When e-money providers must verify identity – new guidance

The Joint Money Laundering Steering Group (JMLSG) has published draft amended guidance for electronic money. It covers products that are card-based as well as those that are entirely software-based.

The JMLSG is made up of the leading UK trade associations in the financial services industry. Its aim is to promulgate good practice in countering money laundering and to give practical assistance in interpreting the UK Money Laundering Regulations. This is primarily achieved by the publication of industry guidance.

The draft guidance on e-money will be included in Part II of the JMLSG's amended 2006 Guidance which contains supplementary sector-specific guidance.

The purpose of the guidance is to provide clarification to e-money issuers on verification of identity and other customer due diligence measures required by legislation.

The guidance can be used by all issuers of e-money, regardless of whether they are regulated by the Financial Services Authority or operate under a small e-money issuers' waiver.

The JMSLG defines electronic money as:

'"monetary value, as represented by a claim on the issuer, which is:

(a) stored on an electronic device;

(b) issued on receipt of funds; and

(c) accepted as a means of payment by persons other than the issuer."

E-money is therefore a prepaid means of payment, that can be used to make payments to multiple persons, where the persons are distinct legal or natural entities. It can be card-based or account-based and used entirely online.

The UK Money Laundering Regulations state that for a business relationship, verification of identity must be carried out at the outset.

Taking account of the risk mitigation features applied to e-money systems, the approach to verifying identity for the e-money sector is predicated on the need to minimise barriers to take-up of these new products, whilst addressing the risk of money laundering and meeting the obligations set out in the Regulations.

The draft guidance says that e-money issuers are, in common with other financial services providers, required to verify identity at the outset of the relationship with the customer.

This requirement includes verification of beneficial owners – i.e. the individuals who ultimately own or control the customer or on whose behalf a transaction or activity is being conducted.

In a limited set of circumstances, however, simplified due diligence can be adopted. The Regulations say this is when:

(i) if the device cannot be recharged, the maximum amount stored in the device is no more than 150 euro; or

(ii) if the device can be recharged, a limit of 2,500 euro is imposed on the total amount transacted in a calendar year, except when an amount of 1,000 euro or more is redeemed in that same calendar year by the bearer.

Where e-money purses cannot be recharged, and the total purse limit does not exceed €150, verification of identity does not need to be undertaken. The guidance acknowledges that purchase of e-money gift cards could be undertaken in multiple numbers. But provided that the gift card does not allow for redemption to be made at ATMs, the risk of money laundering arising from multiple purchases is likely to remain low, the guidance says. Issuers should however adopt a maximum total value that they will allow single customers to purchase, on a risk weighted basis, without identity being verified, it says.

Once the limits are reached, e-money issuers are required to undertake verification of identity, which may require sight of photographic ID such as a passport.

The JMLSG points out that the limits do not apply where there is a suspicion of money laundering or terrorist financing. In such circumstances, the identity of the customer must be verified, irrespective of the transacted total.

The new guidance augments the limits with systems for the detection of abuse. These include transaction monitoring systems that detect anomalies or patterns of behaviour; systems that identify discrepancies between submitted and detected information – for example, between country of origin submitted information and the electronically-detected IP address; and on-chip controls that disable a card when a given pattern of activity is detected, requiring interaction with the issuer before it can be re-enabled.

The JMLSG is inviting comments on the draft guidance by 7 September 2007.