Navigating AML obligations in the age of virtual IBANs

February 10 2025

by Payments Intelligence

What is this article about?

The compliance challenges of virtual IBANs, focusing on AML obligations and regulatory gaps.

Why is it important?

While vIBANs offer innovation in payment systems, they introduce risks like money laundering due to insufficient oversight.

What’s next?

Payment Service Providers must strengthen due diligence, monitoring, and collaboration with regulators to address these risks.

Virtual IBANs (vIBANs) have become a key component of modern payment systems, enhancing payment reconciliation and facilitating cross-border transactions. However, their rapid adoption has raised concerns about regulatory oversight, particularly concerning anti-money laundering (AML) compliance.

Regulatory reviews from the Bank of Italy, UIF, and the European Banking Authority (EBA) have identified key shortcomings in the management of vIBANs. Currently, large enterprises are the primary users, while small businesses and consumers have shown limited adoption—likely due to unclear policies on customer eligibility and risk exposure.

Voices from the industry

Virtual IBAN regulations are evolving as regulators tighten AML compliance, data protection, and cross-border payment rules. PSPs must stay ahead by monitoring industry updates, engaging with key groups, and building flexible compliance systems. AI can enhance transaction monitoring, while stronger KYC processes and staff training will help manage risks and maintain compliance. To navigate diverse vIBAN regulations, PSPs should establish a global compliance framework adaptable to local laws. Partnering with regional providers, leveraging AI for fraud detection, and conducting regular audits will ensure compliance, transparency, and operational excellence.

While vIBANs have positive use cases, challenges exist in limited monitoring of the end user, alignment with the PSP’s risk appetite, and the lack of a consistent framework to mitigate financial crime and regulatory risks. Common standards would bring consistency and confidence. These could mandate key business and UBO information, as in Germany, verified by the PSP holding the direct relationship. Including structured data would help PSPs monitor and mitigate financial crime risks. Policymakers must ensure standards are not overburdensome, as excessive data requirements or restrictions could limit vIBAN use and eliminate their benefits.

Key takeaways

The AML Compliance Challenge with vIBANs

Virtual iBANs: A double-edged sword

Virtual IBANs have become a powerful tool in modern payment systems, enhancing payment reconciliation and financial management. However, their indirect ownership structures and lack of transaction traceability create serious AML compliance risks. Financial regulators are intensifying scrutiny, highlighting gaps that PSPs must urgently address.

Regulatory oversight intensifies

Authorities such as the EBA, UIF, and national regulators are raising concerns about vIBAN compliance. Recent inspections show that PSPs often exclude vIBAN transactions from their customer profiling efforts, significantly reducing visibility into high-risk activities. The primary focus on monitoring master accounts leaves an oversight gap that can be exploited for illicit financial activities.

Critical AML weaknesses exposed

Compliance reviews reveal systemic shortcomings in how PSPs handle vIBAN due diligence. Since vIBANs are often treated as extensions of master accounts rather than independent relationships, firms fail to apply appropriate risk assessment frameworks. This weakens transaction monitoring, particularly in scenarios involving third-party involvement or high-risk jurisdictions.

Bridging the Compliance gap: The PSP response

To meet regulatory expectations, PSPs must redefine their AML strategies. Strengthening KYC procedures is critical, ensuring that verification extends beyond master account holders to individual vIBAN end users. Real-time monitoring tools must be implemented to detect suspicious patterns, while AI-driven risk assessments can help identify emerging threats in cross-border transactions.

Future-proofing vIBAN compliance

As regulatory frameworks evolve, PSPs need to proactively engage with authorities to shape compliance standards. Greater harmonisation across jurisdictions will be essential to closing existing loopholes. By adopting a proactive, technology-driven approach, financial institutions can enhance transparency while preserving the efficiency and benefits of vIBANs.

What are vIBANs?

vIBANs extend traditional International Bank Account Numbers (IBANs), providing PSPs with a way to manage payments and streamline financial operations. Unlike standard IBANs, vIBANs are linked to a primary ‘master account’ and serve as individual identifiers, allowing businesses to segregate transactions for different purposes. This makes them particularly useful for firms operating and managing complex flows.

However, vIBANs remain indistinguishable from standard IBANs to third parties, which raises a separate set of challenges around transparency, transaction monitoring and, importantly, given the current landscape, AML compliance. As the adoption of vIBANs grows, they’re increasingly seen as both a valuable innovation in payment systems and a growing regulatory challenge requiring careful oversight and further due diligence practises.

Aspect	iBAN	vIBAN
Nature	Direct bank account number	Identifier linked to a master account
Account holder	Specific to an individual/entity	Linked to a master account
Primary use	General banking transactions	Payment reconciliation, segregation
Traceability	Tied directly to a customer	Linked indirectly via a master account
Compliance	Built-in regulatory clarity	Requires additional AML measures for transparency

Key findings from inspections

Regulatory inspections have revealed significant insights into the current usage and oversight of vIBANs, highlighting both their operational strengths and critical compliance gaps.

Data shows that vIBANs are primarily used by large financial firms, with minimal adoption among small businesses and individual consumers. This may be due to unclear PSP policies regarding target customers, acceptable use cases, and associated risks.

When thinking in the context of customer verification, vIBANs are often treated as extensions to master accounts as opposed to independent relationships. This leads to inadequate due diligence. In addition, vIBAN activities are often excluded from customer profiling efforts, leading to gaps in identifying and addressing suspicious behaviours. Primarily, transaction monitoring efforts focus on the master accounts, which oftens means individual vIBAN activities are overlooked, limiting the ability to detect anomalies or risks effectively for firms.

Regarding high-risk scenarios such as On Behalf Of (OBO) transactions or third-party involvement, which are not accompanied by proportionate risk controls, these deficiencies underscore the need for PSPs to enhance their risk assessment frameworks and implement sturdy policies to address the gaps and challenges raised by vIBANs.

Regulatory expectations for PSPs

As regulators continue to refine their expectations for PSPSs, a strong compliance framework is essential to mitigate financial crime risks. One key area of focus is enhanced due diligence (EDD), particularly in the context of virtual IBANs (vIBANs), where additional scrutiny is required to manage associated risks effectively.

Enhanced due diligence

The idea of enhanced due diligence (EDD) for vIBANs revolves around addressing some of the unique compliance challenges posed by their structure and use. While there are plenty of operational advantages, the indirect relationship to master accounts requires a higher standard of KYC processes and verification. Failure to do so could exacerbate risks of money laundering (ML) and terrorist financing (TF). Here’s how PSPs can strengthen their approach:

1) Robust KYC processes

PSPs should extend their KYC procedures beyond master account holders to include vIBAN end users. This means identifying individuals or entities that benefit from vIBAN activities, even if they are not the direct holders of the master account.
Verifying the legal identity of vIBAN end users through documentation and independent data sources
Gathering information on the intended use of the vIBAN, including its role in the customer’s financial activities, whether for payment reconciliation, invoicing, or another purpose.

2) Ongoing verification

It’s important to note that EDD should not be a one-time activity but more a continuous process for firms to adopt in order to maximise awareness of changing customer behaviours and emerging risks.

Firms should continuously monitor transactions at both the master account and individual vIBAN levels to detect anomalies or potential ML/TF patterns.

Risk ratings—based on transaction volumes, geographic locations, and industry type—should be regularly updated to reflect changes in customer activity.

Firms should establish protocols to escalate and report unusual activities linked to vIBANs promptly to the relevant Financial Intelligence Units (FIUs).

3) Risk-based approach

PSPs should monitor high-risk indicators, such as customers operating in high-risk jurisdictions or industries vulnerable to money laundering (ML) or terrorist financing (TF).

Mitigating risks by limiting the number of vIBANs issued to a single customer, imposing transaction limits on vIBAN usage based on the risk profile and enhancing scrutiny of high-risk accounts through periodic audits or on-site visits.

4) Cross-border considerations

Firms should ensure collaboration with partner PSPs, establishing agreements with these firms to share meaningful KYC data and ensure alignment on compliance standards
Meanwhile, firms that adopt due diligence measures aligned with local regulations will be better equipped to address cross-border compliance gaps.

5) Technological support

To manage the complexities of EDD effectively, PSPs should leverage advanced technologies including artificial intelligence (AI) to help identify patterns and predict risks in vIBAN transactions.
Alongside this, enabling seamless data exchange with partners and enhancing visibility in customer activities are also recommended.
Firms that streamline onboarding and verification processes can ensure compliance without delaying operations.

How do UK regulations apply to vIBANs?

Unlike the EU, the UK has yet to establish clear regulatory guidance on vIBANs. While the EBA has identified regulatory gaps and issued recommendations, the Financial Conduct Authority (FCA) has not formally defined Virtual IBANs, nor has it issued specific compliance obligations for PSPs operating in the UK. This, therefore, means it is possibly the case that the FCA leaves it to the firm’s assessment or interpretation.

This lack of clarity presents a challenge: compliance with EU regulations does not guarantee compliance with UK financial laws. While EU member states, such as Italy, have referenced older regulations to cover vIBANs, UK PSPs cannot assume that similar principles apply without explicit FCA guidance.

UK PSP compliance: What to consider

Since no dedicated UK framework exists, PSPs must rely on broader financial regulations to ensure compliance:

Regulatory Area	EU Guidance (EBA, PSD2, SEPA, etc.)	UK Approach (FCA, AML Regs, etc.)
Definition of vIBANs	No formal definition in PSD2, but EBA guidance discusses vIBAN risks	No FCA definition or standalone regulatory framework for vIBANs
AML/CTF Requirements	EBA urges enhanced due diligence (EDD) and specific KYC for vIBANs	UK Money Laundering Regulations (MLRs 2017) apply; vIBANs must be treated as potential AML risks
Regulatory Oversight	Supervised by National Competent Authorities (NCAs) under EU frameworks	FCA has no direct supervisory framework for vIBANs but oversees AML compliance
Transparency Obligations	EBA stresses monitoring both master accounts and vIBANs separately	UK PSPs must ensure traceability under POCA (Proceeds of Crime Act 2002) and FCA’s Financial Crime Guide (FCG)
Customer Due Diligence (CDD)	vIBAN users require separate risk assessments under EBA’s AML/CTF guidance	UK PSPs must extend CDD to vIBAN users (not just master account holders) under MLRs 2017
Regulatory Collaboration	EU encourages PSPs to engage proactively with regulators to shape future guidance	FCA is behind the curve—UK PSPs should still engage with industry bodies (e.g., The Payments Association, UK Finance)

Risks and challenges highlighted

The European Banking Authority (EBA) has identified several key risks and challenges associated with the use of virtual IBANs (vIBANs) in its report, a large proportion of which stem from regulatory inconsistencies, operational complexity, and transparency issues.

A key issue is regulatory divergence, as there is no uniform definition of vIBANs across different jurisdictions. This inconsistency results in varied standards and practices, creating opportunities for regulatory arbitrage and making it harder for PSPs to develop cohesive compliance strategies. The lack of clarity in how vIBANs should be treated under existing frameworks such as the SEPA Regulation and PSD2 further exacerbates the challenge. Customer transparency is also a critical issue, with many vIBAN users lacking a clear understanding of the protections and operational risks associated with these services.

Regulatory Findings on vIBANs – Key Deficiencies and industry implications

vIBANs under the regulatory microscope

Virtual IBANs are increasingly seen as both a transformative innovation and a regulatory challenge. Financial authorities are scrutinising their use, raising concerns about transparency, risk controls, and governance. Compliance gaps in customer verification and transaction traceability are pushing regulators to demand stricter oversight.

Findings from inspections: Where PSPs are falling short

Regulatory reviews highlight inconsistencies in customer due diligence processes. Many PSPs fail to properly verify vIBAN users, assuming that compliance obligations are met at the master account level. This approach limits firms’ ability to assess and mitigate AML risks, particularly in high-risk transactions such as On Behalf Of (OBO) arrangements.

Regulatory divergence creates compliance challenges

A major challenge in vIBAN oversight is the absence of a unified regulatory framework. Different jurisdictions apply inconsistent standards, leading to regulatory arbitrage. Without clear definitions under PSD2 or SEPA, PSPs struggle to develop comprehensive AML strategies that align with international best practices.

Industry response: Strengthening AML controls

To address these deficiencies, PSPs must rethink their risk assessment models. A shift towards a risk-based approach will be essential, ensuring that high-risk transactions are subject to enhanced scrutiny. The adoption of regulatory technology (RegTech) solutions can help automate compliance processes, reducing manual oversight gaps and improving fraud detection capabilities.

Looking Ahead: The next phase of vIBAN regulation

As regulators intensify their focus on virtual IBANs, stricter enforcement measures are expected. PSPs must anticipate further regulatory intervention and proactively adapt their compliance frameworks. Cross-industry collaboration will play a key role in shaping future standards, ensuring that financial institutions can continue to leverage vIBANs while maintaining robust AML controls.

The EBA also highlighted unclear oversight as a significant problem. National competent authorities (NCAs) often struggle to track and assess the scale and nature of vIBAN usage within their jurisdictions. This lack of visibility hinders effective supervision and makes it tough to identify weaknesses in PSPs’ internal controls, particularly when considering AML and CTF.

Transaction traceability presents another concern with the very nature of vIBANs, which redirect payments to a master account and can obscure the actual flow of funds. This creates challenges for tracing transactions and identifying the originators and beneficiaries, complicating efforts by financial intelligence efforts.

Finally, there are substantial risks linked to vIBANs on the consumer side. Users may unknowingly enter into arrangements where they are not the master account holders, potentially and inadvertently depriving them of rights and protections associated with traditional payment accounts.

Use cases and strategic considerations

There is a range of functionalities that make vIBANs invaluable in specific financial scenarios, particularly for businesses that are managing complex payment flows. Common use cases include the following:

Payment reconciliation: vIBANs simplify payment reconciliation by allowing businesses to allocate a unique vIBAN to each customer, project, or revenue stream.
Cross-border transactions: By enabling businesses to issue vIBANs with local country codes, vIBANs help overcome issues like IBAN discrimination. This functionality allows companies to maintain a local presence in multiple jurisdictions without needing to open physical accounts in each one.
Centralised treasury functions: Large organisations use vIBANs to centralise payments within a corporate group. As an example, a treasury department can manage the financial activities of multiple subsidiaries through vIBANs linked to a single master account, improving cash flow visibility and efficiency.

Practical steps for UK PSPs

Until the FCA issues direct guidance, UK-based PSPs should take proactive measures to ensure compliance and mitigate risk:

Align with EU best practices – Even though EU regulations do not apply directly, following EBA recommendations can demonstrate strong governance if scrutinised by the FCA.
Enhance internal AML controls – Given the lack of official FCA rules, PSPs should treat vIBANs as high-risk financial instruments and apply enhanced due diligence (EDD) in line with UK AML regulations.
Monitor FCA updates – While no definition exists today, PSPs should remain alert to FCA developments and engage with industry bodies (e.g., The Payments Association, UK Finance) to stay ahead of potential changes.
Engage with the FCA – Instead of waiting for a formal stance, PSPs should proactively seek FCA input to clarify expectations and prevent regulatory misalignment in the future.
Apply a risk-based approach – Until clearer rules are issued, PSPs should take a conservative compliance stance by applying robust customer due diligence (CDD), tracking transactions at both the vIBAN and master account level, and ensuring full traceability in line with UK financial crime regulations.

Actionable takeaways

PSPs play a pivotal role in safeguarding the financial ecosystem against money laundering (ML) and terrorist financing (TF) risks. As the adoption of vIBANs grows, PSPs must take proactive measures to ensure these tools are not exploited for illicit activities, especially in jurisdictions like the UK, where regulatory guidance remains unclear.

Since the FCA has yet to establish a formal regulatory framework, UK PSPs should not wait for prescriptive rules but instead align with existing AML/CTF obligations, such as MLRs 2017 and POCA 2002. Firms should describe its proposition and outline its reasoning relating it to both obligations and the FCA’s Financial Crime Guide. It should continually evidence that it is following this approach and reviewing this to make any amendments considered necessary in the event of new information coming to light or subsequent adverse findings.

Implementing robust compliance controls, enhanced due diligence (EDD), and advanced monitoring technologies will help mitigate the risks associated with vIBANs while ensuring transparency in financial operations.

Compliance is not just a regulatory checkbox—it is a safeguard for financial trust. While UK PSPs cannot yet “work with regulators” in the way EU firms can, they should still engage with industry groups such as The Payments Association and UK Finance to drive regulatory clarity. By proactively addressing challenges and ensuring financial integrity, PSPs can protect their operations while shaping the future of vIBAN oversight in the UK.