The RegTech Pulse
The RegTech Pulse examines the latest industry and technology trends that help organizations fight financial crime and streamline payments, so money and goods can move safely and securely around the world. Industry experts across the world join the conversation to discuss their insights and share best practices. The RegTech Pulse is brought to you by LexisNexis Risk Solutions, which helps power compliant and assured client transactions to build an interconnected and trusted financial ecosystem.risk.lexisnexis.com/regtechpulse
The RegTech Pulse
Navigating the EU's Instant Payment Revolution
The financial services landscape is transforming dramatically as the EU's Instant Payment Regulation takes effect, requiring payments to be processed in under 10 seconds. This seismic shift creates unprecedented challenges for compliance teams responsible for sanctions screening and transaction monitoring.
This episode brings together experts Eve Whittaker from LexisNexis Risk Solutions and Eglė Kontautaitė from AMALYZE to explore the complex implications of these new requirements. They break down the regulation's timeline, with banks now required to receive instant payments and soon needing to send them and offer verification of payee services by October 2025.
At the heart of this discussion is a fundamental tension between speed and security. The 10-second rule forces financial institutions to make binary accept-or-reject decisions without the luxury of freezing suspicious transactions for further review. This represents a radical departure from previous practices where compliance teams had more time to investigate potential risks. This could lead to higher rejection rates as organizations adopt lower risk appetites when forced to make split-second decisions.
For more information, visit the LexisNexis Risk Solutions or AMLYZE websites, or download our eBook.
DISCLAIMER: The information provided in this podcast is for informational purposes only and is not intended to and shall not be used as legal advice. The views and opinions expressed in this podcast are solely those of the speakers and do not necessarily reflect the views or positions of LexisNexis Risk Solutions. LexisNexis Risk Solutions does not warrant that the information provided in this podcast is accurate or error-free.
Welcome back to the RegTech Pulse everyone. Today, we're going to be exploring a seismic shift in financial crime compliance brought about by the EU's Instant Payment Regulation, otherwise known as the SEPA Instant Payment Regulation. This requirement is to process payments in under 10 seconds, so it means that financial institutions are going to be facing unprecedented pressure to adapt their sanction screening and their transaction monitoring processes, all while maintaining compliance and customer trust. I'm joined by
Julia Thorn:from Amalyze and Eve Whittaker from LexisNexis Risk Solutions, so thank you both so much for joining me. I wonder if you could give each a bit of an introduction about your role, the organization that you work with, egle, maybe starting with you?
Eglė Kontautaitė:Thanks, Julia, for the short introduction, so apologies for my English language. It's not my birth language so I will not be as fast as you, Julia. So AMALYZE, in a few words, it's a regtech company providing compliance solutions specifically in this AML/CFT area. So it's customer screening, transactions monitoring, sanctions screening, et c, and my function is head of customer solutions and it's not a self-explanatory function. What it encompasses actually is, on the one hand, it's regulatory affairs, so as soon as something shifts in at least EU regulatory environment, I am analyzing this and communicating for the Amalyze product team to be sure that our product is compliant with the most recent regulatory framework. On the other hand, I'm altogether responsible for the fluent onboarding of Amalyze clients, making sure that the compliance team, with the business model that institution has and the risk exposure that institutions, has the target customer portfolio they have, that they can adapt and analyze product in the best manner, knowing all features, how they can use those features and be compliant with the regulations. So actually it's about my role in this company.
Julia Thorn:And Eve over to you.
Eve Whittaker:Thanks, Julia.
Eve Whittaker:So I sit within the Financial Crime Compliance Division of LexisNexis Risk Solutions as a Strategy Director, so we're very much focused on much like Eglia looking at the landscape of financial crime regulation and understanding how our clients need to respond to that and then ensuring that we deliver appropriate solutions across both data and software to help our clients combat that very complex regulatory landscape Brilliant.
Julia Thorn:thank you so much both. So we've talked a little bit about, gave a bit a brief introduction on the SEPA instant payment regulation, but I'm not an expert on that. I wonder, eve, if you could give a little bit of background to what the regulation is, what it means for timings and what some of the deadlines are, because there are various dates that have been shifting around with this one.
Eve Whittaker:Yeah, that's right. So, exactly as you said in your introduction, really it's a requirement that all financial institutions and payment processes will need to offer instant payments, and that means payments that can be processed in under 10 seconds. So this 10 second window is kind of the big feature of the instant payment requirement, but it comes, as you say, with a number of deadlines and a number of other obligations around it. So, as of January earlier this year, 2025, banks within the EU eurozone were obliged to be able to receive instant payments, which means they have to have the systems in place ready to be able to receive instant payments, which means they have to have the systems in place ready to be able to receive those. As of October this year, they'll need to have systems in place to be able to send those payments and they'll also have to be offering verification of payee, which is where you can essentially ascertain if the payee name matches the details that the bank that the payment's being sent to holds for that name. So all of those obligations come into effect from October. There are later deadlines for non-bank payment processes, so electronic money businesses and other kind of payment service providers and so on. They'll have to comply from 2027 onwards, so they have a bit more time to get these systems into place.
Eve Whittaker:But for a large number of financial institutions this regulation is very much happening now.
Eve Whittaker:So that puts a lot of pressure on organizations to be able to adapt to what will really be a much higher volume of payments that are being processed very, very quickly.
Eve Whittaker:They also have to be able to offer these services 24 7, which has quite big implications for things like customer support and having staffing around the clock to be able to manage that.
Eve Whittaker:The other big implication is on the screening side of things. So the incident payment regulation brings in a shift into how screening should be approached. So a lot of financial institutions will previously have been conducting account screening, onboarding and then on a regular basis to understand if their customers are sanctioned or exposed to risks, and then they'll be performing payment screening, so screening each individual payment to understand if the parties involved have any kind of sanctions or risk exposure. Now the instant payment requirement represents a shift here, because instead financial institutions will now be obligated to screen all their account base at least daily, and there's also an expectation that whenever changes are made to EU sanctions regimes, there is an immediate response to that and that entities are then again immediately screened to be able to capture any risks that might have emerged based on that change to sanctions regimes. So that puts a lot of pressure on financial institutions to be able to respond very quickly to shift in regulation. Puts a lot of pressure on their data systems and their software systems as well.
Julia Thorn:And what are some of the reasoning behind this, because obviously, as you said, this is an EU only regulation. So how does that stack up against things like OFAC, UN, BIS, screening, that sort of thing, in terms of why the EU, what's the reasoning behind it and how is it going to impact some of those screening processes?
Eve Whittaker:That's a really good question, I think, from a sanctions perspective, because this is an EU obligation, it's an EU regime, it's the EU sanctions scheme that's specifically impacted by it. Obviously, a lot of banks within the EU who are subject to this regulation also need to adhere to regimes like OFAC or other international sanction schemes, so that does introduce quite a significant element of complexity. So where payments no longer need to be screened against EU lists and instead the daily account screening and then this immediate account screening after changes to regime is the new approach, there will still be a need to screen payments against other international sanctions regimes. So I'd say that adds another layer of complexity to organizations. You need to then balance the workload of how they respond to those multiple regimes got you and igla, so amylase.
Julia Thorn:Work with anti-money laundering, anti-fraud. What are some of the things that you're seeing with your customer base in terms of how this is working-fraud? What are some of the things that you're seeing with your customer base in terms of how this is working in Lithuania and other parts of the EU? So first, of all.
Eglė Kontautaitė:Thanks, eve. It's a great overview of sub-instant regulation and how it affects and challenges financial institutions overall in the EU zone. Sometimes I will reiterate what you've previously mentioned only because to show or demonstrate how many challenges and technological, operational ones financial institutions are facing regarding those changes relatively changes challenges that Lithuania and overall Baltics as a market face. I would like to touch several angles of SEPA instant payment rules itself. So, actually, to be truthful, those rules are nothing very new in Eurozone, but previously they were governed by the European Payment Councils, which issued a step-by-step rulebook and the market treated it as a self-regulatory regime. It's not regulation per se and, let's say, they treated it with a certain degree of flexibility across the industry. What do I mean? First of all, in practice, regulatory frameworks such as anti-money laundering and counter-financing of terrorism they, at least previously they always have taken precedence. These are superior, or at least used to be superior, legislative acts and when their requirements clashed with SEPA instant rulebook, which was treated more of a guidance, particularly regarding speed and execution, which is very strict now, and the regulation is only 10 seconds for the execution from the peer to PE ML, cft regulations and considerations always, always prevail, and I'll tell you with an example. So, for example, in high-risk scenarios, the strict 10-second execution requirement of SEP instant, at least in Lithuanian market, from what I've seen, was not always observed. And a little bit about Lithuanian market. So what we have in Lithuanian market we have SEPA instant, quite good penetration already for a while with a strong push from the Bank of Lithuania it's a central bank of Lithuania. So we have already, at least in Lithuanian market, implemented SEPA instant, at least in the Lithuanian market, implemented SEPA instant. But, as I've mentioned, the market treated with a little bit of flexibility, the guide from the European Payment Council.
Eglė Kontautaitė:So payments were sometimes paused or even frozen in mid-transit to allow further examination of the origin and destination of funds, which is the core element of MLCFT. So if transaction monitoring the system flags the transactions, it is incoming payment, so it might have been not rejected, what SEPA instance regulation requires now, but frozen somewhere in mid-transit. And to make it a bit simple and avoid technical language, so what happened, at least previously? After a payer authorized a payment, the payment service provider sends it to PSP. So it sends it to the payees PSP. However, if the payees PSP identifies the transaction as potential suspicions from the perspective of money laundering, terrorism financing, it may flag the payment and in such cases the PES-PSP confirmed receipt of the transaction to the payer's PES-PSP but did not yet make the funds available to payee. Which meant treating a bit flexibly the 10-second rule and in the Athenian market curiously, curiously did not mean that the penetration of SEPA instant payments were poor. What it meant that financial institutions were cautious and they were neither willing to be very user unfriendly and to reject the payment, nor they were willing to take the risk and make the funds available for their pay.
Eglė Kontautaitė:So this approach was actually grounded by the previous and existent legal obligations as far as it regards in terms of MLCFT. They were in MLD so directive which was implemented in the national regulations. They are existent in the recent ML regulation package. So what ML regulation requires? So that obliged entities should refrain from carrying out transactions which they know or suspect to be related to proceeds of criminal activity, at least suspect. So in fact they should refrain from executing and it does not mean rejecting the payment. That might mean various possibilities. At least it meant and this reflects the core purpose of ML safety framing to ensure that the financial services are not used to support criminal or sanctioned activities, and this ultimately highlights a key tension between speed and security.
Eglė Kontautaitė:Instant payments are designed to be fast and seamless, and instant payment regulation is directed very strongly towards that task. But effective financial crime prevention requires time for proper due diligence, and the new regulatory framework does not aim anyhow to reconcile these conflicting demands. Actually, it even introduces additional significant technological and operational challenges across the whole financial ecosystem and, as I mentioned before, it does not necessarily mean that it's a good choice. But we have what we have. We have the 10-second rule, and the application of the 10-second rule is a huge challenge for the compliance team. What it means?
Eglė Kontautaitė:It means the review of the whole payment flow.
Eglė Kontautaitė:It means the review of how transaction monitoring, especially transaction monitoring based on real-time transaction monitoring, should be working and how to implement now existing pressure for 10-second rules, which means you don't have an option to freeze the transaction in midway. You have, within the time frame of 10 seconds, to decide what to do next Accept, make funds available for the payer, pay or reject the transaction. So actually these are not the core technological channel, just that we are facing now in Lithuania or Baltics, but overall I think it's a challenge for the whole compliance teams across the EU. So I think we will see what results it will carry out. For now at least, amlaz is working very close with its clients to discuss how to approach those new regulations, how to create new alert resolution flow, how to approach the regulation that does not solve the US extratory application of the sanction regime by the US application of national sanction regimes, which probably will mean that you have to freeze certain transactions going beyond what SEPA instant regulation requires. So there are various challenges in Lithuania, market included.
Eve Whittaker:I think you drew a really interesting point there, which is this kind of conflict between customer experience and effective compliance. Right, which is like the whole point of Instant Payment, is customer experience, so they can transfer funds more quickly. It has big business benefits. They can engage in much more liquidity. They can pay people much more quickly and more seamlessly. That allows business operations to operate more fluidly. It's very convenient for individual consumers as well to be able to transfer funds, so it's very oriented around the customer experience.
Eve Whittaker:But exactly as you say that that 10 second window places huge pressure on a compliance team and they either need to decide to reject or send a payment within that window.
Eve Whittaker:There isn't time to review it and so there's no maybe anymore. It's a very black and white distinction and what that ultimately will probably mean is that the percentage of failed payments will increase, because it's not something you can take a risk on right if there's sanctioned activity. So if there is some exposure, the likely result is a failed payment, because the risk appetite for that has to be really low. And it's interesting I don't know how we don't yet understand what that means then for the customer experience, if that will ultimately undermine to an extent the purpose of the scheme in the first place by actually resulting in a much higher proportion of failed payments. And we don't have real clarity yet on whether there's an acceptable maximum number of failed payments or percentage of failed payments that an institution can have before they're subject to further scrutiny. So that's an unknown at the moment, I would say, for a lot of institutions.
Eglė Kontautaitė:Very good, pilar. One more angle I want to touch 10 seconds rule. This will be a huge conundrum for compliance team how to mitigate the risks altogether being compliant within 10 seconds rule. Additional rule that is also a huge headache for the financial market participants. That is also a huge headache for the financial market participants, at least from what is happening in Lithuania, is transaction amount limits.
Eglė Kontautaitė:So previously, as I mentioned, the European Payment Council rulebook was treated more like a guidance and financial institutions what they did to mitigate the risks stemming from financial crime. They sometimes put certain limits for transactions, for instance transactions which were lower than previously set in European Payment Council rulebook, which meant they, on the one hand, mitigated financial crime risks, on the other hand, yet again, curiously, it did not mean that the SEPA penetration in Lithuania market was poor, having a possibility, even though the transaction values were a bit lower than it indicated in the rule book by the European Payment Council. But it worked. It worked and you have a win-win situation. You had risk mitigation altogether with fast payments, execution and 10-second rule did not mean breaching or not complying with the guidance of the previous guidance with the 10-second rule. It did not mean at all that the clients were unsatisfied with the execution of payment. In most cases it was applicable 10-second rule and if it was not 10 seconds it was 10 minutes.
Eglė Kontautaitė:10 minutes for compliance to take a decision what to do next. Is it risky enough to go to the fau to freeze transaction, not to execute, not to allow the pay depends a payer or payee to dispose the funds because it's an object of mlcft requirements, reporting to f, getting the feedback from FAU. So 10 minutes, 10 seconds slash 10 minutes, it's not something that the user, especially natural persons, not a legal person, natural person would experience as a huge downfall of experience how the payment flow is working. But at the same time it was good for compliance. So yet again, it's a challenge we have to adopt. It is as it is and now there are technological challenges to be solved.
Julia Thorn:It's quite a big difference with the 10 seconds versus 10 minutes, but what are some of the, I guess, the implications? If organizations of financial institutions are not adhering to this 10 second, what does that mean for them? What could the possible implications be?
Eglė Kontautaitė:so just to rectify. It used to be like that. I was willing to show that it could have worked in a different way. But and the regulation creates challenges to adapt in a new way, especially for the compliance MLCFT. What it will mean now if you're not compliant and you risk to be compliant with MLCFT regulation but not compliant with SEPA instant regulation I think it's something that we will see how supervisors themselves will react to the breach of 10-second rule. We don't have experience yet.
Julia Thorn:It means that it's a breach of SEPA instant regulation Got you and Eve, in your introduction you mentioned a little bit about the verification of payee piece, which is coming in October this year, I believe. Could you give some more background as to that and what some of those implications might mean?
Eve Whittaker:Yeah, absolutely so. It's one facet of this, as we've established very complex regulation with a number of requirements. So verification of pay is really the process of trying to understand a person or entity that is receiving funds, if their details match up according to the receiving financial institution. So it's a way for the institution sending the funds to be able to verify that the person receiving the funds is legitimate and that the details match. And the idea is that this is a prevention mechanism, an additional layer of security to confirm when money's moving very, very quickly and it's harder to capture potential fraudulent activity, potential criminal activity. The idea is that this is another layer of protection to try and assist with that. So for financial institutions, they're obligated to have this layer of verification and pay that needs to be offered to their end customers free of charge, and so they can't implement any kind of charge for that service. And again, a large number of institutions. That will start to take effect from October of this year. So what that will mean for most institutions is having a technology system called a routing and verification mechanism in place which allows you to send the key details of the payee to the receiving institution and basically get a check mark back of, yes, these details match what we have on file, or no, they don't, and that process could and should happen relatively quickly. The good news is that, technically, this happens before the payment leaves. So, although you're still playing with that very tight window of 10 seconds and it needs to feel like a very seamless and quick process, there's, I think, think, some flexibility of interpretation to allow that verification to take place before the payment technically is executed, which means can take a little bit longer for that to occur. But it does still need to be a kind of seconds long process rather than a minutes long process, because the idea is that it's part of this seamless customer experience.
Eve Whittaker:So it's a system that organizations will need to have in place for that routing and verification mechanism. All providers of that specific type of technology do need to be registered with the European Payments Council, so you have to make sure that you're getting that software from an approved vendor and make sure that it's effectively integrated and tested in time for this October deadline. So it's yet another big infrastructural investment that organisations will need to make, and it also does have a customer facing interface right. Typically there'll be some indication to the end user. I mean if you've used a banking app that hasn't implemented already, you've probably seen, when you go to send a payment to a friend, that you'll get a checkbox back. So there's an element of customer interaction there as well. So how banks choose to incorporate that into their consumer product is another layer of implementation to consider.
Julia Thorn:Got you. So you talked a little bit about some of the technical elements and some of the software piece of things. Are there any other I guess practical steps, things that compliance teams might need to be doing now we are a few months out from the verification of payee deadline? What are some of the other steps? Are there any other I guess practical steps, things that compliance teams might need to be doing now we are a few months out from the verification of payee deadline? What are some of the other steps that compliance teams or organizations should be taking if they haven't been preparing for this already? Maybe a question for both of you, I suppose.
Eve Whittaker:If you haven't got your RBM software yet, start moving now would be my advice. I imagine most institutions that are working towards that October deadline will already have a good idea of how that system is going to work and we'll be rolling through the testing and implementation phases. I think, again, the customer experience angle is always relevant, given again that that's the big driving purpose behind instant payment regulation. You want to make sure that that verification of pay experience also feels fast and seamless. But again, making sure that it's well integrated and compliant with that registered service with the EPC is a key factor. Egla, I don't know if you have any other considerations there.
Eglė Kontautaitė:So, yes, be prepared for something that is coming altogether. So, yes, be prepared for something that is coming altogether. Be prepared that you have a certain twilight zone that European Commission is not willing to talk about going beyond SEPA instance. So, as you mentioned previously, they were clear enough about what relief they provide for targeted financial sanctions screening meaning EU, not screening payer and PE. They provided certain relief for fraud monitoring, indicating that verification of PE might be the main tool for fraud prevention teams. However, they kept silent.
Eglė Kontautaitė:What to do with MLCFT regulation? What to do with MLCFT regulation? What to do with national restrictive measures? And a bunch of EU countries have those national restrictive measures and freezing of transactions should be applicable for being compliant with those national restrictive measures. What to do with national regulation adapted for screening solutions? With national regulation adapted for screening solutions, for example, in Lithuania, we have a specific requirement stemming from the Bank of Lithuania, the supervisor of financial institutions, to screen payment purpose payment detail, which creates huge noise in transaction screening area. What to do with those? So what different solutions are being discussed in financial market in Lithuania, and including preparedness for a huge rejection of transactions? So I don't know which is more user-friendly execution, a transaction beyond 10 seconds, like 10 minutes, or having a huge flow of transactions that will be rejected, because 10 seconds you have to choose accept or reject and what the compliance team should be aware of.
Eglė Kontautaitė:Analyze. Analyze what you have now. Analyze your false positive. Analyze where those false positives come from. Analyze how can you optimize the system. Analyze how can you optimize the system. Analyze how can you optimize the parametrization of system. I'm not talking only about screening system. I'm talking altogether about transaction monitoring systems, especially real-time transaction monitoring systems, not only being compliant with SEPA instant, but altogether being compliant with AML regulation, because there are no reliefs in that area. And what we see? We see that Europe is going into the stricter regulation regime in AML area.
Eve Whittaker:Some really really good points. I agree with everything that you said there, and I think, in particular, this idea of evaluating false positive volumes, knowing that you need to make really quick, snap decisions based on very minimal information in a very short period of time. It means having really really high quality data in place is key. And then having a really strong, well-tuned engine for your detection is also key. So that false positive reduction angle could have a huge impact on the proportion of payments that you're able to pass versus fail.
Eve Whittaker:We all know that the false positive rate is really really high, both in screening and in transaction monitoring, so anything that could be done to bring that down will help make this whole implementation more effective. And I think just the other point to touch on is we talked briefly about it, but not a lot today is this requirement for all accounts to be screened as soon as there's a change to the sanctions regime. So having a data source that's able to reflect those changes immediately that's the wording that's used right. This needs to be immediate as soon as there's a change made to the sanctions program of the eu. Having confidence in the data source that you're using, that it's going to capture that data and that the next time you screen you're going to be reflecting that it is also really crucial.
Eglė Kontautaitė:So another area to scrutinize within the aml program that was very, very great angle that you touched upon that we have not previously mentioned that immediate customer account screening. So for screening providers and data set providers, that's indeed very crucial. And additional advice for the compliance team to communicate with your providers. How can you implement that? Because it appears that it's only one word, immediately, but from what we see, that might create a huge operational burden. Going into establishing this list of how fast the datasets can be updated, going into deeper, how fast automatically, re automatically screening can take place, and it does not mean what previously might have been existing within the financial institution, that screening having and taking into account the huge operational burden that account screening brings, usually it was carried out during the night. Doing so immediately, regardless of existing batch processing schedules, alert cues or internal system constraints. It means that you have to react immediately. This is a huge operational burden, and not operational burden from the IT perspective, but also operational boarding for the whole alert resolution team. You might have huge batches of alerts and you will not be aware when will you be having those, because data sets may change. It will run in any time of the day because it has to run immediately. Screening will run immediately. You will receive a batch of alerts. You will be having to solve those.
Eglė Kontautaitė:That was a good angle. You touched on Eve.
Julia Thorn:I think that gives, I think, a really good place to wrap up this conversation. I think we could talk for a lot longer about it. I wonder if each of you Eve, perhaps starting with you, I guess. Closing thoughts, one final piece. We've touched on quite a bit of advice for compliance teams, but if there were maybe one or two immediate and practical steps that listeners could take now, what would you want them to walk away from this conversation thinking?
Eve Whittaker:yeah, as you say, we could talk about it all day, but I think, if we were to condense it down, I think the really, really key elements to look at are ensuring you have a really, really robust, well-updated data source as the foundation of your systems, and then evaluating your technology systems to ensure that they're equipped to handle both an increased volume in workload but also to try and minimize the operational impact on teams, with really really effective false positive reduction and tuning. I think those would be the biggest areas of priority for me.
Julia Thorn:And Eagly any closing thoughts from your side.
Eglė Kontautaitė:From the MLI's perspective, so actually it was a very good wrap-up that you've mentioned. What I wanted to stress is analyze your false positives. Analyze which data points creates the most false positives, which data sets creates most false positives. Optimize your system, optimize parameterizations of the system and, of course, optimize your alert resolution flow. How you do that? Taking into account that soft-stop possibilities is also a possibility for observing where your risk lies Brilliant.
Julia Thorn:Thank you so much, yves Egle. Thank you for joining me on the RegTech Pulse. We will include some links to some useful resources and to both the LexisNexis, risk Solutions and Amalyse websites in the show notes To all of our listeners. Thank you so much for joining Yves Egle. Thank you for joining me as well and looking forward to hearing more about this topic in the future. Thanks for having us.
Eve Whittaker:It's been great conversation. Thank you very much.
