The EACB welcomes the opportunity to comment on the EBA's new Guidelines on the role, tasks and responsibilities of anti-money laundering and countering the financing of terrorism (AML/CFT) compliance officers.
As general comments, we would highlight the following issues:
In general, the timeline for these EBA guidelines is very unfavorable for obliged entities: Taking into consideration that the AMLA (EU Anti-Money Laundering Authority) should be implemented already in 2024 and will issue new guidelines on this topic, it is burdensome for obliged entities to first implement the EBA guidelines, and then the subsequently amended guidelines by the AMLA.
The stipulations of this new GL should not lead to a decline of well-functioning and risk-mitigating outsourcing models in decentralized banking sectors. As such this is very important for the model of cooperative banks, and their reliance on intragroup outsourcing.
Answer to Question 1
Background and Rationale, para 15, p. 7
Para. 15, which is titled “proportionality”, refers only to other EBA Guidelines for the purpose of introducing definitions of concepts such as “the management body” or “management in its supervisory function”, but the said paragraph does not include any guidelines on the application of the proportionality principle. We therefore propose the following wording:
“Background and Rationale (…)
15. These guidelines should be applied, in accordance with the proportionality principle encoded in Article 74(2) of Directive 2013/36/EU and EBA Guidelines on internal governance under Directive 2013/36/EU, in a manner that is effective and proportionate to the financial sector operator’s type, size, internal organization, the nature, scope and complexity of its activities, and the ML/TF risks to which the financial sector operator is exposed.
The proportionality principle should be applied, in particular, to subsidiaries and member institutions affiliated to a central body within the meaning of Article 10 of the Regulation 2013/36/EU, where it may be adequate to apply these Guidelines at the level of the parent undertaking or central body only."
Scope of application, para. 6, p. 14
In line with the proportionality principle elaborated above, it should be possible to exempt subsidiaries of financial sector operators. Institutions affiliated to a central body within the meaning of Article 10 of the Regulation 2013/36/EU are comparable to subsidiaries and should be treated in the same way as subsidiaries. We propose the following amendments:
“6. These guidelines apply to financial sector operators as defined in Article 4(1a) of Regulation (EU) No 1093/2010. However, subsidiaries of those financial sector operators and institutions affiliated to a central body within the meaning of Article 10 of Regulation (EU) No 575/2013 may be exempted from the application of these guidelines, if the parent undertaking or central body meets these guidelines and can ensure an effective monitoring and mitigation of ML/TF risks [and the subsidiary or affiliated institution is located in the same Member State as the parent undertaking or central body].”
Scope of application, para. 7, p. 14
The Board of Directors can, in many jurisdictions, only have a collective legal responsibility. It is, therefore, confusing to require a single Board member to be responsible for AML matters, or, for that matter, for any single responsibility of the Board. This would also serve to reduce the interest of the rest of the Board to familiarize themselves with those matters. Moreover, Art. 46 (4) of the Directive 2015/849/EU explicitly states that “Member States shall require that, where applicable, obliged entities identify the member of the management board who is responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with this Directive.” At least in some EU jurisdictions this provision has been understood as conflicting with national company law and has not, therefore, been transposed into national law. This para (and Section 4.1. below) should, therefore, explicitly reflect the fact that the guidelines can only be applied to the extent they do not contradict the national law.
“7. These guidelines apply, in accordance with national law, to all existing management body structures irrespective of the allocation of competences and of the management body structured.”
Definitions, para. 9, p. 14-15
The table with definitions should be amended by adding a separate definition on senior management. See the comments to section 4.1 below for the justification of this amendment:
“9. Unless otherwise specified, terms used and defined in Directive (EU) 2015/849 have the same meaning in the guidelines. In addition, for the purposes of these guidelines, the following definitions apply:
senior management means those natural persons who exercise executive functions within an institution and who are responsible, and accountable to the management body, for the day-to-day management of the institution”
Date of application, p. 16
A transition period of at least 12 months is required to ensure adequate time to reorganize, where necessary, the internal governance structure of institutions so that they are able to meet the new requirements.
In the Background of the draft Guidelines (para 10, p. 5), the EBA notes that “senior management of some financial sector operators afforded low priority to AML/CFT issues and that this lack of senior management buy-in meant that ensuring adequate resources and hiring suitably qualified staff for AML/CFT roles was not seen as a priority, which appeared to have affected the quality of financial institution’s AML/CFT controls.”
While we agree on this analysis regarding the role of the senior management in tackling AML/CFT issues of some financial sector operators, we find the requirements related to the management body as set out by the EBA proposed GL problematic both from the legal and practical points of view:
The Board of Directors can, in many jurisdictions, only have a collective legal responsibility. It is, therefore, confusing to require a single Board member to be responsible for AML matters, or, for that matter, for any single responsibility of the Board. This would also serve to reduce the interest of the rest of the Board to familiarize themselves with those matters. Moreover, Art. 46 (4) of the Directive 2015/849/EU explicitly states that “Member States shall require that, where applicable, obliged entities identify the member of the management board who is responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with this Directive.” At least in some EU jurisdictions this provision has been understood as conflicting with national company law and has not, therefore, been transposed into national law. This section (and para 7 above) should, therefore, explicitly reflect the fact that the guidelines can only be applied to the extent they do not contradict the national law.
It should also be noted that in most cases the management body does not consist of members employed by the institution on a full-time basis but have (or have retired from) senior positions in other organizations. It is not practicable, or, particularly in smaller national markets and in smaller institutions, even possible to organize the work of such an external Board on the basis of the members specializing on individual areas within the responsibility of the management body, particularly on heavily regulated areas, which require detailed knowledge of the related regulation.
We would also like to draw attention to the fact that the key responsibility of the management body is to ensure that the institution meets its strategic business objectives and capital and liquidity targets. Overburdening the management body, particularly where it is responsible for both the management and supervisory function, with individual detailed responsibilities related to compliance is, therefore, counterproductive as it distracts the management body from its key responsibilities, which it cannot delegate to the senior management. It is not realistic to assume that, particularly in institutions with external management bodies as described above, the members of the management body could have a full command of individual matters at the level of detail required by the current regulation, including these draft guidelines.
We, therefore, propose the following amendments on this Section:
4.1.3 Role of the management body in its management function in the AML/CFT framework, para. 16 (a), p. 18
“16. In relation to internal policies, controls and procedures referred to in Articles 8(3) and 8(4) of Directive (EU) 2015/849, a financial sector operator’s management body in its management function should have the following AML/CFT tasks and responsibilities:
a) responsibility for implementing the organisational and operational structure necessary to discharge the AML/CFT strategy defined by management body, including, where applicable, the identification of the member of the senior management referred to in paragraph 17 and paying particular attention to the adequacy of the human and technical resources allocated to the AML/CFT compliance officer function, the need for a dedicated AML/CFT unit to assist the AML/CFT compliance officer.”
4.1.3 Role of the management body in its management function in the AML/CFT framework, para. 16 (e), p. 19
The wording in para. 16 (e) “operational functions of the AML/CFT compliance officer are outsourced” should be clarified, specifically as to whether the term “outsourced” covers intragroup outsourcing.
“e) where some operational functions of the AML/CFT compliance officer are outsourced, approving the service provider in line with the outsourcing written agreement and with the ESAs guidelines on outsourcing arrangements and ESAs guidelines on Internal Governance, and receiving regular reporting from the service provider to inform the management body.”
4.1.4 Identification of the member of the management body or senior management responsible for AML/CFT, para. 17 and para. 18, p. 19
“17. The member of the management body identified in accordance with national law transposing Article 46(4) of Directive (EU) 2015/849, where applicable, or a member of the senior management identified in accordance with paragraph 16 point (a) should in particular have adequate knowledge, skills and experience regarding the identification, assessment and management of the ML/TF risks, and the implementation of AML/CFT policies, controls and procedures, with a good understanding of the financial sector operator’s business model and the sector in which the financial sector operator operates, and the extent to which this exposes the financial sector operator to ML/TF risks.
18. The member of the management body or senior management should have sufficient time and resources to perform his/her AML/CFT duties effectively. They should report comprehensively about their tasks as mentioned in section 4.1.6 and regularly inform and where necessary without undue delay the management body in its supervisory function.”
4.1.5 Identification of a senior manager responsible for AML/CFT where no management body is in place, para. 19 and 20, p. 19
We would suggest deletion of paragraphs 19 and 20.
With regard to paragraph 52, it should be clarified that the activity report with the minimum content described has to be produced on an annual basis.
4.2.6 Outsourcing of operational functions of the AML/CFT compliance officer
This Section significantly restricts the possible scope of outsourcing of so-called “strategic decisions”. This concerns e.g.
- the validation of the business-wide ML/TF risk assessment,
- the internal organisation of AML/CFT system,
- the adoption and revision of internal AML/CFT policies and procedures,
- the assignment of the risk profile,
- the establishment of criteria to detect unusual transactions and
- the responsibility of reporting of suspicious transactions to the FIU.
In view of the increasingly complex requirements for the prevention of money laundering and terrorist financing through the future Money Laundering Regulation, the Money Laundering Directive, the respective national law, the future technical standards of AMLA as well as the national supervisory authority, it is, however, of considerable importance, especially for smaller and medium-sized credit institutions, to be able to outsource the AML/CFT compliance function as such or at least individual aspects thereof as comprehensively as possible to highly specialised and reliable service providers. This is currently done within the framework of contractual agreements and under the full responsibility of the outsourcing credit institution as well as in the knowledge of the supervisory authority. In doing so, neither the management options of the obliged entities nor the supervision by the supervisory authority are impaired. Therefore, the outsourcing of safeguards to prevent money laundering and terrorist financing has not only proven its worth for more than 20 years but has also led to a constant improvement of the prevention measures, e.g., through overlapping findings within the framework of the multi-client service, which can be used for the prevention measures as a whole. In order to ensure a high-quality standard of outsourcing, Art. 40 para. 1 and 3 - 5 of the draft AML/CFT-Regulation already contains detailed requirements, which can be supplemented, if necessary, by a duty to notify the competent supervisory authority of the outsourcing and by a right of the supervisory authority to audit the insourcer.
We therefore urgently call for at least the above-mentioned “strategic decisions”, which are assigned to the money laundering officer, to be removed from the exclusion catalogue, because these can be fulfilled by an outsourcing as such in a very high quality and at the same time efficiently, without this entailing a loss of responsibility or an impairment of money laundering supervision.
Para. 74 a
More specifically, on para. 74 a), in a decentralised banking sector, the validation of the business-wide risk assessment can be fulfilled by centralised units (e.g., by the internal audit function or external auditors). Similarly, the tasks listed in para. 75 c) can be fulfilled by centralised units.
With regard to para. 76, the general requirement subjecting outsourcing within a group to the same provisions as when outsourcing to an external service provider is too far-reaching. Outsourcing outside of a group bears higher risk (e.g., operational risk). Within a group, the outsourcing entity can have more reliance on the service provider based on e.g., internal standards and available information on the background and track-record of the service provider.
In order to enable small and medium-sized banks to continue to provide high-quality money laundering prevention in the future, it is essential to allow the outsourcing of the function of the money laundering officer in its entirety.
The stipulations of this section should not lead to a decline of well-functioning and risk-mitigating outsourcing models in decentralized banking sectors. As such this is very important for the model of cooperative banks, and their reliance on intragroup outsourcing.
Furthermore, it should be clarified that the same person can be the compliance officer of the parent company and the subsidiary at the same time.
Section 4.3.3, para. 82 a)
With regard to section 4.3.3, firstly on para. 82 a), the role and the specific tasks of the member of the management body at group level or senior manager defined as “responsible for AML/CFT among the senior managers directing the business at group level” is unclear and should be clarified.
Secondly, the tasks of a group AML/CFT compliance officer as listed in para. 84 are excessive. In particular, the task (para. 84 a)) to coordinate the drafting and effective implementation by each entity of internal procedures for the ML/TF risk assessment, and the task (para. 84 c)) to coordinate the definition of the AML/CFT-related policies and procedures of the different group entities are excessive.
Instead, according to acknowledged and well-functioning international market practice, the respective tasks of the group function (in paragraphs a) and c)) should be reduced to:
• set up group standards according to the applicable AML/CFT regulations
• oblige all group entities to implement the group standards and adhere to them (including a procedure for the approval of deviations from group standard)
• perform adequate controls on the effective implementation of the group standards
• define and monitor mitigating actions in case that gaps to the group standard have been identified in group entities
Finally, it should be clarified that the topics of the report listed in para. 85 as a part of the activity report have to be reported only on an annual basis.
In addition, the following mandatory contents of the reports should be reduced or deleted:
“a) Statistics consolidated at group-level, especially on risk exposure and suspicious activities broken down by business lines, geographies and distribution channels”
The requirement that statistics on SARs have to be broken down by business lines, geographies and distribution channels should be deleted.
“b) Sectoral trends of ML/TF risks across subsidiaries and branches, possibly based on the National Risk Assessment and other sources of information;”
It should be sufficient that these risks are considered in the ML/TF risk analysis.
“c) Monitoring of risks, that have occurred in one subsidiary or branch, across other subsidiaries and branches, in a timely fashion before crystallization;”
On an event-driven basis, ad hoc risk-mitigating measures in other group entities might be necessary if risks occur in a subsidiary. Besides that, it should be sufficient that risks occurring in a subsidiary are considered in the consolidated group ML/TF risk analysis and there is no need to cover this aspect also in the annual report.
The alignment requirement in para. 87 is too indefinite. We refer to the proposed approach with reference to para. 84:
The required alignment should therefore be defined as follows: Local procedures and policies of subsidiaries should have to be in line with the AML/CFT group standards defined by the group AML/CFT compliance officer and any deviations from these group standards should have to be requested from the subsidiary and approved by the group function in advance.
Based on this approach, there is no need for the provision in para. 87 and this provision should therefore be deleted without replacement.