What did the EBA have to say about the role of an ‘AML/CFT compliance officer’?
By Michelle Bailey
The European Banking Authority (EBA) has written a new consultation paper on draft guidelines on the role of the AML/CFT Compliance Officer. Whilst these draft guidelines will affect the EU, we think that the UK may take a similar approach going forward.
Why did the EBA update the guidance?
The EBA found that previous guidance wasn’t applied equally across all member states, which opens them up to money laundering and terrorist financing risks. The EBA outlines the examples below in its draft guidance:
Senior management in some areas has been treating AML/CFT issues as a low priority, which has meant that too few sufficiently qualified staff have been hired and that their function is not seen as a priority.
There is a lack of risk management systems and controls amongst credit institutions.
Within banks, there is no legal requirement in some member states to appoint an AML/CFT compliance officer at a senior level, and therefore there is a lack of interaction with senior management.
There are several key components to the draft guidance which I have summarised below:
The draft guidelines specify the duties and tasks for the management body in relation to their ML and CFT framework. They must have full oversight of all requirements within the prevention of ML and TF, by overseeing internal control frameworks and internal governance. Individuals must have adequate knowledge and experience in order to understand the firm’s ML and TF exposure and the related risks in their operating sector. They must perform business-wide ML/TF risk assessments, oversee the implementation of AML/CFT policy, review (at a minimum) an annual report on any exposures to higher ML/TF risks, and ensure that the AML/CFT compliance officer has sufficient resources allocated to them.
The EBA believes that this higher-level involvement from senior management only serves to strengthen the prevention of ML/TF risks.
The guidance outlines that a member of the management body must be appointed as responsible for AML/CFT and outlines their responsibilities. This member must be the point of contact for the AML/CFT compliance officer. Amongst others, this individual must have sufficient AML/CFT knowledge and demonstrable experience in this field. They must know and understand the financial sector applicable to their firm and understand the ML and TF risks posed. Where there is no management body, a senior manager must be appointed to fulfil the same role.
The member of the management board or senior manager must ensure that AML/CFT policies and procedures are adequate and proportionate to the business and financial sector in which the firm operates. They should identify whether or not a specific AML/CFT unit, including an AML/CFT compliance officer, is needed, and document and present their findings to the management body. They must ensure that the management body (where applicable) is aware of ML/TF risks and the impact of these on the business. They must also ensure that the management board receives periodic and timely information on any interaction with the national competent authority and FIU. The member should be able to make recommendations to the management board and implement these should they be approved, and they should be the main point of contact for the AML/CFT Compliance Officer.
If deemed necessary, an AML/CFT Compliance Officer should be appointed. This is to ensure that there is sufficient interaction between the officer and the management body, bridging the gap previously outlined by the EBA as a concern. They must have sufficient time and resources to carry out this role and report back to the management body on a regular basis. They should have sufficient seniority, and it may be decided that this role needs to be the sole role of an employee rather than added to an existing position. This individual should have the autonomy to propose necessary changes on their own initiative in order to strengthen AML/CFT measures. They should have access to all resources relevant for them to undertake their role and have an independent reporting line to the management body (if one exists).
Where it is decided that an AML/CFT compliance officer is not required, the firm should ensure that the tasks designated to this individual as outlined in the draft guidance are carried out by the member of the management board or the senior manager who is responsible for AML/CFT compliance.
Where a firm is part of a larger group, a group AML/CFT compliance officer should be appointed within the parent company. This is to ensure that group-wide AML and CFT policies are in place and are effective. Establishing this role allows for better communication, ensuring that any shortcomings in any part of the group are identified and corrected (as applicable) across the entire group.
Competent authorities should be able to request information and documentation to review the AML/CFT compliance function and determine the effectiveness of a firm’s AML/CFT controls.
What is the current approach in the UK?
In the UK, firms authorised and regulated by the FCA must appoint an MLRO. The Senior Managers and Certification Regime (SM&CR) defines the MLRO as a senior management function (SMF17), and the individual must be pre-approved by the FCA before performing the role.
The FCA requires firms to appoint an MLRO who will have responsibility for the oversight of its compliance with the rules on systems and controls against money laundering. A firm must ensure the MLRO has authority, independence, and access to resources to be able to perform that role.
The MLRO will have oversight of AML/CFT systems and controls and monitor the effectiveness of AML/CFT policy and procedures. They will provide an annual report on the firm’s compliance with its AML/CFT obligations and ensure they remain up to date on relevant legislation and regulation. The MLRO will raise awareness of developing ML/TF typologies and ensure they have oversight of staff training with respect to AML/CFT.
An MLRO already performs many of the functions outlined in the EBA draft guidance. However, the EBA guidance looks more closely at management-level roles and responsibilities and at ensuring that the compliance manager has the relevant resources they require to carry out their role. With this in mind, we expect that the FCA will also review and revise their AML/CFT compliance officer and management requirements in the near future. But for now, we will follow the consultation process put forward by the EBA and await any updates from the FCA in due course.
If you would like to read the EBA consultation it can be found here
Acronyms we’ve used
EBA - European Banking Authority
ML - Money Laundering
TF - Terrorist Financing
AML - Anti Money Laundering
CFT - Combatting the Financing of Terrorism