Payment institutions Wwft

Payment institutions and the Wwft: the biggest digital challenges

9 min reading time

COVID-19 has resulted in a major acceleration in the growth of e-commerce activities and digital transformation. Lockdowns caused more people than ever to work and shop from home. The growth of online shopping was not limited to developed economies. In fact, the biggest movement to online has taken place in emerging markets.

The (technical) solutions needed to continue that movement are offered by a few digital giants and many start-up fintechs. These platforms and companies are mainly moving outside the financial sector. The provision of specific financial services is often not an end in itself. In addition, digital means that national borders are no longer relevant. For these types of parties, the financial laws and regulations and the associated supervision of a specific jurisdiction are an inhibiting factor on the speed of innovation.


This certainly also applies to Dutch fintechs. They have to deal with a regulator that applies a strict or even stricter interpretation of EU regulations, which can lead to differences with other EU countries. Compared to the legal framework outside the EU, the differences can be even greater. Not yet accustomed to the role of gatekeeper, a significant part of the new challenges consists of managing integrity risks. And not the integrity of the software solution, but of the business operations.

In a series of articles, Charco & Dique and RiskQuest will examine several topics relevant to payment service providers. They do this from their specific expertise in the field of knowledge of regulations (Charco & Dique) and quantitative risk management models (RiskQuest). In this first article, Remco Voogt, consultant at Charco & Dique and Tabor Smeets of RiskQuest discuss a number of specific challenges fintechs may face when dealing with the Money Laundering and Terrorist Financing (Prevention) Act (Wwft) and the Sanctions Act 1977 (SW).

Customer due diligence and screening

Important themes that policymakers of these fintechs must deal with in practice are customer due diligence under the Wwft and screening under the Sanctions Act.

The client investigation, as prescribed by the Wwft, is aimed at finding out with whom one does business and to be able to assess the associated risks. Whereas this is relatively quickly clear to a private individual with a payment account, potential purchasers (merchants) of payment services can sometimes be quite complicated. Some of the questions that come to mind are:

  • How do you link the URL of the webshop to the entity that signs the merchant agreement?
  • Are you dealing with a group of websites operating under a single entity or are they all different legal entities?
  • Is it a “white label solution” for small individual online sellers or is it a centralized organization that sets up its own small webshops?
  • How is an online platform set up, on whose behalf does it act and how does the money flow?


Finally, webshops need little ‘brick and mortar’ to operate. This means the business address can quickly lead to a so-called ‘Panama Paper’ alert. In short, a technical solution for an optimal digital customer experience is sometimes difficult to translate into a customer file that, according to the supervisor, meets the requirements of Section 3 of the Wwft.

High-risk factors

High-risk factors such as cross-border activities and non-face-to-face services should be valued differently in an online world. A payment institution based in the Netherlands that offers 200+ alternative payment methods worldwide has as a business proposition the facilitation of (cross-border) digital payments. This kind of institution is equipped for this and can therefore weigh the risk factor ‘cross-border services’ differently in the Systematic Integrity Risk Analysis (SIRA).

Voogt: ”Webshops often sell products across national borders. For a provider of alternative payment methods, it is therefore more common to have foreign customers than for providers of retail payment accounts or asset management. Experience shows that this is not always recognized when assessing a SIRA and/or AML/CDD policy.

Nature of the relationship and source of funds

The regulator’s emphasis on capturing the purpose and nature of the relationship and source of funds can also lead to a negative customer experience; a disaster for any online service provider.

”The purpose and nature of the relationship is pretty obvious for a payment institution,” Voogt explains. ”A webshop wants to be able to offer several different payment methods to online shoppers. For this purpose, it turns to a payment institution, which can make the processing of online payments possible. There are few other options available.”

“Research into the origin of the funds should take place if necessary. This is also a special obligation for a payment institution with a webshop as customer. The ‘funds’ of the webshop are in fact the funds generated by the webshop’s online shoppers. A payment institution cannot be expected to research the origin of the funds of the online shopper. After all, that is a random consumer with whom the payment institution has no relationship. Determining the plausibility of this using independent, reliable sources therefore does not seem to add much.”

Establishing and monitoring the transaction profile

What is important, however, is to establish the transaction profile of a webshop and monitor it for deviations. Webshops are pre-eminently flexible in the provision of services and specific risks such as transaction laundering (transactions are processed in violation of the agreements with the payment service provider) and fraud (products are not delivered or sometimes do not exist at all) are lurking.

Smeets: “Automated monitoring (using AI techniques, for example) can be an excellent way to add value to the multitude of merchants being served and the large number of transactions that payment service providers process.

By using automated tools, the payment service provider is relieved of work and can focus on those transactions that the tool identifies as potentially fraudulent for screening purposes.”

Also read: 'Transaction monitoring at payment institutions: a challenging task'

Screening against sanction lists

The Regulation on Supervision pursuant to the Sanctions Act 1977 requires institutions to screen whether relations appear on one or more sanctions lists. In a transaction, according to the Wwft and SW guidelines, at least the client and the beneficiary must be screened.

Voogt: ”Anyone who has ever bought a product online knows that not all products require the same amount of information from the buyer. To settle a credit card transaction, name and date of birth are not required. This means that sometimes, the data necessary to perform certain checks is missing. Unlike in the case of SWIFT traffic, it is not compulsory for the data of the client to be passed on to the payment institution when settling a transaction. This can makes screening the parties involved in a transaction an ineffective process in which it is difficult to determine whether there is a real ‘hit’.”

Smeets: “When you want to use historical credit card data to estimate a model, traditional modeling techniques sometimes fall short. After all, the target variable, whether something was actually a fraudulent transaction, is often missing. Unsupervised machine learning techniques can help with this.”

Want to know more?

It can be quite a challenge for a payment institution to comply with the Wwft. Charco & Dique can help you to adequately implement the Wwft requirements and translate them into your daily practice. To make processes more efficient, RiskQuest can help you build adequate models for automated monitoring. RiskQuest also offers a tool to screen clients and borrowers based on transaction data, the RiskQuest Navigator.

Want to know more? Please contact Charco & Dique or RiskQuest for a free consultation.