EBA Guidelines: Compliance Management & the Role and Responsibilities of the AML/CTF Compliance Officer

In June 2022, the European Banking Authority (“EBA”) has issued its guidelines on policies and procedures in relation to compliance management and the role and responsibilities of the anti-money laundering/counterterrorism financing Compliance Officer under Article 8 and Chapter VI of Directive (EU) 2015/849 (“Guidelines”), which will enter into force on 1 December 2022.

The Guidelines aim at providing certain clarity on Article 8(4) of Directive (EU) 2015/849 of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (commonly known as the Fourth Anti-Money Laundering Directive) (the “Directive”), which requires obliged entities (within the meaning of the Directive, i.e. credit institutions, financial institutions and other professionals) to develop “internal policies, controls and procedures, including […], where appropriate with regard to the size and nature of the business, the appointment of a compliance officer at management level […].”

The European Commission as well as the European Supervisory Authorities (the “ESAs”) have found in numerous reports that, despite the text not being new (although the Directive has been subsequently modified since its publication, in particular, by Directive 2018/843 of 30 May 2018 (the Fifth Anti-Money Laundering Directive), the said provision has never been amended since its publication in 2015), many institutions do not comply with their obligations under Article 8(4) of the Directive and that the Directive has been implemented unevenly across different sectors and Member States.

By issuing the Guidelines, the EBA aims to achieve a common understanding, by the national competent authorities and credit or financial institutions, of the role of (i) the anti-money laundering/counterterrorism financing (“AML/CTF”) compliance officer and (ii) the management body with regard to AML/CTF (or the senior manager where no management body exists).

Proportionality criteria and the level of AML/CTF requirements

The Guidelines set forth that credit and financial institutions are required to appoint a member of the management body responsible for AML/CTF as well as an AML/CTF compliance officer (unless the appointment of the latter would not be justified in terms of proportionality with regard to among other things on the institution’s business and the associated money laundering and terrorism financing (“ML/TF”) risks).

By application of the proportionality criteria, four different degrees of AML/CTF requirements applicable to credit and financial institutions can be identified:

1. In the situation where the institution encounters only very low ML/TF risks, it may choose to appoint no AML/CTF compliance officer, but only a member of management in charge of AML/CTF. In this scenario, the latter must carry out all tasks which would usually be accomplished by the AML/CTF compliance officer.
2. The institution may choose to appoint an AML/CTF compliance officer on a part-time basis. Should this function be occupied by an employee of the institution, conflicts of interest must be avoided, i.e. the employee must be independent from business lines or units he/she controls and the AML/CTF compliance officer cannot be subordinate to a person who has responsibility for managing any of those business lines or units.
3. Should the institution consider that a part-time AML/CTF compliance officer does not suffice to confront the ML/TF risks of the institution, an AML/CTF compliance officer should be appointed on a full-time basis.
4. In addition to the AML/CTF management member and the AML/CTF compliance officer, the institution may be required to create an AML/CTF compliance unit consisting of employees acting under the direction and supervision of the AML/CTF compliance officer.

It may be worth mentioning that it is possible to outsource the AML/CTF compliance officer function, but it should be ensured that such arrangement is in compliance with the ESAs’ guidelines on outsourcing and on internal governance (e.g. the EBA Guidelines on outsourcing arrangements (EBA/GL/2019/02)).

The role and responsibilities of the management body

The Guidelines differentiate between (i) the management body in its supervisory function (acting in its role of overseeing and monitoring management decision-making) and (ii) the management body in its management function (acting in its role of day-to-day management of the institution).

• In its supervisory function, the tasks of the management body include inter alia the monitoring of the extent to which the AML/CTF policies and procedures are adequate and effective, as well as the assessment of the effective functioning of the AML/CTF compliance function.
• The management body in its executive function ensures, among other things, the implementation of internal AML/CTF policies and procedures, and the adequate, timely and sufficiently detailed AML/CTF reporting to the competent authority. Moreover, it must make sure that the AML/CTF compliance function has sufficient authority and (human and technical) resources to carry out its duties.

As already mentioned above, the management body appoints among its members one person ensuring the execution of the said tasks. This person is also the main contact point to the management body for the AML/CTF compliance officer.

The role and responsibilities of the AML/CTF compliance officer

While AML/CTF compliance and general compliance are two different functions within the institution, they are both situated in the second line of defence and can be carried out by the same person (subject to certain conditions). In contrast, the AML/CTF compliance function is not compatible with the independent audit function referred to in Article 8(4)(b) of the Directive.

The tasks and responsibilities of the AML/CTF compliance officer, which must be clearly defined and documented, mainly consist of:

• the development of the risk assessment framework (business-wide and individual risk assessment);
• the development of AML/CTF policies and procedures, including keeping them up to date and ensuring that they are implemented effectively on an ongoing basis;
• advising the senior management on the onboarding of high-risk customers;
• monitoring the institution’s compliance with legal requirements, including overseeing the effective application of AML/CTF controls applied by business lines and internal units (overseeing the first line of defence);
• reporting to the management body on, inter alia, ML/TF risk assessments, AML/CTF measures and policies as well as whether the resources of the AML/CTF compliance function suffice to carry out its tasks properly;
• reporting of suspicious transactions to the financial intelligence unit; and
• training the institution’s staff on ML/TF risks and on internal countermeasures.

Overall, the Guidelines often overlap with existing regulations and administrative practices – one example being the function of the money-laundering reporting officer (MLRO) conflicting with the tasks to be accomplished by the AML/CTF compliance officer. This is not surprising considering that they refer to a Directive released in 2015. For this reason, the Luxembourg financial regulator, the Commission de Surveillance du Secteur Financier (CSSF), has announced in its Communiqué of 20 July 2022 that it will analyse the impact of the Guidelines on different regulatory texts currently in place.

Cover picture: Copyright © Adobe Stock/wladimir1804