We welcome the incorporation of certain CRD (Directive 2013/36/EU, as amended) definitions within the draft guidelines.
We note, however, that it would be appropriate to include the definition of “senior management”, which is crucial for an adequate understanding of the guidelines’ provisions. The definition would read as follows:
'senior management' means those natural persons who exercise executive functions within an institution and who are responsible, and accountable to the management body, for the day-to-day management of the institution;
Additionally, we understand that the proposed definition of “management body in its management function” is inadequate and should be deleted. First and foremost, it does not derive from the CRD, unlike the other definitions. More importantly, it is imprecise, given that the day-to-day management of the entity (institution, in the wording of the CRD) is a function of the senior management, as explained above.
In one-tier systems, there exists no ad hoc “management body” for day-to-day management. As correctly envisaged in the EBA Guidelines on internal governance:
In Member States where the management body delegates, partially or fully, the executive function to a person or an internal executive body (e.g., a chief executive officer (CEO), management team or executive committee), the persons who perform those executive functions and direct the business of the institution on the basis of that delegation should be understood as constituting the management function of the management body. For the purposes of these guidelines, any reference to the management body in its management function should be understood as including also the members of the executive body or the CEO, as defined in these guidelines, even if they have not been proposed or appointed as formal members of the institution’s governing body or bodies under national law.
The management body is empowered to set the institution’s strategy, objectives and overall direction, and oversees and monitors management decision-making. The management body in its management function directs the institution. Senior management is accountable to the management body for the day-to-day running of the institution. The management body in its supervisory function oversees and challenges the management function and provides appropriate advice. The oversight roles include reviewing the performance of the management function and the achievement of objectives, challenging the strategy, and monitoring and scrutinising the systems that ensure the integrity of financial information as well as the soundness and effectiveness of risk management and internal controls.
Prior to that, the EBA Guidelines on internal governance rightly acknowledge that:
The guidelines are intended to apply to all existing board structures without interfering with the general allocation of competences in accordance with national company law or advocating any particular structure. Accordingly, they should be applied irrespective of the board structure used (a unitary and/or a dual board structure and/or another structure) across Member States. The management body, as defined in Points (7) and (8) of Article 3(1) of Directive 2013/36/EU, should be understood as having management (executive) and supervisory (non-executive) functions.
The terms ‘management body in its management function’ and ‘management body in its supervisory function’ are used throughout these guidelines without referring to any specific governance structure, and references to the management (executive) or supervisory (non-executive) function should be understood as applying to the bodies or members of the management body responsible for that function in accordance with national law.
The same acknowledgement is embedded in the level 1 text (CRD), which rightly regulates institutions’ corporate governance obligations on the basis of the recognition that a management body is attributed both executive and supervisory functions, notwithstanding the natural person(s) or body in charge of carrying them out on a daily basis.
This is best explained in paragraphs 55 and 56 of the preamble:
“Different governance structures are used across Member States. In most cases a unitary or a dual board structure is used. The definitions used in this Directive are intended to embrace all existing structures without advocating any particular structure. They are purely functional for the purpose of setting out rules aimed at a particular outcome irrespective of the national company law applicable to an institution in each Member State. The definitions should therefore not interfere with the general allocation of competences in accordance with national company law.
[...] A management body should be understood to have executive and supervisory functions”.
In accordance with the foregoing, and in accordance with the EBA’s role of harmonizing the regulatory framework, we kindly request that these draft guidelines are revised and aligned with the EBA Guidelines on internal governance.
1. Comments regarding the role and responsibilities of the management body
We welcome the EBA’s efforts to achieve a common understanding by competent authorities and financial sector operators of the role and responsibilities relating to AML/CTF, including within the management body.
However, we would like to highlight the importance of duly taking into account that different corporate governance models and, especially, different management body structures, result in the need for the draft Guideline to incorporate due flexibility, in order for it to be adequately implemented in all Member States and across all obliged entities.
In this sense, the comments hereunder bring forward some key implementing difficulties that would arise should the draft Guidelines be left as they currently stand. They focus on the specificities applicable to credit institutions which are, at the same time, listed companies, given that their management bodies, in accordance with applicable laws, have to adopt the form of a board of directors.
The comments are followed by an amendment proposal.
● Regarding the allocation of responsibilities individually to members of the management body
In one-tier systems, company law conceives the management body (board of directors) as one unique and inseparable body through which both management and supervisory functions are performed. All the members of the board imperatively perform all the functions assigned to it as they are all, collectively, part of the decision-making process, and they all have the same rights and responsibilities; they are all under the same liability regime, for they act as one single collegial body.
The allocation of different responsibilities to different board members is thus inadequate for one-tier systems, given that no efficient or real separation of responsibilities can be implemented where company law conceives the board as one unique and inseparable body through which all functions are performed.
Roles within the board are primarily attributed for the enhancement of checks and balances, as well as to ensure optimum supervision and control and an adequate running of the institution, but decisions within a collegial body carry no tags as to the types of members who adopted them.
In this sense, one could highlight the importance of the creation of specialised support structures (board committees) within the board and composed of board members, specifically charged with direct supervisory and control functions, as warranted by the significance and variety of the supervision and control functions lodged with the board of directors. Committees are thus charged with the in-depth and comprehensive supervision and control of matters for which the board is ultimately responsible (i.e., general supervision of the institution). The performance of these functions does not, however, entail an ad hoc responsibility regime, which remains with the body as a whole and all of its members jointly and severally.
The Guidelines’ wording should thus be adapted to avoid assuming that, when a management body exists, there will be an individual member of the management body responsible for AML/CTF.
An example of the recognition that such allocation of responsibilities is inadequate in one-tier systems can be found in Member States’ transposition of article 46 of Directive (EU) 2015/849, which reads:
4. Member States shall require that, where applicable, obliged entities identify the member of the management board who is responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with this Directive.
The Directive’s wording “where applicable” is key to the issue at hand, for it has allowed Member States to embrace the obligation in accordance with national corporate law. By way of example, it has allowed Member States to transpose the Directive attributing that role to a member of the senior management, given that they are the persons/team responsible for the day-to-day management of the institution and, consequently, the persons fit for taking on direct responsibilities for the different key matters that comprise the management of the institution (including AML/CTF compliance responsibilities).
The same flexibility is needed within the Guidelines, in order for them to be implemented in accordance with the different board structures.
● Regarding the allocation of responsibilities specifically to the management body when they already rest with an independent senior manager
In line with what has been put forward under the previous section, the fact that the Guidelines expect institutions to allocate AML/CTF responsibilities to a member of the management body would be hard to implement in institutions where such responsibility lies with a member of the senior management, especially when prior regulations at the EU level, specifically those applicable to credit institutions, have focused on the importance of delineating a second line of defence independent from the first line of defence, and with direct access to the management bodies.
The EBA Guidelines on internal governance, recently updated, provide a good example of the foregoing. Paras. 172-173 read:
177 Heads of internal control functions should be established at an adequate hierarchical level that provides the head of the control function with the appropriate authority and stature needed to fulfil his or her responsibilities. Notwithstanding the overall responsibility of the management body, heads of internal control functions should be independent of the business lines or units they control. To this end, the heads of the risk management, compliance and internal audit functions should report and be directly accountable to the management body, and their performance should be reviewed by the management body [...]
173. Where necessary, the heads of internal control functions should be able to have access and report directly to the management body in its supervisory function to raise concerns and warn the supervisory function, where appropriate, when specific developments affect or may affect the institution. This should not prevent the heads of internal control functions from reporting within the regular reporting lines as well.
Prior to that, the Guidelines specifically allocate AML/CTF responsibilities to the Head of Compliance (or a specific Head of AML/CTF), i.e., to the independent control function. Para. 171 reads, in this sense:
171. Without prejudice to national law implementing Directive 2015/849/EU, institutions should assign the responsibility for ensuring the institution’s compliance with the requirements of that directive and the institution’s policies and procedures to a staff member (e.g. head of compliance). Institutions may establish a separate AML/TF compliance function as an independent control function. The person responsible for AML/CTF should, where necessary, be able to directly report to the management body in its management and its supervisory function.
The independence of internal control functions and their accountability to the management body regarding, precisely, issues such as AML/CTF risk and compliance was a major breakthrough in the 2017 amendment and has driven major organizational reforms within institutions. It is thus hard to see the rationale behind a new accountability regime, specific to AML/CTF issues, where the responsibility would lie with a director instead of with the corresponding internal control head, accountable directly to the management body as a whole (as mandated by the Guidelines).
It follows from the above comments that the allocation of AML responsibilities to an executive board member might be more easily reconciled in dual-board systems, where the person responsible for AML/CTF could be a member of the management board accountable to the supervisory board. In one-tier systems, however, it would entail assigning that responsibility, quite likely, to the CEO, who is in many instances the sole executive member within the board “effectively directing the institution”. That would put into question the independence and accountability framework from internal control functions to the management body in its supervisory function which is envisaged in the Guidelines, particularly the paragraphs cited above.
The EBA’s proposal provides no rationale or reasoning underlying the proposed allocation of responsibilities, which should be amended in order for them to be duly implemented.
In line with the above, we kindly request the EBA to revise the following sections/paragraphs of the draft guidelines:
● Para. 6 of the background section: the paragraph omits the words “where applicable” included in article 46, which are the key to due implementation of this provision in one-tier systems and, therefore, should be included.
● Para. 11 of the background section: the wording “where no management body exists” should be deleted, in accordance with the explanation provided above.
● Para. 17 of the background section: the wording “where no management body exists” should be deleted, in accordance with the explanation provided above.
● Para. 19 of the background section: the wording should be clarified in relation to those entities where the AML/CTF compliance officer is, in time, the senior manager responsible for reporting/raising concerns to the management body and ensuring that management body recommendations are implemented.
● Section 4.1.4: the wording “the member of the management body” should be completed by “the member of the management or senior management, as applicable”.
● Section 4.1.5: “where no management body is in place” should be eliminated.
● Section 4.1.6:
○ Para. 22b): “ensuring that the management body has taken” should be replaced by “ensuring that the senior management has taken”.
In line with the explanation put forward above, in one-tier systems, it is not within the scope of the management body’s functions to implement the institution's policies, procedures, etc., but to supervise/monitor the implementation carried out by the senior management.
Alternatively, the EBA could adopt the wording envisaged under letter d), which attributes the function to “the management body in its management function, where it exists”, thereby acknowledging that management bodies are not necessarily composed of a management board and a supervisory board.