EU introduces new rules to mitigate ‘virtual IBAN’ AML/CFT risks
February 28, 2025

The European Union is introducing a new regulatory framework for virtual international bank account numbers (vIBANs) to mitigate anti-money laundering (AML) and counter-terrorist financing (CFT) risks. The framework, which forms part of the EU’s latest AML package, will require vIBAN issuers to identify end-users, including their linked payment accounts, to a member state’s bank account register.
“Details of virtual IBANs which are linked to other payment accounts will have to be recorded in member states’ bank account registers. This will allow law enforcement to trace any funds being moved by such virtual IBANs,” the Central Bank of Ireland’s deputy governor Derville Rowland explained in a speech at the Afore annual fintech and regulation conference.
A vIBAN is a ‘virtual’ bank account number that is not linked to a traditional bank account. It has the same format and functionality as a regular IBAN, but acts as a reference number to direct payments to a master account. E-commerce firms, accounting software providers and others use vIBANs to facilitate cross-border payments.
The forthcoming EU AML/CFT rules will apply to traditional banking providers, payment firms and crypto-asset service providers (CASPs). VIBAN providers and CASPs will be obligated entities, requiring them to share information relating to high-risk customers, and conduct Know Your Customer (KYC) checks as well as enhanced due diligence.
The EU is expected to implement the new AML rules by 2027.
Increased obligations
Several supervisory authorities have flagged vIBANs as high risk, because customers are able to open and manage different accounts in different countries, with little or no monitoring. The European Banking Authority (EBA) released a report in May 2024 addressing 10 regulatory challenges associated with vIBANs that included AML/CFT risks, consumer and depositor protection, authorisation and passporting, and regulatory arbitrage.
Regulatory compliance expert Pierre Simon, founder of Simon Consulting in the Netherlands, told Compliance Corylated: “If you are an e-money institution or a payment institution that is offering virtual IBANs, it is basically a product. They will need to do their product risk assessment, and then determine the money laundering risks.
“Money can actually be routed to an account, maybe outside of the EU or any other part of the world. We cannot see that booking, and also law enforcement cannot see how the money flow is going. From an AML perspective, it makes it risky,” he added.
Due diligence
The AML framework will require payment institutions to identify and verify legal entities associated with vIBANs, including individuals using vIBANs and the associated bank or payment accounts linked to them, according to Simon.
The EU will apply new requirements for customer due diligence (CDD), reducing the threshold for carrying out CDD obligations from 15,000 euros to 10,000 euros for occasional transactions. Additionally, the new AML package will set out a “full KYC procedure” for payment institutions, he said.
Currently, payment institutions often perform “light KYC” when dealing with vIBAN holders, conducting only a simplified, minimum check on customers. That is because of the high number of transactions within the vIBAN network, said Simon. However, with the new AML package, the institutions are expected to follow all KYC procedures, including customer and beneficial ownership identification.
Financial crime risks
Because a vIBAN can be assigned a country code that differs from that of its master bank account, the geographical location of vIBAN payees and recipients is more difficult to trace than in traditional cross-border payments. This also increases the risk of money laundering being conducted through the global vIBAN network.
“There are definitely risks. I think the biggest risk is that itʼs pretty easy to get a virtual IBAN, and theyʼre not as transparent as a regular IBAN but they cannot be distinguished [from a regular IBAN],” according to Simon.
Customers using vIBANs for international transactions are faced with diverse interpretations of AML regulatory frameworks, leading to supervisory and reporting gaps for suspicious transactions. With “no uniform view” of vIBAN providers, the EBA also highlighted the risk of vIBANs being used by non-EU financial institutions and EU non-payment service providers (PSPs) to provide payment services without the required authorisation.
“What we have seen in the EU is that itʼs not only regulated entities that can offer virtual IBANs; there are other parties, like online bookkeeping or accounting software providers, that are linking or actually providing accounts virtual IBANs to their account,” said Simon.
“So letʼs say if you have a small medium or medium-sized enterprise that says, my bookkeeping or my accounting is done via this online software through that provider, they can also get a business account, even a debit card or a credit card, and those accounts are in principle, for IBANs. So itʼs not required for them to have a licence or to be regulated themselves.”
The cross-border function of vIBANs is one reason the EBA has flagged the product for financial crime risk. Corlytics data shows the AML risk score has ranked as the highest among financial crime risks since 2021, highlighting greater regulatory focus on firmsʼ systems and controls.
Red flags
VIBANs have prompted similar concerns from the UK Financial Conduct Authority (FCA), since tackling financial crime is a key focus of its three-year strategy and part of the national economic crime plan and fraud strategy. It expects firms, including those offering vIBANs, to have adequate systems and controls to mitigate risks associated with their products and services.
The FCA has taken action against at least one UK payment provider that offered vIBANs, in a case that reflects the EBA’s concern that they can be used to provide payment services without the required authorisation.
In September 2020, a director of vIBAN account provider Monneo was found in contempt of court and sentenced to nine months in prison, while the company failed to notify the FCA; this is a Principle 11 breach, according to a first supervisory notice. The regulatorʼs action in April 2023 effectively shut down the company.
The FCA found Monneo had “acted outside its permissions”, which only extended to providing money remittance and executing payment transactions. For example, there was evidence of customers using vIBAN accounts to store large balances before making one or two substantial outward transactions, with one customer holding a balance of over £100,000 without making any transactions for more than eight months.
Monneo was barred from carrying out any payment services without the consent of the regulators, and went into special administration shortly after.
Industry response
Within the private sector, although the European Fintech Association (EFA) released a statement in May 2024 supporting the new AML rules on vIBANs, it then proposed an alternative regulatory approach. “There are alternative measures to address the potential risks perceived by the regulators. This can be achieved through information exchange between industry and enforcement authorities, rather than an overall prohibition of innovative business models,” it said.
The EFA is concerned that the suggested ISO IBAN standard could “limit the options” to offer vIBANs to customers. “For instance, with the ISO standard, it might become difficult in the future to differentiate between the master account holder and the vIBAN holder, which would make salary depositing impossible for the end customers,” it said in May.
The EU’s regulatory treatment would also require PSPs to submit their customers’ “entire database” to banks they consider to be competitors, meaning the new AML rules could “distort competitions, hampers user privacy, and requires additional costs”, the EFA added.