EBA puts virtual IBANs into regulatory spotlight

EU regulators need to get to grips with how payment firms use virtual IBANs. That's one of the conclusions from a European Banking Authority report on virtual International Bank Account Numbers (vIBANs). The report is expected to trigger more scrutiny of how payment service providers manage the risks around vIBANs.

What is a vIBAN?

IBANs are used to identify payment accounts. A vIBAN looks like a regular IBAN but doesn't represent its own payment account. Instead it is linked to a master payment account (which has a separate IBAN) and allows payments to be routed to that account.

The report maps out six use cases for vIBANs that the EBA has observed. These range from payments firms partnering with firms in other jurisdictions to offer “local” vIBANs through to the use of vIBANS to support the centralisation of payments within a group.

Risks of vIBANs

The EBA highlights 10 risks and challenges relating to vIBANs. These include:

• Money laundering risks associated with the identity of the end users of vIBANs being unknown to the issuers of vIBANs. This risk is compounded by divergent interpretations on the applicable anti-money laundering regulatory framework in the context of the cross-border provision of vIBANs.
• An unlevel playing field and risk of regulatory arbitrage due to different interpretations of what vIBANs are and how applicable regulations apply. This includes the risk that vIBANs are used by non-EU financial institutions or by EU non-payment services providers to provide payment services without the requisite authorisation.
• Risks to end users (particularly consumers) who (depending on how a business model is structured) may not benefit from certain protections and may suffer detriment due to a lack of transparency. This is particularly relevant in the context of complaints procedures and deposit guarantee protection.

Recommended mitigations

The recently finalised AML Regulation includes a first EU-wide definition of a virutal IBAN. AMLR requires firms servicing the master account to make sure that they can get information about the end users of vIBANs, even when they are issued by another firm. The EBA hopes that, once it starts to apply, this requirement in AMLA will mitigate some of the AML risks associated with vIBANs.

The EBA also suggests clarifying:

• In the EU's AML framework, whether a vIBAN identifies the master account to which it is connected or a separate account.
• The definition of a “payment account” in payment services legislation and, in particular, whether users of vIBANs that are not the holder of the master account are considered to have a payment account within the meaning of PSD2. This has implications for the characterisation of the payment services offered by payments firm offering the vIBANs to end users.
• How the SEPA regulation and ISO IBAN Standard apply to vIBANs.
• The legal qualification of the relationship between the payments firm offering the vIBAN to the end user and the partner payments firm providing the master account and issuing the vIBAN.
• How the payer's payments firm should report transactions made towards a vIBAN when it has a different country code to the master account. 

The EBA calls on national regulators to:

• Determine the extent to which vIBANs are issued / used by payments firms in their jurisdiction.
• Enhance their understanding of business models used to issue or offer vIBANs.
• Assess the effectiveness of AML controls in place within payments firms to mitigate the risks associated with vIBANs.
• Consider whether payments firms draw on multiple risk factors when monitoring transactions to ensure that their transaction monitoring system flags apparent discrepancies.

Why does the report matter?

The report is relevant to both issuers of vIBANs and payments firms who may offer (but not issue) vIBANs to end users. While the EBA does not, for now, put forward specific rule changes, it will increase regulatory scrutiny in two respects:

• At the pan-EU level, the Commission may take on board the risks that the EBA has highlighted and its recommendations to clarify the application of key EU legislation in this area which would impact vIBAN business models.
• At the EU Member State level, the report should focus the minds of national regulators on business models involving vIBANs, particularly from an anti-money laundering and regulatory licensing perspective.