Is a banking licence necessary for group cash management systems?
banking licence necessary for cash management systems
Do companies outside of the financial sector that operate group cash management systems currently require authorisation from BaFin?
Groups frequently pool the handling of payments (usually supported by cash pooling systems) for all group companies in a group entity as a shared service or in-house bank. Such payment services for other group companies were in the past covered by what is known as "group privilege" and did not require the authorisation of BaFin.
In the second half of 2018, BaFin issued guidance on the new regulation: the German Payment Services Supervision Act [ZAG]. This states that payment transactions "to a group" or "from a group" are not covered by group privilege.
What does this interpretation in the BaFin guidance mean for corporates?
The guidance from BaFin would mean that cash management systems in which payments are received or made for group companies would represent payment services requiring authorisation and that companies would be required to apply for authorisation, meaning a banking licence pursuant to Section 10 ZAG. This would result in supervision and regulation by BaFin as is the case for financial institutions.
Protests from industry
Broad sections of industry protested against this notice in the guidance. Following several intense meetings, discussions and an exchange of letters between industry – led by the Verband Deutscher Treasurer e.V. (VDT) (Association for Corporate Treasury in Germany) – on the one side and BaFin on the other, a solution was found. In the letter from the VDT dated 30 July 2018 and the confirmation from BaFin dated 3 August 2018, it was agreed that there is no obligation to obtain authorisation for cash management systems provided four requirements are met:
- Conclusion of service level agreements between the group companies participating in cash management
- Documentation of all payment transactions
- Creation of uniformly applicable guidelines and instructions, establishment of processes and systems, especially for risks arising from international trade legislation, for the prevention of money laundering and terrorist financing – without being restricted to these
- Compliance with these guidelines/instructions is routinely checked within the scope of internal control systems/compliance using suitable system and process checks by the company that are comprehensible for third parties. Deviations and irregularities arising from these checks are addressed by appropriate processes and permanently resolved.
For the companies affected this means that they have a choice: they either subject themselves to supervision by BaFin or they meet the aforementioned four requirements and do not require authorisation.
Violation of this may amount to a criminal offence, which can be sanctioned with a custodial sentence of up to five years for the persons involved.
What do companies need to do to avoid violation of the authorisation requirement?
Companies must first determine whether they are potentially affected, whether they operate a cash management system, for instance in the form of an in-house bank, that provides payment services. This is followed by an analysis of the organisational and operational structure of the cash management system. Close coordination between Treasury and Corporate Compliance is recommended as a matter of urgency.
To comply with the first two requirements – the conclusion of contracts and documentation of payment transactions – a look at the existing documentation and implementation in the respective IT systems suffices.
Requirements 3 and 4 – maintaining processes and systems relevant for foreign trade legislation and money laundering and the establishment of an ICS – aim to determine whether the compliance management system covers the said fields of law as sub-areas and whether the resulting risks are appropriately identified, evaluated and mitigated through effective control and monitoring actions.
Information on how such a compliance management system and ICS are to be designed, what a suitable risk assessment might look like and which control and monitoring actions could also be advisable (for instance: organisation documentation, business partner due diligence, training, reporting concepts) will be covered in our webinar on this topic that is to take place shortly.
Source: KPMG Corporate Treasury News, Edition 104, September 2020
© 2021 KPMG AG Wirtschaftsprüfungsgesellschaft, eine Aktiengesellschaft nach deutschem Recht und ein Mitglied der globalen KPMG-Organisation unabhängiger Mitgliedsfirmen, die KPMG International Limited, einer Private English Company Limited by Guarantee, angeschlossen sind. Alle Rechte vorbehalten. Für weitere Einzelheiten über die Struktur der globalen Organisation von KPMG besuchen Sie bitte https://home.kpmg/governance.