The MLRO is the key reference point of the business when it comes to AML/CFT.
The MLRO is the key reference point of the business when it comes to AML/CFT. This entails an agile approach as one navigates through the professional and personal dynamics synonymous with the role.
Independence & Autonomy
The independence and autonomy of the MLRO stems from seniority and authority. Any actions taken or detained should be at the discretion of the MLRO, who should not be influenced in the decision-making process. Access to the data and resources required to perform the role effectively should be unrestricted, and the MLRO should have the freedom to share all relevant data with the regulators. Obliged entities can support the MLRO's independence and autonomy by endorsing a shared understanding of the legal obligations for persons acting as MLROs across the business, and by engaging independent auditors to review and test the performance of the MLRO to provide assurance around independence and autonomy.
Conflicts of Interest
The consideration and management of possible conflicts of interest lies within the responsibility of the management body. Potential conflicts of interest may arise where other functions assigned to the MLRO are remunerated depending upon whether specific business targets are met. Having said that, as best practice, independence from business lines is recommended, particularly where business and AML/CFT objectives diverge. In such situations it becomes even more important for there to be regular independent audits, to test the effectiveness of the obliged entity's AML/CFT policies, procedures, and controls.
Obliged entities should ensure that the MLRO has sufficient time to complete the core AML/CFT functions diligently and promptly. To this end, obliged entities should re-assess the effectiveness of their arrangement with the MLRO periodically by considering factors such as the volume of transactions processed, the volume of internal reports generated for the MLRO's review, and the volume and quality of the requests for information (“RFIs”) received from regulators. Such considerations are relevant within the context of multiple part-time appointments as an MLRO and when the MLRO holds other roles within that obliged entity.
Knowledge, Skills & Expertise
Obliged entities need to understand the prospective MLRO's skill set to decide whether the individual could be a good fit for their company given the nature and size of the business. Some of the areas which obliged entities might want to delve into when considering a prospective MLRO include:
- AML/CFT knowledge and experience;
- experience in the identification, assessment, and management of ML/FT risks; and,
- level of understanding of the AML/CFT risks associated with the business model of the obliged entity.
Obliged entities can further invest in the MLRO's skill set through adequate and ongoing training opportunities, including opportunities for the MLRO to gain a thorough understanding of the obliged entity's business operations, and by providing the necessary resources to complete the function effectively. A professional qualification as a lawyer, auditor or accountant cannot, of itself, be considered as enough, as this does not necessarily translate into a proper appreciation of ML/FT risks, trends, and typologies.
Since June 2020, the FIAU extended its power to impose personal liability on MLROs. This brought about several positive shifts, such as:
- it is a deterrent to negligence and/or abuse;
- it encourages MLROs to keep abreast with regulatory changes, industry best practices, trends, and typologies;
- is a means of ensuring that the necessary time and attention is dedicated to the MLRO's function; and,
- it holds MLROs accountable for AML/CFT contraventions in cases where, through an act or omission, they might have caused, or contributed to, AML/CFT breaches by the obliged entity.
An MLRO may be held personally liable for breaches by an obliged entity of its AML/CFT obligations, through cause, contribution or gross negligence. This provision does not apply where the MLRO demonstrates having done everything possible to address the breaches in question. However, where it becomes clear that further action was possible to address a risky situation, personal liability may be triggered, and this could result in the imposition of administrative penalties ranging from €1,000 to €250,000. Oversights which may lead to the imposition of an administrative penalty on the MLRO include:
- failure/delays in replying to RFIs from the regulators;
- failure to draw senior management's attention to issues around the obliged entity's AML/CFT programme or the MLRO's role; and,
- failure to implement remedial actions which were expressly entrusted to the MLRO.
The data retained on file by obliged entities in relation to their customers should include a record of all the decisions and actions taken or refrained by the MLRO. Such records should include an explanation of:
- the reasoning behind the decisions taken;
- potential obstacles encountered and the actions taken to address them;
- the reasons and/or factors which may have prevented the MLRO from being compliant with regulatory obligations under specific circumstances;
- actions taken to highlight and, where possible, address, issues that are hampering the effective performance of the MLRO; and,
- Unresolved issues brought to the fore through internal reviews and the action points required to address them.
Records should be kept in an ordered and accessible manner to allow for the easy reconstruction and understanding of scenarios, and to demonstrate a consistent approach to the decisions being taken.
Monitoring and managing the dynamics of the MLRO's role should be an ongoing and collaborative effort engaged by the obliged entity and the MLRO, where through open communication any concerns or challenges being encountered can be tackled in a timely manner. A re-consideration of the above-mentioned areas might especially be merited when there are changes in the business and/or business activities or when changes with respect to the MLRO's role are being considered. However, as best practice, in the absence of such changes, the contractual agreement in place between the obliged entity and the MLRO should still be revisited on an annual basis, to ensure that it remains relevant to the entity's business model and activities.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.