General comment on the Guide to AML/CFT compliance officers:
In general, we want to point out the different ways in which the Anti-Money Laundering Directive has been transposed in Member States, which has led to strong fragmentation of the AML landscape across Europe. The resulting national specificities have to be taken into account when setting the guideline. Therefore, no provisions of the guideline shall be in conflict with national legislation. If such a conflict is not avoidable, it is of utmost importance that the respective national legislative provisions prevail.
Taking Norway as an example, please see below how the guidelines may be in conflict with national legislation currently in place:
Pursuant to the current Norwegian AML legislation, a member of senior management with a special responsibility to follow up the routines within anti-money laundering ("AML responsible") shall be appointed. The Norwegian legislation further states that banks also shall establish an internal control to ensure compliance with the Act, and that control of compliance is carried out in accordance with the three lines of defense.
For banks required to establish a second-line defense (compliance) pursuant to other regulations, the starting point is that the AML officer must be placed in the first line. The Norwegian FSA (Finanstilsynet) clarified during the autumn of 2019 that this requirement applies to the large regional savings banks, as they "are of such a nature and scope that it triggers a requirement for compliance with section 35 second paragraph of the Anti-Money Laundering Act" and that the AML officer must be placed in the first line.
Direct quote from final report after local supervision in the field of anti-money laundering in a large regional savings bank:
"In its guidelines for managing and controlling compliance risks, including AML risks, the Bank must make sure to clearly distinguish between tasks and responsibilities in the operational units of the first line and in the compliance function. Furthermore, the Bank must ensure that the compliance function is organized separately from entities responsible for compliance in the first line."
Banks that had previously placed the AML function within the compliance function were then required to provide "clearer separation and organization of the money laundering function in the first line and the compliance function in the second line, in accordance with the above notices."
The proposed guidelines therefore contradict certain aspects of current Norwegian AML legislation, FSA guidelines and supervision practice.
Regarding the section 'Subject matter, scope and definitions', please see the following comment:
The definitions of management body should be applicable to various corporate governance models in the EU, for example the one-tier model that is common in the Anglo-Saxon countries, the two-tier model that is common in several continental European countries and the Nordic governance model. For instance, in the latter model, the CEO is the sole member of the management body in its management function. Therefore, it is important that the scope of definitions also covers the CEO's management team, for example senior management.
The guidelines are not sufficiently clear on the relationship between and the roles and responsibilities of the senior manager responsible for AML/CFT and the management body.
According to Article 46(4) of AMLD4, the obliged entities are required to identify the member of the management board who is responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with the AMLD. However, point 22 (b) of the Guideline states that the senior manager responsible for AML/CFT ensures that the management body has taken his responsibility instead. In addition, the independence of the compliance officer needs to be secured.
To align the wording with the Directive and to consider the principle of proportionality, the text should be amended as follows:
Where a management body exists, AML/CFT policies, controls and procedures should be approved by the management body where appropriate, in accordance with Article 8(5) of Directive (EU) 2015/849.
On the other hand, we believe that Guideline 4.1.4, which assumes that the member of the management body responsible for AML/CFT has been identified in accordance with Article 46(4) of Directive (EU) 2015/849 (AMLD4), may not be applicable to all jurisdictions, as the Member States have certain discretion in the transposition of the European Directives.
For instance, in Spain there is no such obligation after the transposition of the Directive by means of the Royal Decree Act 11/2018, of August 31st. The transposition does not introduce such an obligation to identify the member of the management body for AML/FT purposes in the national legislation. Such legislation (Art. 26 ter.1 of the Act 10/2010 on prevention of money laundering and terrorist financing) states that the obliged entity will designate a managing director, who has administrative or managing powers, as representative before SEPBLAC (the FIU in Spain). Such a person may not be part of the management body, which in some cases is the Board of Directors. Therefore, such a guideline creates confusion and inaccuracy regarding the concepts and definitions due to different interpretations and transpositions and should be amended accordingly.
Article 206 of EBA/GL/2021/05 is an example of the divergence in national legislations. According to EBA/GL/2021/05 Article 206, "The compliance function … should be independent of the business lines and internal units it controls …". As this might include an ability to test, evaluate and verify the compliance with AML regulatory requirements without taking responsibility for carrying out any AML-related work/tasks (such as training, transactions monitoring, etc.), in some national jurisdictions, like Norway, this line of independence is broken when the guidelines assign such tasks to the AML/CFT compliance officer, whereas, at the same time, the guidelines are clear on the principle that the AML/CFT compliance officer should not have responsibility for tasks that this function should monitor and control. In addition, the fact that the guidelines say that the AML/CFT compliance officer should have the ability to have an AML/CFT Unit to assist the function further complicates this matter for national legislations such as Norway's.
The proposed guidelines should also elaborate more on the relationship between the senior manager responsible for AML/CFT and the AML compliance officer. Furthermore, a more detailed explanation on the relationship between the general compliance function and the AML/CFT compliance function is needed.
Especially for many regionally-focussed savings and retail banks, the following remarks are of great relevance:
Particularly Guideline 4.26 significantly restricts the possible scope of outsourcing of so-called “strategic decisions”. This concerns, for example:
- the validation of the business-wide ML/TF risk assessment,
- the internal organisation of AML/CFT system,
- the adoption and revision of internal AML/CFT policies and procedures,
- the assignment of the risk profile,
- the establishment of criteria to detect unusual transactions and
- the responsibility of reporting of suspicious transactions to the FIU.
In view of the increasingly complex requirements for the prevention of money laundering and terrorist financing through the future Money Laundering Regulation, the Money Laundering Directive, the respective national laws, the future technical standards of AMLA as well as the national supervisory authorities, it is, however, of considerable importance, especially for the smaller and medium-sized credit institutions, to be able to outsource the AML/CFT compliance function as such, or at least individual aspects thereof as comprehensively as possible, to highly specialised and reliable service providers.
For many of the above-mentioned institutions, this is currently done within the framework of contractual agreements and under the full responsibility of the outsourcing credit institution as well as in the knowledge of the supervisory authority. In doing so, neither the management options of the obliged entities nor the supervision by the supervisory authority are impaired.
Therefore, the outsourcing of safeguards to prevent money laundering and terrorist financing has not only proven its worth for more than 20 years, but has led to a constant improvement of the prevention measures, for example through overlapping findings within the framework of the multi-client service, which can be used for the prevention measures as a whole. In order to ensure a high-quality standard of outsourcing, Article 40 paragraphs 1 and 3 to 5 of the draft AML/CFT-Regulation already contains detailed requirements, which can be supplemented, if necessary, by a duty to notify the competent supervisory authority of the outsourcing and by a right of the supervisory authority to audit the insourcer.
For these reasons, we urgently call for at least the above-mentioned “strategic decisions”, which are assigned to the AML/CFT compliance officer, to be removed from the exclusion catalogue, as these can be fulfilled by an outsourcing as such in a very high quality and at the same time efficiently, without having a loss of responsibility or an impairment of money laundering supervision. With regard to many regionally-focussed institutions, the outsourcing of the AML/CFT compliance officer should also be allowed in view of enabling small and medium-sized banks to have a continued high-quality money laundering prevention in the future.
Furthermore, the circumstances in which the AML/CFT compliance officer can be located in another jurisdiction should be further clarified. We ask for proportionality when it comes to foreign small and uncomplicated branches. Additionally, point 28 should clarify the requirement “the financial sector operator should have the necessary systems and controls in place to ensure that the AML/CFT compliance officer has the necessary knowledge and understanding of local AML/CFT laws and regulations and can equally carry out its functions in an effective and independent manner”. Since the requirement is not phrased as a competency requirement for the compliance officer, additional guidance is needed to interpret this provision.
Point 30(c) conflicts with point 22(f), as the former requires a direct reporting line between the AML/CFT compliance officer while the latter requires the senior manager responsible for AML/CFT to ensure that there is periodical reporting to the management body on the activities carried out by the AML/CFT compliance officer etc. In fact, flexibility regarding reporting routes should be allowed.
Moreover, the organisational structure of some entities might not be able to allow a separate division. However, it is important that, where the AML/CFT compliance officer is subordinated to a person who is in charge of management activities, conflicts of interests are mitigated, for example through a clear separate reporting line.
To ensure consideration of the principle of proportionality, the text should be amended as follows:
30. A notwithstanding the overall responsibility of members of the management body for the financial sector operator, the AML/CFT compliance officer in general should not be subordinate to a person who has responsibility for managing any of the activities the AML/CFT compliance officer monitors if the organisational set up allows it;
To consider the principle of proportionality the text should be amended:
46. The AML/CFT compliance officer should carry out sample testing to establish levels of compliance where appropriate.
Regarding 4.2.4 – 50:
Please clarify what exactly is to be understood as “remedial programs”. We understand that this entails inconsistencies in the application of risk procedures and remediation processes to ensure compliance once such an issue is identified.
Regarding the activity report, the minimum requirements stated in the current draft are considered excessive. It is understood that the aspects mentioned are important. However, even the minimum requirements make it necessary to require additional resources to prepare such a detailed report.
Please consider reviewing the text in general in line with the principle of proportionality. The content of the report should be kept to a minimum and should contain only data and information which benefit an efficient AML/CTF prevention. In addition, it needs to be clearly stated that such a report is to be prepared only once a year.
52.1.e in general should be limited to aggregated numbers.
Please specify what is to be understood as “unusual transaction” (52.1.e.i). We understand that these are ex-ante and ex-post alerts.
Please specify what is to be understood as “judicial requests/ subpoenas” (52.1.e.vi).
We understand that “orders requiring the postponement” (52.1.e.vii) entails orders from the competent authority to an obligated entity to not execute a transaction.
Please clarify “number of replies provided to FIU” (52.1.e.viii). SARs are filed to the authority and one might receive a reply, but, to our understanding, “replies” are not provided to the authority in general. Therefore, the meaning is not clear.
63. Such training program should include appropriate training workshops or seminars taking into account the tasks performed by the persons concerned and their exposure to ML/TF risks.
The organisational structure of some entities might not be able to allow a separate division. To follow the principle of proportionality the text should be amended as follows:
69. The independent audit function referred to in Article 8(4)(b) of Directive (EU) 2015/849 should not be combined with the AML/CFT compliance function if the organisational set up allows it.
The guidelines do not make clear whether financial sector operator – a group consisting of banks – and financial sector operator – a group consisting of a bank and one or several other financial services providing companies – should follow the same organisational requirements at group level, including setting-up of AML/CFT compliance officer function in each of the entities.
Some of the same reflections that are made under number 3 are also relevant here.
In addition, there can be national regulations that prohibit certain types of information to be communicated between a bank and its subsidiaries.
Legal uncertainties are to be avoided and should be clarified, for example regarding data protection and banking secrecy.
Please refer to our comments regarding the activity report in 4.2; the requirements in 4.3.3 – 84 would be an addition to the already excessive report.
Please clarify what is to be understood by “business lines” in 84.a. To our understanding, it means customer segment.