5.3. Similarly, industry should remain cognizant of the ML/TF challenges presented by the evolution of payment services which is being driven by technological change, changing consumer preferences and demands, and increasing globalisation of commerce, and seek to leverage the unique opportunities that lie in the harnessing of technology to utilise a broad set of data to identify, assess and mitigate ML/TF risk.

5.4. Globally speaking, current payments regulations generally utilise prescriptive terms that specify requirements and impose particular business practices on innovative business and a methodology that cannot iterate with rapid developments in industry.

5.4.1. For example, the basic CDD process involves collection of information such as: name; date of birth or business registration details, and the address of the identified customer. Identity is then verified by means of a supporting physical document or electronic verification to validate the identity data collected.

5.4.2. Yet, the required data points collected, while important, tell you nothing about a range of risk factors, including but not limited to: who that person is in terms of political life, a customer’s relationships with any other person and whatever constitutes ‘normal behaviour’ for the identified customer.

5.4.3. Consequently, identity verification performed with reference to physical documentation (such as driver’s licences, utility bills, trust deeds, business registration documents, etc.) or the equivalent electronic records, will only provide static confirmation that the actual identity exists.


5.5. In contrast, ongoing capture and assessment of other unique customer identifiers (e.g. email addresses, IP address, mobile phone numbers, etc.), coupled with predictive risk models, neural network learning systems and location and device analysis, enables a reporting entity to perform authentication of transactions and customer identities within the system whilst providing for dynamic assessment of associated risks. This is particularly true within closed loop systems where there is visibility of both the sender and receiver for transactions processed.

5.5.1. Analysing customer data and transaction activity within the system provides for an understanding of ‘normal’ behaviour and enables identification of abnormal patterns indicative of high risk activity such as fraud or money laundering. Thus, ongoing assessment of customers, product type, delivery channels, and other risk factors is likely to be more effective, as a determinant for ML/TF risk, than upfront prescriptive measures.

5.5.2. To identify and mitigate ML/TF risks on its platform, PayPal has implemented a combination of controls, many of which are industry best practice, including automated risk assessment at onboarding, customer identification and verification arrangements, ongoing monitoring of transactions, analysis of account behaviour, linkages to other accounts, non-acceptance of anonymous forms of payment, imposing transaction limits, maintaining transaction records, and reporting suspicious activity to the regulator/FIU. Employing these risk mitigants throughout the lifecycle of customer accounts enables PayPal to provide a payment service that is effective for legitimate purposes whilst minimising illegitimate activities.

5.6. Today, modern payment services are looking at the entire electronic footprint of actors when determining identity and identifying risk within the system. Regulations, if principles based, should reflect the ability of electronic footprints to minimise ML/TF risk. Although FATF Guidance for online payments and e-commerce generally is still evolving, it appears clear that it is heading towards a position that is more embracing of alternative measures that are available in our industry.

5.7. In June 2013, FATF published its most recent guidance for new payment methods, titled “Guidance for a risk-based approach: prepaid cards, mobile payments and internet-based payment services”. This Guidance Paper builds on the FATF typologies reports to provide guidance in the implementation of a risk based approach to combating ML/TF risk associated with new payment products and services (NPPS) in line with the FATF Recommendations.

5.7.1. As discussed in the Guidance Paper, FATF recognises that the risks associated with internet based payment businesses may not necessarily be higher than those associated with the offline sector provided that appropriate risk-based measures with regard to customer identification, record keeping and transaction reporting are taken. Specifically, the FATF paper states:

5.7.2. “For Internet-based payment services there is typically no face-to-face customer contact. This may increase the risk of identity fraud or customers providing inaccurate information potentially to disguise illegal activity if effective measures to address this risk are not employed. However, this lack of face-to-face contact is often counterbalanced through the adoption of alternative identification mechanisms, which can provide adequate risk mitigation measures.”


5.8. Regulation should also give recognition to the fact that inherent risks of a given designated service are not uniform across all reporting entities and will vary depending upon the product configuration, delivery channel, and customer type. For example, a designated service within a closed loop system is likely to have an inherently lower risk than a designated service offered in an open loop system. Similarly, systems that restrict the entry and exit methods of funds present a lower risk than those which allow cash or other anonymous forms of funding or withdrawal.

5.8.1. PayPal notes that the FATF Recommendations continue to endorse a risk based approach to managing ML/TF risks. Through Interpretative notes published with the 40 Recommendations, FATF also recognises the need to ensure that measures to prevent or reduce ML/TF risk are commensurate with the risks identified, and allow stakeholders within the financial system (Government/Regulator and financial institutions) to make decisions on allocation of resources where they are most effective and, where lower risks are identified, allowing for simplified measures for some of the FATF recommendations under certain conditions.

5.8.2. Accordingly, decisions on collection and verification of customer information should be informed by the assessed ML/TF risk of a customer and the designated service provided by a reporting entity. Where elevated levels of risk are identified, a reporting entity should have appropriate arrangements in place to collect and verify a more extensive range of customer information.

5.8.3. Conversely, where a customer and designated service are assessed to be of low risk, principles based legislation should allow reporting entities to determine the minimum customer information collection and verification requirements.

5.8.4. In contrast to a prescriptive and rule-based “one size fits all” approach, regulation should provide for more sophisticated approaches to controlling and mitigating ML/TF risks by allowing industry to harness technological solutions, better management and analysis of customer and transactional data to identify risk, and adopt a more targeted application of risk control strategies and resources.

5.9. It is the view of PayPal that prescription in the form of regulatory guidance (in lieu of prescriptive and rigid rules) would greatly assist reporting entities in meeting their obligations.

5.9.1. Prescription can articulate current best practice and may provide a means of establishing a “safe harbour” standard that is broadly applicable to a large section of the reporting entity population, without mandating a particular process across all sizes of enterprise, and types of designated services where the risk profile may be significantly lower for certain reporting entities.

5.9.2. Regulators should exercise caution when considering the inclusion of prescriptive requirements within regulation as cycles of legislative revision are too slow to adequately take account of emerging risks as, and when, they arise.

5.10. To reduce reliance upon prescriptive measures, and fully exploit the advantages of a risk based principles approach to regulation, it is recommended that consideration be given to further modification of the AML/CTF Rules, particularly the obligations prescribed in Chapter 4, to provide reporting entities with greater flexibility to adjust their risk mitigation strategies and allocation of resources to the areas of highest risk.

6. Recommendation 2: Minimising regulatory burden on reporting entities

6.1. The financial system needs to be viewed more holistically and greater recognition and emphasis should be placed on ML/TF risks introduced from other sectors within the economy.

6.2. For example, reporting entities are required to undertake significant efforts to mitigate the ML/TF risks arising from complex legal structures and arrangements of customers. The level and cost of effort required by reporting entities can be disproportionate to the value of the customer relationship. However, the prescriptive nature of some requirements within the AML/CTF Rules often prevents consideration of alternative means of customer identification and verification. The current lack of oversight and regulation of designated non-financial businesses and professions (DNFBP) presents an ongoing weakness in the financial system and inequitable allocation of costs.

6.3. PayPal strongly advocates for rollout of the second tranche of the AML/CTF legislation. Compliance costs associated with ML/TF risks inherent to, or introduced into the financial system by, DNFBP entities are currently borne by REs caught by the first tranche rollout of the AML/CTF legislation. Allowing for self-regulation by the sector may not establish an adequate level of rigour and integrity sufficient to meet the objectives of the Act, namely, combating money laundering, corruption, transnational crime and terrorism, among other things.

6.4. Rollout of the second tranche of AML/CTF legislation will enable Australia to create an additional layer of defence in its regulatory regime and ensure that it satisfies FATF Recommendation 22 and Recommendation 23 to extend AML/CTF Act obligations to "gatekeepers" to the financial system.

6.5. PayPal submits that, in accordance with the principles described in FATF Recommendation 24 and Recommendation 25, the Government and the Regulator minimise the regulatory burden on reporting entities by accelerating access to, and utility of, registers maintained by Government and regulatory bodies to facilitate CDD actions undertaken by reporting entities.

6.5.1. Industry currently has access to a limited range of cost effective verification sources and, whilst initiatives such as the Document Verification Service (DVS) are welcomed, further work needs to be undertaken to provide a more robust framework within which industry can operate. The NZ Companies Office, which performs a similar company registry role to that performed by ASIC, provides a good example of how a government regulator/registry can facilitate risk assessment and CDD activities of reporting entities by providing a greater level of transparency of businesses’ organisational structures and associated individuals.

6.5.2. Similarly, harmonisation of disparate State/Territory based requirements such as the transfer of Business Name registration process to ASIC, or the establishment of centralised regulatory bodies such as the Australian Charities and Not-for-profit Commission (ACNC) provide for a more consistent and streamlined approach to the conduct of customer due diligence. To this end PayPal would be fully supportive of the development of centralised registers to record information for unincorporated entities such as unincorporated associations, partnerships, and trusts.

7. Recommendation 3: Broadening the scope of legislation

7.1. The current breadth and pace of technology driven innovation within payment services has ML/TF implications for the broader financial system. Whilst the traditional financial institutions explore online opportunities to service customers, there are also a multitude of players from non-financial sectors such as retail, telecommunications and technology (e.g. Amazon, Apple, Google, etc.) seeking to offer payment services to consumers and merchants.

7.2. New payment services currently being offered include things such as:

a) Stored value accounts by private and public network operators (e.g. access tags issued by toll operators and transport operators)

b) Online retail sites that store payment credentials

c) Stored value/reloadable travel money cards

d) Prepaid or reloadable accounts that offer telecommunications carrier billing

e) New digital wallet or m-payment businesses

f) Crypto currencies and virtual currencies

7.3. In establishing the scope of its application, the Act places a heavy reliance upon prescription to define designated services and, by extension, reporting entities. The designated services defined by the Act are based upon traditional financial products. For example, under Part 1, Section 5 of the Act, the definition of an account includes:

a) a credit card account; and

b) a loan account (other than a credit card account); and

c) an account of money held in the form of units in:

d) a cash management trust; or

e) a trust of a kind prescribed by the AML/CTF Rules

7.3.1. Further to this, within Part 1, Section 6 of the Act, designated services are consistently identified with reference to products or services issued by the following entities, or variations thereof:

a) an ADI; or

b) a bank; or

c) a building society; or

d) a credit union; or

e) a person specified in the AML/CTF Rules

7.3.2. Similarly, there appears to be an underlying assumption within the Act that “money” is the unit of transfer for financial products. Part 1, Section 5 of the Act defines “money” as:

a) physical currency; and

b) money held in an account, whether denominated in Australian currency or any other currency; and

c) money held on deposit, whether denominated in Australian currency or any other currency; and

d) e-currency, however amounts of the e-currency are expressed.

7.3.3. The Act then proceeds to define e-currency as an internet-based, electronic means of exchange that is:

a) known as any of the following:

   i. e-currency;

   ii. e-money;

   iii. digital currency;

   iv. a name specified in the AML/CTF Rules; and

b) backed either directly or indirectly by:

   i. precious metal; or

   ii. bullion; or

   iii. a thing of a kind prescribed by the AML/CTF Rules; and

c) not issued by or under the authority of a government body;

and includes anything that, under the regulations, is taken to be e-currency for the purposes of this Act.

7.4. When considering the range of new payment products offered in the market it is clear there are numerous “accounts” that facilitate the transfer of value between parties that are not currently caught by the Act. Furthermore, in narrowly defining the unit of transfer, the Act fails to capture value transferred in other forms. A quick search of payment related products and services available in Australia will show that value is stored in a myriad of forms including identity and billing or delivery information, payment credentials, credit for online content, phone credit for carrier billing, coupons and discounts, loyalty programs, etc.

7.4.1. This creates a regulatory regime in which providers of payment services, particularly those from outside the realm of licenced financial institutions are able to circumvent regulatory obligations and avoid supervision by developing products that avoid the specific criteria prescribed within the AML/CTF Act and associated Regulations and Rules.

7.4.2. Consequently, the ML/TF risks of many new forms of payment services escape regulatory oversight. These unmitigated ML/TF risks are then transferred into the financial system at the point where these new payment services and traditional financial products intersect.

7.5. The implications of not addressing AML/CTF controls for new payment methods are well documented in a report issued by FATF on “Money Laundering Using New Payment Methods” (2010). FATF identified that some ML/TF risks such as anonymity, methods of funding, value limits etc. are the direct result of product design, while others are dependent upon the strength of the CDD measures employed by the payment provider.

7.5.1. Unregulated payment products can introduce or transfer ML/TF risks to the formal financial system by facilitating placement of funds obtained through illicit activities. Where an account is established for a new payment product, a provider may ask for their customers' names, but the levels of customer verification vary significantly, ranging from no verification at all (some providers only require a pseudonym) to sophisticated verification measures.

7.5.2. The method of funding sources for new payment products can also vary widely and include not only standard banking instruments such as bank accounts or credit cards, but also cash and other forms of unregulated value such as virtual or crypto currencies. Anonymity of accounts and/or transactions processed with new payment products also increases the risk of integration of illicit funds into the financial system through a lack of audit trails, decreased visibility of parties to transactions, and absence of reporting obligations.

7.6. PayPal recommends that the Act be revised to capture new and emerging financial products and services, particularly those which allow the storage and exchange of value or payment credentials within digital wallets or similar mechanisms.

7.7. A broader scope of AML/CTF regulation will ensure that emerging risks to the Australian financial system are surfaced and captured. Subjecting a broader range of payment products to a defined standard of risk assessment and mitigation will provide certainty for new entrants to the industry and provide a ‘level playing field’ for all industry participants.

8. Conclusion

8.1. Law reforms being contemplated should include an assessment of the impacts to all reporting entities and allow sufficient flexibility to accommodate differing business models and alternative risk mitigation strategies and tools.

8.2. Although PayPal has existing and robust risk and compliance arrangements in place, we recognise the need to continually enhance and adapt our processes in response to new risks within the financial services environment and the rapidly evolving nature of new payment services globally.

8.3. In this submission PayPal makes the three recommendations:

1. Principles based legislation and rules

2. Minimising regulatory burden on reporting entities

3. Broadening the scope of regulation

8.4. PayPal looks forward to the opportunity of continued contribution to, and collaboration with, Government and the broader industry to ensure the ongoing integrity and security of the Australian financial system.