On 14 June 2022, the European Banking Authority ("EBA") released its guidelines on policies and procedures in relation to compliance management and the role and responsibilities of the anti-money laundering and counter-terrorist financing ("AML/CFT") Compliance Officer under Article 8 and Chapter VI of Directive (EU) 2015/849 (the "Guidelines").
The Guidelines describe the role of the management body of a credit or financial institution (the "Entity") both in its supervisory and management functions in the AML/CFT framework. In its supervisory functions, the management body is notably responsible for overseeing and monitoring the AML/CFT internal governance and internal control framework. In its management functions, the management body is notably in charge of implementing the organisational and operational structure necessary to comply with the AML/CFT strategy and ensure the implementation of internal AML/CFT policies and procedures. In relation more specifically to the role of the AML/CFT compliance officer, the Guidelines specify that the need to appoint a separate AML/CFT compliance officer at management level should be assessed. As a matter of principle, this should be the case, unless the relevant Entity is a sole trader or has a very limited number of employees or certain reasons justify the non-appointment (nature and risks of the business, size of operations, legal form of the institution, etc.).
Furthermore, the management body assesses the need for a dedicated AML/CFT unit to assist the AML/CFT compliance officer in carrying out his/her functions. In fact, the management body has to ensure that the AML/CFT compliance officer (i) has direct access to all the information necessary to perform his/her tasks, (ii) has sufficient human and technical resources and tools to be able to adequately perform the tasks assigned to him/her, and (iii) is well informed of the AML/CFT-related incidents and shortcomings identified by the internal control systems and by the national and, in the case of groups, foreign supervisory authorities. The member of the management body or the senior manager where designated for AML/CFT is the main contact point for the AML/CFT compliance officer within the management. The member of the management body or the senior manager where designated for AML/CFT should ensure that any AML/CFT concerns that the AML/CFT compliance officer has are duly addressed. In the case of a significant incident, the AML/CFT compliance officer should have direct access to the management body in its supervisory function.
As part of the second line of defense, the AML/CFT compliance officer must be (i) independent from the business lines or units he/she controls, (ii) of good repute with appropriate AML/CFT skills and expertise and with sufficient time and seniority and (iii) operating on an ongoing basis as part of overall business continuity management.
His/her role and responsibilities are clearly defined and documented: he/she is responsible for monitoring whether the measures, policies, controls, and procedures implemented by the Entity comply with AML/CFT obligations. More specifically, he/she should (i) develop and maintain an ML/TF risk assessment framework on a business-wide and individual basis, (ii) ensure that adequate policies and procedures are put in place, kept up to date and implemented effectively on an ongoing basis, (iii) advise the management body on measures to be taken to ensure compliance with applicable laws, rules, regulations and standards, (iv) produce an activity report on at least an annual basis, which at least contains information set out under the Guidelines, and (vi) duly inform staff about the ML/TF risks to which the Entity is exposed.
He/she is also consulted before a final decision is taken by senior management on onboarding new high-risk customers or maintaining business relationships with high-risk customers. He/she also performs specific tasks regarding the reporting of suspicious transactions as set forth in the Guidelines.
The AML/CFT compliance function may be combined with the general compliance function, but it must be different from the audit function. A good cooperation to exchange of information should take place between the head of risk management and the AML/CFT compliance officer.
For an Entity that operates branches or subsidiaries domestically, or in another Member State or a third country, the group should ensure that the policies and procedures entities put in place are aligned with the group's procedures and policies to the extent permitted under applicable national law. Furthermore, the parent Entity (i) appoints an AML/CFT compliance officer at the level of the parent undertaking and at the level of the group, (ii) approves the group's internal AML/CFT policies and procedures and (iii) sets up internal AML/CFT control mechanisms at group level.
The group AML/CFT compliance officer has extensive powers at group level and cooperates fully with the AML/CFT officer of each entity. Inter alia, he/she (i) coordinates the business-wide assessment of the ML/TF risks carried out at local level by entities of the group, (ii) drafts a group-wide ML/TF risk assessment, (iii) defines group-level AML/CFT standards and ensures that local, entity-level policies and procedures comply with the AML/CFT legislation and regulations applicable to each entity of the group individually, (iv) coordinates the activities of the various local AML/CFT compliance officers in the group's operational entities, (v) monitors compliance of the branches and the subsidiaries located in third countries with EU AML/CFT provisions, (vi) ensures that the entities of the group have adequate procedures on suspicious transaction report, and (vii) produces an activity report on at least an annual basis and presents it to the group management body. The AML/CFT compliance officer of a subsidiary or branch should have a direct reporting line with the group AML/CFT compliance officer.
Finally, where operational functions of the AML/CFT compliance officer are outsourced, whether within the group or with a service provider established in the EU or in third country, the relevant key principles provided for in the Guidelines and the ESA guidelines on outsourcing must be complied with. For instance, the outsourcing must not concern strategic decisions in relation to AML/CFT as e. g. the approval of the business-wide ML/TF risk assessment or adoption of internal AML/CFT policies and procedures. In an intra-group outsourcing, the Entity identifies and manages any conflicts of interest arising from an outsourcing agreement and, where the service provider is established in a third county, additional safeguard measures may be taken. Finally, in all cases, the ultimate responsibility for compliance with legal and regulatory obligations lies with the Entity.
More generally, the Guidelines must be complemented by other guidelines, such as (i) EBA guidelines on internal governance, (ii) joint EBA and ESMA guidelines on the assessment of the suitability of members of the management body and key function holders, (iii) ESMA guidelines on certain aspects of the MiFID II compliance function requirements, (iv) ESMA guidelines on outsourcing to cloud service providers and (v) EIOPA guidelines on outsourcing to cloud service providers.
The Guidelines will apply from 1 December 2022.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.