Response to consultation on draft Guidelines on the role, tasks and responsibilities of AML/CFT compliance officers
1. Do you have any comments on the section ‘Subject matter, scope and definitions’?
Paragraph 9: The definition of the management body distinguishes between the management body in its supervisory function and the management body in its management function. We do not see a legal basis for making such a distinction. Directive (EU) 2015/849 mentions the management body only once, regarding sanctions (Art. 58 Paragraph 3). This reference underpins the ultimate responsibility of the management body for setting up an appropriate risk management and internal control system but does not assign operative management obligations to the management body. Irrespective of the overall responsibility of the management body or, as the case may be, the assigned member of the management body (Art. 46 Paragraph 4), the compliance officer (Art. 8 Paragraph 4) is responsible for compliance with the regulations on the prevention of money laundering and terrorist financing. Therefore, the distinction between supervisory and management function should be abandoned throughout the Draft Guidelines.
2. Do you have any comments on Guideline 4.1 ‘Role and responsibilities of the management body in the AML/CFT framework and of the senior manager responsible for AML/CFT’?
General: Directive (EU) 2015/849 makes only scarce references to the management body or the designated member of the management body. These references emphasize the ultimate responsibility for the implementation of the laws, regulations and administrative provisions necessary to comply with the Directive but do not allocate operational tasks and measures to meet this responsibility. Therefore, we doubt the EBA's mandate to impose such requirements in exhaustive detail. Apart from that, we consider the separation between the tasks and role of the management body (sections 4.1.2 and 4.1.3) and those of the designated member of the management body (section 4.1.6) redundant.
Paragraph 13 lit. d): It should be clarified that the assessment may be carried out by internal auditors or else by means of other in-house or external audits. Moreover, an annual risk-adequate review of segments of the AML/CFT compliance function should suffice provided that all segments undergo a review within a three-year cycle.
Paragraph 16 lit. b): As stated above, we believe that the management body does not bear management obligations for implementing the internal AML/CFT policies and procedures. In any case, it should be made clear that the direct performance of the mentioned tasks is incumbent upon the compliance officer. The development and updating of internal principles and procedures for the prevention of money laundering and terrorist financing, in particular work and organizational instructions and appropriate business- and customer-related protection systems, belong to the tasks of the compliance officer.
Paragraph 16 lit. e): The management body is not required to approve the service provider if operational functions or internal safeguards are outsourced. The referenced EIOPA guidelines on outsourcing to cloud service providers only require the management body to ensure that any decision to outsource critical or important operational functions or activities is based on a thorough risk assessment.
3. Do you have any comments on Guideline 4.2 ‘Role and responsibilities of the AML/CFT compliance officer’?
General: This section incorporates the term “AML/CFT compliance function” (Paragraph 36). The meaning remains unclear as Directive (EU) 2015/849 does not refer to an AML/CFT compliance function. Section 4.2.6 also implies that the outsourcing of the AML/CFT compliance function (Paragraph 73) and the outsourcing of tasks of the AML/CFT compliance officer function (Paragraph 75) are different issues. We do not share this understanding and request the EBA to refer only to terms which are defined and/or captured by Directive (EU) 2015/849.
Paragraph 35 lit. a): We strongly request the EBA to refrain from using the term key function holder when referring to the AML/CFT compliance officer. Key functions of obliged insurance undertakings are exhaustively defined in the sectoral legal framework.
Paragraph 52: While Directive (EU) 2015/849 does not stipulate a formal reporting requirement of the compliance officer towards the management body, we acknowledge that annual activity reports have emerged as a best practice procedure. However, the structure and content of these reports should be left to the discretion of obliged entities in consideration of the AML/CFT risks they are exposed to. In contrast, the level of detail, data and information set out in Paragraph 52 as minimal content of activity reports is excessive and inappropriate. Given the absence of any regulation on reporting in Directive (EU) 2015/849 that would be subject to interpretation, we believe that Paragraph 52 is crossing the legal boundaries of the EBA's mandate pursuant to Article 16 of Regulation (EU) No 1093/2010.
Paragraph 57: The obligation to inform the staff about the ML/TF risks to which the financial sector operator is exposed should, for reasons of clarity, be limited to “relevant staff” to be in line with the distinction in Paragraphs 59 and 60 (“relevant staff”) and 64 (“relevant employees”). The requirement of the compliance officer to further contribute to promoting the adoption of the right ethical approach within the financial sector operator should be abandoned given its lack of clarity.
Paragraphs 59 and 64: We welcome that the training requirement is limited to staff concerned by ML/TF risk.
Paragraph 60: We request to clarify the EBA reference to independent agents which should be included in the AML/CFT training program.
Paragraph 70: We request to reconsider the incorporation of guidelines for the activities of the internal audit function which is supposedly not captured by this consultation paper.
Paragraphs 71 and 72: The compliance officer reports to the designated member of the management body. We see neither a reason nor a benefit in requiring cooperation with the risk management function, especially as for the insurance sector the risk management function and the compliance function are separated.
Paragraph 74: It should be clarified that the function of the compliance officer itself can also be outsourced to a service provider. Apart from that, we question the legal foundation for the list of operational functions set out in lit. a)-h) that should not be subject to outsourcing. For instance, Directive (EU) 2015/849 does not prohibit delegating the fulfillment of reporting obligations to a third party.
Paragraph 75 lit. b): We do not see a legal requirement to demand a justification of an outsourcing decision.
Paragraph 76 lit. a): We question the rationale and justification for establishing an inventory of cases of intra-group AML/CFT outsourcing.