On 14 June 2022, the European Banking Authority (EBA) published its final guidelines on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT compliance officer under Article 8 and Chapter VI of the Fourth Money Laundering Directive (Directive (EU) 2015/849) (the Guidelines).

The Guidelines follow publication, on 2 August 2021, of a consultation paper in which the views of stakeholders were sought on the proposed draft guidelines (Consultation Paper).

The Guidelines can be accessed here.


The Fourth Money Laundering Directive requires that Member States ensure that firms appoint an AML/CFT compliance officer at management level "where appropriate with regard to the size and nature of the business."1 The Directive also requires Member States to ensure that, "where applicable", firms that have a management body (e.g. a Board of Directors) identify the member of the management body who is responsible for compliance with AML/CFT requirements.2

The EBA notes, however, that there has been a number of reports suggesting that the requirements set out in the Fourth Money Laundering Directive have been implemented unevenly across different sectors and Member States, which ultimately has adverse consequences for the integrity of the EU's AML framework.

The purpose of the Guidelines is to set clear expectations of the role and responsibilities of both the AML/CFT compliance officer and the management body (or the senior manager where no management body exists) with regards to AML/CFT.

The EBA expects the Guidelines to be applied in a manner that is effective and proportionate to a firm's type, size, internal organisation, the nature, scope and complexity of its activities and the ML/TF risks to which the firm is exposed.

The Guidelines will apply to all financial services firms regulated by the Central Bank of Ireland.

Key Areas addressed by the Guidelines

The Guidelines are divided into four sections addressing the following key points:

1. Role and responsibilities of the management body in the AML/CFT framework and of the senior manager responsible for AML/CFT

This section addresses the role and responsibilities of the firm's management body, or the senior manager identified by the firm where no management body is in place, with respect to AML/CFT.

It also specifies the role and tasks of the member of the management body identified as responsible for AML/CFT pursuant to Article 46(4) of the Fourth Money Laundering Directive.

2. Role and responsibilities of the AML/CFT compliance officer

This section addresses the appointment of an AML/CFT compliance officer at management level. It is stated that when considering whether to appoint an AML/CFT compliance officer, the management body should take into account the scale and complexity of the firm's operations and its risk exposure to ML/TF pursuant to the proportionality criteria. In addition, the management body should determine whether the role will be full-time or performed by an employee or officer in addition to their existing functions within the firm.

With regard to proportionality, the Guidelines state that "a credit or financial institution should appoint a separate AML/CFT compliance officer unless it is a sole trader or has a very limited number of employees or the reasons set out in paragraph 33 justify the non-appointment". Paragraph 33 states that where the management body decides not to appoint a separate AML/CFT compliance officer, the reasons should be justified and documented, and explicitly refer to at least the following criteria: (i) the nature of the firm's business and the associated ML/TF risks, (ii) the size of the firm's operations in the jurisdiction and (iii) the legal form of the firm, including whether it is part of a group.

Guidance is also provided for circumstances in which an AML/CFT compliance officer acts for two or more entities within a group.

The AML/CFT compliance officer should have sufficient authority to propose to the management body, on their own initiative, all necessary or appropriate measures to ensure the compliance and effectiveness of the firm's internal AML/CFT measures.

This section also sets out the roles and responsibilities of the AML/CFT compliance officer which should be clearly identified and documented by the firm, including the development of a risk assessment framework, development of policies and procedures, monitoring compliance, reporting to the management body and reporting of suspicious transactions. The suitability criteria for the AML/CFT compliance officer are also addressed.

Finally, guidance is provided regarding the outsourcing of the operational functions of the AML/CFT compliance officer, noting that the ultimate responsibility for compliance with legal and regulatory obligations remains with the firm.

3. Organisation of the AML/CFT compliance function at group level

This section addresses the role of the management body in respect of AML/CFT at group level and the appointment of a group AML/CFT officer. The Guidelines state that where a firm is part of a group, the firm should adapt its internal AML framework to the specificity of its business and the associated risks, taking into account the group context.

Guidance is provided on the role of the management body where the parent company is a firm to which the Guidelines apply. It goes on to address organisational requirements at group level with respect to AML/CFT. For example, when implementing group-wide AML/CFT policies and procedures, the parent company should designate a member of its management body or senior manager responsible for AML/CFT among the senior managers at the level of the parent undertaking, as well as a group AML/CFT compliance officer. Guidance is also provided regarding the tasks of the group AML/CFT compliance officer.

The Consultation Paper included an additional section titled "Review of the AML/CFT compliance function by competent authorities". This section was incorporated in the EBA's revised Risk-based Supervision Guidelines (EBA/GL/2021/16), published on 16 December 2021.

Next Steps

The Guidelines will be translated into the official EU languages and published on the EBA website. Following this, competent authorities will have six months to report whether they comply with the Guidelines. We expect the Central Bank of Ireland to notify the EBA of its intention to comply with the Guidelines in full.

The Guidelines will apply from 1 December 2022.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.