Anti-Money Laundering & Know Your Customer

Summary

  • As a global financial services provider, PayPal is committed to compliance with all applicable laws and regulations regarding Anti-Money Laundering ("AML").
  • PayPal's policy and practice is to try to prevent people engaged in money laundering, fraud, and other financial crimes, including terrorist financing, from using PayPal's services.

United Nations Office on Drugs and Crimes estimates that global money laundering transactions are estimated at 2-5% of the global GDP ($1-2 trillion annually) and that less than 1% of these illicit transactions are seized by authorities.

The Changing Landscape Calls For Changing Policy

  • The ever-present threat of criminal activity has forced governments and regulators to increase their focus on AML/Counter-Terrorist Financing (CTF) issues. PayPal's philosophy is to develop and utilize new methods of identification and authentication that go beyond the traditional KYC collection of static data elements. Industry should leverage existing static typologies [i.e. birth date] and red flags [i.e. spending amounts] and combine with more dynamic events and practices using new forms of data to increase transaction monitoring.

PayPal Protects Its Users

  • PayPal is a closed-loop system (having a relationship with both the sender and receiver) that allows us to identify suspicious activity more easily than competing systems.
  • PayPal's Customer Due Diligence program collects certain identity details at sign-up while remaining relatively frictionless. Once certain thresholds are met, in compliance with relevant market regulation, PayPal will subject users to additional KYC requirements for identity verification.
  • PayPal conducts a global AML/CTF and Sanctions risk assessment consistent with Financial Action Task Force (FATF) guidance to identify, assess and understand the ML/TF risks PayPal faces. This is consistent with a risk-based approach (RBA) which impacts global policy decision-making and implementation of program elements.
  • PayPal screens accounts and transaction history on a nightly basis, covering the entire customer base. We cross-reference our information against a variety of lists from regulators, governments and more (OFAC's Specially Designated Nationals list, UN Security Council sanctions list, Commission de Surveillance du Secteur Financier in the EU, etc.).

PayPal is Proactive About Cybercrime

  • PayPal engages/partners with law enforcement proactively and reactively to both help stop cybercrime while also catching the bad actors that have committed crimes and are under investigation.
    • PayPal created a Law Enforcement portal that allows members of organizations around the world to submit case requests, subject to the legal process.
      • We have proactively reached out to law enforcement to make them aware of this system and encourage them to reach out to us with any questions or concerns.
    • On the proactive side, PayPal establishes regular training with law enforcement organizations and educates agents on PayPal's systems and the types of crimes that we encounter while also learning from them about the broader ecosystem and the latest trends and movements in global cybercrime.
  • From an internal standpoint, we collaborate with various teams across the company (compliance, legal, risk, infosec, etc.) to better identify potential bad actors and make recommendations to agencies.

What Are The Experts Saying?

  • In 2007, the Financial Action Task Force (FATF) published guidelines for the risk-based approach, with the intention to create a more pragmatic process that is, "workable…[ for] financial institutions grappling with a constantly increasing regulatory burden." [link]
    • FATF recommendations updated in 2016 state, "the risk-based approach allows countries…to adopt a more flexible set of measures, in order to target their resources more effectively and apply preventative measures that are commensurate to the nature of risks." [link]
  • Veridu (identity verification company) and Ramparts (European law firm) published a white paper in 2016 detailing how KYC practices need to move away from static data collection. "Identity verification (IDV) is a particularly challenging aspect of the KYC process and the traditional way of verifying identities using passports, driving licenses and other documentary forms of identification is becoming a barrier. IDV mechanisms also have an unintended negative impact on financial inclusion. [link]
  • A paper by Juan Zarate and Chip Poncy (Financial Integrity Network and Center on Sanctions and Illicit Finance) identifies a need to move away from reactive model of AML/CFT to a preventative risk-based approach. The paper also reaffirms the need for more information sharing using big data capabilities, biometrics and identity verification, and network and behavioral analysis. [link]
    • Customer identification (KYC) is rapidly evolving with a biometrics market in India predicted to reach $3 billion by 2021. Banks are beginning to introduce "touch ID" log-in capabilities for customer accounts as well as other biometric fusion such as iris scans and voice recognition.

Our Vision

Policymakers should recognize the changing landscape of technology-enabled criminal behavior. We encourage policymakers to enable the use of real-time data and account monitoring (rather than relying heavily on static data point collection for traditional KYC procedures) and to adopt a risk-based approach.