Pierre-Laurent Chatain Lead Financial Sector Specialist Financial Market Integrity

Pierre-Laurent Chatain Lead Financial Sector Specialist

Financial Market Integrity

World Bank/APG workshop for bank supervisors on AML/CFT supervision

Integrity in Mobile Phone Financial Services Jakarta, Indonesia, May 11-14, 2009

Contents

• What are mobile phone financial services (m-FS)?• The Global Potential• Methodology• New Framework for Analysis• ML-TF risks associated to m-FS• Observed Control Measures• Applying the FATF 40+9• Lessons Learned• Policy Recommendations

Mobile Phone Financial Services = m-FS

Definition: The remote delivery of financial services by a mobile phone

What are m-FS?

Transactions

Bill Payments

Stock Trades

Vendor Receipts Rem

ittan

ces

Check

ing A

ccou

nt

Balanc

e

Access bank

or credit card

Sometimes called “m-banking” or “m-commerce”

Enormous Potential for DevelopmentProblem: Poor countries fall way behind in terms of giving access to financial services

Solution: Mobile signal covers over 80% of the world’s population

Potential is huge: All Regions Booming

0

500

1,000

1,500

2,000

2,500

3,000

3,500

4,000

2000 2001 2002 2003 2004 2005 2006 2007 2008

Mill

ions

USA/CanadaMiddle EastEuropeAsia PacificAmericasAfricaWorld Total–

3.5 Billion people with access to a mobile phone in 2008

Source: World Bank analysis of Wireless Intelligence Data provided March 2008.

Mobile payment and commerce projections

Research predicts that users of contactless mobile payment and mobile banking will reach nearly 900 million users by 2012. These users will complete 62 billion transactions over the phone (source: mFoundry).

The Mobile Phone Financial Services (m-FS) and the perceived ML/FT risks

Managing Risks of the Different Uses of Mobile Phones for Financial Services

Proposed Paradigm for ML/TF Risk Analysis for m-FS

Conclusions on perception, actual and mitigation for ML/FT risks

Recommendations to policy makers, TelCos, financial institutions and regulators

WB’s contribution to policymakers’ discussions on the development of mobile financial services in a safe and sound AML/CFT environment

World Bank’s Research on M-FS

South Africa, The Philippines, Brazil, Hong Kong, Malaysia, Macau and South Korea

Methodology

Plan: 1) Identify the unique risks

2) Mitigation measures Perceptions

Which are real?

Seven Leading Markets

Malaysia Philippines

MacaoChina

BrazilHong Kong

ChinaSouth Africa

South Korea

Bank or Non-bank services (not anchored by a bank account)

No interaction with costumer

Anchored by a bank or securities account

- fINFO

- BSA

- Money

- Payments

Mobile Financial Information

- BSA- fINFO - Payments

Mobile Payments

Offers alternative settlement systems

Mobile Banking and Securities Accounts

- Money

Mobile Money

1. New Framework for AnalysisFrom a ML/TF risk analysis all business models could be grouped into 4 types of services:

Client TelCo FIs

Services Received• Account Balance• Credit Limit Alerts• Confirmation of Transaction• Security Quotes and Positions• Exchange Quotes and Positions

Gives access to view personal financial information

-fINFO

Client TelCo

3rd Party

CCC

FIs

-BSA

CCC : Credit Card Company

FI : Financial Institution

3rd Party: Any other individual or other financial entity.

Dotted line indicates entity which provides the transaction

Services Received• Account transfers• Bill payments• Settling balances• Security quotes and positions• Exchange quotes and positions• Access to credit lines

Permits user to make transactions with a bank account

Client

FIs

3rd Party

TelCo

CCC

-Payments

Services Received• Merchant payments• Settling balances• Non-bank account transfers • Security quotes and positions• Exchange quotes and positions• Access to credit linesDotted line indicates entity which provides the

transaction

Allows user to make payments without pre-existing bank accounts

-Money

Client

FIs

CCC

TelCo

3rd Party

Services Received• Allows access to all services available

through other m-FS. • Electronic storage of value (i.e. “e-

Wallet)• Remittances (domestic and

international)

Dotted line indicates entity which provides the transaction

Empowers user to work in electronic money through mobile phone

2. Risks associated to m-FS

Type of Risk Possible ML/TF Risks Key Control Measures

Anonymity

Off-the-branch or non-face-to-face customer origination

Innovative KYC and identity verification procedures MTN Banking – SA

Unauthorized use of mobile phones for financial transactions

Advanced identification mechanisms• Bradesco – Brazil• First National – SA

Lack of traceability

Use of mobile phone at the layering stage of the ML process

Use of multiple m-FS accounts

Limits on transactions • Korea FSSCustomer profiling • Bank of China – MacauReporting • Korea FIU

Cross-border mobile-to-mobile remittances

In-field service risk assessment • Hong Kong FIUIdentification of sender • Maxis – Malaysia

3. Observed Control Measures

3. Observed Control MeasuresType of

Risk Possible ML/TF Risks Key Control Measures

RapidityLack of capacity to monitor/freeze real-time messaging and settlement

Integrated system of internal controls • Itau - Brazil

Poor oversight

Oversight loopholes for m-BSA providers

Guidelines on m-BSA and risk management • Philippines, Korea

Lack of regulation, supervision of new providers

M-FS Shell companies

Regulator-provider collaboration (Philippinnes, Malaysia) New e-finance laws and guidelines to m-FS providers (Korea)Clear licensing of non-bank m-FS (Malaysia, Korea)IT & AML supervision capacity (Philippines)AML/CFT training (South Africa)

4. Sample of AML/CFT best practices (KYC/CDD)

. Several examples of risk mitigation practices in the jurisdictions visited reflect the FATF Recommendations:

Korea:

►A customer needs to hold a bank account, ► come in person to a bank branch, ► provide identification, and fill in a form (including details of predefined

accounts to transfer money) to receive an e-banking ID and password.

► A letter is then issued by the bank so that the customer can obtain the SIM from the TelCo.

► Service is available only to post-paid individual subscribers, not corporate clients

► A foreign citizen is required to present a valid passport.► A copy of the letter is retained by the TelCo for billing purposes.

4. Sample of AML/CFT best practices (KYC/CDD)

Philippines:

► Customers using G-Cash need to register via their mobile phones or the Internet. However, they may not deposit or withdraw funds until undergoing face-to-face CDD, which can take place at a retail shop, an accredited business partner, or a partner bank.

Hong Kong SAR of China:

► customers willing to use the mobile remittance service need to register their SIM card face-to-face with the mobile phone operators.

► Subscribers are required to present their national ID, which is equipped with security features and a chip with biometric information.

4. Sample of AML/CFT best practices (Record Keeping)

• m-FS providers keep customer activity records (Customer Detailed Records- CDRs) similar to banks, payment system providers and RSPs.

• CDRs contain data related to a mobile operator’s system usage and include identification of each mobile call’s originating and receiving phone, duration, and other information

Malaysia: ► Maxis keeps records of transactions for active customers

on an ongoing basis. Once the relationship is terminated, the information is archived for seven years.

4. Sample of AML/CFT best practices (Reporting Obligations)

Hong Kong:

TelCos are reporting entities under the AML and CFT regime.

Korea:

m-FS providers are also subject to the regime as reporting institutions to the Korean FIU (KoFIU).

Macao:

Providers are required to indicate in the STR the channel used, including m-FS.

Philippines:

Reporting of STRs by m-FS providers is conducted electronically, and is required for all transactions above 500,000 Pesos (US$ 11,200)

Varying Provider Obligations Ambiguous

• Fieldwork shows that TelCo AML and CFT obligations are applied unequally in the observed jurisdictions.

• The majority of TelCo m-FS perform some KYC and CDD measures

• Virtually none are designed specifically to address ML and TF concerns.

• There is no consensus on how to implement AML and CFT international standards among the telecom industry

Providers should be classified as FIs

• FATF 40+9 Rec. contain no specific provisions governing AML/CFT obligations for Telcos

• Grounds to believe that Telcos are subject to AML/CFT obligations:

–m-fINFO & m-BSA: no ambiguity–m-Payment & m-Money: ambiguity lifted

by applying the “functional definition”

Providers should be classified as FIs• Problem: Are Telcos providing m-FS DNFBPs

or FI?• Telcos do not fit into DNFBPs category

According to the FATF, “financial institution” means, among other things, any person or entity who provides its customers with transfer of money or values services, or issues and manages means of payment, inter alia, electronic money.

• ¾ business models consist of TelCos providing a means to transfer money

• TelCos providing m-FS should be considered as FATF “financial institutions”

5. Lessons LearnedFATF standards– Address m-FS vulnerabilities– No need for new standards

Regulations do not – Address full spectrum of entities (Telco, Credit Card Company)– Provide clarity on the licensing process

TelCos providing financial services are not explicitly subjected to AML/CFT regulations

Although many m-FS providers are already applying measures consistent with AML/CFT, their purposes are commercial and not targeted to prevent ML/TF.

6. Policy Recommendations• Policy Makers

- All m-FS providers should be subject to AML regulations in accordance with risk-based approach.

- Conduct risk assessment prior to legislating controls.

• FIU/Law Enforcement• Develop clear rules and guidelines  for m-FS transaction providers.   • Consider requiring STR to include data on the type of channel used

• Sector Regulators• Set clear licensing criteria and monitoring procedures that are commensurate with

services and risks. • Define transaction limits giving each m-FS providers flexibility to take advantage of

market opportunities

• Supervisors• Include the associated risks into the scope of their on and off-site duties

• Private Sector• Consult with regulators on the development of new services• Introduce robust internal controls and risk management practices

Pierre-Laurent [email protected]

Lead Financial Sector Specialist

The World Bank

Thank you