EBA describes in paragraphs 8–11 the need for these new guidelines, even though there are already guidelines on internal governance and control in place. EBA cites, among other things, insufficient implementation of AMLD and of the guidelines on internal governance. We would like to question, however, whether failed national implementation of the AML Directive can be resolved with additional guidelines. It's also hard to see how non-compliance with existing guidelines on internal governance would be remedied by adding further guidelines. Instead, increased supervisory activities and more communication from supervisory authorities would help to improve the application of existing rules.
EBA communicated at the public hearing regarding the proposed guidelines that the existing guidelines are not applicable to all types of obliged entities and that this was a strong incentive to issue these guidelines. Adding more guidelines to existing ones makes the regulatory landscape very complicated and entails a risk that the wording in different guidelines is conflicting or at least points in different directions. It also drives a "tick-box compliance" approach that leaves less room for a risk-based approach. Therefore, it would be more appropriate to limit the scope of these proposed guidelines to those types of obliged entities that aren't subject to the current guidelines regarding internal governance.
An overall comment is that the role of AML/CFT Compliance Officer includes operational tasks. Therefore, the role of AML/CFT Compliance Officer could be hard to align with the principle of three lines of defence if the role is placed within the second line Compliance function. If the AML/CFT Compliance Officer is part of the compliance function in the second line, the responsibility for risk management is partly transferred from the first line to the second line (compliance). It will also be difficult to maintain the independence of the compliance function. The mix of operational and controlling tasks also runs the risk of the AML Compliance Officer controlling its own operational work if the role is placed within the second line Compliance function. Thus, it is of the highest importance that the guidelines offer flexibility and a certain freedom of organisation regarding where in the organisation the AML/CFT Compliance Officer should be placed, to secure an organisation and governance structure that best suits the obliged entity.
4.1.4 Identification of the member of the management body responsible for AML/CFT
p. 7 on page 14 states that "These guidelines apply to all existing management body structures irrespective of the allocation of competences in accordance with national company and of the management body structure." The Swedish implementation of the AMLD is made with consideration to the Swedish Companies Act and the Swedish corporate governance model. In that model the Board (the management body in its supervisory function) makes collective decisions and the Board members are collectively responsible. It's not possible to allocate responsibility for specific issues to specific board members. The Senior Manager responsible for AML/CFT can therefore not be a Board Member. The management body in its management function is, according to the Swedish corporate governance model, the CEO. For some obliged entities it may be appropriate for the CEO to be the Senior Manager. However, when considering the requirements in p. 14 and 18 it's clear that a CEO in many cases would not possess the required experience and skill regarding AML/CFT and will not have the possibility to give the AML/CFT issues the time expected. Therefore, it must be possible to assign the task of Senior Manager to a suitable person in the senior management – a very high position within the obliged entity, but one that is not part of the Management Body as defined in the definitions. This is not sufficiently reflected in the proposed guidelines. This, of course, is relevant for all Swedish obliged entities and not just banks.
p. 17 – We note that the requirements regarding the Senior Manager's qualifications are already stated in p. 14, so there seems to be no purpose in repeating them.
p. 21 – Since the identification and management of conflicts of interest are already a requirement according to other regulations and guidelines for many types of obliged entities, it would be helpful if EBA could give some further guidance regarding specifically AML/CFT-related conflicts of interest.
p. 22 (b) – The paragraph is unclear: who is responsible for what? According to the AML Directive Article 46 (4), referred to in paragraph 22, Member States shall require the responsible entities to identify, where appropriate, the member of the Management Board responsible for the implementation of the laws, regulations, and administrative provisions necessary to comply with the Directive. According to the directive, it is the Senior Manager that must be responsible for implementing AML-related policies, routines, and controls. In p. 22, however, EBA writes that the Senior Manager's responsibility is to ensure that the management has taken responsibility for implementing these. Should the Senior Manager ensure that the management has taken responsibility for doing what is the Senior Manager's own task?
p. 22 (d) – If the AML/CFT Compliance Officer is placed within the second line Compliance function, the appropriateness of the Senior Manager assessing the AML Compliance Officer's need for resources could be questioned, since this could compromise the independence of the AML Compliance Officer and give rise to conflicts of interest. As mentioned above, it is therefore of the highest importance that the guidelines offer flexibility and a certain freedom of organisation regarding where in the organisation the AML/CFT Compliance Officer should be placed, to secure an organisation and governance structure that best suits the obliged entity.
p. 22 (f) – It is important that the AML/CFT Compliance Officer can report directly to the Management Body in its Supervisory Function if he or she is placed within the second line of defence and is part of the Compliance function. Since the compliance function is the CEO's control body, the function must also report directly to the CEO. The independence of the control function must not be violated by any other function.
p. 22 (g) – Given the responsibility of the Senior Manager according to p. 22 (a) and (b), how should the situation be managed where the Senior Manager makes recommendations to the Management Body (Board and CEO), but the Management Body doesn't approve of the recommendations and takes no action? Thus: the Senior Manager identifies shortcomings and proposes measures but is not heard by the Management Body. The Senior Manager then does not perform its task according to 22 (a) and (b), but has no tools to handle the situation. Either it must be made clear that it is sufficient for the Senior Manager to be able to show that he/she has identified the shortcomings and reported them to the Management Body, and so has fulfilled his/her assignment, or the Senior Manager must be given some additional tools. Such a tool could be to report his/her observations directly to the board of directors. Otherwise, the Senior Manager ends up in an impossible situation.
p. 27 – There is a strong focus on the physical location of the AML Compliance Officer, in contrast to the requirements for the Data Protection Officer (DPO). It's not proportionate to have an AML Compliance Officer in each country where the obliged entity operates, e.g., if it's a matter of small and uncomplicated branches.
p. 28 – We would be very grateful if EBA could clarify what is meant by the wording "having the necessary systems and controls in place to ensure that the AML Compliance Officer has the necessary knowledge and understanding". It is not written as a competence requirement, i.e., what factors are required for the person to be considered to have the necessary knowledge and experience, but instead as a requirement for systems and controls to ensure this. The wording does not provide guidance on how to meet this requirement or on what systems and controls EBA has in mind.
p. 30 (c) – We certainly agree that the AML Compliance Officer should have an independent reporting line to the management body, but this conflicts with the wording in p. 22 (f).
p. 38 – Since this has already been stated in p. 30 (b), it seems to serve no purpose to state it again.
p. 39 – If the AML/CFT Compliance Officer is placed within the second line Compliance function, it's not advisable to task the AML Compliance Officer with developing a detailed risk assessment methodology, because then the AML Compliance Officer becomes operative and will end up controlling himself/herself.
p. 40 – We would be very grateful if EBA could clarify which "new activity" is within the scope of the last sentence. Is it EBA/GL/2021/05 p. 211?
p. 44 – We doubt that the second part of this paragraph will work in cases where the AML Compliance Officer is placed within the second line Compliance function, as this part of the paragraph involves operational decisions. The second line of defence then makes business decisions and is no longer independent. One question is also whether EBA intends that all decisions regarding all high-risk customers should be escalated to competent decision-makers; this requirement entails a significant extension of the current requirements. We think that flexibility is needed here.
p. 49 – It is positive that the guideline offers some flexibility regarding the reporting to the Management Body. If the AML/CFT Compliance Officer is placed within the second line Compliance function, it is very important that the AML/CFT Compliance Officer can report independently to the Management Body; see the comment regarding p. 22 (f) above.
p. 52 (a) – The reference to the AML Directive seems to refer to the wrong article. Article 8(2) states that the supervisory authority may decide on exemptions for certain sectors.
(e) iv – We would be very grateful if EBA could clarify what is meant by "AML/CFT concerns". Is it customers terminated due to suspicion of ML/TF and reporting to the FIU, or is it customers terminated because the customer hasn't presented the required KYC information?
(viii) – We think that the scope of this requirement is far too ambitious and that EBA doesn't really mean that all measures taken regarding all reported customers should be included in the report. That could involve thousands of actions (i.e., page up and page down) and it may not be relevant to report at that level of detail. A summary of how these customers have been handled must suffice. It could also be more appropriate for the obliged entity to develop relevant Key Risk Indicators (KRI) and Key Performance Indicators (KPI) and report those.
(f) – We would be very grateful if EBA could clarify what is meant by the words "prospective view". Is it a future prediction of the ML/TF risks?
(l) – We think that the reporting requirements regarding training are far too detailed, and it must be strongly questioned what the benefit is for the Management Body of knowing the date, name, etc. of each training activity held. It would be more appropriate for the obliged entity to develop relevant Key Risk Indicators (KRI) and Key Performance Indicators (KPI) regarding training and report those.
(m) and (n) – These two paragraphs appear to be of quite a broad character and don't serve as guidance. Therefore, we suggest that they should be removed.
Regarding section F Reporting of suspicious transactions, we would like to state that it's a very operative task. If it's performed by the second line compliance function, it will be hard to claim the control function's independence. We think that better risk management could be obtained if many of the tasks described were placed in the first line.
p. 54 – We think that there is a risk that the wording gives the impression that it's a single individual, the AML Compliance Officer, who must personally submit all reports to the FIU. This is of course not practically possible, at least not in a larger institution. We would be grateful if EBA could make clear that the AML Compliance Officer can delegate tasks to a person or persons in the AML Compliance Officer's organisation.
G Training and awareness – we think that this section also contains tasks that would rather be performed by the first line to obtain effective risk management. Compliance would then perform the appropriate controls.
p. 68 – The freedom of organisation is very important, and it must be possible to arrange the internal organisation in the way that would optimise the ability to manage risk. It is positive that the paragraph caters for a flexibility to adjust the organisation and governance structure in a way that best suits the obliged entity. Therefore, we would be grateful if EBA would elaborate on the relationships between different functions, e.g., the relationship between the AML Compliance Officer and Compliance in cases where they are separated.
p. 72 – We would be grateful if EBA could develop the text to also include cooperation between the AML Compliance Officer and Compliance in cases where these are not part of the same function.
p. 74 (b) – We would be grateful if EBA could elaborate on what is meant by "AML/CFT systems".
(h) – We would be grateful if EBA could elaborate on what is meant by "according to its nature".
p. 76 – We notice that intra-group outsourcing is covered by the same requirements as external outsourcing, which means that p. 74 also applies to intra-group outsourcing. We would like to point out that this may, for example in a group, lead to poorer opportunities for managing risk, if the obliged entity can't place tasks where it's most appropriate.
p. 85 (c) – We would be grateful if EBA could elaborate on the word "crystallisation".