Response to consultation on draft Guidelines on the role, tasks and responsibilities of AML/CFT compliance officers
The Italian Banking Association (ABI) appreciates the opportunity to provide its feedback to the Draft Guidelines on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT Compliance Officer under Article 8 and Chapter VI of Directive (EU) 2015/849.
The topic partially overlaps with the “Proposal for a regulation of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing”, which contains specific proposals dedicated to the Compliance function (i.e. Article 9). We would envisage an “alignment” between these initiatives.
Generally speaking, regarding the allocation of responsibilities individually to members of the management body, we would like to reiterate the considerations already made on the occasion of the consultation on the draft Guidelines on internal governance. In one-tier systems, company law conceives the management body (board of directors) as one unique and inseparable body through which both management and supervisory functions are performed. All the members of the Board imperatively perform all the functions assigned to it, as they are all, collectively, part of the decision-making process, and they all have the same rights and responsibilities; they are all under the same liability regime, for they act as one single collegial body. The allocation of different roles and responsibilities to different board members is thus inadequate for one-tier systems, given that no efficient or real separation of responsibilities can be implemented where company law conceives the board as one unique and inseparable body through which all functions are performed. Roles within the Board are primarily attributed for the enhancement of checks and balances, as well as to enable optimum supervision and control and the adequate running of the institution, but decisions within a collegial body carry no tags as to the types of members who adopted them. Moreover, roles are not assigned prior to a director’s appointment, only after he/she becomes part of the Board, and they are part of a constant rotation process, alongside the Board itself. Taking also into consideration the public hearing held on 28 September, the current understanding is that the model suggested in the proposed Guidelines (allocation of roles and responsibilities between management bodies in the supervisory and managerial role) should not be defined as binding, as the expectation of EBA is not “a specific model but one that works” (i.e. in line with the National Company Law and with the size and inherent risk of the single legal entities).
Indeed, as a general and preliminary remark, we believe that it is extremely important to ensure (and clarify in the final Guidelines) that:
• the allocation of functions and responsibilities among the subjects is coherent, especially for banks, with the general provisions concerning the framework of the risk management and control system;
• the responsibilities may be adapted to the specific characteristics of the different corporate governance systems in the EU Member States.
We ask, therefore, that each obliged entity may assign roles and responsibilities according to its own approach (even to a Senior Manager) as long as it is able to explain that the model is suitable for the purpose. In a one-tier system, for example, it should be clarified whether the role of the management body in its management function is mandatorily assigned to the CEO or can be assigned to a single member of the management body in its supervisory function or to a Senior Manager.
Finally, it would be appropriate to clarify better the relationship between “the member of the management body responsible for AML/CFT” and the “Compliance Officer”.
General questions about the traditional model:
The final Guidelines should:
- clarify, in the traditional system, who is in charge of appointing the AML officer (in particular, whether it is the Board of Directors as management body in its supervisory function or the management body in its management function);
- confirm that in the traditional model the member of the administrative body with AML responsibility can be the CEO;
- indicate whether in the case of a bank that includes both its own role as a bank and as a holding company:
• it is possible to appoint two AML Officers (one for the bank and one for the holding company) and, if so, to define the relationship between the two. In fact, point 29 provides that “The AML/CFT compliance officer should be allowed to assign his/her tasks as set out in section 4.2.4 to other officers and employees acting under his/her direction and supervision”, thus designing a framework of a hierarchical relationship, while point 86 states that “The AML/CFT compliance officer of a subsidiary or branch should have a direct reporting line for communication with the Group AML/CFT compliance officer.”, thus limiting the relationship to communication only;
• whether, instead, the responsibility for AML/CFT should be assigned to only one individual representing both the holding and the bank, who then relies on a local AML officer, in line with the principle of proportionality, to operationally fulfil the tasks (in this case, it should be clarified whether a hierarchical reporting line between the two is required or just regular reporting on the activities).
• Section 4.1.2, paragraph 12
“The management body in its supervisory function should be responsible for setting, approving and overseeing the implementation of an adequate and effective internal governance and internal control framework to ensure compliance with applicable requirements in the context of the prevention of money laundering and terrorism financing (ML/TF). To this end it should possess adequate collective knowledge, skills and experience to be able to understand the ML/TF risks related to the financial sector operator's activities and business model, including the knowledge of the national legal and regulatory framework relating to the prevention of ML/TF”
We would like to have a clarification whether each member of the management body, both in its supervisory function and in its management function, is required to complete periodical training programs in order to possess adequate collective knowledge, skills and experience to be able to understand the ML/TF risks related to the financial sector operator's activities and business model.
• Section 4.1.2 paragraph 13 b)
“ 13. In addition to ESAs guidelines on internal governance, as applicable, a financial sector operator’s management body in its supervisory function should perform the following specific AML/CFT tasks:
b) overseeing the implementation of the AML/CFT policies and procedures and the extent to which these are adequate and effective in light of the ML/TF risks to which the financial sector operator is exposed and taking appropriate steps to ensure remedial measures are taken where necessary;”
It would be important to clarify whether the second-level control activity performed by the AML/Compliance function, aimed at verifying on a sample basis the effective implementation of policies and procedures, can be considered as evidence of the overseeing activity required.
• Section 4.1.2 paragraph 14 a)
“14. The management body in its supervisory function should ensure that the member of the management body mentioned in section 4.1.4 or the senior manager who is responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with the Directive (EU) 2015/849 mentioned in section 4.1.5: a) has adequate knowledge, skills and experience regarding the identification, assessment and management of the ML/TF risks, and the implementation of AML/CFT policies, controls and procedures”
We propose to modify the skills indicated in letter a) by referring mainly to the knowledge of the anti-money laundering legislation and the ability to identify and manage the related risks.
• Section 4.1.3, paragraph 16, letter c)
“In relation to internal policies, controls and procedures referred to in Articles 8(3) and 8(4) of Directive (EU) 2015/849, a financial sector operator’s management body in its management function should have the following AML/CFT tasks and responsibilities: approving the AML/CFT compliance officer’s activity report and ensuring its completeness, seriousness and accuracy”
We would like to have a confirmation that the approval of all AML/CFT reports is an exclusive task of the management body in its management function and that therefore no approval by the management body in its supervisory function is required.
• Section 4.1.3, paragraph 16, letter d)
“In relation to internal policies, controls and procedures referred to in Articles 8(3) and 8(4) of Directive (EU) 2015/849, a financial sector operator’s management body in its management function should have the following AML/CFT tasks and responsibilities: ensuring adequate, timely and sufficiently detailed AML/CFT reporting to the competent authority”
We would like to have a clarification on what is meant by “AML/CFT reporting to the competent authority”, considering the different types of reporting that are mandatory by law, and considering also that any request by the competent authorities is managed directly and without delay by the AML/CFT compliance officer, while, without prejudice to any non-disclosure principle, ex-post information is submitted to the management body.
In particular, we ask to clarify whether such reporting also includes the reporting of suspicious transactions.
• Section 4.1.4, paragraph 17
“The member of the management body to be identified in accordance with Article 46(4) of Directive (EU) 2015/849 should in particular have adequate knowledge, skills and experience regarding the identification, assessment and management of the ML/TF risks, and the implementation of AML/CFT policies, controls and procedures, with a good understanding of the financial sector operator’s business model and the sector in which the financial sector operator operates, and the extent to which this exposes the financial sector operator to ML/TF risks”
There’s a need to clarify if the member of the management body responsible for AML/CFT can be appointed either among the management body in its supervisory functions or among the management body in its management functions.
• Section 4.1.4, paragraph 18
“The member of the management body referred to in Article 46(4) of Directive (EU) 2015/849 should have sufficient time and resources to perform his/her AML/CFT duties effectively. They should report comprehensively about their tasks as mentioned in section 4.1.6 and regularly inform and where necessary without undue delay the management body in its supervisory function”.
The consultation paper provides for a “new role” attributable to a single member of the management body, which is in charge of specific functions concerning AML/CFT risks, among which, ensuring that:
I. the AML/CFT policies procedures and measures are adequate and
II. the management body has taken the responsibility to implement the AML/CFT measures and is provided with comprehensive information and data on AML/CFT risks (Section 4.1.5, paragraph 14).
It is worth noting that a similar role is not regulated in other guidelines concerning the governance and the framework of risk management and control system. On the other hand, the consultation paper confirms the responsibility of the management body in its management functions for implementing the internal AML/CFT policies and procedures as well as the organizational and operational structure necessary to discharge the AML/CFT strategy defined by the management body.
In our view, the requirements related to the member of the management body responsible for AML/CFT, as currently envisaged by the consultation paper, would appear more designed for a two-tier governance system where the supervisory function and the management function are distinctly allocated between the tiers. In organizations operating under a one-tier system whereby the management functions, as described by the consultation paper, are already performed by a single board member, in his/her quality of Managing Director and CEO, the guidelines should be open to solutions permitting such Managing Director and CEO to be identified as the member of the management body responsible for AML/CFT.
This is compliant with those governance systems in which the Managing Director and CEO is also in charge of establishing and maintaining the internal control and risk management system and the Board of Directors plays an oversight role in guiding and assessing the adequacy of such system.
This also appears compliant with article 46.4 of the Directive (EU) 2015/849, as amended by the Directive 2018/843. Such provision actually sets out that “Member States shall require that, where applicable, obliged entities identify the member of the management board who is responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with this Directive.” With this regard, it seems coherent and reasonable to allow the banks to assign such functions to the Board member already performing management function and therefore responsible for the implementation of laws and regulations concerning the control systems (see note).
In light of the above, we kindly ask to confirm and specify that banks adopting the one-tier system can grant the role of the “member of the management body responsible for AML/CFT” to the board member already performing the management functions, such as the Managing Director and CEO. Alternatively, such banks could be allowed to assign the tasks set out in paragraph 4.1.6 to a senior manager, appointed in accordance with the provisions of paragraph 4.1.5, such as the Chief Compliance Officer, who reports directly to the Managing Director and CEO or, in some organizations, also to the Board. In this regard, the important role of the AML/CFT compliance officer could be enhanced within the framework of the compliance functions, whose responsibility lies with the Chief Compliance Officer.
We therefore propose to amend Section 4.1.4, paragraph 18 as follows:
“[…] They should report comprehensively about their tasks as mentioned in section 4.1.6 and regularly inform and where necessary without undue delay the management body in its supervisory function.
The banks adopting the one tier system can grant the role of the “member of the management body responsible for AML/CFT” to the board member already performing the management function in the AML/CFT framework according to section 4.1.3. Alternatively, such banks are allowed to assign the tasks set out in paragraph 4.1.6 to a senior manager (appointed in accordance with the provisions of paragraph 4.1.5), who reports directly to the managing director and CEO”
With reference to the same paragraph:
• we would like to have a confirmation that the member of the management body responsible for AML/CFT should have a dedicated budget/staff to support him/her in carrying out his/her duties. If so, please clarify whether these should be provided by the financial sector operator.
• please specify whether:
- this provision can be understood as follows: the member of the management body responsible for AML/CFT should report to the management body about his/her tasks on at least an annual basis and inform the management body when necessary;
- the annual report should also be made to the management body in its supervisory function.
Note
Specifically, in companies operating under the one-tier system, management functions are performed by the Managing Director and CEO, to whom the Board of Directors delegates the powers relating to the day-to-day management of the company and who already performs the duties that should be allocated according to the provisions under art. 46.4 of the AML Directive. As an example, it is the Managing Director and CEO, in his/her management function, who ensures that recommendations approved by the Board of Directors “result in adequate and necessary action to remedy any AML/CFT issues or breaches identified” (as required in subparagraph 19 of the “member of the management body responsible for AML/CFT management”), as part of his/her general duties to adopt the most appropriate actions to remedy shortcomings concerning the internal control system.
This additional solution should be pursued taking into account the time commitment required to discharge the duties of the AML/CFT nominated member of the management body as provided in the Guidelines. The Guidelines should also consider that members of the Audit and Risk Committees established within the Board of Directors under the one-tier system already have to be assessed collectively as fit and proper in terms of knowledge and experience for the oversight of the internal control system, including the AML procedures and controls. Therefore, both the solutions suggested - the one setting the role defined under paragraph 4.1.6 on the Managing Director and CEO and the second on the senior manager at the top of the same CEO reporting line - could address potential redundancies where the oversight functions on the management of internal controls, including ML/TF risks, are already allocated, within the same one-tier management body, to a Management Control Committee (Audit Committee), and the support of the Board in its supervisory function and strategic direction is allocated to the Risk Committee, both collectively suitable for their responsibilities, including AML controls and oversight.
Indeed, it should be noted that both the Risk Committee and the Management Control Committee monitor compliance with AML/CFT rules and ensure that AML control measures are effective, adequate, complete and properly set to address ML/TF risks. Further, the Management Control Committee is also in charge of verifying that the duties and responsibilities relating to the prevention of ML/TF are clearly and appropriately allocated. The Chairperson of the Management Control Committee has adequate knowledge and skills regarding the assessment and management of ML/TF risks and the implementation of the relevant control activities.
• Section 4.2.1, paragraph 27
“27. The AML/CFT compliance officer should normally be located and work in the country of establishment of the financial sector operator”
The consultation paper provides for the functions and responsibilities of AML/CFT compliance officer in a precise and structured manner.
Nevertheless, some further specific clarifications could be added as for the power of AML/CFT compliance officer to coordinate the compliance officers appointed in foreign branches and companies at group level.
The consultation paper specifically provides for the coordination powers of the AML/CFT compliance officer of the parent company at a group level (Section 4.3.3). We understand that coordination functions are performed by the AML/CFT compliance officer with respect to both the AML/CFT compliance officer of the foreign branches and the AML/CFT compliance officer of subsidiaries (Section 4.3.3, paragraph 82, lett. e). For the sake of clarity, it would be in any case important to specify such power of coordination with respect to the AML/CFT compliance officer of the foreign branches under Section 4.2.1.
We therefore propose to amend section 4.2.1, paragraph 27, as follows:
“The AML/CFT compliance officer should normally be located and work in the country of establishment of the financial sector operator and is in charge of coordinating the activities performed by the AML/CFT compliance officer of the foreign branches”.
• Section 4.2.1, paragraph 30, letter c)
“In order to ensure the independence of the AML/CFT compliance officer, the following conditions should be met: the AML/CFT compliance officer should have an independent reporting line to the management body, where a management body exists in the financial sector operator’s structure”
First of all, there’s a need to better clarify the meaning of “independent reporting line”, to understand, in particular, if it is intended as direct access to the management body for reporting purposes or instead there’s a specific request to create an organizational reporting line (with independent access as well).
Moreover, we would like to have a confirmation that, for the banking groups where the AML function is outsourced to the parent company, the independent reporting line shall be ensured only to the management body of the parent company.
• Section 4.2.4, paragraph 40
“The AML/CFT compliance officer should report the results of the business-wide and individual ML/TF risk assessment to the management body, via the member of the management body or to the senior manager responsible for AML/CFT. The AML/CFT compliance officer should propose to the management body the measures to take to mitigate those risks. A new activity should not be undertaken until adequate resources to understand and manage the associated risks are available and effectively implemented”
With regard to this passage:
- we would like to have a confirmation that the said paragraph applies only to the results of the annual ML/TF self-risk assessment;
- the final Guidelines should better clarify the roles and responsibilities of the member of the management body and the AML/CFT compliance officer. It is not clear whether both need to report the result of the risk assessment to the management body or whether the AML/CFT compliance officer should only propose the measures to take to mitigate the risk. It is our opinion that the result of the risk assessment should be presented to the management body by the member of the management body responsible for AML/CFT and not by the AML/CFT compliance officer, who - as said before - should only propose the measures to take to mitigate the risks highlighted;
- the last part of the paragraph (i.e. the provision related to “new activity”) should be clarified, as it is not clear whether it is connected to the previous part of the paragraph or whether it stands alone.
• Section 4.2.4, paragraph 44
“The AML/CFT compliance officer should exercise an advisory role before a final decision is taken by senior management on onboarding new high risk customers or re-classifying existing customers into the high risk category, unless the power to approve the establishment of such relationships is entrusted directly to the AML/CFT compliance officer”.
We believe that this provision goes beyond the current Directive and the EU proposal package as it requires the AML Officer to approve all high-risk customers and not only the cases provided for by EU legislation.
• Section 4.2.4, paragraph 48
“The AML/CFT compliance officer should make recommendations to the management body on measures in relation to any supervisory examination by the competent authority and the findings resulting there from. Depending on the ML/TF risk exposure and the size of the financial sector operator, the AML/CFT compliance officer should also make recommendation on audits, whether carried out by the financial sector operator’s internal audit function, an external auditor or a third party appointed by the financial sector operator and the findings resulting there from”
The final Guidelines should clarify the specific role (supervisory or management functions) of the management body to whom the compliance officer should make the recommendations conceived in the abovementioned paragraph 48.
• Section 4.2.4, paragraphs 49, 50 and 40
“49 The AML/CFT compliance officer should advise the management body directly or via the member of the management body, or the senior manager, responsible for AML/CFT on measures to be taken to ensure compliance with applicable laws, rules, regulations and standards, and should provide their assessment of the possible impact of any changes in the legal or regulatory environment on the financial sector operator’s activities and compliance framework”
“50. The AML/CFT compliance officer should bring to the attention of the member of the management body….”
“40 The AML/CFT compliance officer should report the results of the business-wide and individual ML/TF risk assessment to the management body, via the member of the management body”.
With reference to the abovementioned paragraphs, and in particular to the passages highlighted in bold, it should be clarified if the lines of reporting change according to the specific reporting topic.
• Section 4.2.4, paragraph 53
“ In relation to the AML/CFT compliance officer’s obligation under Article 33(2) of Directive (EU) 2015/849 to transmit information referred to in paragraph (1) of that Article, he/she should make sure that other members of staff whose assistance is sought with the discharge of aspects of this function have the skills, knowledge and suitability to assist with that task. Due consideration should be given to the sensitivity and confidentiality of information that may be disclosed and the non-disclosure obligations the financial sector operator has to adhere to”.
We would like to have a clarification whether the wording adopted implies that reports of suspicious transactions must therefore be made only by the compliance officer. In this regard, we would like to highlight that currently, as allowed by law, in Italy reports of suspicious transactions may also be made by a person delegated by the bank.
This kind of provision, if left as it stands, would not be currently implementable in large groups.
• Section 4.2.6, paragraph 74, letter e)
“Strategic decisions in relation to AML/CFT should not be outsourced, in particular the following operational functions should not be outsourced (except for certain types of financial sector operators, i.e. collective investment funds, the AML/CFT compliance function is outsourced as such and not only the operation part of it since these entities have at a maximum a board or management in place and thus outsourcing will be beyond operational tasks): the establishment of criteria to detect unusual transactions”
There’s a need for clarification on how this provision fits in with financial sector operators’ structures where the functions of the AML/CFT compliance officer are outsourced to the parent company, including the performance of the second level controls, which may as well regard the establishment of the criteria to detect unusual transactions.
• Section 4.2.6, paragraph 74, letter g)
“Strategic decisions in relation to AML/CFT should not be outsourced, in particular the following operational functions should not be outsourced (except for certain types of financial sector operators, i.e. collective investment funds, the AML/CFT compliance function is outsourced as such and not only the operation part of it since these entities have at a maximum a board or management in place and thus outsourcing will be beyond operational tasks) : accepting high-risk customers; and..”
With reference to the responsibility of “accepting high-risk customers” we would like to have a clarification about the possibility that the approval stays within the business at high/proper level without the involvement of the Compliance function, as per the current EU Directive.
• Section 4.2.6, paragraph 76
“Outsourcing within a group should be subject to the same provisions as outsourcing to an external service provider. Financial sector operators making use of intragroup outsourcing should in particular take the measures necessary to identify and manage any conflicts of interest that could arise from such an outsourcing agreement. The parent entity of the group should
a) establish an inventory of cases of intra-group AML/CFT outsourcing, in order to determine which function relates to which legal entity; and
b) ensure that intra-group outsourcing does not compromise the compliance of each subsidiary with its AML/CFT obligations. ”
Considering the various organizational models and the outsourcing solutions adopted in the Groups operating in Europe, the Guidelines should clarify the margin of discretion left to the Groups themselves in the appointment of the various subjects (i.e. a single Compliance Manager and / or AML manager for Parent and subsidiary or even two different AML officers within the same LE when it operates both as a Holding and an operating company) obviously always in compliance with the criteria of proportionality and effectiveness of the model adopted.
Accordingly, we propose considering a formulation of the sentence that allows greater flexibility in the obligations where outsourcing is intra-group.
With reference to the same paragraph, we would also highlight that the final Guidelines should clarify whether the intra-group outsourcing mapping (i.e. letter a) is required only from the parent company for its subsidiaries or also at group function level (i.e. mapping of all intra-group outsourcing across the group).
• Section 4.3.3, paragraph 82, letter a)
“The parent entity should: designate a member of the group management body or senior manager responsible for AML/CFT among the senior managers directing the business at group level, a Group AML/CFT compliance officer and set up the organisational and operational coordination structure at group level with sufficient decision power for the group AML/CFT management to make this position effective at managing and mainly preventing ML/TF risks, according to proportionality principle and applicable domestic legislation”
With reference to this paragraph, we would like to have clarification on:
- what is meant by “group management body”;
- whether, in banking groups where the AML function is outsourced to the parent company, the member of the management body responsible for AML/CFT should be appointed only at parent company level or in each entity of the group, whether located in the same State as the parent company or in another Member State/third country, including non-banking entities subject to AML regulation.
Moreover, we propose to insert at the end of the mentioned letter a) the following passage:
“The Group AML/CFT compliance officer must be involved in advance in the designation/replacement of the member of the group management body or senior manager responsible for AML/CFT of the individual Group entities, in order to be able to provide their own reasoned opinion in support of the resolutions by the management bodies”.
• Section 4.3.3, paragraph 82, letter e)
“The parent entity should: for financial sector operator that operates branches or subsidiaries in another member state or a third country, appoint a Group AML/CFT compliance officer as a coordinator, for ensuring the implementation by all the companies of the group, which are engaged in financial activities, of the group policy and the adequate and appropriate systems and procedures for the effective prevention of ML/TF. Hence, the Group AML/CFT compliance officer should monitor on a continuous basis the compliance with the obligations through on-site and off-site controls”
There’s a need for clarification on the matter related to the Group AML/CFT compliance officer and, in particular, if he/she may rely on third parties to perform the on-site and off-site controls (e.g., internal audit, consulting firms) and whether such controls should only be performed with respect to higher risks entities and/or entities located in third countries. The final guidelines should also clarify if the function in charge of on-site and off-site controls shall directly report to the AML/CFT compliance officer in his role of group coordinator.
• Section 4.3.3
After paragraph 87, we would propose inserting the following new sentence:
“88. The Group AML/CFT compliance officer periodically assesses the work of the member of the group management body or senior manager responsible for AML/CFT of the individual Group entities, reporting to the management bodies of the parent company and subsidiaries on the results of their assessments”.
1. Do you have any comments on the section ‘Subject matter, scope and definitions’?
Introduction
The Italian Banking Association (ABI) appreciates the opportunity to provide its feedback to the Draft Guidelines on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT Compliance Officer under Article 8 and Chapter VI of Directive (EU) 2015/849.
The topic partially overlaps with the "Proposal for a regulation of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing", which contains specific proposals dedicated to the Compliance function (i.e. Article 9). We may envisage an "alignment" between these initiatives.
Generally speaking, regarding the allocation of responsibilities individually to members of the management body, we would like to reiterate the considerations already made on the occasion of the consultation on the draft Guidelines on internal governance. In one-tier systems, company law conceives the management body (board of directors) as one unique and inseparable body through which both management and supervisory functions are performed. All the members of the Board imperatively perform all the functions assigned to it, as they are all, collectively, part of the decision-making process, and they all have the same rights and responsibilities; they are all under the same liability regime, for they act as one single collegial body. The allocation of different roles and responsibilities to different board members is thus inadequate for one-tier systems, given that no efficient or real separation of responsibilities can be implemented where company law conceives the board as one unique and inseparable body through which all functions are performed. Roles within the Board are primarily attributed to enhance checks and balances, as well as to enable optimum supervision and control and the adequate running of the institution, but decisions within a collegial body carry no tags as to the types of members who adopted them. Moreover, roles are not assigned prior to a director's appointment, only after he/she becomes part of the Board, and they are part of a constant rotation process, alongside the Board itself. Taking also into consideration the public hearing held on 28 September, the current understanding is that the model suggested in the proposed Guidelines (allocation of roles and responsibilities between management bodies in the supervisory and managerial role) should not be defined as binding, as the expectation of the EBA is not "a specific model but one that works" (i.e. in line with the National Company Law and with the size and inherent risk of the single legal entities).
Indeed, as a general and preliminary remark, we believe that it is extremely important to ensure (and clarify in the final Guidelines) that:
• the allocation of functions and responsibilities to the relevant subjects is coherent, especially for banks, with the general provisions concerning the framework of the risk management and control system;
• the responsibilities may be adapted to the specific characteristics of the different corporate governance systems in the EU Member States.
We ask, therefore, that each obliged entity may assign roles and responsibilities according to its own approach (even to a Senior Manager) as long as it is able to explain that the model is suitable for the purpose. In a one-tier system, for example, it should be clarified whether the role of the management body in its management function is mandatorily assigned to the CEO or can be assigned to a single member of the management body in its supervisory function or to a Senior Manager.
Finally, it would be appropriate to better clarify the relationship between "the member of the management body responsible for AML/CFT" and the "Compliance Officer".
General questions about the traditional model:
The final Guidelines should:
- clarify, in the traditional system, who is in charge of appointing the AML officer (in particular, whether it is the Board of Directors as management body with supervisory function or the management body with management function);
- confirm that in the traditional model the member of the administrative body with AML responsibility can be the CEO;
- indicate, in the case of a bank that acts both as a bank and as a holding company:
• whether it is possible to appoint two AML Officers (one for the bank and one for the holding company) and, if so, define the relationship between the two. In fact, point 29 provides that “The AML/CFT compliance officer should be allowed to assign his/her tasks as set out in section 4.2.4 to other officers and employees acting under his/her direction and supervision”, thus designing a framework of a hierarchical relationship, while point 86 states “The AML/CFT compliance officer of a subsidiary or branch should have a direct reporting line for communication with the Group AML/CFT compliance officer.”, thus limiting the relationship to communication only.
• whether instead the responsibility for AML/CFT should be assigned to only one individual representing both the holding and the bank, who would then rely on a local AML officer, in line with the principle of proportionality, to operationally fulfil the tasks (in this case, it should be clarified whether a hierarchical reporting line between the two is required or just regular reporting on the activities).
2. Do you have any comments on Guideline 4.1 ‘Role and responsibilities of the management body in the AML/CFT framework and of the senior manager responsible for AML/CFT’?
• Section 4.1.2, paragraph 12
“The management body in its supervisory function should be responsible for setting, approving and overseeing the implementation of an adequate and effective internal governance and internal control framework to ensure compliance with applicable requirements in the context of the prevention of money laundering and terrorism financing (ML/TF). To this end it should possess adequate collective knowledge, skills and experience to be able to understand the ML/TF risks related to the financial sector operator's activities and business model, including the knowledge of the national legal and regulatory framework relating to the prevention of ML/TF”
We would like to have a clarification whether each member of the management body, both in its supervisory function and in its management function, is required to complete periodical training programs in order to possess adequate collective knowledge, skills and experience to be able to understand the ML/TF risks related to the financial sector operator's activities and business model.
• Section 4.1.2 paragraph 13 b)
“13. In addition to ESAs guidelines on internal governance, as applicable, a financial sector operator’s management body in its supervisory function should perform the following specific AML/CFT tasks:
b) overseeing the implementation of the AML/CFT policies and procedures and the extent to which these are adequate and effective in light of the ML/TF risks to which the financial sector operator is exposed and taking appropriate steps to ensure remedial measures are taken where necessary;”
It would be important to clarify whether the second-level controls performed by the AML/Compliance function, aimed at verifying on a sample basis the effective implementation of policies and procedures, can be considered evidence of the oversight activity requested.
• Section 4.1.2 paragraph 14 a)
“14. The management body in its supervisory function should ensure that the member of the management body mentioned in section 4.1.4 or the senior manager who is responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with the Directive (EU) 2015/849 mentioned in section 4.1.5: a) has adequate knowledge, skills and experience regarding the identification, assessment and management of the ML/TF risks, and the implementation of AML/CFT policies, controls and procedures”
We propose to modify the skills indicated in letter a) by referring mainly to the knowledge of the anti-money laundering legislation and the ability to identify and manage the related risks.
• Section 4.1.3, paragraph 16, letter c)
“In relation to internal policies, controls and procedures referred to in Articles 8(3) and 8(4) of Directive (EU) 2015/849, a financial sector operator’s management body in its management function should have the following AML/CFT tasks and responsibilities: approving the AML/CFT compliance officer’s activity report and ensuring its completeness, seriousness and accuracy”
We would like to have a confirmation that the approval of all AML/CFT reports is an exclusive task of the management body in its management function and that therefore no approval by the management body in its supervisory function is required.
• Section 4.1.3, paragraph 16, letter d)
“In relation to internal policies, controls and procedures referred to in Articles 8(3) and 8(4) of Directive (EU) 2015/849, a financial sector operator’s management body in its management function should have the following AML/CFT tasks and responsibilities: ensuring adequate, timely and sufficiently detailed AML/CFT reporting to the competent authority”
We would like to have a clarification on what is meant by "AML/CFT reporting to the competent authority", considering the different types of reporting that are mandatory by law, and considering also that any request by the competent authorities is managed directly and without delay by the AML/CFT compliance officer, while, without prejudice to any non-disclosure principle, ex-post information is submitted to the management body.
In particular, we ask to clarify whether such reporting also includes the reporting of suspicious transactions.
• Section 4.1.4, paragraph 17
“The member of the management body to be identified in accordance with Article 46(4) of Directive (EU) 2015/849 should in particular have adequate knowledge, skills and experience regarding the identification, assessment and management of the ML/TF risks, and the implementation of AML/CFT policies, controls and procedures, with a good understanding of the financial sector operator’s business model and the sector in which the financial sector operator operates, and the extent to which this exposes the financial sector operator to ML/TF risks”
There’s a need to clarify whether the member of the management body responsible for AML/CFT can be appointed either from among the management body in its supervisory function or from among the management body in its management function.
• Section 4.1.4, paragraph 18
“The member of the management body referred to in Article 46(4) of Directive (EU) 2015/849 should have sufficient time and resources to perform his/her AML/CFT duties effectively. They should report comprehensively about their tasks as mentioned in section 4.1.6 and regularly inform and where necessary without undue delay the management body in its supervisory function”.
The consultation paper provides for a “new role” attributable to a single member of the management body, which is in charge of specific functions concerning AML/CFT risks, among which, ensuring that:
I. the AML/CFT policies procedures and measures are adequate and
II. the management body has taken the responsibility to implement the AML/CFT and is provided with comprehensive information on data on AML/CFT risks (Section 4.1.5, paragraph 14).
It is worth noting that a similar role is not regulated in other guidelines concerning the governance and the framework of risk management and control system. On the other hand, the consultation paper confirms the responsibility of the management body in its management functions for implementing the internal AML/CFT policies and procedures as well as the organizational and operational structure necessary to discharge the AML/CFT strategy defined by the management body.
In our view, the requirements related to the member of the management body responsible for AML/CFT, as currently envisaged by the consultation paper, would appear more designed for a two-tier governance system where the supervisory function and the management function are distinctly allocated between the tiers. In organizations operating under a one-tier system whereby the management functions, as described by the consultation paper, are already performed by a single board member, in his/her quality of Managing Director and CEO, the guidelines should be open to solutions permitting such Managing Director and CEO to be identified as the member of the management body responsible for AML/CFT.
This is compliant with those governance systems in which the Managing Director and CEO is also in charge of establishing and maintaining the internal control and risk management system and the Board of Directors plays an oversight role in guiding and assessing the adequacy of such system.
This also appears compliant with article 46.4 of the Directive (EU) 2015/849, as amended by the Directive 2018/843. Such provision actually sets out that “Member States shall require that, where applicable, obliged entities identify the member of the management board who is responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with this Directive.” With this regard, it seems coherent and reasonable to allow the banks to assign such functions to the Board member already performing management function and therefore responsible for the implementation of laws and regulations concerning the control systems (see note).
In light of the above, we kindly ask to confirm and specify that banks adopting the one-tier system can grant the role of the “member of the management body responsible for AML/CFT” to the board member already performing the management functions, such as the Managing Director and CEO. Alternatively, such banks could be allowed to assign the tasks set out in paragraph 4.1.6 to a senior manager, appointed in accordance with the provisions of paragraph 4.1.5, such as the Chief Compliance Officer, who reports directly to the Managing Director and CEO or, in some organizations, also to the Board. In this regard, the important role of the AML/CFT compliance officer could be enhanced within the framework of the compliance functions, whose responsibility lies with the Chief Compliance Officer.
We therefore propose to amend Section 4.1.4, paragraph 18 as follows:
“[…] They should report comprehensively about their tasks as mentioned in section 4.1.6 and regularly inform and where necessary without undue delay the management body in its supervisory function.
The banks adopting the one tier system can grant the role of the “member of the management body responsible for AML/CFT” to the board member already performing the management function in the AML/CFT framework according to section 4.1.3. Alternatively, such banks are allowed to assign the tasks set out in paragraph 4.1.6 to a senior manager (appointed in accordance with the provisions of paragraph 4.1.5), who reports directly to the managing director and CEO”
With reference to the same paragraph:
• we would like to have a confirmation that the member of the management body responsible for AML/CFT should have a dedicated budget/staff to support him/her in carrying out his/her duties. If so, please clarify whether these should be provided by the financial sector operator.
• please specify whether:
- this provision can be understood as follows: the member of the management body responsible for AML/CFT should report to the management body about his/her tasks at least on an annual basis and inform the management body when necessary;
- the annual report should also be made to the management body in its supervisory function.
Note
Specifically, in companies operating under the one-tier system, management functions are performed by the Managing Director and CEO, to whom the Board of Directors delegates the powers relating to the day-to-day management of the company and who already performs the duties that should be allocated according to the provisions under Art. 46.4 of the AML Directive. As an example, it is the Managing Director and CEO, in his/her management function, who ensures that recommendations approved by the Board of Directors “result in adequate and necessary action to remedy any AML/CFT issues or breaches identified” (as required in subparagraph 19 of the “member of the management body responsible for AML/CFT management”), as part of his/her general duties to adopt the most appropriate actions to remedy shortcomings in the internal control system.
This additional solution should be pursued taking into account the time commitment required to discharge the duties of the AML/CFT nominated member of the management body as provided in the Guidelines. The Guidelines should also consider that members of the Audit and Risk Committees established within the Board of Directors under the one-tier system already have to be assessed collectively as fit and proper in terms of knowledge and experience for the oversight of the internal control system, including AML procedures and controls. Therefore, both the solutions suggested - the one placing the role defined under paragraph 4.1.6 on the Managing Director and CEO and the second on the senior manager at the top of the same CEO reporting line - could address potential redundancies where the oversight of the management of internal controls, including ML/TF risks, is already allocated, within the same one-tier management body, to a Management Control Committee (Audit Committee), and the support of the Board in its supervisory function and strategic direction is allocated to the Risk Committee, both collectively suitable for their responsibilities, including AML controls and oversight.
Indeed, it should be noted that both the Risk Committee and the Management Control Committee monitor compliance with AML/CFT rules and ensure that AML control measures are effective, adequate, complete and properly set to address ML/TF risks. Further, the Management Control Committee is also in charge of verifying that the duties and responsibilities relating to the prevention of ML/TF are clearly and appropriately allocated. The Chairperson of the Management Control Committee has adequate knowledge and skills regarding the assessment and management of ML/TF risks and the implementation of the relevant control activities.
3. Do you have any comments on Guideline 4.2 ‘Role and responsibilities of the AML/CFT compliance officer’?
• Section 4.2.1, paragraph 27
“27. The AML/CFT compliance officer should normally be located and work in the country of establishment of the financial sector operator”
The consultation paper provides for the functions and responsibilities of AML/CFT compliance officer in a precise and structured manner.
Nevertheless, some further specific clarifications could be added regarding the power of the AML/CFT compliance officer to coordinate the compliance officers appointed in foreign branches and companies at group level.
The consultation paper specifically provides for the coordination powers of the AML/CFT compliance officer of the parent company at a group level (Section 4.3.3). We understand that coordination functions are performed by the AML/CFT compliance officer with respect to both the AML/CFT compliance officer of the foreign branches and the AML/CFT compliance officer of subsidiaries (Section 4.3.3, paragraph 82, lett. e). For the sake of clarity, it would be in any case important to specify such power of coordination with respect to the AML/CFT compliance officer of the foreign branches under Section 4.2.1.
We therefore propose to amend section 4.2.1, paragraph 27, as follows:
“The AML/CFT compliance officer should normally be located and work in the country of establishment of the financial sector operator and is in charge of coordinating the activities performed by the AML/CFT compliance officer of the foreign branches”.
• Section 4.2.1, paragraph 30, letter c)
“In order to ensure the independence of the AML/CFT compliance officer, the following conditions should be met: the AML/CFT compliance officer should have an independent reporting line to the management body, where a management body exists in the financial sector operator’s structure”
First of all, there’s a need to better clarify the meaning of “independent reporting line”, to understand, in particular, if it is intended as direct access to the management body for reporting purposes or instead there’s a specific request to create an organizational reporting line (with independent access as well).
Moreover, we would like to have a confirmation that, for the banking groups where the AML function is outsourced to the parent company, the independent reporting line shall be ensured only to the management body of the parent company.
• Section 4.2.4, paragraph 40
“The AML/CFT compliance officer should report the results of the business-wide and individual ML/TF risk assessment to the management body, via the member of the management body or to the senior manager responsible for AML/CFT. The AML/CFT compliance officer should propose to the management body the measures to take to mitigate those risks. A new activity should not be undertaken until adequate resources to understand and manage the associated risks are available and effectively implemented”
With regard to this passage:
- We would like to have a confirmation that the said paragraph applies only to the results of the annual ML/TF self-risk assessment;
- the final guidelines should better clarify the roles and responsibilities of the member of the management body and of the AML/CFT compliance officer. It is not clear whether both need to report the result of the risk assessment to the management body or whether the AML/CFT compliance officer should only propose the measures to take to mitigate the risk. It is our opinion that the result of the risk assessment should be presented to the management body by the member of the management body responsible for AML/CFT and not by the AML/CFT compliance officer, who, as said before, should only propose the measures to take to mitigate the risks highlighted;
- the last part of the paragraph (i.e. the provision related to “new activity”) should be clarified, as it is not clear whether it is connected to the previous part of the paragraph or stands alone.
• Section 4.2.4, paragraph 44
“The AML/CFT compliance officer should exercise an advisory role before a final decision is taken by senior management on onboarding new high risk customers or re-classifying existing customers into the high risk category, unless the power to approve the establishment of such relationships is entrusted directly to the AML/CFT compliance officer”.
We believe that this provision goes beyond the current Directive and the EU proposal package as it requires the AML Officer to approve all high-risk customers and not only the cases provided for by EU legislation.
• Section 4.2.4, paragraph 48
“The AML/CFT compliance officer should make recommendations to the management body on measures in relation to any supervisory examination by the competent authority and the findings resulting therefrom. Depending on the ML/TF risk exposure and the size of the financial sector operator, the AML/CFT compliance officer should also make recommendations on audits, whether carried out by the financial sector operator’s internal audit function, an external auditor or a third party appointed by the financial sector operator, and the findings resulting therefrom”
The final Guidelines should clarify the specific role (supervisory or management functions) of the management body to whom the compliance officer should make the recommendations conceived in the abovementioned paragraph 48.
• Section 4.2.4, paragraphs 49, 50 and 40
“49. The AML/CFT compliance officer should advise the management body directly or via the member of the management body, or the senior manager, responsible for AML/CFT on measures to be taken to ensure compliance with applicable laws, rules, regulations and standards, and should provide their assessment of the possible impact of any changes in the legal or regulatory environment on the financial sector operator’s activities and compliance framework”
“50. The AML/CFT compliance officer should bring to the attention of the member of the management body….”
“40. The AML/CFT compliance officer should report the results of the business-wide and individual ML/TF risk assessment to the management body, via the member of the management body”.
With reference to the abovementioned paragraphs, and in particular to the passages highlighted in bold, it should be clarified if the lines of reporting change according to the specific reporting topic.
• Section 4.2.4, paragraph 53
“In relation to the AML/CFT compliance officer’s obligation under Article 33(2) of Directive (EU) 2015/849 to transmit information referred to in paragraph (1) of that Article, he/she should make sure that other members of staff whose assistance is sought with the discharge of aspects of this function have the skills, knowledge and suitability to assist with that task. Due consideration should be given to the sensitivity and confidentiality of information that may be disclosed and the non-disclosure obligations the financial sector operator has to adhere to”.
We would like to have a clarification whether the wording adopted implies that reports of suspicious transactions must therefore be made only by the compliance officer. In this regard, we would like to highlight that currently, as allowed by law, in Italy a suspicious transaction report may also be made by a person delegated by the bank.
This kind of provision, if left as it stands, would not be currently implementable in large groups.
• Section 4.2.6, paragraph 74, letter e)
“Strategic decisions in relation to AML/CFT should not be outsourced, in particular the following operational functions should not be outsourced (except for certain types of financial sector operators, i.e. collective investment funds, the AML/CFT compliance function is outsourced as such and not only the operation part of it since these entities have at a maximum a board or management in place and thus outsourcing will be beyond operational tasks): the establishment of criteria to detect unusual transactions”
There’s a need for clarification on how this provision fits in with the structures of financial sector operators where the functions of the AML/CFT compliance officer are outsourced to the parent company, including the performance of second-level controls, which may also concern the establishment of the criteria to detect unusual transactions.
• Section 4.2.6, paragraph 74, letter g)
“Strategic decisions in relation to AML/CFT should not be outsourced, in particular the following operational functions should not be outsourced (except for certain types of financial sector operators, i.e. collective investment funds, the AML/CFT compliance function is outsourced as such and not only the operation part of it since these entities have at a maximum a board or management in place and thus outsourcing will be beyond operational tasks) : accepting high-risk customers; and..”
With reference to the responsibility of “accepting high-risk customers” we would like to have a clarification about the possibility that the approval stays within the business at high/proper level without the involvement of the Compliance function, as per the current EU Directive.
• Section 4.2.6, paragraph 76
“Outsourcing within a group should be subject to the same provisions as outsourcing to an external service provider. Financial sector operators making use of intragroup outsourcing should in particular take the measures necessary to identify and manage any conflicts of interest that could arise from such an outsourcing agreement. The parent entity of the group should
a) establish an inventory of cases of intra-group AML/CFT outsourcing, in order to determine which function relates to which legal entity; and
b) ensure that intra-group outsourcing does not compromise the compliance of each subsidiary with its AML/CFT obligations. ”
Considering the various organizational models and the outsourcing solutions adopted in the Groups operating in Europe, the Guidelines should clarify the margin of discretion left to the Groups themselves in the appointment of the various subjects (i.e. a single Compliance Manager and / or AML manager for Parent and subsidiary or even two different AML officers within the same LE when it operates both as a Holding and an operating company) obviously always in compliance with the criteria of proportionality and effectiveness of the model adopted.
Accordingly, we propose considering a wording of the sentence that allows greater flexibility in the obligations where outsourcing is intra-group.
With reference to the same paragraph, we would also highlight that the final guidelines should clarify whether the intra-group outsourcing mapping requested (i.e. letter a) applies only to the parent company for its subsidiaries or also at group function level (i.e. mapping of all the intra-group outsourcing across the group).
4. Do you have any comments on Guideline 4.3 ‘Organisation of the AML/CFT compliance function at group level’?
• Section 4.3.3, paragraph 82, letter a)
“The parent entity should: designate a member of the group management body or senior manager responsible for AML/CFT among the senior managers directing the business at group level, a Group AML/CFT compliance officer and set up the organisational and operational coordination structure at group level with sufficient decision power for the group AML/CFT management to make this position effective at managing and mainly preventing ML/TF risks, according to proportionality principle and applicable domestic legislation”
With regard to this paragraph, we would like to have clarification on:
- what is meant by "group management body";
- whether, in banking groups where the AML function is outsourced to the parent company, the member of the management body responsible for AML/CFT should be appointed only at the parent company level or in each entity of the group, whether located in the same State as the parent company or in another Member State/third country, including non-banking entities subject to AML regulation.
Moreover, we propose to insert at the end of the mentioned letter a) the following passage:
“The Group AML/CFT compliance officer must be involved in advance in the designation/replacement of the member of the group management body or senior manager responsible for AML/CFT of the individual Group entities, in order to be able to provide his/her own reasoned opinion in support of the resolutions by the management bodies”.
• Section 4.3.3, paragraph 82, letter e)
“The parent entity should: for financial sector operator that operates branches or subsidiaries in another member state or a third country, appoint a Group AML/CFT compliance officer as a coordinator, for ensuring the implementation by all the companies of the group, which are engaged in financial activities, of the group policy and the adequate and appropriate systems and procedures for the effective prevention of ML/TF. Hence, the Group AML/CFT compliance officer should monitor on a continuous basis the compliance with the obligations through on-site and off-site controls”
There’s a need for clarification on the matter related to the Group AML/CFT compliance officer and, in particular, whether he/she may rely on third parties to perform the on-site and off-site controls (e.g., internal audit, consulting firms) and whether such controls should only be performed with respect to higher-risk entities and/or entities located in third countries. The final guidelines should also clarify whether the function in charge of on-site and off-site controls shall report directly to the AML/CFT compliance officer in his/her role of group coordinator.
• Section 4.3.3.
After paragraph 87, we would propose to insert the following new paragraph:
“88. The Group AML/CFT compliance officer periodically assesses the work of the member of the group management body or senior manager responsible for AML/CFT of the individual Group entities, reporting to the management bodies of the parent company and subsidiaries on the results of their assessments”.