The Point of Sale Blind Spot: Why the R16 Card Exemption Deserves Closer Scrutiny

When the Financial Action Task Force (FATF) agreed the revised Recommendation 16 at its June 2025 Plenary, it delivered the most significant overhaul of payment transparency standards in more than a decade. The scope was ambitious. The updated framework extended its reach to all forms of payment or value transfer, introduced alignment checks for beneficiary institutions and standardised originator data requirements for cross-border peer-to-peer transactions above the USD/EUR 1,000 threshold. The guiding principle was unambiguous: same activity, same risk, same rules.

Yet one category of payment activity was quietly preserved in its pre-existing cocoon. Card-based purchases of goods and services, whether made with credit, debit or prepaid instruments, continue to sit outside the full scope of the revised standard. The rationale is pragmatic. The question is whether pragmatism, left unexamined, becomes complacency.

The R16 exemption is not new, but the landscape is

The card exemption has existed in various forms since Recommendation 16 (R16) was first adopted. Its original logic was straightforward: card transactions for goods and services flow through established payment networks with their own fraud controls, merchant due diligence procedures and chargeback mechanisms. Issuers and acquirers are identifiable through network directories. The risk profile, the argument ran, is fundamentally different from a peer-to-peer wire transfer moving value across borders. From an anti-money laundering (AML) perspective, that argument had weight.

That logic was defensible in a payment landscape dominated by physical point-of-sale terminals and face-to-face retail. It is considerably less comfortable in 2026. The nature of what constitutes a purchase of goods and services has expanded well beyond what the original exemption contemplated. Digital goods, in-app purchases, subscription services, online marketplaces, buy-now-pay-later arrangements and stored-value wallet top-ups now occupy the spaces between traditional retail and value transfer. The boundary between buying something and moving money is no longer crisp.

As VerifyVASP noted in its response to the FATF’s public consultation, the distinction between a purchase and a transfer of money is ‘virtually impossible’ in practice. The gap has collapsed. Modern marketplaces and the emergence of virtual assets as stores of value have seen to that.

The revised R16 acknowledged this complexity. The FATF clarified that the exemption applies only to genuine purchases, not to person-to-person transfers facilitated through card instruments. Where a card funds a peer-to-peer transfer, the full information requirements apply. This is a necessary clarification. It is not a sufficient one.

Merchant category codes are not risk indicators

The practical enforcement of the card exemption rests on the ability to distinguish a genuine purchase from a disguised value transfer. In the card payment landscape, that distinction is largely mediated by merchant category codes (MCCs): four-digit classifications assigned by acquiring institutions and card networks. MCCs were designed for interchange fee calculation and chargeback management. They were not designed as AML risk indicators. They do not perform that function reliably.

A merchant classified under a retail MCC may nonetheless facilitate transactions that function as value transfers. Gift card purchases, high-value electronics bought for resale and transactions with online marketplaces that permit instant conversion to cash or crypto-assets all sit within the nominal scope of a purchase. Yet they carry risk characteristics far more closely aligned with peer-to-peer transfers. The label does not match the reality.

Transaction laundering represents a further dimension of risk that MCCs cannot capture. A seemingly legitimate merchant processes payments on behalf of illicit businesses, and the classification system sees only the front. The US General Accounting Office (GAO) observed as early as 2002 that the extent of money laundering through credit card systems was unknown. Acquirers, it found, generally lacked AML programmes targeted at merchant activity. Two decades on, the structural gap persists.

The FATF’s revised standard provides that issuer and acquirer details need not travel within payment messages but must remain accessible through card network directories upon request. This is a sensible concession to operational reality. It does not address the more fundamental question: is the underlying transaction genuinely a purchase, or a value transfer dressed in commercial clothing?

Prepaid cards test the exemption’s limits

The revised R16 applies the card exemption equally to credit, debit and prepaid instruments. The FATF confirmed this in the June 2025 revisions, invoking the principle of consistency across card types. Not everyone agreed. BNP Paribas and others raised concerns during the public consultation. Their argument was clear: prepaid cards that can be loaded anonymously present a materially different risk profile from cards tied to verified account holders. The FATF acknowledged the concern. It did not act on it.

The risk is well documented. The FATF’s own 2010 report on money laundering using new payment methods identified anonymity, global reach, portability and accessible funding as features that criminals exploit for placement, layering and integration of illicit funds. The European Union’s Fifth Anti-Money Laundering Directive responded by reducing permissible transaction limits for anonymous prepaid instruments. National regulators across multiple jurisdictions have flagged prepaid card programmes as requiring enhanced due diligence.

Applying the same exemption to a fully verified credit card holder and to an anonymous prepaid card loaded with cash at a retail outlet is difficult to reconcile with the risk-based approach. The principle of ‘same activity, same risk, same rules’ cuts both ways: if the risk is not the same, the rules should not be either. The FATF has indicated that forthcoming guidance will clarify the scope further. The standard as currently drafted, however, treats all card types as functionally equivalent for exemption purposes. That equivalence is questionable.

Cross-border card transactions amplify the exposure

The exemption becomes particularly difficult to justify in cross-border settings. Consider the asymmetry. A consumer using a card issued in one jurisdiction to purchase from a merchant in another generates a transaction that crosses national boundaries and may pass through jurisdictions with uneven AML oversight. The revised R.16 imposes rigorous information requirements on cross-border peer-to-peer transfers above the de minimis threshold: name, address and date of birth. A cross-border card purchase of equivalent value attracts none of these requirements. The gap is stark.

The asymmetry is difficult to defend on risk grounds. Cross-border card transactions are not inherently lower risk than cross-border wire transfers. In many cases, they are less transparent. Card network directories provide a mechanism for authorities to trace issuer and acquirer details after the fact, but reactive traceability is not the same as the proactive transparency that accompanies a fully compliant wire transfer. For financial intelligence units seeking to identify suspicious flows in real time, the card exemption creates a gap in the data landscape. Criminals can, and do, exploit it.

The boundary between purchase and transfer will not hold

The most significant challenge to the card exemption is structural rather than technical. Payment methods are converging. Embedded finance is proliferating. Non-traditional payment channels are multiplying. Together, these forces are eroding the conceptual distinction on which the exemption depends. Gaming platforms with stored-value wallets, e-commerce marketplaces that function as payment intermediaries and buy-now-pay-later providers all inhabit this space. The line between purchasing and transferring value is increasingly artificial.

The FATF’s decision to retain the exemption reflects a pragmatic calculation. Card networks process billions of transactions daily. Requiring full R16 compliance for every card purchase would impose enormous operational costs and generate more data noise than actionable intelligence. The Clearing House Association, in its submission to the FATF’s second consultation, went further. It argued the exemption should be broadened to cover purchase transactions through any payment network with a comparable AML risk profile. The industry position, in other words, is that the exemption is not too wide but too narrow.

That position deserves scrutiny, not reflexive acceptance. The argument that card network fraud controls provide adequate AML coverage rests on an assumption: that fraud detection and money laundering detection are functionally interchangeable. They are not. Fraud controls protect the card issuer and the network from financial loss. AML controls protect the financial system from criminal exploitation. A transaction may be entirely legitimate from a fraud perspective and entirely suspicious from an AML perspective. The two disciplines overlap. They are not substitutes.

Implications for firms

For compliance teams within card-issuing institutions, acquiring banks and payment service providers, the retention of the card exemption should not be read as permission to look away. The exemption defines what must be included in payment messages under R16. It does not define what firms should monitor, assess and report. The distinction matters.

Firms should reassess whether their transaction monitoring systems can detect patterns of card usage that indicate value transfer rather than genuine purchase activity. Merchant onboarding matters too. Are due diligence procedures robust enough to identify transaction laundering risk? Do prepaid card programmes, particularly those with anonymous issuance, receive proportionate AML scrutiny? These are not peripheral questions.

The forthcoming FATF guidance on payment transparency, expected during the phased implementation period running to 2030, may provide additional clarity. It may not arrive quickly. Firms that wait before acting may find themselves behind the regulatory curve.

Pragmatism is not a permanent defence

The R16 card exemption is a pragmatic compromise. Pragmatism has its place in standard-setting. Applying the full weight of payment transparency requirements to every card purchase would be disproportionate, operationally burdensome and unlikely to produce intelligence of value. The exemption recognises that card transactions benefit from existing network controls. Those controls provide a degree of traceability, even if through different mechanisms than the originator-beneficiary data model.

Yet pragmatism becomes complacency when the assumptions on which it rests go unexamined. The assumption that a purchase is categorically distinct from a value transfer is weakening. The assumption that fraud controls provide adequate AML coverage is unproven. The assumption that prepaid, debit and credit cards carry equivalent risk is contested. Three assumptions. None secure. The revised R16 has modernised payment transparency for a new era of financial services. The card exemption, retained largely in its original form, belongs to the era that preceded it.

Transparency that stops at the point of sale is not transparency. It is a boundary drawn for convenience. Convenience is not a principle on which to build an effective financial crime framework.

Is your firm’s approach to card payment AML risk keeping pace with the changing definition of what a ‘purchase’ really means?

At OpusDatum, we help firms navigate the evolving payment transparency landscape with clarity and rigour. Our advisory and data solutions support institutions in understanding where regulatory expectations are heading, identifying gaps in existing controls and building compliance frameworks that reflect the reality of modern payment flows.

Contact us to discuss how we can support your payment transparency strategy.