Austrian Federal Economic Chamber, Division Bank and Insurance
The guidelines are not sufficiently clear on the relationship between and the roles and responsibilities of the senior manager responsible for AML/CFT and the AML/CFT Compliance officer. In addition, the independence of the Compliance Officer needs to be secured.
The guidelines do not sufficiently reflect the principles for the segregation of duties between the first and second line of defence. As a result, the guidelines create confusion about the roles and responsibilities of the compliance function (second line of defence) and the AML function (first line of defence).
The stipulations of this new GL should not lead to a decline of well-functioning and risk-mitigating outsourcing models in some banking sectors. This is particularly important for the model of cooperative banks and their reliance on intragroup outsourcing.
In general, the timeline for these EBA guidelines is very unfavorable for obliged entities: Taking into consideration that the AMLA should be implemented already in 2024 and will issue new guidelines on this topic, it is burdensome for obliged entities to first implement the EBA guidelines, and then the subsequently amended guidelines by the AMLA.
Background and Rationale, para 15, p. 7
Para. 15, which is titled “proportionality”, refers only to other EBA Guidelines for the purpose of introducing definitions of concepts such as “the management body” or “management in its supervisory function”, but the cited paragraph does not include any guidance on the application of the proportionality principle. We propose the following wording:
“Background and Rationale (…)
15. These guidelines should be applied, in accordance with the proportionality principle encoded in Article 74(2) of Directive 2013/36/EU and EBA Guidelines on internal governance under Directive 2013/36/EU, in a manner that is effective and proportionate to the financial sector operator’s type, size, internal organization, the nature, scope and complexity of its activities, and the ML/TF risks to which the financial sector operator is exposed.
The proportionality principle should be applied, in particular, to subsidiaries and member institutions affiliated to a central body within the meaning of Article 10 of the Regulation 2013/36/EU, where it may be adequate to apply these Guidelines at the level of the parent undertaking or central body only.
Scope of application, para. 6, p. 14
In line with the proportionality principle elaborated above, it should be possible to exempt subsidiaries of financial sector operators. Institutions affiliated to a central body within the meaning of Article 10 of the Regulation 2013/36/EU are comparable to subsidiaries and should be treated in the same way as subsidiaries. We propose the following amendments:
“6. These guidelines apply to financial sector operators as defined in Article 4(1a) of Regulation (EU) No 1093/2010. However, subsidiaries of those financial sector operators and institutions affiliated to a central body within the meaning of Article 10 of Regulation (EU) No 575/2013 may be exempted from the application of these guidelines, if the parent undertaking or central body meets these guidelines and can ensure an effective monitoring and mitigation of ML/FT risks [and the subsidiary or affiliated institution is located in the same Member State as the parent undertaking or central body].
Scope of application, para. 7, p. 14
The Board of Directors can, in many jurisdictions, only have a collective legal responsibility. It is, therefore, confusing to require a single Board member to be responsible for AML matters, or, for that matter, for any single responsibility of the Board. This would also serve to reduce the interest of the rest of the Board in familiarizing themselves with those matters. Moreover, Art. 46 (4) of the Directive 2015/849/EU explicitly states that “Member States shall require that, where applicable, obliged entities identify the member of the management board who is responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with this Directive.” At least in some EU jurisdictions this provision has been understood as conflicting with national company law and has not, therefore, been transposed into national law. This para (and Section 4.1 below) should, therefore, explicitly reflect the fact that the guidelines can only be applied to the extent they do not contradict national law.
“7. These guidelines apply, in accordance with national law, to all existing management body structures irrespective of the allocation of competences and of the management body structured.”
Definitions, para. 9, p. 14-15
The table with definitions should be amended by adding a separate definition on senior management. See the comments to section 4.1 below for the justification of this amendment:
“9. Unless otherwise specified, terms used and defined in Directive (EU) 2015/849 have the same meaning in the guidelines. In addition, for the purposes of these guidelines, the following definitions apply:
senior management means those natural persons who exercise executive functions within an institution and who are responsible, and accountable to the management body, for the day-to-day management of the institution”
Date of application, p. 16
A transition period of at least 12 months is required to ensure adequate time to reorganize, where necessary, the internal governance structure of institutions so that they are able to meet the new requirements.
To align the wording with the Directive and to take account of the principle of proportionality, the text should be amended:
Where a management body exists, AML/CFT policies, controls and procedures should be approved by management body where appropriate, in accordance with Article 8(5) of Directive (EU) 2015/849.
In the Background of the draft Guidelines (para 10, p. 5), the EBA notes that “senior management of some financial sector operators afforded low priority to AML/CFT issues and that this lack of senior management buy-in meant that ensuring adequate resources and hiring suitably qualified staff for AML/CFT roles was not seen as a priority, which appeared to have affected the quality of financial institution’s AML/CFT controls.”
While we agree with this analysis regarding the role of senior management in tackling AML/CFT issues at some financial sector operators, we find the requirements related to the management body as set out in the EBA proposed GL problematic from both a legal and a practical point of view:
The Board of Directors can, in many jurisdictions, only have a collective legal responsibility. It is, therefore, confusing to require a single Board member to be responsible for AML matters, or, for that matter, for any single responsibility of the Board. This would also serve to reduce the interest of the rest of the Board in familiarizing themselves with those matters. Moreover, Art. 46 (4) of the Directive 2015/849/EU explicitly states that “Member States shall require that, where applicable, obliged entities identify the member of the management board who is responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with this Directive.” At least in some EU jurisdictions this provision has been understood as conflicting with national company law and has not, therefore, been transposed into national law. This section (and para 7 above) should, therefore, explicitly reflect the fact that the guidelines can only be applied to the extent they do not contradict national law.
It should also be noted that, particularly in smaller institutions, the management body in many cases does not consist of members employed by the institution on a full-time basis, but of members who hold (or have retired from) senior positions in other organizations. It is not practicable, or, particularly in smaller national markets and in smaller institutions, even possible to organize the work of such an external Board on the basis of the members specializing in individual areas within the responsibility of the management body, particularly in heavily regulated areas, which require detailed knowledge of the related regulation.
We would also like to draw attention to the fact that the key responsibility of the management body is to ensure that the institution meets its strategic business objectives and capital and liquidity targets. Overburdening the management body, particularly where it is responsible for both the management and supervisory function, with individual detailed responsibilities related to compliance is, therefore, counterproductive, as it distracts the management body from its key responsibilities, which it cannot delegate to senior management. It is not realistic to assume that, particularly in institutions with external management bodies as described above, the members of the management body could have a full command of individual matters at the level of detail required by the current regulation, including these draft guidelines.
We, therefore, propose the following amendments on this Section:
4.1.3 Role of the management body in its management function in the AML/CFT framework, para. 16 (a), p. 18
“16. In relation to internal policies, controls and procedures referred to in Articles 8(3) and 8(4) of Directive (EU) 2015/849, a financial sector operator’s management body in its management function should have the following AML/CFT tasks and responsibilities:
a) responsibility for implementing the organizational and operational structure necessary to discharge the AML/CFT strategy defined by management body, including, where applicable, the identification of the member of the senior management referred to in paragraph 17 and paying particular attention to the adequacy of the human and technical resources allocated to the AML/CFT compliance officer function, the need for a dedicated AML/CFT unit to assist the AML/CFT compliance officer.”
4.1.3 Role of the management body in its management function in the AML/CFT framework, para. 16 (e), p. 19
The wording “operational functions of the AML/CFT compliance officer are outsourced” (par. 16 e)) should be clarified, specifically whether the term “outsourced” covers intragroup outsourcing.
“e) where some operational functions of the AML/CFT compliance officer are outsourced, approving the service provider in line with the outsourcing written agreement and with the ESAs guidelines on outsourcing arrangements and ESAs guidelines on Internal Governance, and receiving regular reporting from the service provider to inform the management body.”
4.1.4 Identification of the member of the management body or senior management responsible for AML/CFT, para. 17 and para. 18, p. 19
“17. The member of the management body identified in accordance with national law transposing Article 46(4) of Directive (EU) 2015/849, where applicable, or a member of the senior management identified in accordance with paragraph 16 point (a) should in particular have adequate knowledge, skills and experience regarding the identification, assessment and management of the ML/TF risks, and the implementation of AML/CFT policies, controls and procedures, with a good understanding of the financial sector operator’s business model and the sector in which the financial sector operator operates, and the extent to which this exposes the financial sector operator to ML/TF risks.
18. The member of the management body or senior management should have sufficient time and resources to perform his/her AML/CFT duties effectively. They should report comprehensively about their tasks as mentioned in section 4.1.6 and regularly inform and where necessary without undue delay the management body in its supervisory function.”
4.1.5 Identification of a senior manager responsible for AML/CFT where no management body is in place, para. 19 and 20, p. 19
We would suggest the deletion of these paragraphs (19 and 20).
With regard to paragraph 52, it should be clarified that the activity report with the minimum content described has to be produced on an annual basis.
Para. 74 a)
More specifically, on para. 74 a), in decentralised banking sectors, the validation of the business-wide risk assessment can be fulfilled by centralised units (e.g., by the internal audit function or external auditors). Similarly, the tasks listed in para. 75 c) can be fulfilled by centralised units.
With regard to para. 76, the general requirement subjecting outsourcing within a group to the same provisions as outsourcing to an external service provider is too far-reaching. Outsourcing inside a group bears lower risk (e.g. operational risk). Within a group, the outsourcing entity can place more reliance on the service provider based on, e.g., internal standards and available information on the background and track record of the service provider.
In order to enable small and medium-sized banks to continue to provide high-quality money laundering prevention in the future, it is essential to allow the outsourcing of the function of the money laundering officer in its entirety.
The stipulations of this section should not lead to a decline of well-functioning and risk-mitigating outsourcing models. This is particularly important for the model of cooperative banks and their reliance on intragroup outsourcing.
Furthermore, it should be clarified that the same person can be the compliance officer of the parent company and the subsidiary at the same time.
Moreover, the guidelines create confusion about the roles and responsibilities of the compliance function (second line of defence) and the AML function (first line of defence). Several responsibilities described as part of the AML/CFT Compliance officer’s responsibilities seem to be tasks that today are clearly located in the first line of defence, and for which the senior manager responsible for AML/CFT does have responsibility, including policies, guidelines and training. At the same time, the guidelines are clear on the principle that the AML/CFT Compliance officer should not have responsibility for tasks that this function should monitor and control. The fact that the guidelines state that the AML/CFT Compliance officer should be able to have an AML/CFT Unit to assist the function complicates this matter further.
The guidelines do not make clear what the relationship between the general compliance function and the AML/CFT compliance function should be. Should the general compliance function monitor the AML/CFT compliance function, given that EBA GL 2021/05 states that the responsibilities of the compliance function include AML/CFT compliance risks? Or are these to be two parallel, completely separate compliance functions within the second line of defence?
The organisational structure of some entities might not allow a separate division. However, where the AML officer is subordinate to a person responsible for managing activities, it is important that conflicts of interest are mitigated, e.g. via a clear separate reporting line (e.g. lit. c).
To ensure consideration of the principle of proportionality, the text should be amended:
30. a) notwithstanding the overall responsibility of members of the management body for the financial sector operator, the AML/CFT compliance officer in general should not be subordinate to a person who has responsibility for managing any of the activities the AML/CFT compliance officer monitors if the organisational set up allows it;
To take account of the principle of proportionality, the text should be amended:
46. The AML/CFT compliance officer should carry out sample testing to establish levels of compliance where appropriate.
Regarding 4.2.4, para. 50
Please clarify what exactly is to be understood as “remedial programs”. We understand that this entails inconsistencies in the application of risk procedures and remediation processes to ensure compliance once such an issue is identified.
Regarding para. 52, the activity report: the minimum requirements stated in the current draft are considered excessive. It is understood that the aspects mentioned are important; however, even the minimum requirements make it necessary to allocate additional resources to prepare such a detailed report.
Please consider reviewing the text in general in line with the principle of proportionality. The content of the report should be kept to a minimum and should contain only data and information which benefit efficient AML/CFT prevention.
In addition, it needs to be clearly stated that such a report is to be prepared only once a year.
52.1.e in general should be limited to aggregated numbers.
Please specify what is to be understood as “unusual transaction” (52.1.e.i). We understand that these are ex-ante and ex-post alerts.
Please specify what is to be understood as “judicial requests/ subpoenas” (52.1.e.vi).
We understand that “orders requiring the postponement” (52.1.e.vii) entails orders from the competent authority to an obligated entity to not execute a transaction.
Please clarify “number of replies provided to FIU” (52.1.e.viii). SARs are filed with the authority and one might receive a reply; “replies” are not generally provided to the authority. Therefore, the meaning is not clear.
63. Such a training program should include appropriate training workshops or seminars taking into account the tasks performed by the persons concerned and their exposure to ML/TF risks. For this purpose
The organisational structure of some entities might not allow a separate division. To follow the principle of proportionality, the text should be amended:
69. The independent audit function referred to in Article 8(4)(b) of Directive (EU) 2015/849 should not be combined with the AML/CFT compliance function if the organisational set up allows it.
4.2.6 Outsourcing of operational functions of the AML/CFT compliance officer
This Section significantly restricts the possible scope of outsourcing of so-called “strategic decisions”. This concerns, e.g.:
- the validation of the business-wide ML/TF risk assessment,
- the internal organisation of AML/CFT system,
- the adoption and revision of internal AML/CFT policies and procedures,
- the assignment of the risk profile,
- the establishment of criteria to detect unusual transactions and
- the responsibility of reporting of suspicious transactions to the FIU.
In view of the increasingly complex requirements for the prevention of money laundering and terrorist financing through the future Money Laundering Regulation, the Money Laundering Directive, the respective national law, the future technical standards of AMLA as well as the national supervisory authority, it is, however, of considerable importance, especially for smaller and medium-sized credit institutions, to be able to outsource the AML/CFT compliance function as such, or at least individual aspects thereof, as comprehensively as possible to highly specialised and reliable service providers. This is currently done within the framework of contractual agreements and under the full responsibility of the outsourcing credit institution, as well as with the knowledge of the supervisory authority. In doing so, neither the management options of the obliged entities nor the supervision by the supervisory authority are impaired. Therefore, the outsourcing of safeguards to prevent money laundering and terrorist financing has not only proven its worth for more than 20 years but has also led to a constant improvement of the prevention measures, e.g. through overlapping findings within the framework of the multi-client service, which can be used for the prevention measures as a whole. In order to ensure a high quality standard of outsourcing, Art. 40 para. 1 and 3-5 of the draft AML/CFT Regulation already contains detailed requirements, which can be supplemented, if necessary, by a duty to notify the competent supervisory authority of the outsourcing and by a right of the supervisory authority to audit the insourcer.
We therefore urgently call for at least the above-mentioned “strategic decisions”, which are assigned to the money laundering officer, to be removed from the exclusion catalogue, because these can be fulfilled through outsourcing at a very high quality and at the same time efficiently, without this entailing a loss of responsibility or an impairment of money laundering supervision.
Some of the same reflections that are made under number 3 are also relevant here.
In addition, there can be national regulations that prohibit certain types of information from being communicated between a bank and its subsidiaries.
Legal uncertainties are to be avoided and should be clarified (data protection, banking secrecy).
Please refer to our comments regarding the activity report in 4.2; the requirements in 4.3.3, para. 84 would be an addition to the already excessive report.
Please clarify what is to be understood by “business lines” (84.a). We understand that this is the customer segment.
Section 4.3.3, para. 82 a)
With regard to section 4.3.3, firstly on para. 82 a), the role and the specific tasks of the member of the management body at group level or senior manager defined as “responsible for AML/CFT among the senior managers directing the business at group level” is unclear and should be clarified.
Secondly, the tasks of a group AML/CFT compliance officer as listed in para. 84 are excessive. In particular, the task (para. 84 a) to coordinate the drafting and effective implementation by each entity of internal procedures for the ML/TF risk assessment, and the task (para. 84 c) to coordinate the definition of the AML/CFT-related policies and procedures of the different group entities, are excessive.
Instead, in line with acknowledged and well-functioning international market practice, the respective tasks of the group function in paragraphs a) and c) should be reduced to the following:
• set up group standards according to the applicable AML/CFT regulations
• oblige all group entities to implement the group standards and adhere to them (including a procedure for the approval of deviations from group standard)
• perform adequate controls on the effective implementation of the group standards
• define and monitor mitigating actions in case that gaps to the group standard have been identified in group entities
Finally, it should be clarified that the topics of the report listed in para. 85 as a part of the activity report have to be reported only on an annual basis.
In addition, the following mandatory contents of the reports should be reduced or deleted:
“a) Statistics consolidated at group-level, especially on risk exposure and suspicious activities broken down by business lines, geographies and distribution channels”
The requirement that statistics on SARs have to be broken down by business lines, geographies and distribution channels should be deleted.
“b) Sectoral trends of ML/TF risks across subsidiaries and branches, possibly based on the National Risk Assessment and other sources of information; “
It should be sufficient that these risks are considered in the ML/TF risk analysis.
“c) Monitoring of risks, that have occurred in one subsidiary or branch, across other subsidiaries and branches, in a timely fashion before crystallization;”
On an event-driven basis, ad hoc risk-mitigating measures in other group entities might be necessary if risks occur in a subsidiary. Besides that, it should be sufficient that risks occurring in a subsidiary are considered in the consolidated group ML/TF risk analysis, and there is no need to cover this aspect also in the annual report.
The alignment requirement in para. 87 is too indefinite. We refer to the proposed approach with reference to para. 84:
The required alignment should therefore be defined as follows: Local procedures and policies of subsidiaries should have to be in line with the AML/CFT group standards defined by the group AML/CFT compliance officer and any deviations from these group standards should have to be requested from the subsidiary and approved by the group function in advance.
Based on this approach, there is no need for the provision in para. 87 and this provision should therefore be deleted without replacement.