The draft guidelines set out in great detail the role, tasks and responsibilities of the AML/CFT compliance officer and the management body. In contrast, the AML directive provides a general obligation to have in place policies, controls and procedures to mitigate and manage effectively AML/TF risks which may include the appointment of a compliance officer (article 8) and a specially designated member of the management board (article 46.4). In some cases the approval of senior management must also be obtained, cf. article 8.5. Hence, the role, tasks and responsibilities of the different functions that the draft guidelines deal with are not specified in the directive and in particular not the role, tasks and responsibilities of the "management body", a term which is in fact not used in the directive in this context.
A detailed approach like the one in the draft guidelines must take into consideration that corporate governance models differ between member states. There may for instance be differences as to the extent to which the board of directors is involved in day-to-day management/operative tasks and as to whether responsibility can be distributed between board members or not. Such differences may in turn frame the application of AML specific regulation, for instance of who is eligible for the role designated in article 46.4 of the AML directive. Apart from company law, obliged entities must also comply with sector specific legislation that may require certain governance functions. The definition of management body must be flexible enough to accommodate such differences. In light of this we think that it should be clarified that a member of the management body does not in all cases need to be a member of the board of directors, but can also include senior management, cf. the definition of senior management in article 3 (12) of the AML directive.
See our comments under 1. The need for clarification of the term management body set out above is also demonstrated by the fact that the draft guideline in 4.1.1. uses a different term (management body) than the directive (senior management) about the actor that in accordance with article 8.5 of the directive should approve policies, controls and procedures. The term senior management is defined in the directive as a person that need not, in all cases, be a member of the board of directors (article 3 (12)). We assume that the definition of management body in the draft guidelines does not deviate from and narrow down the definition laid down in the directive.
As pointed out above, the level of detail of the draft guidelines is very high and contrasts with the corresponding provisions of the AML directive. This is particularly noticeable in the guideline on the role and responsibilities of the AML/CFT compliance officer, for instance in 4.2.4 e) on reporting to the management body and 4.2.4 g) on training and awareness. The new activity report, which forms part of the reporting to the management body, is a case in point. There is an almost three pages long minimum list of items to be included, which, in relation to training activities (52 2) l)), should contain information on, among other things:
• number of training hours by type of employees and by type of department/function and percentage of employees having completed the training;
• date of participation in a seminar, title and duration of the seminar and modality of distribution (i.e. e-learning, online and face to face) as well as the names of trainers;
• whether the lecture/seminar was prepared within the financial sector operator or offered by an external organisation or consultants; and
• summary information for the program/content of the lectures/seminar.
In a similar vein, the draft guideline also deals with processes for internal reports related to reporting suspicious transactions (54 c)) and specific AML/CFT training for different staff categories, including software developers (62).
It is important that obliged entities will be in a position to adjust their approach, thereby focussing their resources on real risk. Risks differ between sectors, for instance between banks and insurance. FATF has pointed out that generally the ML/TF risk associated with the life insurance sector is lower than that associated with other financial products or other sectors. In our view, the level of detail in the draft guidelines makes it more difficult to apply a risk-based approach.
The high level of detail also concerns aspects of organisation such as the allocation of very specific tasks to certain functions, for instance charging the AML/CFT compliance officer with the tasks mentioned in 54 c) and 62 above. We believe that the exact organisation of the business should as far as possible be left for obliged entities to decide themselves, provided that ML/TF risks can be appropriately handled. Moreover, some of the tasks that the AML/CFT compliance officer is charged with under the draft guideline deal with implementation rather than control, for instance preparing policies and procedures (41-43). This may blur the difference between the first and the second line, thus making it more difficult to ensure the independence of the role.