Response to consultation on draft amending Guidelines on risk-based AML/CFT supervision
Go back
The EBF therefore supports the clarification in the draft guidelines that the extent of supervisory actions should be commensurate to the ML/TF risks, and not determined solely on the grounds of nature and/or size of the enterprise. We would in addition recommend that a reference be included to the need for a degree of risk tolerance based on a professional evaluation of the entity’s risk-based approach.
Enhancing cooperation is key in improving the effectiveness of the AML/CFT framework. The EBF hence also supports the references to multilateral agreements between competent authorities and the ECB, which set out the practical modalities for cooperation between competent authorities and certain other stakeholders in third countries, particularly FIUs. We would suggest that those references are expanded to also include cooperation with law enforcement authorities and Europol. Guidance on the limits of the information competent authorities can share with other stakeholders would also be beneficial.
In line with our response to Question 2, we recommend the addition of a reference to law enforcement authorities and Europol. Furthermore, the EBF recognises the important role public-private partnerships (PPPs) play in improving the effectiveness of the AML/CFT efforts. The potential of public-private partnerships (PPPs) involving banks, FIUs and law enforcement authorities should be better exploited in the AML/CFT context. Such PPPs would enable the interception of activities of complex criminal networks, including those operating across borders. We hence call for PPPs to be included as sources of information.
The extension of the list of sources is a welcome change. However, some of the amendments may need to be revisited. For example, replacing ‘newspaper reports’ by “publicly available information from reputable sources” could lead to exclusion of ‘smaller’ distributors of news while certain trends or typologies can be specifically identified by a collection of multiple ‘smaller’ distributors. Moreover, “reputable source” can be interpretated widely and can lead to divergences in interpretation. Similarly, the guidelines do not provide sufficient clarity on what could be perceived as “reliable information” as referred to in paragraph 40.
With regards to the section on domestic risk factors, the removal of the reference to information from “private entities” and the notion that all such sources are unreliable seem unconvincing. Such sources could indeed bring value in the process of assessing risks. We therefore suggest replacing the proposed term “relevant bodies” with “credible private bodies and other relevant bodies”.
The EBF maintains nonetheless that further clarity should be provided on the effective implementation of group-wide policies and procedures in branches and subsidiaries of subjects of assessment, as referenced in paragraph 62 of the guidelines. However, unlike in paragraph 100, which pertains to “Step 3 – Supervision” and where the term “effectively” is explicitly defined with a list of criteria in the context of an effective AML/CFT system, in this section such definition is missing. It thus remains unclear what the “measures of effectiveness” are for assessing “effective” implementation of group-wide policies. For example, those might include evidence of local policy transposition, a clear exceptions process or the evaluation of the maturity of the underlying controls behind a given policy requirement. It is hence critical to receive clear guidance on how “effective” policy implementation will be interpreted.
Certain paragraphs may also need to be reworded to better foster convergence. This includes, for example, paragraph 69 where it is stated that competent authorities should “decide on the most appropriate way to categorise the risk” and should “consider classifying subjects of assessment, sectors and sub-sectors”. To achieve convergence and enhance cooperation there should be a common understanding on risk profiles and categories.
The EBF welcomes the acknowledgement by the EBA of the existence of inflexible and over-prescriptive supervisory processes set out in supervisory manuals, which make it difficult for supervisors to adjust their approach in line with the ML/TF risks they have identified during inspections. As per our response to Question 2, the EBF would suggest an additional reference to the need for supervisory manuals to acknowledge the need for a degree of risk tolerance and provide high-level guidance on evaluating entities’ risk-based approach.
On De-Risking
With regards to the section on de-risking, the EBF supports the finding that competent authorities should consider whether their guidance could have unintended consequences such as wholesale de-risking of entire categories of customers, and mitigate any adverse effects their guidance may have on certain sectors or subjects of assessment. We would recommend including a reference to consider the need for greater supervision of regulated customer segments, such as Money Services Businesses (MSBs).
Moreover, evidence of de-risking in some sectors or subjects of assessment, or evidence that subjects of assessment avoid risks rather than manage ML/TF risks effectively is set out as an indicator for competent authorities to assess whether there is a need for further guidance in the sector. To ensure effectiveness, however, the focus should fall not only on “evidence of de-risking”, but it should also recognise financial institutions that pro-actively engage with “at risk” (and underbanked) segments and build an appropriate control framework to respond to the risks. Overall, an assessment of an “effective” AML/CFT system and set of controls should also give credit to financial institutions who work to address financial exclusion.
On Training
The EBF acknowledges the importance of emphasising the need for staff training within competent authorities given that the lack of sufficient and adequate training may have negative impacts on competent authorities’ approach to supervision. We further suggest adding a reference to training on RegTech and risk-based approaches to compliance.
On Effectiveness
In its current formulation, paragraph 98 states that competent authorities should assess a subject’s “AML/CFT systems and controls, as well as the effectiveness of the systems and controls”. This seems to indicate that there are two distinct assessments of systems and controls, and only one of those assessments is focused on “effectiveness”. We nevertheless maintain that the assessment should be focused wholly on effectiveness.
The list of factors used to assess effectiveness are outlined in paragraph 100. However, the list seems to miss one of the core principles of the AML/CFT regulatory regime, namely “providing highly useful information to relevant government agencies in defined priority areas. Moreover, there is no reference in the list to suspicious activity reporting. Effectiveness is to a large extent defined by the identification of suspicious activity and its reporting. Another indicator in that regard, which is missing, are Member States’ FIU’s views and/or evaluations of the reporting quality coming from financial institutions. Another indicator for effectiveness could be a financial institution’s participation in PPPs aimed at improving the detection, disruption and deterrence of financial crime.
In EBF’s view, the aforementioned factors constitute highly relevant measures of effectiveness for an AML/CFT programme and should be included in the list of factors to assess effectiveness.
Finally, paragraph 100(d) appears to contain a typo. It is unclear to us whether more information following “business-wide risk assessment” was intended to be included.
Q1. Do you have any comments with the proposed changes to the ‘Subject matter, scope and definitions’?
The EBF supports the amendments to this part of the guidelines.Q2. Do you have any comments with the proposed changes to the Guideline 4.1 ‘Implementing the RBS model’?
The EFB welcomes the EBA’s conclusions that the four steps of the existing RBS model have on some occasions been interpreted and applied inconsistently by competent authorities across the EU. We also agree with the identified need for additional guidance for competent authorities on each of the steps to ensure that the RBS model is developed and implemented effectively across all sectors and across the EU. At present, there are inconsistent national approaches to defined higher risk categories set out in the AMLD, in some cases extending the scope of risk-sensitive measures and restricting obliged entities’ flexibility in how to apply these measures according to the varied risks of particular cases. This includes varied supervisory expectations, in some cases focusing on the application of prescriptive and inflexible processes and requirements, rather than on the management of ML/TF risk.The EBF therefore supports the clarification in the draft guidelines that the extent of supervisory actions should be commensurate to the ML/TF risks, and not determined solely on the grounds of nature and/or size of the enterprise. We would in addition recommend that a reference be included to the need for a degree of risk tolerance based on a professional evaluation of the entity’s risk-based approach.
Enhancing cooperation is key in improving the effectiveness of the AML/CFT framework. The EBF hence also supports the references to multilateral agreements between competent authorities and the ECB, which set out the practical modalities for cooperation between competent authorities and certain other stakeholders in third countries, particularly FIUs. We would suggest that those references are expanded to also include cooperation with law enforcement authorities and Europol. Guidance on the limits of the information competent authorities can share with other stakeholders would also be beneficial.
Q3. Do you have any comments on the proposed changes to the Guideline 4.2 ‘Step 1- Identification of risk and mitigating factors’?
The EBF supports the inclusion in the guidelines of new sources of information and particularly the reference to AML/CFT supervisors in third countries.In line with our response to Question 2, we recommend the addition of a reference to law enforcement authorities and Europol. Furthermore, the EBF recognises the important role public-private partnerships (PPPs) play in improving the effectiveness of the AML/CFT efforts. The potential of public-private partnerships (PPPs) involving banks, FIUs and law enforcement authorities should be better exploited in the AML/CFT context. Such PPPs would enable the interception of activities of complex criminal networks, including those operating across borders. We hence call for PPPs to be included as sources of information.
The extension of the list of sources is a welcome change. However, some of the amendments may need to be revisited. For example, replacing ‘newspaper reports’ by “publicly available information from reputable sources” could lead to exclusion of ‘smaller’ distributors of news while certain trends or typologies can be specifically identified by a collection of multiple ‘smaller’ distributors. Moreover, “reputable source” can be interpretated widely and can lead to divergences in interpretation. Similarly, the guidelines do not provide sufficient clarity on what could be perceived as “reliable information” as referred to in paragraph 40.
With regards to the section on domestic risk factors, the removal of the reference to information from “private entities” and the notion that all such sources are unreliable seem unconvincing. Such sources could indeed bring value in the process of assessing risks. We therefore suggest replacing the proposed term “relevant bodies” with “credible private bodies and other relevant bodies”.
Q4. Do you have any comments on the proposed changes to the Guideline 4.3 ‘Step 2 – Risk assessment’?
The EBF welcomes the approach taken by the EBA to provide further guidance on the relationship between sectoral and individual risk assessments and to set requirements for competent authorities to use sectoral risk assessments as a basis for their individual risk assessments and to use individual risk assessments collectively to develop their understanding of risks within the sector. We believe this would contribute to decreasing the divergence in views between competent authorities.The EBF maintains nonetheless that further clarity should be provided on the effective implementation of group-wide policies and procedures in branches and subsidiaries of subjects of assessment, as referenced in paragraph 62 of the guidelines. However, unlike in paragraph 100, which pertains to “Step 3 – Supervision” and where the term “effectively” is explicitly defined with a list of criteria in the context of an effective AML/CFT system, in this section such definition is missing. It thus remains unclear what the “measures of effectiveness” are for assessing “effective” implementation of group-wide policies. For example, those might include evidence of local policy transposition, a clear exceptions process or the evaluation of the maturity of the underlying controls behind a given policy requirement. It is hence critical to receive clear guidance on how “effective” policy implementation will be interpreted.
Certain paragraphs may also need to be reworded to better foster convergence. This includes, for example, paragraph 69 where it is stated that competent authorities should “decide on the most appropriate way to categorise the risk” and should “consider classifying subjects of assessment, sectors and sub-sectors”. To achieve convergence and enhance cooperation there should be a common understanding on risk profiles and categories.
Q5. Do you have any comments with the proposed changes to the Guideline 4.4 ‘Step 3 - Supervision’?
On Supervisory Practices and the Supervisory ManualThe EBF welcomes the acknowledgement by the EBA of the existence of inflexible and over-prescriptive supervisory processes set out in supervisory manuals, which make it difficult for supervisors to adjust their approach in line with the ML/TF risks they have identified during inspections. As per our response to Question 2, the EBF would suggest an additional reference to the need for supervisory manuals to acknowledge the need for a degree of risk tolerance and provide high-level guidance on evaluating entities’ risk-based approach.
On De-Risking
With regards to the section on de-risking, the EBF supports the finding that competent authorities should consider whether their guidance could have unintended consequences such as wholesale de-risking of entire categories of customers, and mitigate any adverse effects their guidance may have on certain sectors or subjects of assessment. We would recommend including a reference to consider the need for greater supervision of regulated customer segments, such as Money Services Businesses (MSBs).
Moreover, evidence of de-risking in some sectors or subjects of assessment, or evidence that subjects of assessment avoid risks rather than manage ML/TF risks effectively is set out as an indicator for competent authorities to assess whether there is a need for further guidance in the sector. To ensure effectiveness, however, the focus should fall not only on “evidence of de-risking”, but it should also recognise financial institutions that pro-actively engage with “at risk” (and underbanked) segments and build an appropriate control framework to respond to the risks. Overall, an assessment of an “effective” AML/CFT system and set of controls should also give credit to financial institutions who work to address financial exclusion.
On Training
The EBF acknowledges the importance of emphasising the need for staff training within competent authorities given that the lack of sufficient and adequate training may have negative impacts on competent authorities’ approach to supervision. We further suggest adding a reference to training on RegTech and risk-based approaches to compliance.
On Effectiveness
In its current formulation, paragraph 98 states that competent authorities should assess a subject’s “AML/CFT systems and controls, as well as the effectiveness of the systems and controls”. This seems to indicate that there are two distinct assessments of systems and controls, and only one of those assessments is focused on “effectiveness”. We nevertheless maintain that the assessment should be focused wholly on effectiveness.
The list of factors used to assess effectiveness are outlined in paragraph 100. However, the list seems to miss one of the core principles of the AML/CFT regulatory regime, namely “providing highly useful information to relevant government agencies in defined priority areas. Moreover, there is no reference in the list to suspicious activity reporting. Effectiveness is to a large extent defined by the identification of suspicious activity and its reporting. Another indicator in that regard, which is missing, are Member States’ FIU’s views and/or evaluations of the reporting quality coming from financial institutions. Another indicator for effectiveness could be a financial institution’s participation in PPPs aimed at improving the detection, disruption and deterrence of financial crime.
In EBF’s view, the aforementioned factors constitute highly relevant measures of effectiveness for an AML/CFT programme and should be included in the list of factors to assess effectiveness.
Finally, paragraph 100(d) appears to contain a typo. It is unclear to us whether more information following “business-wide risk assessment” was intended to be included.