Association for Financial Markets in Europe ('AFME')
The Association for Financial Markets in Europe (AFME) welcomes the opportunity to comment on the European Banking Authority’s (EBA) draft Guidelines on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT Compliance Officer under Article 8 and Chapter VI of Directive (EU) 2015/849. AFME has put in place internal arrangements to manage our work in compliance with the conditions set by the EBA on Adam Farkas’ appointment as CEO. As part of these, Adam Farkas has not been involved in the preparation of this consultation response.
• AFME believes that, overall, the EBA’s Guidelines on AML/CFT compliance officers could help to achieve a common understanding, by competent authorities and financial sector operators, of financial sector operators’ AML/CFT governance arrangements. Transparent and coherent rules in this space allow AFME members to have a clear understanding of the EBA’s expectations.
However, in order to avoid a proliferation of rules which may create a more complex regulatory landscape, we believe that the present guidelines should be aligned with the recently proposed AML Regulation and with existing guidance, such as the EBA Guidelines on internal governance, the joint EBA and ESMA Guidelines on the assessment of the suitability of members of the management body and key function holders, as well as the ESMA Guidelines on certain aspects of the MiFID II compliance function requirements.
• The guidelines should take into account the different corporate governance structures currently in place in the EU. We note that, whereas in some countries financial institutions have a one-tier management structure, in other member states financial institutions adopt a two-tier management structure, which includes a Board of Directors and an executive management team responsible for running the business.
Implementing the draft guidelines as they currently stand would create difficulties for the two-tier management structures. As an example, it would be problematic to appoint a member of the Board of Directors to the function of member of the management body responsible for AML/CFT. Therefore, in the two-tier corporate governance set-up, the management body should be interpreted as the executive management team and not the Board of Directors.
• We would like to invite the EBA to clarify the use of the term “compliance” in its draft guidelines. In our view, the term compliance refers to the activities carried out by the second line of defence. However, given that the set-ups adopted by financial institutions can differ, it should be noted that some tasks that the guidelines assign to the AML/CFT compliance officer are in several firms performed by the first line of defence.
4.1.1 Approval of the policies, controls and procedures
• Guideline 4.1.1 paragraph 11 states that where a management body exists, AML/CFT policies, controls and procedures should be approved by management body in accordance with Article 8 (5) of Directive (EU) 2015/849.
AFME believes that there should not be a mandatory requirement for the management body to approve AML/CFT policies, controls and procedures. Article 8(5) of Directive (EU) 2015/849 refers to approval from senior management rather than management body.
4.1.4 Identification of the member of the management body responsible for AML/CFT
• AFME welcomes Guideline 4.1.4 which states that the member of the management body to be identified in accordance with Article 46(4) of Directive (EU) 2015/849 should in particular have adequate knowledge, skills and experience regarding the identification, assessment and management of the ML/TF risks, and the implementation of AML/CFT policies, controls and procedures.
However, we believe that Guideline 4.1.4 needs to take into account the different corporate governance models adopted by firms, such as the two-tier management structure. Therefore, it is essential that the management body, in which a member responsible for AML/CFT shall be appointed, can be interpreted as the executive management team, and not only as the Board of Directors.
• In organisations operating under a one-tier system where the management functions are already performed by a single board member, the guidelines should be open to solutions allowing such board member to be identified as the member of the management body responsible for AML/CFT.
Therefore, AFME would like to invite the EBA to confirm that firms adopting the one-tier system can assign the role of “member of the management body responsible for AML/CFT” to the board member already performing management functions.
As an alternative solution, such firms should be allowed to assign the tasks set out in Guideline 4.1.6 to a senior manager, appointed in accordance with the provisions of section 4.1.5, such as the chief compliance officer, who reports directly to the board member.
In the light of the above, AFME would like to propose to amend Guideline 4.1.4 paragraph 18 as follows:
“[…] They should report comprehensively about their tasks as mentioned in section 4.1.6 and regularly inform and where necessary without undue delay the management body in its supervisory function. Firms can grant the role of “member of the management body responsible for AML/CFT” to the board member already performing the management function in the AML/CFT framework according to section 4.1.3. Alternatively, firms are allowed to assign the tasks set out in section 4.1.6 to a senior manager (appointed in accordance with the provisions of section 4.1.5), such as the chief compliance officer, who reports directly to the board member”.
4.1.6 Tasks and role of the member of the management body or senior manager responsible for AML/CFT
• Guideline 4.1.6 paragraph 22 states that the member of the management body, or the senior manager responsible for AML/CFT should be involved in the recruitment of staff into the firm’s AML/CFT unit.
AFME believes that it should not be a mandatory requirement for the member of the management body, or the senior manager responsible for AML/CFT, to necessarily be involved in the recruitment of staff for the ‘AML/CFT unit’. In our opinion, AML senior managers should be granted the flexibility to delegate the recruitment process to members of their team.
Furthermore, we would like to note that the term “involved” does not explain the actual role that the AML senior manager should have. We invite the EBA to provide more clarity on this point.
4.2.4 Tasks and role of the AML/CFT compliance officer
• Guideline 4.2.4 identifies a series of tasks to be performed by the AML/CFT officer, such as developing ML/TF risk assessments, preparing policies and assessing training needs.
AFME notes that these functions could also be performed by a firm’s first line of defence. We believe that financial institutions should have the right to set up their internal working methods and procedures, while fully respecting the role of the second line of defence.
• Guideline 4.2.4 paragraph 43 states that the AML/CFT compliance officer should prepare policies and procedures to comply with the customer due diligence requirements, including those provided by the EBA Revised Guidelines on ML/TF Risk Factors.
AFME notes that customer due diligence (CDD) policies and procedures could also be prepared by the first line of defence.
• Guideline 4.2.4 paragraph 44 states that the AML/CFT compliance officer should exercise an advisory role before a final decision is taken by senior management on onboarding new high risk customers or re-classifying existing customers into the high risk category, unless the power to approve the establishment of such relationships is entrusted directly to the AML/CFT compliance officer.
AFME believes that the EBA guidelines should clarify that it is not necessary for the senior management to approve the onboarding of every new high-risk customer or the re-classification of every existing customer.
We believe that firms should decide the level of involvement of their senior management based on the risk-based approach and on their risk-appetite. Furthermore, firms should be granted the flexibility to delegate high-risk client approvals to their compliance departments, which could refer the decision to their senior management when they deem it necessary.
• Guideline 4.2.4 paragraphs 45-46 states that the AML/CFT compliance officer should have the responsibility for ongoing monitoring of the implementation of the measures, policies, controls and procedures adopted to ensure the financial sector operator’s compliance with its AML/CFT obligations, and should carry out sample testing to establish levels of compliance.
AFME believes that the guidelines should clarify that the AML/CFT compliance officer should oversee the ongoing monitoring but he is not expected to perform it.
• Guideline 4.2.4 paragraphs 49-52 states that the AML/CFT compliance officer should advise the management body on measures to be taken to ensure compliance with applicable laws, rules, regulations and standards. Furthermore, the AML/CFT compliance officer should submit an activity report proportionate to the scale and nature of the activities of the financial sector operator.
AFME considers reporting to the management body as an essential instrument for an effective AML/CFT policy. We also welcome the non-exhaustive list of information that should be included in the activity report.
However, we note that the current draft guideline may be too detailed and prescriptive. We believe that financial firms and their management bodies should be granted the flexibility to organise their internal reporting commensurate to their risks, as long as firms fulfil the requirements to fully understand and manage the ML/TF risks they are subject to.
Moreover, as mentioned above, we consider that part of the reporting may be performed by the first line of defence depending on the organisational set-up adopted by financial institutions.
• Guideline 4.2.4 paragraph 63 suggests that the AML/CFT compliance officer prepares and implements the annual training plan and staff education.
AFME thinks that the guidelines should allow the AML/CFT compliance officer to delegate this task to other qualified members, while overseeing and verifying compliance with the regulatory requirement.
4.2.6 Outsourcing of operational functions of the AML/CFT compliance officer
• Guideline 4.2.6 paragraphs 74-77 states that strategic decisions in relation to AML/CFT should not be outsourced. The outsourcing of tasks of the AML/CFT compliance officer function to a service provider should meet additional conditions, and outsourcing within a group should be subject to the same provisions as outsourcing to an external service provider.
AFME notes that amongst the prescriptive list of functions that should not be outsourced are the establishment of criteria to detect unusual transactions and the responsibility of reporting of transactions to the FIU. We believe that the guidelines should allow firms to outsource these two functions within a group on a risk-based approach as appropriate to the size and complexity of a firm.
Furthermore, we believe that it is too stringent to require outsourcing within a group to be subject to the same provisions as outsourcing to an external service provider. We invite the EBA to make a distinction between these two types of outsourcing.
4.3.3 Organisational requirements at group level
• AFME would like to reiterate that the requirement to designate a member of the group management body or senior manager responsible for AML/CFT should take into account the structure of those financial institutions that adopt two-tier corporate governance models. Furthermore, we would like to highlight that the management body does not necessarily correspond to the Board of Directors.
• Regarding the tasks and reporting of the group AML/CFT officer, we would like to restate that the guidelines should take into to account the different organisational set-ups of financial institutions, where some may have divided certain tasks between their first and second lines of defence.
Association for Financial Markets in Europe ('AFME')