In marginal number 7, the scope of application is defined with reference to national company laws. The word „law“ seems to be missing.
The draft Guidelines distinguish between the „management body in its supervisory function“ and the „management body in its management function“. In section 4.1.1, marginal number 11 initially refers to Article 8(5) of Directive (EU) 2015/849 in order to describe the understanding of the term „management body“ in accordance with the AMLD5. Here it must be noted that Article 8(5) of Directive (EU) 2015/849 refers to the „senior management“.
Furthermore, in its rationale, the consultation paper in marginal number 19 sets out that the Guidelines also aim at specifying the tasks and role of the member of the management board or senior manager responsible for AML/CFT as referred to in Article 46(4) of Directive (EU) 2015/849.
As a definition for the implementation of the whole AMLD5, Art. 3 point 12 of Directive (EU) 2015/849 defines ‘senior management’ and, most importantly, sets out that the senior management need not, in all cases, be a member of the board of directors. The board of directors should be the same as the management board in Article 46(4) of Directive (EU) 2015/849.
To sum up, the draft Guidelines elaborate on a distinction between the „management body in its supervisory function“ and the „management body in its management function“ and refer, for the purposes of the contents of the Guidelines, to AMLD5. In AMLD5, however, there is a distinction between „senior management“ and „board of directors“/„management board“ that does not seem to be taken into account for the purposes of the Guidelines. Especially as the distinction between „senior management“ and „board of directors“/„management board“ is reflected in national transposition measures of AMLD5 (laws, administrative practice), the Guidelines should at least incorporate a clarifying section on how their two-fold term of management body fits into the AMLD5 structure of „senior management“ and „board of directors“/„management board“. This needs to be set out in a clear and unmistakable manner because the roles, distributed competencies and responsibilities that are described in the Guidelines are also subject to audits on the side of the obliged entities.
With regard to section 4.2.1, marginal number 27 sets out that the AML/CFT compliance officer should normally be located and work in the country of establishment of the financial sector operator. In this regard, the Guidelines should clarify that „located“ should be understood in terms of the organisational set-up of the obliged entity. This should not be mistaken for a rule that the AML/CFT compliance officer should not only work in the country of establishment but should also actually live there, as this could be seen as incompatible with the EU freedom of movement for workers.
Section 4.2.6 contains specific requirements on outsourcing of operational functions of the AML/CFT compliance officer that shall also be implemented in the supervisory and administrative practices of the national competent authorities (NCAs). At the core of the new AML/CFT outsourcing provisions of EBA, marginal number 74 sets out a general outsourcing prohibition for strategic decisions in relation to AML/CFT, and furthermore specifies several operational functions that should not be outsourced. Although the following list of operational functions is mostly in line, or at least comparable, with the outsourcing restrictions as foreseen in the upcoming EU AML Regulation (cf. Art. 40 para. 2 sent. 2 AMLR draft), it must be observed that the currently valid AMLD5 does not provide such concrete outsourcing restrictions (cf. Art. 29 of Directive (EU) 2015/849). Therefore, it should be clarified in the Guidelines that „should not outsource“ does not represent an outsourcing prohibition of the strategic decisions in relation to AML/CFT in general and of the enumerated operational functions in particular, and should instead be seen as a recommendation. The Guidelines (Level 3) shall not forestall not yet adopted future legislation in the form of the upcoming AML Regulation (Level 1).
Furthermore, marginal number 76 in the same section sets out that outsourcing within a group should be subject to the same provisions as outsourcing to an external service provider. Instead of the term „provisions“, marginal number 76 should use the term „requirements“. If intragroup outsourcing takes place to other entities within the group that are obliged according to the EU AMLD, at least in this case it should be taken into account that obliged entities fulfil the requirements of equivalent AML/CFT measures.
Additionally, in the last sentence of marginal number 76, requirements for parent entities in the context of outsourcing relations with other group entities are laid down. In this regard, lit. b only refers to subsidiaries. In light of the understanding of group structures in the following section 4.3 of the Guidelines, branches in other Member States (or third countries) are also mentioned. As branches in other Member States are also obliged entities under national AML/CFT law, national supervisors may also tend to classify the reliance of a branch on the functions/capabilities of its headquarters in another Member State as outsourcing. In this regard, it should be clarified that, in the understanding of the Guidelines, the reliance of a branch on the functions/capabilities of its headquarters in another Member State is not to be seen as outsourcing, as marginal number 76 does not encompass this.
Section 4.3.2 describes the role of the management body for AML/CFT at group level. In this regard, it should be clarified that the parent financial sector operator must be an obliged entity itself. The section should not apply to parent entities that are or will be formed as intermediate parent undertakings (IPU) according to the CRD.