The guidelines do not sufficiently reflect the principles for segregation of duties between the first and second line of defence. As a result, the guidelines create confusion about the roles and responsibilities of the compliance function (second line of defence) and the AML function (first line of defence). The definitions of
- Management body
- Management body in its supervisory function
- Management body in its management function
need to clarify whether or not these are separate bodies.
1. Comments regarding "[…] 4.1.2 Role of the management body in its supervisory function in the AML/CFT framework
12. The management body in its supervisory function should be responsible for setting, approving and overseeing the implementation of an adequate and effective internal governance and internal control framework to ensure compliance with applicable requirements in the context of the prevention of money laundering and terrorism financing (ML/TF). To this end it should possess adequate collective knowledge, skills and experience to be able to understand the ML/TF risks related to the financial sector operator's activities and business model, including the knowledge of the national legal and regulatory framework relating to the prevention of ML/TF.[…]"
If the management body in its supervisory function (hereinafter referred to as the supervisory board) were to be responsible for defining and approving an appropriate internal management and control framework, this would constitute a critical encroachment on the management authority of the management body in its management function (executive board / managing director; hereinafter referred to as the management). In addition, a conflict of interest would arise, since the supervisory board is also supposed to be responsible for monitoring the appropriate internal management and control framework. It would thus ultimately monitor what it itself has previously determined and approved.
Insofar as experience, which is typically acquired only in practice, is required of the members of the supervisory board, we have reservations: experience with the business model of the specific financial service provider is often acquired only after the supervisory board mandate has been taken up. Sufficient knowledge and skills, by contrast, should be available from the start of the mandate or very early on. Sound (theoretical) knowledge should be allowed to compensate for a lack of (practical) experience.
2. Comments regarding "13. In addition to ESAs guidelines on internal governance, as applicable, a financial sector operator’s management body in its supervisory function should perform the following specific AML/CFT tasks:
d) assessing the effective functioning of the AML/CFT compliance function, at least once a year, by assessing, in particular, the adequacy of the human and technical resources allocated to the AML/CFT compliance officer; […]"
The assessment of effective functioning and, in particular, of the adequacy of human and technical resources should be the responsibility of management, which typically uses, and should use, an internal audit review/assessment for this purpose.
3. Comments regarding "4.1.3 Role of the management body in its management function in the AML/CFT framework
16. In relation to internal policies, controls and procedures referred to in Articles 8(3) and 8(4) of Directive (EU) 2015/849, a financial sector operator’s management body in its management function should have the following AML/CFT tasks and responsibilities:[…]
c) approving the AML/CFT compliance officer’s activity report and ensuring its completeness, seriousness and accuracy;
e) where some operational functions of the AML/CFT compliance officer are outsourced, approving the service provider in line with the outsourcing written agreement and with the ESAs guidelines on outsourcing arrangements and ESAs guidelines on Internal Governance, and receiving regular reporting from the service provider to inform the management body."
• Ensuring the completeness and sufficient accuracy of the activity report is not a task of the management but of the money laundering officer himself. It remains unclear what is meant by "seriousness": typically, activity reports are formulated in a binding manner.
• It remains unclear what specifically is meant in e).
In general: The guidelines create confusion about the roles and responsibilities of the compliance function (second line of defence) and the AML function (first line of defence). Several responsibilities described as part of the AML/CFT compliance officer's responsibilities seem to be tasks that today are clearly located in the first line of defence, and for which the senior manager responsible for AML/CFT is responsible, including policies, guidelines, training and, last but not least, transaction monitoring and reporting. At the same time, the guidelines are clear on the principle that the AML/CFT compliance officer should not have responsibility for tasks that this function should monitor and control. The fact that the guidelines state that the AML/CFT compliance officer should be able to have an AML/CFT unit to assist the function complicates this matter further.
The guidelines do not make clear what the relationship between the general compliance function and the AML/CFT compliance function should be. Should the general compliance function monitor the AML/CFT compliance function, given that EBA GL 2021/05 states that the responsibilities of the compliance function include AML/CFT compliance risks? Or are these to be two parallel, completely separate compliance functions within the second line of defence?
1. Comments regarding "4.2.4 Tasks and role of the AML/CFT compliance officer
d. Monitoring compliance
45. The AML/CFT compliance officer should have the responsibility for ongoing monitoring of the implementation of the measures, policies, controls and procedures adopted to ensure the financial sector operator’s compliance with its AML/CFT obligations. The AML/CFT compliance officer should ensure the effectiveness of AML/CFT controls applied by business lines and internal units.[…]"
The money laundering officer cannot ensure the effectiveness of the 1st line controls described. However, he can and must work towards their effectiveness with the instruments at his disposal (control, advice/support, protection, reporting, escalation).
2. Comments regarding "[…]
e. Reporting to the management body
50. The AML/CFT compliance officer should bring to the attention of the member of the management body or the senior manager responsible for AML/CFT:
a) the areas where the operation of AML/CFT controls should be implemented or improved;[…]"
The money laundering officer should (see above) first work towards the introduction, modification or extension of certain 1st line controls and report on this in his activity report. If the 1st line does not follow these findings and recommendations of the money laundering officer, he must escalate to the management.
3. Comments regarding "52. The activity report by the AML/CFT compliance officer should be proportionate to the scale and nature of the activities of the financial sector operator, and contain at least the following information:
1) On ML/TF risk assessment:
e) A structured overview of the work carried out by the AML/CFT compliance officer function in the past year, including information and statistical data on:
i) the nature, number and amount of the unusual transactions detected;
ii) the nature, number and amount of the unusual transactions effectively analysed;
iii) the nature, number and amount of the reports of suspicious transactions or activity to the FIU (distinguished by country of operations);
vi) number of judicial requests/subpoenas received;"
• It is not entirely clear what is meant by "unusual": all anomalies ("hits") generated by a transaction screening system, or only those transactions that are particularly complex, unusually large, follow an unusual transaction pattern or occur without an obvious economic or legal purpose? At least the latter should always be examined, so there should be no difference between i) and ii) in this respect. In most credit institutions, however, there should be no difference between i) and ii) in the case of hits either, since it is usually intended that all hits are examined.
• Comparing the number of "unusual transactions" with the number of suspicious activity reports is counterproductive for money laundering prevention: it fuels the recurring discussion about whether the AML/CFT measures are far too excessive, in that, for example, process optimisers, cost-cutters and internal and external consultants put the low number of suspicious activity reports in relation to the high number of "hits". Typically, there are only a few suspicious activity reports compared to a large number of "hits".
• What is meant in vi): the number of requests for information from (in particular) public prosecutors and tax authorities?
4. Comments regarding "[…] 2) On resources: […]
h) A brief description of the human and technical resources allocated to AML/CFT compliance function by the financial sector operator, and the confirmation that these resources are sufficient or, if that is not the case, an assessment of the additional resources that are deemed necessary to enable the financial sector operator to meet its AML/CFT obligations;"
The preferable approach would be to assign the evaluation of whether resources are sufficient to the internal audit department as a neutral body.
This requirement should primarily be addressed to the FIU and the law enforcement authorities: there, the name of the reporting money laundering officer must be kept confidential; ideally, the name of the reporting money laundering officer or his employee is not recorded at all.
6. Comments regarding "63. Such training program should include appropriate training workshops or seminars taking into account the tasks performed by the persons concerned and their exposure to ML/TF risks. For this purpose, the AML/CFT compliance officer prepares and implements, in cooperation with the human resources department of the financial sector operator, an annual plan of training and education of staff. This annual plan of training and education, as well as its realization, should be documented in writing and be referred to in the activity report to the management body as per paragraph 52. […]"
The AML/CFT compliance officer does not necessarily have to train the staff himself, but can also delegate this to another body. This should be made clear.
7. Comments regarding "4.2.6 Outsourcing of operational functions of the AML/CFT compliance officer
74. Strategic decisions in relation to AML/CFT should not be outsourced, in particular the following operational functions should not be outsourced (except for certain types of financial sector operators, i.e. collective investment funds, the AML/CFT compliance function is outsourced as such and not only the operation part of it since these entities have at a maximum a board or management in place and thus outsourcing will be beyond operational tasks);
a) the validation of the business-wide ML/TF risk assessment;
b) the internal organisation of AML/CFT system;
c) the adoption and revision of internal AML/CFT policies and procedures;
d) the approval of the methodology for individual risk assessment, the entry into the business relationship and the assignment of the risk profile;
e) the establishment of criteria to detect unusual transactions;
f) the responsibility of reporting of suspicious transactions to the FIU;
g) accepting high-risk customers; and
h) any other decisions which, according to their nature, should be made within financial sector operator."
Section 4.2.6 limits the scope of outsourcing and significantly restricts the possible outsourcing of so-called "strategic decisions". This concerns, for example:
- the validation of the business-wide ML/TF risk assessment,
- the internal organisation of AML/CFT system,
- the adoption and revision of internal AML/CFT policies and procedures,
- the assignment of the risk profile,
- the establishment of criteria to detect unusual transactions and
- the responsibility of reporting of suspicious transactions to the FIU.
In our understanding, EBA guidance may not constitute new legal requirements. Outsourcing is legally permitted; therefore it is not for the EBA to limit outsourcing with regard to certain tasks, nor to define outsourcing preconditions.
In view of the increasingly complex requirements for the prevention of money laundering and terrorist financing arising from the future Money Laundering Regulation, the Money Laundering Directive, the respective national law, the future technical standards of AMLA and the national supervisory authority, it is, however, of considerable importance, especially for smaller and medium-sized credit institutions, to be able to outsource the AML/CFT compliance function as such, or at least individual aspects of it, as comprehensively as possible to highly specialised and reliable service providers. This is currently done within the framework of contractual agreements, under the full responsibility of the outsourcing credit institution and with the knowledge of the supervisory authority. In doing so, neither the management options of the obliged entities nor the supervision by the supervisory authority are impaired. The outsourcing of safeguards to prevent money laundering and terrorist financing has therefore not only proven its worth for more than 20 years, but has also led to a constant improvement of the prevention measures, e.g. through overlapping findings within the framework of multi-client services, which can be used for the prevention measures as a whole. In order to ensure a high quality standard of outsourcing, Art. 40 para. 1 and 3 - 5 of the draft AML/CFT Regulation already contains detailed requirements, which can be supplemented, if necessary, by a duty to notify the competent supervisory authority of the outsourcing and by a right of the supervisory authority to audit the insourcer.
We therefore urgently call for at least the above-mentioned "strategic decisions", which are assigned to the money laundering officer, to be removed from the exclusion catalogue, because they can be performed through outsourcing to a very high standard and, at the same time, efficiently, without any loss of responsibility or impairment of money laundering supervision.
In order to enable small and medium-sized banks to continue to provide high-quality money laundering prevention in the future, it is essential to allow the outsourcing of the function of the money laundering officer in its entirety.
8. Comments regarding "76. Outsourcing within a group should be subject to the same provisions as outsourcing to an external service provider. Financial sector operators making use of intragroup outsourcing should in particular take the measures necessary to identify and manage any conflicts of interest that could arise from such an outsourcing agreement. The parent entity of the group should:[…]"
What is meant by "same provisions"? Are the provisions of No. 75 meant? If so, this would lead to the following scenario: the Compliance Officer of a subsidiary that outsources its compliance functions to the parent company would have to control the parent company and monitor its performance (see No. 75 lit. c of the Guidelines). In cases in which the Compliance Officer of the parent company is also the Compliance Officer of the subsidiary, and the subsidiary outsources its compliance functions to the parent company, the Compliance Officer would have to control himself and monitor his own performance; this would not make any sense. Would it even be possible for the Compliance Officer of the parent company to be at the same time the Compliance Officer of the subsidiary?
Some of the same reflections made under number 3 are also relevant here. In addition, there may be national regulations that prohibit certain types of information from being communicated between a bank and its subsidiaries.