EBA issues detailed guidelines on role and responsibilities of the AML/CFT compliance officer and management body

 

On 14 June 2022, the European Banking Authority (“EBA”) published its guidelines (“the Guidelines”) on the role and responsibilities of the anti-money laundering/countering the financing of terrorism (“AML/CFT”) compliance officer and of the management body of credit or financial institutions under Article 8 and Chapter VI of Directive (EU) 2015/849 (“MLD4”). In this article, Victoria Turner, Rachael Callister and Ruth Paley take a look at the new guidelines and talk through next steps for senior managers and the AML compliance function.

Why were the guidelines published?

The EBA produced the Guidelines at the European Commission’s request following its Supranational Risk Assessment in 2017 which found that a number of member states were not implementing MLD4 consistently or effectively, which has created issues with AML controls including specific failures in the appointment of AML/CTF compliance officers.

This inconsistent approach between sectors and Member States is not surprising given that MLD4 does not set out the day-to-day duties of the AML/CFT compliance officer, nor does it define the officer’s wider responsibilities or their relationship with financial authorities.

The aim of the Guidelines is to establish a common interpretation and adequate implementation of AML/CFT internal governance arrangements across the EU in line with requirements of MLD4.  The intention is that this will be achieved by creating “a common understanding” between competent authorities and credit or financial institutions with regards to AML and CFT operations and actions that are expected from firms.

When finalised, the Guidelines will apply to credit or financial institutions as defined in Article 3(1) and 3(2) of MLD4. The UK’s Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 as amended (“MLR 2017”) apply to the same institutions.

The Guidelines

The Guidelines focus on three main areas:

1. the role and responsibilities of the management body in the institution’s AML/CFT framework and of the senior manager responsible for AML/CFT (noting that this is a separate role to that of the compliance officer - see below):  The senior manager responsible for AML/CFT is typically someone at board level or within the organisation’s senior management who takes overall responsibility for the AML/CFT compliance framework. MLD4 defines senior management as “an officer or employee with sufficient knowledge of the institution’s money laundering and terrorist financing risk exposure and with sufficient seniority to take decisions affecting its risk exposure” and notes that the position doesn’t always need to be at Board level. Within the UK, regulation 21(1)(a) of the MLR 2017 requires such a senior person to hold this role;
2. the role and responsibilities of the AML/CFT compliance officer:  appointment of a compliance officer at management level is a specific requirement of MLD4 as part of the requirement to ensure policies, controls and procedures are put in place to mitigate and manage money laundering risks.  The compliance officer is typically not a member of the board but is part of the second line of defence with respect to money laundering and terrorist financing and should report on AML/CFT to the management body or the senior manager responsible for AML/CFT; and
3. the organisation of the AML/CFT compliance function at group level.

The Guidelines complement, but do not replace, relevant other guidelines issued by the EBA on wider governance arrangements and suitability checks. The Guidelines are to be applied proportionally by individual institutions, considering factors such as company size, industry and complexity.

What are the roles and responsibilities of the management body and senior AML/CFT manager?

The Guidelines stress that the management body should be responsible for approving the credit or financial institution’s overall AML/CFT strategy and for overseeing its implementation. As such, it should collectively possess adequate knowledge, skills and experience to be able to understand the ML/TF risks related to the credit or financial institution’s activities and business model, including the knowledge of the national legal and regulatory framework relating to the prevention of ML/TF.

Key aspects of the roles and responsibilities of the management body include:

• ensuring it is informed of the results of the business-wide ML/TF risk assessment;

• providing oversight of AML/CFT policies and procedures to ensure they are adequate in light of the relevant ML/TF risks and take appropriate steps to ensure remedial measures are taken where necessary;

• at least once a year, review the activity report of the AML/CTF compliance officer and obtain interim updates more frequently for activities that expose the credit or financial institution to higher ML/TF risks;

• considering the conclusions of internal and external audits to assess the effective functioning of the AML/CTF compliance functioning. Such assessments should be conducted at least once a year and should consider the appropriateness of human and technical resources allocated the AML/CFT compliance officer;

• ensuring that individuals responsible for AML/CFT functions possess sufficient knowledge, experience and skills to perform their duties effectively and are kept informed of business decisions or any other factors that affect compliance risks; and

• review the AML/CFT compliance officer’s report, at least annually.

A member of the management body should be identified as being responsible for AML/CFT.

Where no management body is in place, the institution should appoint a senior manager who is ultimately responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with MLD4.

This individual should have sufficient time, resources and authority to perform their duties effectively which includes:

• ensuring that the AML/CFT policies, procedures and internal control measures are adequate and proportionate, taking into account the characteristics of the credit or financial institution and the ML/TF risks to which it is exposed;
• carrying out with the management body the assessment of whether it would be appropriate to appoint a separate AML/CFT compliance officer at management level;
• supporting the management body in assessing the need for a dedicated AML/CFT unit to assist the AML/CFT compliance officer in carrying out their functions;
• ensuring that there is periodical reporting to the management body on the activities carried out by the AML/CFT compliance officer and that the management body is provided with sufficiently comprehensive and timely information and data on ML/TF risks and AML/CFT compliance;
• informing the management body of any serious or significant AML/CFT issues and breaches and recommending actions to remedy them; and
• ensuring that the AML/CFT compliance officer (i) has direct access to all the information necessary to perform their tasks, (ii) has sufficient human and technical resources and tools to be able to adequately perform the tasks assigned to them, and (iii) is well informed of the AML/CFT-related incidents and shortcomings identified by the internal control systems and by the national and, in the case of groups, foreign supervisory authorities.

What are the roles, tasks and responsibilities of an AML/CTF compliance officer?

The appointment of an AML/CFT compliance officer should be proportional to a firm’s compliance needs. As such, smaller firms may choose not to appoint an AML/CFT officer as long as they set out their justification for doing so in writing.

If an AML/CFT compliance officer is appointed, that person should be of sufficient seniority and have the power to propose on their own initiative, all necessary or appropriate measures to ensure the compliance and effectiveness of the internal AML/CFT measures to the management body in its supervisory and management function.

Emphasis is placed on the need for the AML/CTF compliance officer to act with honesty and integrity. The Guidelines highlight the need for officers to have the expertise, time and authority to carry out their duties effectively, independently and autonomously.

The tasks to be conducted by an AML/CTF compliance officer include:

• developing and maintaining a risk assessment framework for business-wide and individual ML/TF risk assessments;

• ensuring that adequate policies and procedures are put in place, kept up to date and implemented effectively on an ongoing basis;

• providing a view before a final decision is taken by senior management on onboarding new high-risk customers or maintaining business relationships with high-risk customers in line with the risk- based internal AML/CFT policies;

• monitoring whether the measures, policies, controls and procedures implemented by the credit or financial institution comply with institution’s AML/CFT obligations; and

• advising the management body on measures to be taken to ensure compliance with applicable laws, rules, regulations and standards, and provide their assessment on the possible impact of any changes in the legal or regulatory environment on the credit or financial institution’s activities and compliance framework.

The role as described in the Guidelines appears similar to that which would typically be expected from a money laundering reporting officer (MLRO) in the UK. 

How should the AML/CFT compliance function be organised at group level?

When the credit or financial institution is part of a group, the Guidelines prescribe that a group AML/CFT compliance officer should be appointed. Internal control frameworks should be adapted to reflect the complexity of the business and the associated risks, taking into account the group context. The aim is to ensure that shortcomings in the AML/CFT framework affecting the entire group or a large part of the group are addressed effectively.

What happens next?

The Guidelines will be translated into the official EU languages and published on the EBA website.

The Guidelines will apply from 1 December 2022.

The deadline for Member State competent authorities to report whether they comply with the guidelines will be six months after the publication of the translations.  In the absence of any notification by this deadline, competent authorities will be considered by the EBA to be non-compliant. Any change in the status of compliance must also be reported to the EBA. It is unclear at this stage what steps, if any, will be taken to assess whether individual institutions apply the Guidelines.

What does this mean in practice?

The Guidelines provide welcome clarity by setting an EU-wide benchmark. A common understanding between jurisdictions, applied consistently and enforced as necessary, is key to strengthening the EU’s AML/CFT defences.

Firms operating within the EU should ensure the roles and responsibilities of the management body, senior AML/CTF manager and compliance officer are clear, well-documented and understood. Firms should undertake a full review of the AML/CFT compliance function to ensure alignment with the Guidelines, and ensure that any changes are implemented before the Guidelines come into effect. 

Equally, firms operating outside of the EU, and in particular in the UK (where the AML regime closely mirrors that of the EU) should also take note.  Whilst the Guidelines may not have any formal effect in non-EU institutions they are instructive and set out best practice.

When considering how the Guidelines apply to a firm’s existing internal structure and roles, it is important to note that the Guidelines are applicable to all existing management body structures and do not advocate any particular structure.  It is for each institution to determine the appropriate structure for the firm’s business.  

The roles identified by the EBA appear to some extent to mirror those which are required under UKs AML regulation. For example, Regulation 21 of the MLR 2017 (as amended) requires one individual who is a member of the board of directors (or if there is no board, of its equivalent management body) or of its senior management, to be appointed as the officer responsible for the institution’s compliance with the regulations. This role appears to be similar to that of the senior manager responsible for AML/CTF. Whilst some of the specific tasks allocated to each role differ, the general responsibilities are very similar.

One of the responsibilities of the senior manager responsible for AML/CTF is to support the management body in assessing the need for a dedicated AML/CFT unit to assist the AML/CFT compliance officer in carrying out his/her functions. Many large organisations will already have a dedicated financial crime or AML team which is ultimately led by the MLRO.  The role of the AML/CFT Compliance Officer as set out in the Guidelines appears to closely mirror that which an MLRO would be undertaking within the second line of defence in most mature financial institutions. 

As such, for most institutions these Guidelines are unlikely to herald any major new changes.  However, the development of these new guidelines nonetheless presents an opportunity for firms to review the structure of the organisation, and to refresh and update roles and responsibilities accordingly. Senior managers and the Board should be particularly careful to document the institution’s awareness of these new Guidelines and to record any steps taken to bring the firm’s practices into compliance accordingly.