Latest Payments News: Luxembourg Reprimands Citibank Over Compliance Failures, and more

Kat Pilkington | February 17, 2025

Catch up on six of the stories our payments compliance analysts have covered lately, and stay up-to-date on the latest news.

Luxembourg Reprimands Citibank Over Compliance Failures

Luxembourg’s financial regulator, the Commission de Surveillance du Secteur Financier (CSSF), has issued a reprimand to Citibank for failing to meet professional obligations related to restrictive financial measures.

“This reprimand follows several exchanges between the credit institution and the CSSF that took place in the context of the off-site supervision performed by the CSSF following information provided by the credit institution notably as regards the implementation of restrictive measures in financial matters,” reads the regulator’s decision.

The enforcement action follows a supervisory review that identified delays in implementing EU sanctions on two accounts affected by the trading bloc’s sanctions regime.

Although no funds were accessed by a sanctioned individual, bank charges and interest continued to be processed automatically.

According to the regulator, the bank, which is headquartered in the US, also failed to inform Luxembourg’s Ministry of Finance in a timely manner about the restrictive measures applied.

The CSSF cited breaches of multiple financial regulations, including anti-money laundering (AML) rules, and the sanctions regime that has been introduced in light of Russia’s annexation of Ukraine’s territory in 2014.

The regulator has decided in this instance to issue a reprimand, rather than a financial or remedial sanction, having “taken into consideration the remedial actions undertaken by Citibank Europe Plc, Luxembourg Branch to resolve the breaches identified”.

Utah Senator Wants To Take Trump's CBDC Ban One Step Further

Following a Trump executive order that prohibits the US government from issuing a central bank digital currency (CBDC), a Utah senator wants the ban to go one step further.

Last week, Senator Mike Lee (R-UT) introduced a bill that would enact a CBDC ban in legislation, therefore making the ban in Trump’s executive order “permanent”.

Lee’s No CBDC Act is a two-page bill that would introduce a single passage of text to the Federal Reserve Act of 1913.

This passage would spell out explicitly that neither any Federal Reserve bank nor the Treasury may “mint or issue” a CBDC, whether to individual users or to intermediaries.

These same agencies must also refrain from offering CBDC-“related products or services” either to individuals or intermediaries, including through the maintenance of CBDC accounts.

Lee said he introduced the bill primarily on privacy grounds, noting that CBDC has been used by the Chinese government to financially surveil and censor its citizens.

“The US doesn't need to create a CBDC to know it is a bad idea,” he said.

“We've seen this play out in China with the digital yuan. In early trials, China canceled its citizens' money after a set period, forcing Chinese citizens to spend their savings at the compulsion of the government.

“My bill protects Americans from a similar intrusion by prohibiting the Federal Reserve or any federal government agency from minting or issuing a CBDC.”

The bill names Senator Ted Cruz (R-TX) as an original co-sponsor. It is also supported by lobby groups Heritage Action, Consumer Choice Center and Taxpayers Protection Alliance.

Russia's Central Bank Issues QR Code Payment Security Rules

The Central Bank of Russia (CBR) has introduced a new set of guidelines to enhance the security of QR code-based payments and transfers.

The newly approved standard aims to help financial institutions and businesses mitigate risks by identifying potential threats at different transaction stages and implementing protective measures.

The new guidelines also include specific security protocols for ATM deposits and withdrawals using QR codes.

Although the regulation is advisory rather than mandatory, the regulator has said it expects companies to adopt internal security measures in line with the standard to safeguard users.

The new rules are set to take effect on February 17, 2025.

EBA Narrows ICT Risk Management Guidelines As DORA Takes Effect

The European Banking Authority (EBA) has amended its guidelines on ICT and security risk management measures to align with the Digital Operational Resilience Act (DORA), which came into force on January 17.

The revisions narrow the scope of the guidelines, aiming to streamline regulatory requirements and eliminate overlaps.

DORA introduces harmonised ICT risk management obligations and, to avoid regulatory duplication, the EBA has refined its guidelines to focus only on entities covered under the act.

These include credit institutions, payment institutions, account information service providers, exempted payment institutions and exempted e-money institutions.

In addition, the guidelines will now primarily address relationship management of payment service users in the context of payment services.

Financial entities that fall outside DORA’s scope, such as post-office giro institutions and credit unions, will continue to follow ICT security and operational risk management rules under the revised Payment Services Directive (PSD2), which has been in effect since 2018.

These institutions may also be subject to additional local requirements at the discretion of their respective national competent authorities.

The EBA’s guidelines on ICT and security risk management were originally introduced in 2019 to establish consistent cybersecurity standards across the EU financial sector. They were based on the Capital Requirements Directive (CRD IV) and PSD2 provisions.

The updated guidelines will officially apply two months after the publication of translated versions, giving financial institutions time to adjust to the revised framework.

Singapore Government Says No Reports Of Non-Compliance With BNPL Code of Conduct

There have been no reported breaches of Singapore's Buy Now, Pay Later (BNPL) Code of Conduct since its introduction in 2022, according to the government’s minister for trade and industry.

Gan Kim Yong, who is also deputy prime minister and the chair of the Monetary Authority of Singapore (MAS), was responding to a question from parliamentarian Ong Hua Han.

He stated that all four BNPL providers in Singapore have been independently assessed and accredited as compliant with the code since May 2024.

The code, developed by the Singapore FinTech Association (SFA) in collaboration with the BNPL industry and under the guidance of the MAS, aims to mitigate debt accumulation risks and safeguard consumers.

An independent oversight committee is responsible for investigating potential breaches, and accredited BNPL providers that are found to be in violation risk losing their accreditation.

However, in his response, Gan confirmed that the SFA has not received any reports of non-compliance.

Although the MAS does not collect specific data on BNPL users who have reached their credit limits, the minister noted that safeguards are in place to prevent excessive debt.

These include rules suspending users from making further BNPL purchases if payments are overdue, as well as existing MAS regulations requiring financial institutions to suspend credit cards for borrowers who are more than 60 days past due on repayments.
