On June 15th, 2022, the European Banking Authority (EBA) issued its final report on policies and procedures in relation to compliance management and the roles and responsibilities of the AML/CFT (Anti-Money Laundering/Combating the Financing of Terrorism) Compliance Officer. The EBA specifies that credit or financial institutions should appoint one member of their management body who will manage the implementation of the AML/CFT obligations, and it clarifies the tasks and function of that person. Additionally, an AML compliance officer must be selected by the management body. These instructions are relevant to every existing body structure, but they do not set out in detail how these provisions should be applied.
The goal of the Guidelines is to establish a clear understanding of the expectations regarding the role, tasks, and obligations of the assigned AML/CFT compliance officer and the responsible member of the management, and thereby to protect the financial system from being used for the purposes of money laundering or terrorist financing. Requirements had already been set out as part of the AML/CFT fight, but they have been implemented unevenly across different sectors and Member States, which has had adverse consequences for the integrity of the AML scheme. Deficiencies were found in credit institutions’ AML/CFT governance arrangements, internal reports, group policies and senior management’s responsibilities.
The Guidelines will apply to every financial or credit institution from 1st of December 2022. They address all financial sector operators proportionally but pay particular attention to multinational companies with a group structure.
The Guidelines describe the collective responsibilities and role of the management body (appointed from the Management Board/Board of Directors) with respect to AML/CFT. The management body in its supervisory function should oversee and monitor the implementation of internal governance. He/she should have sufficient knowledge, skills, and experience about:
The management body must be aware of the results of the business-wide ML/TF risk assessment and should ensure that remedial measures are taken proportionately. Across the wide range of internal policies and processes, the operator’s management body should ensure the implementation of internal AML/CFT policies and, at least once a year, review the activity report of the AML/CFT compliance, taking into account the conclusions of any AML/CFT-related internal and/or external audits that may have been conducted.
The role of the management body includes:
Where no management body is in place, the financial sector operator should appoint a senior manager responsible for implementing the AML and CFT regulations and administrative services. He/she should be given sufficient time, resources and authority to perform his/her duties effectively.
A credit or financial institution should appoint a separate AML/CFT compliance officer unless it has a limited number of employees, customers or transactions. As an internal function, AML/CFT compliance should be positioned as the second line of defence of the credit or financial institution, independent of all other business lines. The AML/CFT compliance officer should be appointed at management level. The officer shall be an experienced member of the team with a commanding view of the scale and complexity of the financial institution’s operations and its risk exposure to ML/TF.
The AML/CFT compliance officer should:
Where the compliance officer already holds other positions, the management body must avoid the possibility of conflicts of interest. For this position, the proper skills and ability must be considered, and in terms of personal qualities, reputation, honesty, and integrity are necessary. In the case of a significant incident, the AML/CFT compliance officer should have direct access to the management body.
When the management body decides not to appoint a separate AML/CFT compliance officer, the reasons should be justified and documented, and explicitly refer to at least the following criteria:
The Guidelines take the possibility of outsourcing into account and state that external or intra-group outsourcing may be possible, provided the following key principles are not compromised:
In the special case of intra-group outsourcing, the necessary measures must be taken to identify and manage any conflicts of interest that could arise. The outsourcing of tasks related to AML/CFT to service providers established in third countries should be subject to additional safeguard measures in order to ensure that the outsourcing does not, as a result of the location of the service provider, increase the risk of non-compliance with the legal and regulatory requirements or of inefficient performance of the outsourced tasks, nor hinder the competent authority’s capacity to effectively exercise its supervisory power with regard to the service provider.
The Guidelines also state that credit or financial institutions should adapt their internal control framework to the group context where that applies to them. The parent undertaking of the group must have sufficient data and information to assess the group-wide ML/TF risk profile and must appoint a member of its management body or a senior manager responsible for AML/CFT, along with a compliance officer setup. Where the credit or financial institution is the parent of a group, it should ensure that each management body, business line and internal unit, including each internal control function, has the information necessary to be able to perform its duties.
The exchange of adequate information shall be guaranteed between the business lines and the AML/CFT compliance function, and between the heads of the internal control functions and the management body of the credit or financial institution. In this respect, the parent entity of the group should consider, in its ML/TF risk management system at group level, both the individual risks of the various entities of the group and their interrelations that could have a significant impact on the group-wide risk exposure. The group AML/CFT compliance officer should have at least the following tasks: coordinate the business-wide assessment of the ML/TF risks conducted at local level by entities of the group and organize the aggregation of their results or draft a group-wide ML/TF risk assessment.
With these Guidelines, upon their entry into force, the EBA is raising the subject of the role and responsibilities of the compliance officer and management body to a managerial level. Although the goals are clear, it will be a challenge to implement the Guidelines by 1st of December. Therefore, the full set of these Guidelines must be applied in a proportionate manner, considering the heterogeneity of financial sector operators and their size. Indeed, the Guidelines are drafted so that they can be adjusted to the level of exposure of financial sector operators to money laundering and terrorism financing.
Deloitte can help you navigate the new set of requirements and support you in the implementation of the new EBA Guidelines.
Fanni joined Deloitte in 2021 as a manager, with a major focus on risk management and regulatory compliance. She has been involved in risk management since 2014 and has extensive experience in developing risk management frameworks and processes, as well as in financial sector regulatory compliance projects. In her previous work, she has supported a number of domestic and foreign financial institutions in projects concerning regulatory compliance and implementation. Her expertise includes Sustainable Finance, Basel framework, AML, PSD II, MIFID II, SFTR, EMIR, Benchmark Regulation, Solvency II, and other domestic and EU requirements affecting the financial sector. Fanni holds the FRM (Certified Financial Risk Manager) certification.