Posted: 06 Jul. 2022 6 min. read

EBA issues the final report on the clear role and responsibilities for the compliance officer and management body


  • The Guidelines set out the responsibilities of the management body, in both its management and supervisory functions, for the implementation of the AML/CFT policies, and require a member of the management body to be appointed as responsible for AML/CFT
  • The Guidelines focus on the roles and responsibilities of the AML/CFT compliance officer
  • The Guidelines also address the outsourcing of AML/CFT compliance tasks and the organisation of the AML/CFT compliance function at group level

On June 15th, 2022, the European Banking Authority (EBA) issued its final report on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT (Anti-Money Laundering/Combating the Financing of Terrorism) Compliance Officer. The EBA specifies that credit and financial institutions should identify one member of their management body as responsible for the implementation of the AML/CFT obligations, and it clarifies the tasks and function of that person. In addition, an AML/CFT compliance officer must be appointed by the management body. The Guidelines apply regardless of the institution's existing governance structure, but they do not set out in detail how these provisions should be applied.

The goal of the Guidelines is to create a common understanding of the role, tasks and obligations of the AML/CFT compliance officer and of the member of the management body responsible for AML/CFT, and thereby to help prevent the use of the financial system for money laundering or terrorist financing. Requirements in this area already existed as part of the AML/CFT framework, but they have been implemented unevenly across sectors and Member States, which has weakened the integrity of the AML/CFT regime. Supervisors have found deficiencies in credit institutions' AML/CFT governance arrangements, internal reporting, group policies and senior management responsibilities.

The Guidelines will apply to every credit or financial institution from 1 December 2022. They address all financial sector operators proportionately, with particular attention to multinational companies organised as groups.

The role and responsibilities of the management body / senior manager in the AML/CFT framework

The Guidelines describe the collective role and responsibilities of the management body (the Management Board or Board of Directors) with respect to AML/CFT. In its supervisory function, the management body should oversee and monitor the implementation of the internal governance and internal control framework. Its members should collectively have sufficient knowledge, skills and experience regarding:

  • ML/TF risks
  • the implementation of AML/CFT policies, controls and procedures
  • the credit or financial institution's business model
  • the sector in which the credit or financial institution operates

The management body must be aware of the results of the business-wide ML/TF risk assessment and should ensure that remedial measures are taken proportionately. Across the range of internal policies and processes, the management body should ensure that the internal AML/CFT policies are implemented and, at least once a year, review the activity report of the AML/CFT compliance officer, taking into account the conclusions of any AML/CFT-related internal or external audits that have been conducted.

The role of the management body includes:

  • putting in place an effective operational structure to implement the AML/CFT strategy adopted, in particular giving the compliance officer function sufficient authority and adequate human and technical resources
  • the implementation of the internal AML/CFT policies and procedures
  • the review of the AML/CFT compliance officer's activity report at least annually

Where no management body is in place, the financial sector operator should appoint a senior manager responsible for the implementation of the AML/CFT legal and regulatory requirements. He or she should be given sufficient time, resources and authority to perform these duties effectively.

The role and responsibilities of the AML/CFT compliance officer

A credit or financial institution should appoint a separate AML/CFT compliance officer unless it has a limited number of employees, customers or transactions. The AML/CFT compliance function forms part of the institution's second line of defence and should be independent of the business lines it controls. The AML/CFT compliance officer should be appointed at management level and should be a sufficiently experienced person with a commanding view of the scale and complexity of the institution's operations and of its exposure to ML/TF risk.

The AML/CFT compliance officer should:

  • cooperate with the risk management function to set AML/CFT methodologies that are consistent with the risk management strategy of the credit or financial institution
  • supply the information and data that risk managers need to perform their role, including details from the relevant corporate and control functions
  • develop a risk assessment framework, in line with the EBA Guidelines on ML/TF risk factors, and keep it under ongoing review
  • report to the management body
  • assess the specific training needs of all staff under his or her responsibility and of staff who are in contact with customers or who process their transactions

Where the compliance officer also holds other positions, the management body must ensure that this does not give rise to conflicts of interest. Beyond the required skills and competence, the person's reputation, honesty and integrity are also essential for this position. In the case of a significant incident, the AML/CFT compliance officer should have direct access to the management body.

When the management body decides not to appoint a separate AML/CFT compliance officer, it should justify and document its reasons, referring explicitly to at least the following criteria:

  • the nature of the credit or financial institution's business and the ML/TF risks associated with it
  • the size of its operations and/or the legal form of the credit or financial institution, including whether it is part of a group

Outsourcing of operational functions of the AML/CFT compliance officer

The Guidelines take the possibility of outsourcing into account and allow both external and intra-group outsourcing of the compliance officer's operational tasks, provided that the following key principles are respected:

  • the ultimate responsibility for compliance with legal and regulatory obligations remains with the credit or financial institution
  • strategic decisions concerning AML/CFT must never be outsourced
  • the institution remains responsible for the decision to report suspicious transactions to the FIU

In the specific case of intra-group outsourcing, the necessary measures must be taken to identify and manage any conflicts of interest that could arise. The outsourcing of AML/CFT-related tasks to service providers established in third countries should be subject to additional safeguards, to ensure that the location of the service provider does not increase the risk of non-compliance with legal and regulatory requirements or of ineffective performance of the outsourced tasks, and does not hinder the competent authority's ability to exercise its supervisory powers effectively with regard to the service provider.

The organization of the AML/CFT compliance function at the group level

The Guidelines also address the group context: where a credit or financial institution is part of a group, it should adapt its internal control framework accordingly. The parent undertaking of the group must have sufficient data and information to assess the group-wide ML/TF risk profile, and should appoint a member of its management body or a senior manager responsible for AML/CFT, together with a group AML/CFT compliance officer. Where the credit or financial institution is the parent of a group, it should ensure that each management body, business line and internal unit, including each internal control function, has the information necessary to perform its duties.

An adequate exchange of information between the business lines and the AML/CFT compliance function, and between the heads of the internal control functions and the management body, must be guaranteed. In this respect, the parent entity of the group should take into account, in its group-level ML/TF risk management system, both the individual risks of the various group entities and the interrelations between them that could have a significant impact on the group-wide risk exposure. The group AML/CFT compliance officer should have at least the following tasks: coordinating the business-wide ML/TF risk assessments conducted at local level by the entities of the group and organising the aggregation of their results, or drafting a group-wide ML/TF risk assessment.

With these Guidelines, the EBA raises the role and responsibilities of the compliance officer and the management body to a managerial level. Although the goals are clear, implementing the Guidelines by 1 December 2022 will be a challenge. The full set of Guidelines is to be applied in a proportionate manner, taking into account the heterogeneity of financial sector operators and their size: they are drafted to be adjusted to each operator's level of exposure to money laundering and terrorist financing.

Deloitte can help you navigate the new set of requirements and support you in the implementation of the new EBA Guidelines.


Zsuzsanna Németh
Fanni Firon

Senior Manager

Fanni joined Deloitte in 2021 as a manager, with a major focus on risk management and regulatory compliance. She has worked in risk management since 2014 and has extensive experience in developing risk management frameworks and processes, as well as in financial sector regulatory compliance projects. In her previous roles, she supported a number of domestic and foreign financial institutions in regulatory compliance and implementation projects. Her expertise includes Sustainable Finance, the Basel framework, AML, PSD II, MiFID II, SFTR, EMIR, the Benchmark Regulation, Solvency II and other domestic and EU requirements affecting the financial sector. Fanni holds the FRM (Certified Financial Risk Manager) certification.