On 1 September 2022 the European Banking Authority (EBA) published its second report on the functioning of anti-money laundering (AML) and counter terrorist financing (CTF) supervisory colleges (the EBA Supervisory College Report).1 The EBA expects relevant competent authorities to implement its guidelines and recommendations and, where necessary, modify their methods and supervisory tools.
This Client Alert assesses the key impacts of the EBA Supervisory College Report and its findings in the context of other AML/CTF reform efforts being advanced by the EBA and the resulting impact for financial services firms given that the EBA.
Outcomes and key findings in the EBA Supervisory College Report
In December 2019 EBA and its other two sister European Supervisory Authorities (i.e., the European Securities and Markets Authority – ESMA and the European Insurance and Occupational Pensions Authority – EIOPA) published guidelines (JC 2019/81 – the Guidelines) on cooperation and information exchange between competent authorities supervising credit and financial institutions for the purposes of the EU's Anti-Money Laundering Directives (AMLDs). The 4th AMLD set out a legislative requirement on cooperation and coordination (Art. 49 to 57 AMLD4). The operational cooperation framework, which is based on the use of AML/CTF colleges, is set out in these Guidelines, which national competent authorities (NCAs) had until January 2022 to implement.2 Moreover, the EBA published on 16 December 2021 its final report containing guidelines on cooperation and information exchange between prudential supervisors, AML/CTF supervisors and financial intelligence units under the CRD IV Directive (as amended).3
AML/CTF supervisory colleges are permanent structures that bring together different NCAs responsible for the supervision of a cross-border financial institution, which operates in at least three EU Member States and outside the EU. In addition to fulfilling its legal duty to lead, coordinate and monitor the AML/CTF efforts across the EU, the EBA is also a permanent member in all AML/CTF supervisory colleges.
In light of the above EBA personnel during 2021 actively kept track of 16 already existing and 21 newly established AML/CTF supervisory colleges operating across a variety of EU Member States and financial institutions. In this report, good practices are illustrated with concrete examples.
Similar to the findings of its first report on the topic published 15 December 20204 , the EBA Supervisory College Report concluded that while NCAs are dedicated to putting the AML/CTF colleges framework into place, they should have moved passed finding their feet and instead need to take additional steps to make sure that there is ongoing collaboration and proactive information exchange within the supervisory colleges. Moreover, even though AML/CTF colleges continue to operate more effectively, it became clear to EBA staff conducting the review that the majority of them still lack maturity. This includes the following examples:
- A significant adverse inspection finding or allegations of widespread money laundering that surfaced outside of the scheduled college meeting were two examples of significant information that was only shared after EBA staff specifically requested it in several supervisory colleges. This shows that AML/CTF supervisory colleges have not yet succeeded in their goal of ensuring that all college members are informed of emerging risks and encouraged to take appropriate action before those risks crystallise; and
- Since many AML/CTF supervisory colleges were founded and only held their first meetings in 2021, many of them encountered operational difficulties as a result of the completion of cooperation agreements and the conditions for observers' participation. Due to difficulties determining the equivalence of these observers, observers from third countries did not participate in the majority of these colleges. This indicates that these colleges have not yet met with their entire membership and have not yet had in-depth group discussions about AML/CTF risks.
The EBA summarised its overall views in its press release accompanying the EBA Supervisory College Report as follows:
"This Report sets out findings and observations from EBA staff participation in AML/CTF college meetings and from its monitoring activities. In the report, the EBA sets out its observations of good practices with an aim to help competent authorities to enhance their effectiveness in future. These include well-structured and organised college meetings by lead supervisors, pro-active participation and sharing of comprehensive information by some members and an effective involvement of prudential supervisors in some colleges.
The report also highlights areas for improvement. In particular, it points out that, due to their immaturity, AML/CTF colleges are not yet fully embedded in supervisory processes. The Report reminds the supervisors of the importance to exchange information in colleges on an ongoing basis and without delay, particularly where material weaknesses in the institution's AML/CTF framework have been identified. It also emphasises the need for colleges to be organised in a more risk-sensitive manner with more frequent meetings being held for those cross-border institutions that are exposed to higher risks of ML/TF."
Additionally, EBA staff noticed that supervisors' attendance at AML/CTF supervisory colleges improved coordination, with more frequent information exchanges between participants as well as, over time, increased information sharing concerning financial crime risks and how these are assessed. The same also applied to more frequent meetings and dialogue amongst AML/CTF supervisory colleges leading to a greater degree of findings from inspections and lessons learned from administrative sanctions or supervisory measures as applied against supervised financial institutions.
Based on best practices currently seen in AML/CTF supervisory colleges, EBA staff recommended that the lead supervisors and other college members take the following six actions to further enhance the operation of AML/CTF colleges in the future:
- enhance supervisory convergence in AML/CTF colleges;
- finalise the structural components of the AML/CTF colleges, including the Cooperation Agreement and Terms of Participation of observers;
- foster ongoing information exchange within the colleges;
- apply a risk-based approach to college meetings;
- take steps to identify potential areas for a common approach or joint actions; and
- enhance discussion during the colleges' meetings.
The EBA urges all supervisors to use the Guidelines and recommendations presented in this report and, where necessary, modify their methods. It is quite possible that the EBA, like its sister organisation, ESMA will consider using common supervisory actions (CSAs), including through the supervisory colleges that could see EU-wide on-site investigations of AML/CTF compliance amongst supervised firms.
The EBA's March 2022 AML/CTF Implementation Report
It should also be noted that the EBA Supervisory College Report is distinct to the EBA's deep dive on individual NCAs' implementation efforts on their approach to AML/CTF supervision of banks in the EU and the EEA. On 22 March 2022 the EBA published a report following its assessment during 2020 and 2021 of seven NCAs from EU and EEA Member States as well as how prudential supervisors (including in the context of Banking Union) tackled AML/CTF risks in line with their supervisory remit and scope (the EBA AML/CTF Implementation Report).5 The EBA AML/CTF Implementation Report makes recommendations tailored to each NCA. This second round of reviews built on the first, which occurred in 2019 and 2020.
The EBA discovered that all of the NCA examined had made significant efforts to implement a risk-based approach to AML and CTF. Supervisory staff were committed to combating financial crime and had a good understanding of international and EU AML and CTF standards. Supervisory cooperation was a clear priority for all of the NCAs examined and they had begun to implement mechanisms for information exchange – yet this should be contrasted with the findings of the EBA Supervisory College Report.
However, NCAs continued to face challenges in putting the risk-based approach to be applied to AML/CTF supervision into practice. Some of these challenges are unique to individual NCAs, but others are shared by the majority of the NCAs examined. Common obstacles to the implementation of an effective risk-based approach to AML and CTF supervision include:
- Difficulties identifying AML and CTF risks in the banking industry and individual banks;
- AML and CTF risk assessments (including national and sectoral risk assessments) are being translated into risk-based supervisory strategies;
- Using available resources wisely, including ensuring adequate onsite and offsite supervision;
- Taking proportionate and dissuasive enforcement measures to address AML and CTF compliance flaws; and
- In addition, the EBA discovered that cooperation with financial intelligence units (FIUs) was not always systematic and was frequently ineffective.
According to a related press release6 , the EBA is currently conducting the third round of reviews, and NCAs that have not yet been reviewed will be evaluated during this round. Furthermore, the EBA is following up with assessed NCAs to learn about the steps they have taken to strengthen their approaches to AML and CTF supervision.
The EBA's recent reports in the context of its other guidance and reform efforts
The work flowing from the EBA Supervisory College Report and the EBA AML/CTF Implementation Report may coincide with further reform efforts that the EBA is leading on in respect of its:
- guidelines on the role of AML/CTF officers at supervised firms; 7
- (revised) guidelines on AML/CTF risk factors; 8 and
- work on operationalising a central database on AML/CTF (EuReCA) at the EU-level which aims to provide supervisors with a shared resource to identifying, mitigating and managing AML/CTF risks at the financial institutions they supervise – including outside the context of AML/CTF colleges. 9
It is important to note that the EuReCA will include information on material weaknesses identified by NCAs in individual EU financial institutions. NCAs will also report on the steps they have taken to correct material weaknesses in financial institutions. Inadequate AML/CTF policies and procedures, such as the absence of transaction monitoring at the group level and the absence of policies and procedures for high-risk customers, are examples of material weaknesses. EuReCA also includes internal audit findings discovered by a prudential authority during an on-site inspection, about which the senior management and/or management body appeared to have been informed but chose not to correct.
The EBA will use EuReCA data to inform its assessment of AML, CTF and financial crime risks affecting the EU financial sector. It will also share EuReCA information with NCAs, such as if specific AML/CTF risks or trends emerge.
Outlook and next steps
In many ways the EBA Supervisory College Report but also the EBA AML/CTF Implementation Report (along with the EBA's other reform efforts) should be seen as an important indicator for policymakers' next steps on replacing the AMLDs with an EU AML Regulation as well as the creation of a dedicated EU-level AML, CTF and financial crime regulatory authority – currently with the working title AMLA (see separate coverage from PwC Legal's EU RegCORE on those proposals and reform efforts).
While the EBA Supervisory College Report and the EBA AML/CTF Implementation Report primarily makes recommendations for how supervisors should supervise, these reports will, along with the EBA's other reform efforts, have direct impacts on supervised firms. Many may need to consider their next steps. Notably, on how affected firms identify, mitigate and manage the AML, CTF and financial crime risks in the markets and business lines in which they operate. All of these (necessary and overdue) reforms to establishing a more single supervisory culture in the EU's Single Market for financial services may translate into further (and stricter) supervisory scrutiny that financial services firms will need to forward-plan compliance with and possibly reform their own policies and procedures along with systems and controls – irrespective of when AMLA and the AML Regulation may become an operational reality.
2 The Guidelines and a Compliance Table of competent authorities applying them are available here. These should also be read in conjunction with the (revised) guidelines (and compliance table) (both available here) on risk-based supervision, which sets out the steps that supervisors are expected to take to ensure adequate AML/CTF oversight of their sector and relevant supervisory tools.
3 These guidelines and the final report are available here. Under Article 117 of CRD IV (as amended by CRD V) relevant authorities must work closely together within their respective competences and share information relevant to their respective tasks. Article 117(6) of the CRD IV Directive requires the EBA to develop guidelines outlining the manner in which relevant authorities should cooperate and exchange information for this purpose. Those guidelines, which took effect on 1 June 2022, outline the mechanisms by which the relevant authorities should collaborate and share information that is available to them, gathered, or created as part of their respective tasks. They also specify how cooperation and information exchange should be applied in the context of: " authorisation processes, proposed acquisitions of qualifying holdings, suitability assessments as well as authorisation withdrawal; " ongoing monitoring; and " sanctions and supervisory measures.
4 Available here.
5 Available here.
6 Available here.
7 These guidelines and compliance table (once available – that deadline was June 2022) are available here. These guidelines, which took effect on 1 December 2022 apply to all existing management body structures and are described as complementing relevant guidelines issued by the European Supervisory Authorities (ESAs) on wider governance arrangements and suitability checks. These guidelines set out expectations of the role, tasks and responsibilities of the AML/CTF compliance officer and the management body. Among other things, they specify that credit or financial institutions should appoint one member of their management body who will ultimately be responsible for the implementation of AML/CTF obligations and clarify the tasks and functions of that person. They also describe the roles and responsibilities of the AML/CTF compliance officer, when this person is appointed by the management body under proportionality criteria. When the credit or financial institution is part of a group, the guidelines prescribe that a group AML/CTF compliance officer should be appointed and set out this person's tasks and responsibilities.
8 These revised guidelines and compliance table are available here.
9 On 31 January 2022, the EBA published a press release announcing the launch of EuReCA. Details on the draft Regulatory Technical Standards (RTS) on a central database on AML/CTF in the EU are available here. Among other things, the draft RTS clarify how its reporting obligations interact with other notifications such as those under Article 62 of AMLD4. Importantly, EuReCA will not start to collect personal data until the approval of the draft RTS by the European Commission.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.