Response to consultation on draft Guidelines under Articles 17 and 18(4) of Directive (EU) 2015/849 on customer due diligence and ML/TF risk factors
Go back
In connection to the definition of ´risk appetite´, we find that an even more precise formulation would be to include the types of risks, the containment of risk within the institutions´ risk capacity, as well as the goal – the achievement of the firm´s long-term strategy. Therefore, the definition would read ´the level and type of risk a firm is prepared to accept within its risk capacity in order to achieve its strategic objectives´.
Furthermore, on 1.28. it could be useful to look for coherence within the GDRP and AMLD in terms of retention of personal data.
On a general note, we support the risk-based approach to customer due dilligence. We however want to stress the higher demands the AML rules places on employees, especially in the current context where a significant number of transactions are carried out through digital means, from a distance, in higher volume and using various platforms. The COVID-19 measures, including several policies on aiding the economy, need to be administered with the help of financial institutions, hence increasing the resources needed to ensure compliance.
In relation to the work on the prevention of money laundering and terrorist financing, three segments are important from an employee perspective – firstly, ensuring one safe and reliable reporting mechanisms / whistle-blowing structures that help Member States and Supervisory Authorities to prevent, detect and address breaches to, among else, anti-money laundering and terroist financing rules. Employees play a central role in these processes.
Secondly, the protection against threats and other hostile consequences is still needed. Despite the introduction of protection provisions in the AMLD, the problem has not been solved. Incidents with threats against employees involved in reporting suspicious transactions are still noted.
In connection to this, thirdly, anonymity and protection of employees who report breaches need to be ensured throughout the process of further handling by institutions. The reports on suspected money laundering must be safeguarded, ensuring to the fullest extent possible and no reported or unauthorized person should be informed or have access to them, respectively.
In addition to being provided training, which should be ongoing, taking place during working hours, and employer-financed, it is essential that employees are given enough time and resources to implement the gained knowledge to correct and appropriate carryout of their tasks. Training initatives should also be updated continuously i.e. in accordance with legal and regulatory changes. Attention should be paid though to ensure that eduation/upskilling and certification is not confounded. If an employee is required by law to update their certifications on a regular basis, the time spent in preparing for and taking these tests should not be counted among the hours allocated for training, which unfortunately is the case in many companies so far in Europe. This leaves employees with preciously few hours available to learn actual new skills, in cases where certification must be updated every 6 months.
To ensure full alignment with Article 46 (1) from Directive 2015/849, we would suggest including training on relevant data protection requirements.
Question 1: Do you have any comments with the proposed changes to the Definitions section of the Guidelines?
NFU fully supports the work against money laundering and terrorist financing and recognizes the significant role of employees at financial institutions in discovering possible money laundering, given the scope of employees´ daily operations and insight.In connection to the definition of ´risk appetite´, we find that an even more precise formulation would be to include the types of risks, the containment of risk within the institutions´ risk capacity, as well as the goal – the achievement of the firm´s long-term strategy. Therefore, the definition would read ´the level and type of risk a firm is prepared to accept within its risk capacity in order to achieve its strategic objectives´.
Question 2: Do you have any comments on the proposed amendments to Guideline 1 on risk assessment?
With regards to 1.17 (b), we are pleased to see that the responsibility of firms in taking steps to ensure that employees understand the business-wide risk assessment and its effects is mentioned. We suggest to, also in line with Article 46 from Directive 2015/849, that the guideline highlights the need for instructions for staff on how they should proceed in such cases. Being aware of the risk assessment is important, but it should be complemented with staff being provided with enough time and resources to obtain knowledge of risks, sufficient instructions and carry out procedures in case risks materialize, in order to ensure full extent of implementation.Furthermore, on 1.28. it could be useful to look for coherence within the GDRP and AMLD in terms of retention of personal data.
Question 3: Do you have any comments on the proposed amendments to Guideline 2 on identifying ML/TF risk factors?
N/AQuestion 4: Do you have any comments on the proposed amendments and additions in Guideline 4 on CCD measures to be applied by all firms?
With regards to 4.33, the scope of risks should be expanded to include a wider consideration of cyber risks, having in mind the variety of platforms through which the identification and verification means may operate.On a general note, we support the risk-based approach to customer due dilligence. We however want to stress the higher demands the AML rules places on employees, especially in the current context where a significant number of transactions are carried out through digital means, from a distance, in higher volume and using various platforms. The COVID-19 measures, including several policies on aiding the economy, need to be administered with the help of financial institutions, hence increasing the resources needed to ensure compliance.
In relation to the work on the prevention of money laundering and terrorist financing, three segments are important from an employee perspective – firstly, ensuring one safe and reliable reporting mechanisms / whistle-blowing structures that help Member States and Supervisory Authorities to prevent, detect and address breaches to, among else, anti-money laundering and terroist financing rules. Employees play a central role in these processes.
Secondly, the protection against threats and other hostile consequences is still needed. Despite the introduction of protection provisions in the AMLD, the problem has not been solved. Incidents with threats against employees involved in reporting suspicious transactions are still noted.
In connection to this, thirdly, anonymity and protection of employees who report breaches need to be ensured throughout the process of further handling by institutions. The reports on suspected money laundering must be safeguarded, ensuring to the fullest extent possible and no reported or unauthorized person should be informed or have access to them, respectively.
Question 5: Do you have any comments on the amendments to Guideline 5 on record keeping?
N/AQuestion 6: Do you have any comments on Guideline 6 on training?
NFU welcomes the inclusion on Guideline 6 concerning training. Continuous training and competence development for employees is essential both for better understanding their tasks, company policies and procedures, as well as to take up the role of ´watchdog´ that has wider implications for society as a whole.In addition to being provided training, which should be ongoing, taking place during working hours, and employer-financed, it is essential that employees are given enough time and resources to implement the gained knowledge to correct and appropriate carryout of their tasks. Training initatives should also be updated continuously i.e. in accordance with legal and regulatory changes. Attention should be paid though to ensure that eduation/upskilling and certification is not confounded. If an employee is required by law to update their certifications on a regular basis, the time spent in preparing for and taking these tests should not be counted among the hours allocated for training, which unfortunately is the case in many companies so far in Europe. This leaves employees with preciously few hours available to learn actual new skills, in cases where certification must be updated every 6 months.
To ensure full alignment with Article 46 (1) from Directive 2015/849, we would suggest including training on relevant data protection requirements.