EFI welcomes the opportunity to contribute to this consultation given that clear guidance for competent authorities is critical to achieving consistency across jurisdictions, thereby strengthening AML/CFT defences.
In our experience, given the dynamic regulatory risk environment faced by the financial sector, reviewing and refreshing the importance of the various AML/CFT compliance roles, responsibilities, and accountabilities is helpful.
It is considered helpful, in definitions, to separate the responsibilities within the management body that are attributable to the supervisory and management functions. This separation of responsibilities helps firms to build a robust and risk focussed governance framework.
Role of the management body in its supervisory function in the AML/CFT framework
It is essential that firms’ governance frameworks are robust and risk focussed such that compliance issues are identified and articulated on a timely basis, with any remedial activity prioritised in accordance with the risk assessment. The additional guidance is helpful to the regulated sector and contributes to the AML/CFT risk-based approach, in particular:
4.1.2 13 (a)
Ensuring that the AML/CFT risk assessment is separately communicated to the management body, and not simply subsumed within a general Risk Management Assessment, should ensure that AML/CFT risks are known and understood.
4.1.2 13 (b)
Responsibility to ensure that the AML/CFT policies and procedures are adequate and effective and that any remedial activities are deployed on a risk assessed basis helps to articulate the importance of the AML/CFT Compliance Officer’s activities.
4.1.2 13 (c)
It is helpful in strengthening AML/CFT defences to introduce a specific requirement to review periodically (at least annually) on a risk assessed basis the AML/CFT activity report of the AML/CFT Compliance Officer.
4.1.2 13 (d)
The clarification of AML/CFT regulatory expectation is helpful regarding the assessment of the AML/CFT function. There are jurisdictional differences that competent authorities will need to navigate, dovetailing AML/CFT compliance requirements with other similar regimes locally implemented. For example, in the UK, the Senior Managers and Certification regime requires senior managers considered to be performing key roles within a firm to receive PRA or FCA approval before starting their roles. Each senior manager has a statement of responsibilities that clearly says what they are responsible and accountable for. Persons responsible for AML compliance currently fall within this senior manager regime.
EFI considers it helpful to reiterate in guidance the types of evidence expected to support completion of the above actions.
Suitability, skills and expertise
EFI considers this guidance to be helpful. However, consideration could also be given in guidance to assessment of continued competency whilst in the role.
Tasks and role
‘Unconditional and direct access to all information’ is a very clear statement to assist the individual in their role.
Guidance would be helpful regarding the regularity of risk assessment, policy and procedure reviews. It is helpful to outline the regulatory expectation regarding the regularity of progress reports for ‘significant’ remedial programmes. However, defining what constitutes ‘significant’ either in relation to size or risk will help to clarify the intention of this paragraph. The ‘2019 Report from the Commission to the European Parliament on the assessment of recent alleged money laundering cases involving EU credit institutions’ indicated the three lines of defence governance framework can be misunderstood or omitted. Further guidance may be helpful.
The guidance is helpful and maintaining a consistent standard within groups is desirable, subject to any local legal restrictions that may impact on this.
We would encourage clarification in the guidance for evidence provided by the firm to the supervisory body to include details of the risk assessments including the risk appetite of the firm to support the level of policies, procedures and controls implemented under the risk-based approach.