Response to consultation on draft Guidelines on the role, tasks and responsibilities AML/CFT compliance officers
Go back
We would strongly recommend that the EBA establishes a clear list of entities to which these Guidelines apply.
(b) The IFSP asks for clarification on the extent to which these proposed Guidelines are intended also for regulatory authorities, in that para 8 states that the Guidelines are addressed to competent authorities but this is not made clear and para. 6 merely states that they apply to ‘financial sector operators’.
We believe that these basic issues defining the scope and reach of the Guidelines need to be made clear in the final version.
(c) A fundamental concern relating to scope emerges from a combination of para. 6 and para. 8 insofar as while para. 6 states that the Guidelines apply to financial sector operators (as defined), para. 8 then states that the Guidelines are also addressed to financial sector operators “which are credit and financial institutions as defined in article 3(1) and 3(2)” of the EU AMLD – obliged entities that are credit and financial institutions are clearly more restrictive than the general term ‘financial sector operators’.
(d) the IFSP has concerns that the proposed Guidelines are too prescriptive, and do not leave much latitude for interpretation by obliged entities. This goes against the principle of a risk-based approach advocated by the EU AMLD for numerous years. It also appears to us that the Guidelines have been drafted with the realities of larger organisations in mind, thereby failing to take into account the practicalities faced by smaller firms which are prevalent across the EU.
(e) The draft Guidelines seem to create various roles, not least:
(i) the compliance function in general (which is referred to a number of times in the Guidelines);
(ii) the Management Body in its Supervisory function;
(iii) the Management Body in its Management function;
(iv) the member of the Board with responsibility for AML/CFT;
(v) the AML/CFT Compliance Officer.
All these different roles seem impractical in the case of smaller operators. Besides the specific utility (and feasibility, besides practicality) of having both the member of the management body with specific AML-CFT responsibilities as well as the separate role of AML/CFT Compliance Officer (which would seem to overlap with the former) is difficult to perceive and seems like overkill to us (especially for the smaller operators). The IFSP believes that a ‘one size fits all’ approach cannot be adopted requiring all obliged entities to identify a member of the management body – in some cases small operators may need to delegate this function to a third party.
(b) in para. 12, the IFSP believes that it should be emphasised that what is required is high-level knowledge;
(c) in section 4.1.3, for small operators that do not have a management layer, it is not clear whether the role will then fall on the Board or else on the AML/CFT Compliance Officer;
(d) furthermore, it is not immediately clear what being responsible ‘for implementing the organisational and operational structure necessary to discharge the AML/CFT strategy’ and the ‘AML/CFT policies and procedures’ is – is it merely ensuring that systems are in place, or does it require the actual implementation itself of the various policies and procedures (which the management body would not seem properly geared up for)?;
(e) in section 4.1.3, it is not clear whether the management body in its management function in the AML/CFT function is intended to identify one manager with responsibility for AML/CFT or is intended to regulate the AML/CFT responsibilities of the entire management;
(f) as regards section 4.1.4, the IFSP notes that the EU AMLD contemplates the possibility of the appointment of a member of the management body (as an option), the Guidelines seemingly make this obligatory;
(f) Para. 22(a) raises a key concern because having the member of the management body responsible for ‘ensuring that the AML/CFT policies, procedures and internal control measures are adequate and proportionate’ firstly seems to be the role properly suited to the AML/CFT Compliance Officer and secondly does not seem to be feasible for a member of the management body.
(b) Another point that seems unclear in the ‘proportionality’ section arises from para. 31 when juxtaposed against para. 32 – thus, while para. 31 contemplates the possibility of an AML/CFT Compliance Officer not being appointed by sole traders or entities having a very limited number of employees or members, para. 32 then introduces the word ‘separate’ and lays down conditions to be satisfied when the management body decides not to appoint a ‘separate ML/CFT Compliance Officer’ so it is not clear whether this applies in those instances where the AML/CFT role is shared with other roles or whether it applies to the case contemplated by para. 31 where a Compliance Officer is not required to be appointed at all;
(c) We also note that while the EU AMLD refers to the appointment of a member of the management body with responsibility for AML/CFT, it requires this only “where appropriate” – this requirement is not, however, reflected throughout the Guidelines;
(d) in para. 25, there is a wrong cross reference to para. 16 which, we believe, should be to para. 24;
(e) as regards para 30(b), it is not clear what is meant by putting ‘in place processes to ensure that the AML/CFT compliance officer has at all times unrestricted and direct access…’ – what is envisaged in practice?
(f) in para. 34, restricting the possibility of AML/CFT compliance officers operating for different entities only if they are part of the same group is unduly restrictive and highly impractical for small jurisdictions such as Malta, where the same people may offer their services to different unrelated clients and where different obliged entities might not strictly fall within the definition of “group” of that Member State;
(g) para. 52(1)(b) would appear to be extra if the responsibility for the BRA is shared with the management body as is being proposed in this document – the same applies to 52(1)(e)(ix);
(h) para. 72 should be qualified with ‘to the extent that the financial services operator has a risk management function’ because not all of them will necessarily have a dedicated function;
(i) section 4.2.6 only caters for the outsourcing of the operational functions of the AML/CFT Compliance officer but not the engagement of an external Compliance Officer.
1. Do you have any comments on the section ‘Subject matter, scope and definitions’?
(a) The IFSP firstly notes that, unfortunately, the proposed Guidelines include many cross-references to EU Directives and Regulations, and it is an almost impossible task to try and understand what is being referenced since the Document in turn cross-refers to other references or worse still to entire directives with a simple requirement that if any requirement in that directive applies to an entity, such entity is caught within the scope of the Guidelines. Moreover, some of the Directives and Regulations are no longer in force. Stylistically this is very difficult to follow and works against the purpose of Guidelines which should make it easy for entities to know that the Guidelines apply to them. While we appreciate that the EBA may broadly regard any entity that is an obliged entity for AML-CFT purposes and which is regulated by one of the 3 EU regulatory authorities as being subject to the Guidelines, this does not emerge (clearly at least) from the Guidelines.We would strongly recommend that the EBA establishes a clear list of entities to which these Guidelines apply.
(b) The IFSP asks for clarification on the extent to which these proposed Guidelines are intended also for regulatory authorities, in that para 8 states that the Guidelines are addressed to competent authorities but this is not made clear and para. 6 merely states that they apply to ‘financial sector operators’.
We believe that these basic issues defining the scope and reach of the Guidelines need to be made clear in the final version.
(c) A fundamental concern relating to scope emerges from a combination of para. 6 and para. 8 insofar as while para. 6 states that the Guidelines apply to financial sector operators (as defined), para. 8 then states that the Guidelines are also addressed to financial sector operators “which are credit and financial institutions as defined in article 3(1) and 3(2)” of the EU AMLD – obliged entities that are credit and financial institutions are clearly more restrictive than the general term ‘financial sector operators’.
(d) the IFSP has concerns that the proposed Guidelines are too prescriptive, and do not leave much latitude for interpretation by obliged entities. This goes against the principle of a risk-based approach advocated by the EU AMLD for numerous years. It also appears to us that the Guidelines have been drafted with the realities of larger organisations in mind, thereby failing to take into account the practicalities faced by smaller firms which are prevalent across the EU.
(e) The draft Guidelines seem to create various roles, not least:
(i) the compliance function in general (which is referred to a number of times in the Guidelines);
(ii) the Management Body in its Supervisory function;
(iii) the Management Body in its Management function;
(iv) the member of the Board with responsibility for AML/CFT;
(v) the AML/CFT Compliance Officer.
All these different roles seem impractical in the case of smaller operators. Besides the specific utility (and feasibility, besides practicality) of having both the member of the management body with specific AML-CFT responsibilities as well as the separate role of AML/CFT Compliance Officer (which would seem to overlap with the former) is difficult to perceive and seems like overkill to us (especially for the smaller operators). The IFSP believes that a ‘one size fits all’ approach cannot be adopted requiring all obliged entities to identify a member of the management body – in some cases small operators may need to delegate this function to a third party.
2. Do you have any comments on Guideline 4.1 ‘Role and responsibilities of the management body in the AML/CFT framework and of the senior manager responsible for AML/CFT’?
(a) The IFSP believes that saddling responsibility for the preparation and adoption of the Business Risk Assessment (“BRA”) on the AML/CFT Compliance Officer alone is unfair and that rather than merely having the Board ‘informed of the results of the business-wide ML/TF risk assessment’ since the BRA is one of the key elements in combatting ML/TF, the Board should also specifically be involved in the adoption and approval of the BRA.(b) in para. 12, the IFSP believes that it should be emphasised that what is required is high-level knowledge;
(c) in section 4.1.3, for small operators that do not have a management layer, it is not clear whether the role will then fall on the Board or else on the AML/CFT Compliance Officer;
(d) furthermore, it is not immediately clear what being responsible ‘for implementing the organisational and operational structure necessary to discharge the AML/CFT strategy’ and the ‘AML/CFT policies and procedures’ is – is it merely ensuring that systems are in place, or does it require the actual implementation itself of the various policies and procedures (which the management body would not seem properly geared up for)?;
(e) in section 4.1.3, it is not clear whether the management body in its management function in the AML/CFT function is intended to identify one manager with responsibility for AML/CFT or is intended to regulate the AML/CFT responsibilities of the entire management;
(f) as regards section 4.1.4, the IFSP notes that the EU AMLD contemplates the possibility of the appointment of a member of the management body (as an option), the Guidelines seemingly make this obligatory;
(f) Para. 22(a) raises a key concern because having the member of the management body responsible for ‘ensuring that the AML/CFT policies, procedures and internal control measures are adequate and proportionate’ firstly seems to be the role properly suited to the AML/CFT Compliance Officer and secondly does not seem to be feasible for a member of the management body.
3. Do you have any comments on Guideline 4.2 ‘Role and responsibilities of the AML/CFT compliance officer’?
(a) Section 5.1 (Accompanying documents) includes a discussion on the principle of Proportionality (paragraphs 18 to 20). The IFSP notes that there are numerous references to proportionality throughout the proposed Guidelines. Given the wide scope of the Guidelines, in terms of varying size of entities across EU Member States, and the extent of services offered, proportionality is undoubtedly of great importance, in order to ensure that regulation is not crippling small entities which are typical in smaller jurisdictions such as Malta. The IFSP therefore exhorts the EBA to provide examples to regulators on how the principle of proportionality is to be applied in practice. This will also ensure homogenous treatment across Member States rather than leaving it to the discretion of regulators in each Member State to define their own version of proportionality. Unfortunately, as drafted, the paragraphs on ‘proportionality’ appear to be far too generic.(b) Another point that seems unclear in the ‘proportionality’ section arises from para. 31 when juxtaposed against para. 32 – thus, while para. 31 contemplates the possibility of an AML/CFT Compliance Officer not being appointed by sole traders or entities having a very limited number of employees or members, para. 32 then introduces the word ‘separate’ and lays down conditions to be satisfied when the management body decides not to appoint a ‘separate ML/CFT Compliance Officer’ so it is not clear whether this applies in those instances where the AML/CFT role is shared with other roles or whether it applies to the case contemplated by para. 31 where a Compliance Officer is not required to be appointed at all;
(c) We also note that while the EU AMLD refers to the appointment of a member of the management body with responsibility for AML/CFT, it requires this only “where appropriate” – this requirement is not, however, reflected throughout the Guidelines;
(d) in para. 25, there is a wrong cross reference to para. 16 which, we believe, should be to para. 24;
(e) as regards para 30(b), it is not clear what is meant by putting ‘in place processes to ensure that the AML/CFT compliance officer has at all times unrestricted and direct access…’ – what is envisaged in practice?
(f) in para. 34, restricting the possibility of AML/CFT compliance officers operating for different entities only if they are part of the same group is unduly restrictive and highly impractical for small jurisdictions such as Malta, where the same people may offer their services to different unrelated clients and where different obliged entities might not strictly fall within the definition of “group” of that Member State;
(g) para. 52(1)(b) would appear to be extra if the responsibility for the BRA is shared with the management body as is being proposed in this document – the same applies to 52(1)(e)(ix);
(h) para. 72 should be qualified with ‘to the extent that the financial services operator has a risk management function’ because not all of them will necessarily have a dedicated function;
(i) section 4.2.6 only caters for the outsourcing of the operational functions of the AML/CFT Compliance officer but not the engagement of an external Compliance Officer.