National association of insurance companies - ANIA
The consultation paper provides for requirements and responsibilities belonging respectively to the “management body”, the management body in its supervisory function, the management body in its management function.
The above functions and responsibilities need to be adapted to the specific features of the different corporate governance systems in the EU Members States.
Considering the different governance systems in place in some EU countries, the terminology used in the Consultation paper may be better clarified. In particular, we suggest to include examples based on the most common legal entity types in the European Union. This would be appreciated especially for the term “Board of Directors” which is used in Directive (EU) 2015/849 but it is not used in the Consultation Paper.
4.1.1 Approval of the policies, controls and procedures
11.The Article 8(5) of Directive (EU) 2015/849 states that Member States shall require obliged entities to obtain approval from their senior management for the policies, controls and procedures that they put in place and to monitor and enhance the measures taken, where appropriate.
As per the IV Directive ‘senior management’ means an officer or employee with sufficient knowledge of the institution's money laundering and terrorist financing risk exposure and sufficient seniority to take decisions affecting its risk exposure, and need not, in all cases, be a member of the board of directors.
Otherwise, the point 11 of the Guidelines states that where a management body exists, AML/CFT policies, controls and procedures should be approved by management body in accordance with Article 8(5) of Directive (EU) 2015/849. This does not seem coherent to the Directive.
We would propose that the AML/CTF Policy is approved by the Board of Directors (Management Board in its supervisory function, depending on the governance system in place), while the AML/CTF procedures (more operational and granular documents than the AML/CTF policy) and AML/CTF controls are to be approved by a senior manager as defined by IV AML Directive (like the AML Officer) or the Compliance Manager as defined by the Consultation paper. This is mainly because the senior manager has that knowledge of the ML/TF risks which places him as the right person to approve operational guidelines and controls to prevent ML/TF risk.
4.1.2 Role of the management body in its supervisory function in the AML/CFT framework
The management body in its supervisory function shall establish the strategies governing the AML/CFT framework and overseeing the implementation. We propose the following change to reinforce this responsibility: with reference to the point 13 subsection a., we propose to integrate the wording as follows: “being informed of the results of the business-wide ML/TF risk assessment and taking them into consideration in order to require actions to ensure that internal governance and internal control framework are adequate and effective”.
In addition, to apply effectively the point 12 and considering the one-tier governance model adopted by many financial institutions, we propose to assign to the management body in its supervisory function the task as per article 16c for management function (“approving the AML/CFT compliance officer’s activity report and ensuring its completeness, seriousness and accuracy”).
4.1.4 Identification of the member of the management body responsible for AML/CFT
The consultation paper foresees a role assigned to a member of the management body, responsible of specific activities referring to the AML/CFT risks, among which ensuring that the AML/CFT policies procedures and measures are adequate and the entire management body is provided with comprehensive information on data on AML/CFT risks (Section 4.1.6, paragraph 22).
The consultation paper also highlights the role of the management body in its management function with regard to the implementation of the AML/CFT policies and procedures.
In financial institutions with a one-tier governance model, the management function as described in the consultation paper is typically leaded by a single board member such as the Managing Director or the CEO, who is generally an executive member of the Board. The requirements for the selection and appointment of the member of the management body responsible for AML/CFT could be more detailed.
4.2.4 Tasks and role of the AML/CFT compliance officer
As AML/CFT compliance officer is placed within the second line of defense, and? the word “ensure” is used also for other roles, we propose to amend the point 41 as follows:
“The AML/CFT compliance officer should control and assess that adequate policies and procedures are put in place, maintained and implemented effectively […]”.
This may better clarify the allocation of different responsibilities and improve the accountability among the various functions.
Equally, considering that point 16b assigns the responsibility for implementing the internal AML/CFT policies and procedures to the management body in its management function, we propose to amend point 41b as follows:
“control and assess that AML/CFT policies and procedures have been implemented effectively”.
Moreover, in relation to the power of approving high risk business relationships, we propose to keep the ultimate decision only within the first line of defense, consistently with the financial institution delegation of powers, however applying when necessary an escalation process within an higher level in the operative functions. For these cases (i.e., approvals of relationship with high risk customers), the AML Officer shall advise senior management accordingly, therefore we propose to amend point 44 as follows:
“The AML/CFT compliance officer should exercise an advisory role before a final decision is taken by senior management (or their delegates) on onboarding new high risk customers or re-classifying existing customers into the high risk category". (TO BE DELETED: unless the power to approve the establishment of such relationships is entrusted directly to the AML/CFT compliance officer)
Finally, we propose to amend point 45 as follows:
“The AML/CFT compliance officer should have the responsibility for ongoing monitoring of the implementation of the measures, policies, controls and procedures adopted to control and assess that the financial sector operator’s complies with its AML/CFT obligations. The AML/CFT compliance officer should ensure the effectiveness of AML/CFT controls applied by business lines and internal units”
Consistently, to apply the same principle also for the Groups, we propose to amend article 84c as follows:
“In this respect, the Group AML/CFT compliance officer should control and assess that local policies and procedures not only guarantee compliance with the AML/CFT legislations and regulations applicable to each entity of the group individually, but also aim, more broadly, to identify, control and reduce local ML/TF risks in a manner consistent with the principles applicable in this respect throughout the group”.
4.3.3 Organisational requirements at group level
In order to reinforce the authority of the Group AML/CFT compliance officer, we would propose to amend the article 86 as follows
“The AML/CFT compliance officer of a subsidiary or branch should have a direct reporting line with the Group AML/CFT compliance officer”. (TO BE DELETED: "for communication")
Consistently with this, we propose to amend article 27 as follows:
“The AML/CFT compliance officer should normally be located and work in the country of establishment of the financial sector operator and is in charge of coordinating the activities performed by the AML/CFT compliance officer of the foreign branches and subsidiaries”.
We take the opportunity to thank you in advance for allowing us to join this consultation and we remain available for any information you may require.
National association of insurance companies - ANIA