
White Paper: Key Compliance Challenges in Cross-Border Payments


THE KEY COMPLIANCE CHALLENGES BUSINESSES FACE WHEN INITIATING CROSS-BORDER PAYMENTS

The Comprehensive Guide When Selecting Your Payment Service Provider

Courtesy of

Businesses initiating cross-border payments need to be cognizant of the challenges that payment regulations pose. Cross-border payments are subject to multiple regulations in both the originating country and the country in which they land. The costs of non-compliance can be severe, including failed payments, fines, reputational damage and in severe cases, imprisonment.

Payment regulations are a moving target in many regions due to the continuing growth of e-commerce and massive increase in cross-border payment volume. Governments from the U.S. to China are scrambling to monitor and control the new money flows generated by industry and political disruptions driven by the Internet.

This paper:

- Reviews the motivations of governments for regulating cross-border payments
- Introduces international bodies that are influential in shaping regulations
- Overviews existing and emerging regulations in the U.S. and Europe
- Proposes guidelines for a comprehensive risk-based approach for managing compliance
- Provides a checklist for evaluating payment providers on how well they address global regulatory compliance challenges


CONTENTS

INTRODUCTION
Motivation for Regulating Cross-Border Payments
International Bodies Involved in Payments Regulation
Regional Regulations
    United States
    Europe
Your Key Guidelines for a Risk-Based Approach to Compliance
Your Comprehensive Compliance Checklist
About Payoneer

1 MOTIVATION FOR REGULATING CROSS-BORDER PAYMENTS

Governments have multiple reasons for regulating cross-border payments. Primary motivations include preventing money laundering, blocking funding to terrorist and criminal organizations, imposing sanctions on specific countries, controlling currency flows and others.

ANTI-MONEY LAUNDERING (AML)

When criminals try to hide or disguise the source of their illegal money by converting it to funds that appear legitimate, the process is called “money laundering.” Every year, money launderers try to cover up the illegal source of their money by funneling billions of dollars through financial institutions. Money laundering is most likely to be successful when criminals avoid leaving a paper trail of transactions linking the money back to the crime. Law enforcement can follow the paper trail created from reports and records of financial institutions. To prevent money laundering, regulatory authorities typically set strict rules for recordkeeping and reporting of financial transactions by financial institutions and Payment Service Providers (PSPs).

COUNTER TERRORIST FINANCING (CTF)

Terrorist financing became a critical issue in the United States after the terrorist attacks on September 11, 2001. The U.S. government passed the USA PATRIOT Act to attempt to thwart the financing of terrorism and make sure the issue receives adequate focus by U.S. financial institutions. This act arms U.S. law enforcement with new tools to detect and prevent terrorism, improving counter-terrorism efforts in significant ways, including:

- Allows investigators to use already available tools to investigate organized crime and drug trafficking.
- Facilitates information sharing and cooperation among government agencies and removes legal barriers preventing law enforcement, intelligence, and national defense communities from coordinating work to protect national security.
- Updates the law to reflect new technologies and threats.
- Imposes tough new penalties on those who commit and support terrorist operations, both at home and abroad.
- Forces non-U.S. banks doing business with U.S. banks to upgrade their AML/CTF processes.

While AML and CTF are often linked in legislation and regulation, terrorist financing and money laundering are conceptual opposites. Money laundering is the process in which cash raised from criminal activities is made to look legitimate for re-integration into the financial system, while terrorist financing cares less about the source of funds, but more about what funds are being used for, as legally earned funds may be used to finance terrorism.

To facilitate the application of financial sanctions, regulators have compiled consolidated lists of entities subject to sanctions. Financial institutions are obliged to retrieve and maintain the most recent copies of these lists, screen payment parties against lists, block attempted payments to listed entities or countries and to report attempted infringement to regulators.

Commonly applied sanctions lists include: OFAC (published by the Office of Foreign Assets Control to enforce economic and trade sanctions based on U.S. foreign policy and national security goals); United Nations Security Council Sanctions List (including all individuals and entities subject to sanctions measures imposed by the UN Security Council); HMT list (a consolidated list of financial sanctions targets published by the UK treasury).

CURRENCY CONTROLS

Currency controls are imposed by some governments on the purchase or sale of foreign currencies by residents or on the purchase/sale of local currency by nonresidents. Governments put in place currency controls to ban or restrict the amount of foreign currency or local currency that is allowed to be traded or purchased.

Common foreign exchange controls include: banning the use of foreign currency within a country; banning locals from possessing foreign currency; restricting currency exchange to government-approved exchangers; fixed exchange rates; and restrictions on the amount of currency that may be imported or exported.

Typically, countries that employ exchange controls are those with weaker economies. These controls allow countries a greater degree of economic stability by limiting the amount of exchange rate volatility due to currency inflows/outflows. Often, foreign exchange controls result in the creation of black markets to exchange the controlled currency for stronger currencies. As such, it is unclear whether governments have the ability to enact effective exchange controls.

FRAUD PREVENTION

Regulations applied by governments to the licensing of PSPs typically address fraud prevention and consumer protection. These regulations are designed to prevent businesses that engage in fraud or specified unfair practices from gaining an advantage over competitors.

Cross-border payments facilitated by credit or debit card need to comply with non-government regulations for fraud prevention established by the Payment Card Industry (PCI). The Data Security Standard (DSS) is a proprietary information security standard that organizations handling branded cards from the major card schemes need to comply with.

REGULATION OF PAYMENT SERVICE PROVIDERS

Regulations typically define the type of organizations that are permitted to provide payment services. Traditionally, provision of payment services was restricted to banks, central banks and government bodies. With the advent of the Internet and proliferation of businesses providing electronic commerce and payments services, regulatory regimes worldwide have begun to focus on licensing and regulating smaller PSPs that facilitate various forms of payment online.

In U.S. law code, a money transmitter or money transfer service is a business entity that provides money transfer services. Money Transmitters in the U.S. are part of a larger group of entities called Money Service Businesses or MSBs, which also include currency exchange firms, prepaid access providers, and check cashers.

In Europe, the Payment Services Directive (PSD) defined Electronic Money Institutions, a new category of payment institution with its own prudential regime. Organizations can apply for authorization as a payment institution if they meet certain capital and risk management requirements in any EU country where they choose to become established and then “passport” payment services into other EU member states without additional licensing requirements.

In China, the State Administration of Foreign Exchange (SAFE), seeking to regulate the development of Internet cross-border payments by payment institutions and to prevent the risks of cross-border capital flows through the Internet, allowed non-bank PSPs to participate in the business of payments. This is the first time that the Chinese State has permitted private third-party payment enterprises to conduct cross-border foreign currency e-business payments directly. SAFE allows payment institutions in China to obtain a Payment Business Permit issued by the People's Bank of China to participate in a pilot covering cross-border foreign currency Internet payments.

2 INTERNATIONAL BODIES INVOLVED IN PAYMENTS REGULATION

Regulations are typically formulated by international organizations whose member states seek global coordination on matters of trade, finance and enforcement. This section introduces the various international bodies that are active in recommending regulatory frameworks for payments in individual countries.

FATF

The Financial Action Task Force (FATF) is an inter-governmental body established in 1989 by the Ministers of its Member jurisdictions. The objectives of the FATF are to set standards and promote effective implementation of legal, regulatory and operational measures for combatting money laundering, terrorist financing and other related threats to the integrity of the international financial system. The FATF is a “policy-making body”, which works to generate the necessary political will to bring about national legislative and regulatory reforms in these areas.

The FATF currently comprises 34 member jurisdictions and two regional organizations, representing most major financial centers in all parts of the globe.

The FATF has developed a series of recommendations that are recognized as the international standard for combating money laundering and the financing of terrorism. These recommendations form the basis for a global coordinated response to threats to the integrity of the financial system. The FATF has made recommendations regarding AML and CTF, which have become the global standard that all countries' regimes are held to. The FATF published the annual Non-Cooperative Countries and Territories (NCCT) list to monitor and coerce countries to implement CTF policies. NCCT reports included details of the deficiencies identified regarding countries identified as non-cooperative and the actions taken by these countries to remedy deficiencies. The NCCT process ended in 2007 when the last country was delisted.

To protect the international financial system from money laundering and financing of terrorism risks and to encourage greater compliance with AML/CTF standards, the FATF identifies jurisdictions that have strategic deficiencies and works with them to address deficiencies that pose a risk to the international financial system. The FATF lists countries having strategic AML/CTF deficiencies and calls on its members to consider the risks arising from the deficiencies associated with each jurisdiction.

IMF

The International Monetary Fund (IMF) is an organization of 188 countries, working to foster global monetary cooperation, secure financial stability, facilitate international trade, promote high employment and sustainable economic growth, and reduce poverty around the world. The IMF has a provision allowing countries with transitional economies to employ foreign exchange controls. Countries with foreign exchange controls are known as "Article 14 countries," after the provision in the IMF agreement allowing exchange controls for transitional economies. Such controls used to be common in most countries, particularly poorer ones, until the 1990s when free trade and globalization started a trend towards economic liberalization. Today, countries which still impose exchange controls are the exception rather than the rule.

WTO

The World Trade Organization (WTO) is an intergovernmental organization that regulates international trade. The WTO General Agreement on Trade in Services and its Annex on Financial Services provide the international legal framework for the regulation of cross-border trade in financial services. The most important elements of the WTO commitments on financial services pertain to nondiscrimination and national treatment, meaning that if you accept opening your market, you may not apply different regulations to banks from different foreign countries than to your local banks. Open trade in financial services does not mean greater risk to the system’s safety and soundness.

PCI

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from major card schemes including Visa, MasterCard, American Express, Discover, and JCB. The PCI Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council; the standard was created to increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of compliance is performed annually, either by an external Qualified Security Assessor that creates a Report on Compliance for organizations handling large volumes of transactions, or by Self-Assessment Questionnaire for companies handling smaller volumes.

The PCI Data Security Standard specifies 12 requirements for compliance, organized into six logically related groups called “control objectives”.

3 REGIONAL REGULATIONS

While each country regulates cross-border payments differently according to regional requirements and legal infrastructure, most follow guidelines and best practices promoted by FATF and other international bodies. This section describes regulations in the US and Europe.

UNITED STATES

Payment regulations in the U.S. are tightly aligned with the FATF. FinCEN is the government body charged with administering AML/CTF regulations. Bank and non-bank financial institutions are required to abide by anti-money laundering rules stipulated in the Bank Secrecy Act and USA PATRIOT Act and to screen customers and transactions against sanctions lists maintained by OFAC.

FinCEN

The Financial Crimes Enforcement Network was established in 1990 by the U.S. Congress as a bureau within the Treasury Department. FinCEN’s duties and powers include: maintaining government-wide data access to financial transaction information; analyzing and disseminating information to support law enforcement; determining emerging trends in money laundering and financial crimes; and carrying out delegated regulatory responsibilities. FinCEN defines its mission as safeguarding the financial system from illicit use and combatting money laundering and promoting national security through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities. FinCEN governs federal regulation of Money Services Businesses. FinCEN requires registration, making it a felony to engage in money transmission without a license in any state that requires a license to operate.

State Regulation of Money Transmitters

Forty-eight U.S. states regulate Money Transmitters with laws varying from state to state. Most states require Transmitters to provide a surety bond of between $25,000 and $1 million and maintain a minimum capital requirement. Internet and mobile-based payment services are required to seek a state money transmitter license if they offer services to individuals residing in the state. Under the Dodd-Frank Act (2012), the Consumer Financial Protection Bureau (CFPB) extended state regulation under a "Remittance Rule" that added additional protection for U.S. consumers sending money electronically to foreign countries. The rule targets MSBs providing consumer-to-consumer transfers of low monetary value to businesses and individuals in foreign countries.

Bank Secrecy Act

The Bank Secrecy Act (BSA) was enacted by Congress in 1970 to fight money laundering and other financial crimes. The BSA requires financial institutions to create “paper trails” by keeping records and filing reports on certain transactions. Reports are submitted to FinCEN, which collects and analyzes the information to support law enforcement and provide policy makers with strategic analyses of money laundering developments, trends and patterns. The BSA governs not just banks, but also MSBs. The BSA requires Money Service Businesses (MSBs) to register. If an MSB knows or suspects that any transaction or activity is suspicious, it must file a SAR. MSBs are required to develop and implement an AML compliance program. MSBs must file a CTR for transactions exceeding a threshold with the same customer in a day. MSBs are required to keep a record of certain types of transactions.

Guidelines for Financial Institutions to Detect Money Laundering

Suspicious activity includes any conducted or attempted transaction or pattern of transactions known, or suspected of meeting any of the following conditions: involves money from criminal activity; is designed to evade BSA requirements, whether through structuring or other means; appears to serve no business or other legal purpose and for which available facts provide no reasonable explanation; involves use of the MSB to facilitate criminal activity.

Structuring involves designing a transaction to evade triggering a reporting or recordkeeping requirement. Structuring is a federal crime, and must be reported by filing a Suspicious Activity Report (SAR). Examples of structuring include: a client breaking a large transaction into two or more smaller transactions; a large transaction that is broken into two or more smaller transactions conducted by two or more people.

There are a number of possible factors, or red flags, which signal that an activity or transaction might be suspicious. Examples of “red flags” include: customer using fake ID; two or more customers using similar IDs; customer changing a transaction after learning that he or she must show ID; customer conducting transactions so that they fall just below amounts that require reporting or recordkeeping; two or more customers, trying to evade BSA requirements, that seem to be working together to break one transaction into two or more transactions.

OFAC

The Office of Foreign Assets Control (OFAC) is part of the U.S. Department of the Treasury which administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States. OFAC acts under Presidential national emergency powers and authority granted by legislation, to impose controls on transactions and freeze assets under U.S. jurisdiction. Many of the sanctions are based on United Nations and other international mandates, are multilateral in scope, and involve close cooperation with allied governments.

OFAC publishes the Specially Designated Nationals List (SDN) as part of its enforcement efforts. The list includes individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and companies are called "Specially Designated Nationals" or "SDNs." Their assets are blocked and U.S. persons are generally prohibited from dealing with them. PSPs that initiate payments in the U.S. are required to screen beneficiaries against this list and to block payments to listed entities.

OFAC administers a number of different sanctions programs against countries. Sanctions can be either comprehensive or selective, using the blocking of assets and trade restrictions to accomplish foreign policy and national security goals. Sanctions programs currently administered by OFAC include: Cuba Sanctions; Ukraine-/Russia-related Sanctions; Iran Sanctions; Syria Sanctions; Counter Terrorism Sanctions; and Counter Narcotics Sanctions.

OFAC publishes the Sectoral Sanctions Identifications (SSI) List to identify persons operating in sectors of the Russian economy identified by the Secretary of the Treasury pursuant to Executive Order 13662. Directives found within the list describe prohibitions on dealings with the persons identified.

EUROPE

Payment regulations in Europe are aligned with the FATF. The European Parliament has issued directives aiming to establish a modern and comprehensive set of rules for regulating payment services and creating an EU-wide single market for payments.

EMD - E-Money Directive (2009/110/EC)

The EMD defines rules for conducting business and supervising electronic money institutions with the aim of contributing to the emergence of a single European market for electronic money services. Electronic money is defined as a digital equivalent of cash, stored on an electronic device or remotely at a server.

The EMD aims to enable new, innovative and secure electronic money services to be designed; provide market access to new companies; and foster competition between all market participants. The directive focuses on modernizing EU rules on electronic money, and defines the prudential regime for Electronic Money Institutions. The EMD defines the rules for licensing and supervision of Electronic Money Institutions in order to guarantee fair competition conditions for all payment service providers. Electronic Money Institutions must obtain authorization from a Member State to carry out activities related to the provision of payment services. A license to operate as an Electronic Money Institution obtained in any European state can be passported throughout the entire EU.

Electronic money institutions must hold initial capital of not less than EUR 350 000 and hold own funds which shall be composed mainly of capital reserves. For the activity of issuing electronic money, own funds shall amount to at least two percent of the average outstanding electronic money. Electronic money institutions must safeguard funds that have been received in exchange for the electronic money issued. These safeguards must be effective no later than five business days after the issuance of electronic money. Electronic money issuers are required to issue electronic money at par value on the receipt of funds. Upon request by the electronic money holder, issuers must be able to redeem the monetary value of the electronic money held at any moment. Redemption conditions shall be clearly established in the contract between the issuer and the holder of electronic money. Redemption may be subject to a fee only if stated in the contract in specific cases.

PSD - Directive on Payment Services

The Directive on Payment Services (PSD) provides the legal foundation for the creation of an EU-wide single market for payments. The PSD aims at establishing a modern and comprehensive set of rules applicable to all payment services in the European Union. The target is to make cross-border payments as easy, efficient and secure as 'national' payments within a Member State. The PSD also seeks to improve competition by opening up payment markets to new entrants, thus fostering greater efficiency and cost-reduction. At the same time the Directive provides the necessary legal platform for the Single Euro Payments Area (SEPA).

Payments Legislative Package (PSD2)

The Payment Services Directive (PSD2) will replace the existing PSD in 2017. It will have a wider scope to cover the new payment services created by innovation in financial services. The PSD2 will increase focus by regulators on consumer protection and promote development of a unified payment services sector that better fosters competition, innovation and security.

4 YOUR KEY GUIDELINES FOR A RISK-BASED APPROACH TO COMPLIANCE

To mitigate compliance and fraud risks, a comprehensive compliance program should include risk management, fraud monitoring and robust investigation processes.

Applications for boarding financial accounts should be automatically screened against multiple risk-based criteria. Red flags raised should be manually reviewed by dedicated personnel trained to identify potentially fraudulent account applications.

Disbursements should be automatically monitored, leveraging proprietary data and third party tools such as IP Geo-location, PC Fingerprints, RSA Adaptive Authentication and others to identify potential fraud.

Red flags should trigger manual investigations that include link analysis, review of transaction activity, web activity and information about activities from parties identified as being related to the incident. Suspicious activity reports (SARs) should be filed as deemed appropriate pursuant to the AML/CTF Program.

Multiple layers of risk technology should be deployed alongside procedures to protect customers and the platform against different fraud and compliance scenarios including registration fraud, account takeover and others. Procedures should be deployed at multiple technology layers including:

- Device Tagging and Data Enrichment
- Identity Verification and Account Protection
- Analytics & Monitoring
- Management and Business Processes
- Perimeter Protection


5 YOUR COMPREHENSIVE COMPLIANCE CHECKLIST

When selecting a Payment Service Provider, verify that they adequately address the following compliance challenges:

Licenses

- Is the PSP registered in the U.S. as a Money Service Business and licensed as a Money Transmitter in the States in which licensing is required?
- Does the PSP hold a payment institution or e-money license in Europe?
- Are the PSP and its payment partners regulated and licensed in the countries in which funds are disbursed to payees?

Know Your Customer (KYC)

- Does the PSP administer a robust KYC program that is audited regularly by third parties?

Transaction Monitoring and Reporting

- Does the PSP actively monitor transaction activity of customers for unusual or suspicious activity and report on red flags that are uncovered?
- Have the PSP’s employees been trained to recognize activity indicative of money laundering, terrorist financing or other criminal activity?

Audit

- Is the PSP audited regularly to maintain licenses and relationships with banking partners?
- Are audit reports available for inspection?

Geographic Risk

- Transactions occurring in certain countries can pose higher AML/CTF risk due to less stringent AML/CTF regulations, lax privacy laws or prevalence of drug trafficking, corruption, or financial crime in these countries. Does the PSP apply a country risk evaluator to assess geographic risk?

AML/CTF

- Does the PSP have a strong Anti-Money Laundering and Combatting Terrorist Financing (AML/CTF) program that is regularly tested, audited and reviewed?

Sanctions Screening

- Does the PSP screen all transactions against OFAC and other country relevant lists to prevent payments to sanctioned entities?
- Does the PSP regularly retrieve updated sanction lists and re-screen parties in cases of updates to the lists?

ABOUT PAYONEER

HAVE PAYONEER CARRY THE COMPLIANCE BURDEN OF CROSS-BORDER PAYMENTS FOR YOU.

Payoneer was created to provide businesses around the world with faster, easier, cheaper and compliant payments to global payees. We facilitate payment of billions of dollars annually by thousands of leading platforms like Airbnb, Elance, Fiverr, Getty Images and Google to millions of beneficiaries in over 200 countries. Payoneer processed over one million applications in 2014 from beneficiaries across the world seeking to get paid.

Payoneer offers multiple international payment methods including local bank transfers, international wires, prepaid cards, Payoneer accounts, and local currency checks to enable beneficiaries anywhere to get paid easily. The company works with a network of banks and regulated non-bank payment partners to deliver payments around the world. Payoneer is registered in the U.S. as a Money Service Business and licensed as a Money Transmitter. In Europe, Payoneer has an e-money license through Payoneer EU, a wholly-owned subsidiary.

By working with Payoneer on cross-border payments, you will immediately benefit from a comprehensive choice of payment methods, wide geographical coverage, robust compliance and Payoneer’s payment-savvy Account Managers that will assist you to apply payment methods that are most applicable for your business scenarios and geographical requirements, while ensuring low transaction costs, robust, fast clearance, strong security, finality, flexible tracking, superior multi-lingual customer services and complete regulatory compliance.

Payoneer removes geographical borders for payers and payees and ensures smooth, regulatory compliant, cost-effective and secure payments.

© 2005-2015 Payoneer; All Rights Reserved.

This publication is for informational purposes only and is not intended to provide any professional or business advice. Although the information provided in the publication is intended to be current and accurate, no warranties whatsoever are made in respect to it. Payoneer is not responsible for any errors or omissions in the content of the publication and no entity or person at Payoneer is liable for any losses suffered by any person or entity that relies on this publication.

Learn More About Compliance & Regulation Challenges when Initiating Cross-Border Payments

www.payoneer.com
