Overall, the draft Guidelines would benefit from the addition of further definitions to ensure consistent application across sectors and member states. Terms, such as ‘third party delegate’, ‘examination’, ‘validation’, etc. should be defined, and uniform language used throughout the document.
The EBA should ensure that when applied, the requirements are proportionate to the size, complexity and relative AML risk associated with financial institutions and groups throughout. We would welcome a clear reference to the applicability of the principle of proportionality; smaller firms may have a Head of Compliance who also manages AML/CTF risk, and has the appropriate skills to do so based on the level of AML risk.
4.1.2 Role of the management body in its supervisory function in the AML/CFT framework
Paragraph 13(b): The management body should approve the policies (and changes to policies) on which the procedures are based rather than oversee the implementation of policies and procedures.
Paragraph 14(c): Being 'informed' might imply some distance from the decision-making regarding new products / markets / functionality etc. The member of the management body / senior manager responsible for AML compliance should be involved in the decision-making that affects AML/CTF risk.
4.1.3 Role of the management body in its management function in the AML/CFT framework
Paragraph 16(a): In addition to the adequacy of resources allocated to the AML/CFT compliance officer function, their authority within the business should also be set out, e.g. access to staff and information. In the context of the dedicated AML/CFT unit, the management body should also be assigned responsibility for that unit to be adequately resourced.
Paragraph 16(b): The obligation of the management body is to ensure the implementation of policies and procedures, rather than to implement policies and procedures themselves.
4.1.5 Identification of a senior manager responsible for AML/CFT where no management body is in place
Paragraph 20: In addition to sufficient time and resources, the senior manager should also be given the necessary authority within the business to perform their duties effectively.
4.2.1 Appointment of the AML/CFT compliance officer
Paragraph 24: We understand the reference to 'on their own initiative' as conferring internal authority as mentioned in our comments on Paragraphs 16(a) and 20 above: this could be made clearer.
Paragraph 25: It would make sense to always maintain the role as a 'separate role' and have the internal decision-making process focused on whether the role requires specific staffing or can be performed by a staff member already performing an existing role.
Paragraph 27: We do not agree with the proposal that ‘the AML/CFT compliance officer should normally be located and work in the country of establishment of the financial sector operator.’ Given the international dimension of financial services and the use of outsourced service providers, it is more operationally effective for the location of the AML/CFT compliance officer to be as close to the centralised operations as possible. This may be in the country of establishment, or may be elsewhere. This is consistent with the provisions of paragraph 28 as set out below.
Paragraph 28 provides that the compliance officer may be appointed in another jurisdiction. The second sentence is however unclear: ‘In those cases, the financial sector operator should appoint the AML/CFT compliance officer within the governance arrangements of that financial sector operator.’ We would be grateful if this could be elaborated to ensure that the flexibility to appoint a compliance officer located in the most appropriate jurisdiction to best manage AML/CTF risk continues to be provided.
The last sentence provides: “The financial sector operator should also demonstrate to its competent authority that the measures it has put in place in this regard are adequate and effective.” It is onerous for the firm to be required to demonstrate adequacy and effectiveness of the arrangements. It would be more appropriate for the adequacy and effectiveness of the arrangements to be inferred from the effectiveness of the AML programme as a whole.
Paragraph 29 provides that the AML/CFT compliance officer may assign their tasks to other officers and employees acting under his/her direction and supervision. This is welcome and offers a pragmatic way for AML/CFT compliance officers to fulfil their obligations. Similarly the senior manager responsible for AML/CFT should be enabled to assign their operational tasks to officers and employees whilst overseeing them and remaining responsible.
Paragraph 30(b): The content relating to the 'authority' of the AML/CFT compliance officer is welcome. This could be underlined in other sections of the Guidance - in paragraphs 24, 20 and 16(a) - see comments above.
Paragraph 30(c): We would be grateful for clarification regarding what an ‘independent’ reporting line entails.
4.2.2 Proportionality criteria for the appointment of a separate AML/CFT compliance officer
Paragraph 33: Further clarity on the intended scope of outsourcing would be helpful.
4.2.4 Tasks and role of the AML/CFT compliance officer
Paragraph 46 prescribes sample testing in the context of compliance monitoring. In our view, the measures applied should be risk-based, and sample-based testing may not always be the most efficient way to monitor compliance. Sample testing should be presented as one means of monitoring compliance, with reviews of materials, interviews with staff etc. supplementing this approach. This is consistent with the general requirements for monitoring of compliance measures provided at Paragraph 45.
Paragraph 48: The reference to ‘any supervisory examination by the competent authority’ and their results is unclear; are these reports published by supervisors of supervisory activities undertaken throughout the entire regulated sector, or is this a reference to supervisory activity relating to the obliged entity itself? In addition, we would welcome a definition of the term ‘examination’.
Paragraph 62(c) requires training of ‘persons responsible for developing procedures or software or other tools applicable to activities that are, even indirectly, sensitive to ML/TF risk: this training should enable them to adequately integrate the AML/CFT issue.’ IT developers and IT operational personnel do not have any customer contact and will not be monitoring transactions or similar, and are therefore highly unlikely to detect suspicious activity. IT development and operations are often outsourced and large teams may be involved. Training these teams and any new joiners will require significant resources, which would be disproportionate to the risk they may be exposed to. We support the risk-based identification and evaluation of training needs; however, it should be made clear that it is not an absolute requirement to train IT staff.
4.2.5 Relationship between AML/CFT compliance function and other functions
Paragraph 70: Reporting by the independent audit function to the management body / management committee should be added.
Paragraph 72: This is the only paragraph that refers to a 'Head of Risk management' – we would welcome clarification regarding the intended role being referenced, or alternatively that it is removed from the Guidance so as to avoid any suggestion that this is a required role.
4.2.6 Outsourcing of operational functions of the AML/CFT compliance officer
Paragraph 74 provides that ‘Strategic decisions in relation to AML/CFT should not be outsourced, in particular the following operational functions should not be outsourced’. The proposed guidelines do not provide a definition of strategic decisions in this context, and the reference to operational functions suggests a combination of objectives that are not clearly defined. Furthermore, it would be helpful to clarify whether outsourcing includes outsourcing to other group entities or only to third parties.
Prohibition on outsourcing of certain functions: Whilst we agree with the proposal not to outsource policy setting, oversight and decision-making, we believe that the guidelines should expand on, but must not go beyond, the requirements under the existing 4MLD. A prohibition on outsourcing also sets a precedent in terms of Guidance exceeding the requirements in level 1 legislation. Paragraph 74 seems to mirror requirements under the draft EC AML/CTF regulations (Article 40), which are currently undergoing consultation. The final version of the outsourcing provisions in the planned ML/TF regulations is unknown and should not be anticipated by the draft guidance.
Paragraph 74(a) refers to the validation of the business-wide ML/TF risk assessment: it is not clear what ‘validation’ means or what it would involve.
Paragraph 74(b): ‘the internal organisation of AML/CFT system’: The expression is unclear and we would welcome clarification. Does this refer to staff, competencies or product controls? Is it a reference to the group function or reporting lines?
Paragraph 74(c): We agree with the prohibition on outsourcing the adoption of AML/CFT policies and procedures. However, firms should have permission to outsource the revision of internal AML/CFT policies and procedures. These could e.g. be updated by a consultancy or at group level (if this would qualify as outsourcing) and would then be approved by the firm’s management body.
Paragraph 74(d): The sentence is unclear. We believe that this should be read as a requirement not to outsource the ‘approval of the methodology’ in the areas listed: Whilst firms’ management bodies will approve the methodology, operational tasks relating to the entry into a business relationship and the assignment of a risk profile under clear policies and processes may be outsourced.
Paragraph 74(f) is redundant as the prohibition to outsource responsibility is set out in paragraph 73.
Paragraph 74(h): ‘Any other decisions which, according to their nature, should be made within financial sector operator’ seems to be a placeholder: this requirement should be clarified or removed.
Paragraph 75(a) refers to the identification of risks before deciding to outsource tasks of the AML/CFT compliance officer function, ‘including the risks related to the use of new technologies’. New technologies are usually assessed as part of the product risk assessment; it is not clear where the risk relating to the use of new technologies lies in the context of outsourcing the operational functions of the compliance officer, and we would welcome an explanation regarding the new technologies referenced in this context.
Paragraph 75(c)(ii): Please clarify if the ‘third party delegate’ is the outsourced service provider; a consistent use of terminology would assist firms in understanding the requirements. The language used in this paragraph, such as ‘the obligation’s incumbent upon the third-party delegates’, is unclear.
Paragraph 77 refers to additional safeguard measures for outsourced service providers established in third countries; please clarify what measures are referred to here.
4.3.2 Role of the management body for AML/CFT at group level
Paragraph 80(a): The ‘cartography’ of the risks to which each group entity is exposed should be coordinated, yet it should be each entity’s own risk assessment: We would welcome clarity regarding the expectations of a coordinated, yet own risk assessment and what a ‘cartography of risks’ would entail.
4.3.3 Organisational requirements at group level
Paragraph 82(a) refers to ‘managing and mainly preventing ML/TF risks’. This is unclear: is this a reference to the mitigation of risk or to the prevention of crime?
Paragraph 82(b) requires the parent entity to ‘validate the group's internal AML/CFT procedures’: There seems to be no reference to policy and we would welcome clarification on what ‘validation’ would entail.
Paragraph 82(c): We would welcome further clarification on the internal AML/CFT control mechanisms to be set up at group level referenced in this paragraph; are these in addition to the internal controls under 82(e)?
Paragraph 84: The Group AML/CFT compliance officer's tasks are set out in great detail and may result in significant bureaucratic burden and overhead. It would be preferable to define the outcomes rather than the process to allow firms to implement risk-based, more flexible approaches. This is particularly important for smaller firms or where the AML/CTF risk is low.
Paragraph 85(d): ‘Impact analysis on AML/CFT compliance for the group of certain risks if not mitigated at subsidiary or branch level’. The statement is unclear: what is intended to be captured?
Paragraph 85(e): We would welcome clarification regarding the term ‘examination’: are these ongoing reviews, spot checks, audits, etc.?
Paragraph 87: Whilst firms will streamline their policies and procedures as far as possible within a group, this will not always be possible as they operate in different jurisdictions and regulatory regimes, offer different products and may have different risk profiles across group entities. Their obligation is to meet the regulatory requirements, taking into account the products offered and geographies covered. It may, for example, be more appropriate to diverge in order to address specific risks than to seek perfect alignment.
‘As per proportionality principle, a committee structure can be put in place between subsidiaries or branches and the group.’ This is unclear; we would welcome further elaboration.
Paragraph 89(b): The request (by competent authorities) to share the management body’s suitability assessment of the AML/CFT compliance officer is implemented on a risk-sensitive basis. There is however no elaboration on the criteria that will be used to undertake this risk assessment. Transparency of the process and risk criteria would be appreciated.
Paragraph 90 refers to a range of measures competent authorities could adopt if they consider that the individual acting as AML/CFT compliance officer is not suitable. The paragraph provides two examples; we would appreciate further information on possible measures.
Paragraph 91 suggests that, as an alternative to replacement of the AML/CFT compliance officer, other conditions could be imposed, but only if the individual is a key function holder. It would be helpful to clarify that other conditions, such as additional training, are an option in any case and not just for key function holders.