31st May 2024
The EBA has issued a report on Virtual IBANS, providing some much needed insight into the thinking of European regulators around this relatively new financial product.
Before delving further into this report, it is worth answering the questions “What is a “Virtual” IBAN”? And what is an “IBAN” for that matter?
IBAN stands for International Bank Account Number. It’s a standardized international numbering system developed to identify bank accounts.
The IBAN is made up of:
- A two letter country code
- Two check digits, used for error detection. These are generated via an algorithm and are based on the other components of the IBAN
- A bank identified code
- The bank account number
One can think of the IBAN as a precise and unique address for a bank account, allowing payments to find their way to the correct bank account.
A “Virtual” IBAN then is an identifier that has the same format as a regular IBAN, but which in turn is linked to a payment account with its own, different, IBAN. This linked regular IBAN is referred to as the “Master Account”.
A payment directed towards a vIBAN would therefore be rerouted to the Master IBAN. You can think of this as a bit like a mail forwarding service, but for payments.
Virtual IBANS have various legitimate uses. The EBA notes that:
“vIBANs are often used by companies to automate payment reconciliation. They enable companies to assign individual vIBANs, issued by their PSP, to a specific customer, project, part of a business line, etc. to facilitate the tracking of incoming payments (and, in some cases, also outgoing payments) and reduce the costs associated with payment reconciliation”
However, the EBA also notes that a number of risks arise in connection with vIBANs, including some having a financial crime character. The risks associated with virtual IBANs (vIBANs) include:
- Regulatory Arbitrage: Differences in interpretations across regulators may lead to unfair advantages.
- Lack of NCA Visibility: Regulators may lack insight into vIBAN scale, impacting AML/CFT assessments.
- Cross-Border Challenges: Divergent AML/CFT regulations for vIBANs can create supervisory gaps and reporting challenges.
- SEPA Regulation Uncertainty: Unclear application of SEPA regulations to vIBANs may create regulatory ambiguities.
- End User Risks: Users may face risks when not master account holders, leading to unfair competition.
- PSD2 Reporting Issues: Inconsistent reporting of transactions involving vIBANs can pose challenges.
- Instant Payments Regulation Compliance: Compliance challenges may arise with vIBANs under instant payments regulations.
- Unauthorized Financial Institution Use: Non-authorized entities may use vIBANs, raising financial crime risks.
- Supervisory Practices Variations: Divergent supervisory practices may lead to oversight inconsistencies.
- Consumer Transparency Issues: Lack of transparency about vIBANs may pose risks to consumers.
- The EBA report also includes an Annex providing list of risk factors which ought to be taken into consideration when assessing the ML/FT risk associated with vIBANs in different scenarios.
In particular, the EBA report identifies the following ML/FT high risk flags:
- The lack of a contractual relationship between the PSP servicing the master account and issuing the vIBANs and the end users of vIBANs as this means that the identity or location of the end user may not always be known to the PSP servicing the master account;
- The lack of transparency of end users transactions;
- No limitations applied by a PSP on the number of vIBANs that may be held by one end user;
- A holder of a master account or, if different, an end user of a vIBAN is based in a high risk non-EU country or a country where the AML/CFT rules are less stringent than those set out in the AMLD;
- Issuing documents that associate the vIBAN with names of third parties other than the verified account holder of the master account or any feature that causes confusion about the identity of the account holder;
- Offering their customers the capacity to create, delete or deactivate vIBANs without the involvement of the PSP issuing the vIBAN and applying limited monitoring of the real use of these vIBANs (with direct access through an application program interface for example).
Mindful of the above, obliged entities should deal with Virtual IBANS in a prudent manner, ensuring that they understand the risks involved and setting up appropriate safeguards.
Follow the link for a copy of the report:
https://fiaumalta.org/app/uploads/2024/05/EBA-Report-on-virtual-IBANs.pdf
