Section 4.1.4 – Identification of the management body responsible for AML/CFT
Article 46(4) of AMLD4 permits Member States to require firms to appoint a member of the management body who will be responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with AMLD4. Both Article 46(4) and Paragraph 4.1.4 indicate that this would need to be a member of the highest decision-making body within a firm. For example, for most companies or incorporated entities, this would be the board of directors. However, in some Member States the transposition of Article 46(4) into national law only requires firms to appoint a member of senior management to this role, which means that the person does not necessarily need to be a board member.
While the Guidelines do not refer to any specific type of management body, it would be helpful if the Guidelines could clarify whether the person referred to in Section 4.1.4 must be a member of the board or the highest decision-making body in the firm, i.e., whether the Guidelines are effectively saying that this must be a board member.
In our view, firms should have some flexibility as to the level of the appointment so long as the person is sufficiently senior within the firm. For example, the Head of Compliance should be able to fulfil this role without needing to be a member of the board of directors. Clarity in this area is important as Section 4.1.6 of the Guidelines imposes several significant responsibilities on the relevant person. In our view, those responsibilities would be more effectively carried out by a full-time member of senior management rather than a member of the board.
Section 4.2.1 - Appointment of the AML/CFT compliance officer
We note that Section 4.2.1 refers to the compliance officer appointed under Article 8(4)(a) of AMLD4. We assume that this only applies to the extent that firms are required by the local financial supervisors to appoint a compliance officer under national law. We also assume that the guidelines on the role of the compliance officer only apply to compliance officers appointed pursuant to Article 8(4)(a), and that they do not apply to other compliance officer-type roles within a firm, in particular, persons appointed as central contact points for AML/CFT purposes under AMLD4. The role of the central contact point is already prescribed in separate Regulatory Technical Standards issued by the Commission. It would be helpful for the EBA to provide clarity on the above points.
Paragraph 27 indicates that the compliance officer should normally be located and work in the country of establishment of the financial sector operator. Following the Covid-19 pandemic, firms and regulators have adapted to new ways of working, including remote working. It is arguable that both firms and regulators have adapted effectively to working in a remote environment, including in the context of regulatory engagement between firms and regulators. In our view, firms should be allowed more flexibility in terms of the location of the compliance officer to reflect changes in working practices.
Section 4.2.2 - Tasks and role of the AML/CFT compliance officer
Paragraph 52 refers to the preparation of an activity report by the compliance officer which will be prepared on at least an annual basis and will be provided to the management body and the member of the management body responsible for AML/CFT. Paragraph 52 sets out in more detail the information to be included in that activity report. In practice, many firms already report this information to senior management during the year on a staggered basis. This allows senior management, in particular the board of directors, more time and capacity to consider the relevant information in greater detail. In our view, consolidating all this information in a single report may be counter-productive to the aim of ensuring that senior management have full visibility over all of the AML/CFT activities of the relevant firm. For example, for some firms the presentation of the annual risk assessment requires the presentation of a significant amount of information to the board of directors, and this information may be best reviewed by the board where presented on a standalone basis. While we accept that the management body should receive all the information referred to in Paragraph 52, firms should have the flexibility to stagger presentation of this information during the course of the year. To the extent that an annual activity report is required, this should be a higher-level summary of the activities carried out during the year, rather than a more detailed report.
Section 4.2.6 - Outsourcing of operational functions of the AML/CFT compliance officer
Section 4.2.6 seeks to limit the ability of firms to outsource certain operational functions relating to AML/CFT compliance. Paragraph 74 provides that “Strategic decisions in relation to AML/CFT should not be outsourced, in particular the following operational functions should not be outsourced” and goes on to list a range of AML/CFT compliance activities.
We accept that firms should remain ultimately responsible for all elements of compliance with the AML/CFT requirements, and that firms should ultimately have oversight and approval of all policies, procedures and controls put in place to ensure compliance. However, we feel that Paragraph 74 is potentially too restrictive in terms of outsourcing operational functions. This is particularly relevant to financial service providers that operate through a group and apply global AML/CFT compliance programs or rely on affiliates to help apply AML/CFT controls. Firms should have more flexibility to outsource the operational elements of AML/CFT compliance (especially in group settings) while ultimately retaining responsibility for the oversight of those activities. The EBA should take into consideration that the use of shared services within a group can have positive benefits in terms of compliance as it can act as a center of excellence/expertise within a group. It is also worth noting (as acknowledged at Paragraph 73) that many regulated entities are subject to detailed outsourcing obligations (for example, the EBA Guidelines on Outsourcing), and are therefore required to have in place robust frameworks to oversee outsourced activities which should address many of the concerns around accountability for AML compliance.