Internal control bodies: EBA publishes new guidelines on role and responsibilities of the compliance officer
The goal is to ensure a common understanding and implementation of the requirements by compliance officers to avoid uneven implementation of measures across the European Union.
On June 14, the EBA published the new Guidelines on the role and responsibilities of the AML/CFT compliance officer. These guidelines are intended to ensure a common understanding and implementation of the requirements in Directive 2015/849 with a view to resolving the adverse consequences that have arisen for the EU’s financial system from the requirements being implemented unevenly and not always being applied effectively. They further implement article 9 “Compliance functions” of the Proposal for a Regulation of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (Proposal for an AML/CFT Regulation).
It is notable that both the Proposal for an AML/CFT Regulation and the guidelines adopt a model that strengthens the role of the compliance manager (as described below), in contrast to the Spanish model, in which a collective Internal Control Body, with representation from the various areas of the obliged entity’s business, is responsible for implementing AML/CFT policies and procedures.
The guidelines relate to three key areas:
- Firstly, they set out the role and responsibilities of the management body. In relation to its supervisory role, the document sets out that the management body is responsible for overseeing and monitoring implementation of the governance and internal control framework to ensure compliance with the AML/CFT legislation. To fulfill this role, the management body must be informed of the results of the business-wide ML/TF risk assessment, oversee and monitor the extent to which the AML/CFT policies and procedures are adequate and effective in light of the risks, review, at least once a year, the activity report of the compliance officer and assess, at least once a year, the effective functioning of the AML/CFT compliance function.
As part of its management function, provided for in Directive 2015/849, the management body should, among other responsibilities, implement the structure necessary to comply with the AML/CFT strategy, ensure adequate and sufficiently detailed AML/CFT reporting to the competent authority and ensure compliance with the European supervisory authorities’ guidelines.
The management body should also designate one of its members to be responsible for AML/CFT or, where no management body is in place, a senior manager responsible for AML/CFT. The Proposal for an AML/CFT Regulation refers to this person as the compliance manager; he or she must satisfy certain requirements relating to knowledge and experience and will be the compliance officer’s main point of contact with the management body. The guidelines set out among the compliance manager’s functions the obligation to ensure that AML/CFT policies, procedures and internal control measures are adequate and proportionate; the assessment of whether it would be appropriate to appoint a separate AML/CFT compliance officer and a support unit for the performance of the officer’s functions; the obligation to ensure that the management body receives sufficient information on AML/CFT matters and that there is periodical reporting on the activities carried out by the AML/CFT compliance officer; and the obligation to inform the management body of any serious or significant AML/CFT issues and breaches and to recommend actions to remedy them.
- Secondly, the guidelines set out the role and responsibilities of the compliance officer. Financial or credit institutions should appoint a separate compliance officer, unless they have a limited number of employees, or the nature of their business or associated risks, the number of customers or the number or volume of transactions justify not appointing a separate compliance officer. Where a separate compliance officer is not appointed, the compliance officer’s tasks should be performed by the compliance manager or outsourced. Additionally, the compliance officer must meet the suitability, skills and expertise requirements set out in paragraphs 35 and 36 of the Guidelines.
The guidelines also list the compliance officer’s tasks, which should be clearly defined and documented and consist of:
- developing a risk assessment framework for business-wide and individual risk assessment;
- setting out the AML/CFT policies and procedures to be adopted by the institution and ensuring that they are effectively implemented. They should include, at least, the ML/TF risk assessment methodology, customer due diligence, internal reporting, record keeping and provisions for monitoring AML/CFT compliance;
- ensuring that policies are revised and updated where necessary and proposing how to address any change;
- being consulted before onboarding new high-risk customers or maintaining business relationships with those types of customers;
- monitoring whether the AML/CFT measures, policies, controls and procedures implemented by the credit or financial institution comply with the institution’s AML/CFT obligations laid down by the legislation (as a “second line of defense”) and overseeing the effective application of the AML/CFT controls applied by business lines and internal units (the “first line of defense”);
- reporting to and advising the management body on measures to be taken to ensure compliance with the applicable rules;
- giving due consideration to the sensitivity and confidentiality of the information that may be disclosed and to the non-disclosure obligations the credit or financial institution has to adhere to when transmitting information on suspicious transactions;
- duly informing staff about the ML/TF risks to which the credit or financial institution is exposed and ensuring that all employees receive AML/CFT training.
The guidelines also contain rules and principles on outsourcing the compliance officer’s tasks, including the principle that ultimate responsibility for compliance with the obligations lies with the institution; the need to define and set out in a written document the rights and obligations of the credit or financial institution and the service provider; the institution’s obligation to monitor and oversee the quality of the service provided; the application of the same regulatory framework to intra-group outsourcing as to outsourcing to external service providers; and the rule that outsourcing of functions must not result in delegation of the management body’s responsibilities.
- Lastly, the EBA’s guidelines set out the organization of the AML/CFT compliance function at group level and recommend that the credit or financial institution adapt its internal controls to the specifics of its business, taking into account the group context.
The parent company should designate a member of its management body or senior manager responsible for AML/CFT, as well as a group AML/CFT compliance officer; set up an organizational and operational coordination structure at group level; approve the group's internal AML/CFT policies and procedures; and evaluate the effectiveness of the AML/CFT policies that are implemented.
The guidelines specify that institutions operating with branches or subsidiaries in another member state or in a third country should designate a group compliance officer as coordinator. The tasks of this compliance officer should be to coordinate the assessment of the ML/TF risks for each entity of the group, draft a group-wide ML/TF risk assessment, define group-level AML/CFT standards, coordinate the activities of the various local AML/CFT compliance officers, monitor the AML/CFT compliance of the branches and subsidiaries located in third countries, set group-wide policies, procedures and measures concerning data protection and the sharing of information within the group, and ensure that group entities have adequate suspicious transaction reporting procedures. The group compliance officer should also produce an activity report at least once a year and present it to the group management body.