EFAMA welcomes the proportionality-based approach adopted by the Draft Guidelines with respect to the carrying out of compliance functions. As highlighted in the Executive Summary to the EBA’s consultation document on the Draft Guidelines (at Para 4), it is necessary to ensure that the rules are applied, “in a manner that is effective and proportionate to the financial sector operator’s type, size, internal organization, the nature, scope and complexity of its activities and the ML/TF risks to which the financial sector operator is exposed.”
Given the wide variety of financial sector operators encompassed by the rules, a proportionality-based approach tailored to the specificities of the entity in question ensures that the resources of smaller and lower-risk entities are not unnecessarily strained in circumstances unlikely to have a tangible impact in preventing ML/TF.
EFAMA also supports the approach of the Draft Guidelines (at Para 21) in having a member of the management body, or the senior manager, coordinate the implementation of the AML/CFT laws, regulations and administrative provisions, while importantly maintaining the collective responsibility of the management body. While it is logistically useful for a single individual to act as a general lead and point of contact for AML/CFT matters, it is imperative that collective responsibility remain with the management body given the “collective knowledge, skills and experience to be able to understand the ML/TF risks related to the financial sector operator’s activities and business model” (highlighted at Para 12). For this reason, the involvement of all members of the management body is necessary to ensure an effective first line of defence.
We would point out that Articles 9(1) and (2) of the new draft AML Regulation proposed by the European Commission on 20 July 2021 do not expressly reference the collective responsibility of the management body. As such, the reference to collective responsibility of the management body within the Draft Guidelines will provide welcome clarification on this point.
We also welcome the collective responsibility approach as being a more proportionate approach for smaller entities which may not have appropriately skilled and experienced personnel within their ranks to assume sole responsibility of the relevant functions.
We note with approval the measures to ensure the independence of the compliance officer at Para 30, and suggest that similar guidance be set out to ensure the independence of the member of the management body/senior manager. While the member of the management body/senior manager will necessarily occupy a senior position, it cannot be taken for granted that every organisational structure will by default ensure the independence of this individual and we would emphasise that it is necessary to ensure that that individual is not, for example, in a position subordinate to a person who has responsibility for managing any of the activities that he/she monitors.
EFAMA welcomes and agrees with the recognition given to the nature of the collective investment sector in the context of its guidance with respect to compliance officers acting on behalf of two or more entities not from within the same group (at Para 34). Equally, EFAMA agrees with the similar recognition given to the unique structure of collective investment funds in the context of outsourcing of functions of the compliance officer (at Para 74). Governance arrangements are unique to each individual firm, influenced by sectoral and international business structures as well as the firm’s nature, scale and complexity. In particular, sectors such as the collective investment sector may be characterised by different legal entities, potentially in different jurisdictions, performing AML/CFT duties. As such, the roles and responsibilities within the Draft Guidelines may in practice be performed by separate entities including delegated service providers. The recognition of such sectoral specificities, as noted at Paras 34 and 74, may be furthered by the inclusion of a general principle that the obligations can be contextualised by a firm’s existing governance arrangements.
We would welcome a clarification in the Draft Guidelines as regards the ability to outsource the tasks of the compliance officer outside of the group. While this may be implicit from the text, an express clarification is necessary in light of the ambiguity in Article 9(3) of the Draft AML Regulation which provides that “[a]n obliged entity that is part of a group may appoint as its compliance officer an individual who performs that function in another entity within that group.” We believe that permitting the functions of the compliance officer to be performed by a suitable individual outside of the group would represent a more proportionate approach for smaller entities which may not have sufficiently skilled and experienced personnel to carry out this function.
We would also seek clarity as to whether the prohibition on outsourcing strategic decisions (at Para 74) applies to internal outsourcing within a group as well as outsourcing outside of the group. If this is the case, it would run contrary to Article 9(3) of the Draft AML Regulation, cited above, which permits the entire function of the compliance officer to be outsourced to another intra-group entity. In addition, where outsourcing of the compliance officer’s tasks within a group is subject to all of the ‘same provisions’ as outsourcing to an external service provider (as per Para 76), this may lead to some confusion where, for instance, functions of a subsidiary are outsourced to that of a parent. In this example, Para 75(c) would require the compliance officer of the subsidiary to monitor the performance of the parent entity, while Para 86, for example, requires the compliance officer of a subsidiary to directly report to the Group compliance officer as appointed by the parent entity.
EFAMA would also highlight potential inconsistencies between existing national rules on the non-disclosure obligations (outlined in Para 56). Specifically, certain national FIU reporting systems make visible the names of the individuals who wrote and approved the SAR. Also, certain national laws, such as the Interpretation and Application Guidance issued by BaFin in relation to the German Anti-Money Laundering Act, require the compliance officer to inform the individual who filed the SAR internally as to whether an SAR is filed with the FIU.
As regards the training to be provided by the compliance officer (Para 57), we would query whether the term ‘right ethical approach’ is a reference to a harmonised standard or whether this is a matter for interpretation by each financial sector operator.
We would also note a measure of ambiguity in the wording of the tasks and role of the compliance officer as regards the responsibility for AML/CFT policies and procedures. The compliance officer is tasked with assessing the effectiveness of policies and procedures, with responsibility for their implementation lying with the management body (per Paras 16 and 22). However, the current wording makes the compliance officer responsible for items such as ensuring policies and procedures “are put in place, maintained and implemented effectively” (Para 41) and to “ensure the effectiveness of AML/CFT controls” (Para 45). Clarification would be welcome that the role of the compliance officer is to assess effectiveness, while the management body remains responsible for ensuring implementation.
The Draft Guidelines set out the minimum tasks to be carried out by the management body of the parent financial sector operator (Para 80). However, it is unclear how this is to be applied in the case of groups where the ultimate parent entity is not located in an EU member state. We would welcome further clarity on this point.