Response to consultation on draft Guidelines on the role, tasks and responsibilities AML/CFT compliance officers
Go back
We suggest clearly defining the scope of the guidelines, specifying to which obliged entities they are addressed. We also propose to replace the words “financial sector operators” with “credit and financial institution” in line with the terms used in Directive (EU) 2015/849 and in the EBA Guidelines on risk factors.
In line with the definitions proposed in the Section 2 of the Draft Guidelines and in the other ESAs guidelines on internal governance, we believe that the management body in its management function should be responsible for the implementation of the strategies set by the management body in its supervisory function to face and manage ML/TF risks.
In this respect, we would suggest clarifying that:
- the AML/CTF policies should be approved by the management body in its supervisory function;
- The AML/CTF procedures should be approved by the management body in its management function.
4.1.2 Role of the management body in its supervisory function in the AML/CTF framework
We note with approval that the paragraph 12 states that the management body in its supervisory function should be collectively responsible to ensure compliance with the applicable requirements under the AML/CTF framework.
This responsibility should also be reflected in the duties that should be assigned to the management body in its supervisory function. In addition, it should be made clear that the tasks concerning AML/CTF strategic guidelines and policies should be assigned to the management body in its supervisory function while the management body in its management function should be responsible for the implementation of the policies.
In this regard, we would suggest amending paragraph 13 as follows:
------
13. In addition to ESAs guidelines on internal governance, as applicable, a financial sector operator’s management body in its supervisory function should perform the following specific AML/CFT tasks:
a) being informed of the results of the business-wide ML/TF risk assessment;
b) overseeing the implementation of the AML/CFT policies (deleted the words “and procedures) and the extent to which these are adequate and effective in light of the ML/TF risks to which the financial sector operator is exposed and taking appropriate steps to ensure remedial measures are taken where necessary;
c) reviewing at least once a year the activity report of the AML/CFT compliance officer and obtaining interim updates more frequently for activities that expose financial sector operators to higher ML/TF risks;
d) assessing the effective functioning of the AML/CFT compliance function, at least once a year, by assessing, in particular, the adequacy of the human and technical resources allocated to the AML/CFT compliance officer;
e) approving the AML/CTF policies and any other strategic guidelines to prevent ML/TF risks; (new)
f) appointing the AML/CTF compliance officer. (new)"
----
The paragraph 14 should be amended to clarify that it only applies where the credit or financial institution has appointed a member of the management body responsible for AML/CFT. As explained in our comments to section 4.1.4, we strongly believe that the appointment of a member of the management body responsible for AML/CTF is not mandatory, especially if it is not required by national law. For that reason, we would suggest amending paragraph 14 as follows:
----
Where credit and financial institutions appoint a member of the management body responsible for AML/CTF (new), the management body in its supervisory function should ensure that the member of the management body mentioned in section 4.1.4 or the senior manager who is responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with the Directive (EU) 2015/849 mentioned in section 4.1.5:
[…]
----
4.1.4 Identification of the member of the management body responsible for AML/CFT
Assogestioni is concerned that the draft guidelines do not provide adequate flexibility in order to consider how Member States have implemented the Directive (EU) 2015/849.
The wording of paragraph 19 of the section “Background and rationale” and of paragraph 17 of the Draft Guidelines seems to assume that in all Member States the appointment of a member of the management body responsible for AML/CTF is mandatory. This is not always the case.
For example, the Italian regulatory framework establishes that the management body is collectively responsible for AML/CTF and there is no requirement for credit and financial institutions to appoint a member of the management body responsible for AML/CTF.
For that reason, there is a clear need to establish that all the guidelines referring to the member of the management body responsible for AML/CTF are applicable only to the extent permitted by national law.
We also note that the guidelines do not establish any proportionality criteria for the appointment of the member of the management body responsible for AML/CTF.
In this regard, we would like to remember that the article 46 (4) of Directive (EU) 2015/849 establishes that “Member States shall require that, where applicable, obliged entities identify the member of the management board who is responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with this Directive”
We would therefore suggest EBA to consider the words “where applicable” when defining its guidelines on the identification of the member of the management board who is responsible for AML/CTF. In our view, it is crucial that the guidelines ensure the application of Article 46 (4) of Directive (EU) 2015/849 in accordance with the principle of proportionality and with the regulatory framework applicable to the financial institutions.
In general, the regulatory framework for asset managers states that the management body is collectively responsible for ensuring compliance with all laws and regulations. (See article 60 of the Commission delegated Regulation (EU) n. 213/2013 of 19 December 2012 supplementing Directive 2011/61/EU of the European Parliament and of the Council with regard to exemptions, general operating conditions, depositaries, leverage, transparency and supervision and article 25 of Commission Delegated Regulation (EU) 2017/565 of 25 April 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive)
For that reason, we believe that the provision set out in article 46 (4) of Directive (EU) 2015/849 would not be consistent with the general approach of the asset management regulatory framework, even though the draft guidelines specify that the member of the management body responsible for AML/CTF is appointed without prejudice to the overall and collective responsibility of the management body.
4.1.6 Tasks and role of the member of the management body or senior manager responsible for AML/CFT
In connection with the remarks referred to the section 4.1.4., we believe that section 4.1.6. should be amended to take into account that not all financial institutions have appointed a member of the management body responsible for AML/CTF. We also believe that further flexibility is needed in accordance with paragraph 4 of the Executive summary of the draft guidelines. (“The provisions set out in these guidelines should be applied in a manner that is effective and proportionate to the financial sector operator’s type, size, internal organisation, the nature, scope and complexity of its activities, and the ML/TF risks to which the financial sector operator is exposed”)
In this regard, we would suggest:
- amending the paragraph 22 to delete the words “at least”;
- removing activities that overlap with those of the of management body in its supervisory function. For example, the paragraph 13 of the draft guidelines sets out that the management body in its supervisory function should “overseeing the implementation of the AML/CFT policies and procedures and the extent to which these are adequate and effective in light of the ML/TF risks to which the financial sector operator is exposed and taking appropriate steps to ensure remedial measures are taken where necessary” and the paragraph 22 (a) establishes that the member of the management body responsible for AML/CTF should ensure “that the AML/CFT policies, procedures and internal control measures are adequate and proportionate, taking into account the characteristics of the financial sector operator and the ML/TF risks to which the financial sector operator is exposed”.
- clarifying the relationship between the member referred to in section 4.1.4. and the overall management body. If the member of the management board is responsible for the implementation of the AML/CTF framework (paragraph 12), it is not clear why he/she should “ensure that the management body has taken the responsibility to implement the AML/CTF policies, procedures and internal control measures” (paragraph 22, letter b).
According to article 8(4)(a) of Directive 2015/849, we believe that paragraph 24 should establish that the AML/CTF compliance officer should be appointed at management level. For that reason, we would suggest amending paragraph 24 as follows:
---
24. The AML/CFT compliance officer as referred to in Article 8(4)(a) of Directive (EU) 2015/849 should be appointed at management level or (new) at a level which entails the powers to propose, on his/her own initiative, all necessary or appropriate measures to ensure the compliance and effectiveness of the internal AML/CFT measures to the management body in its supervisory and management function.
----
4.2.4 Tasks and role of the AML/CFT compliance officer
General remarks.
We note that the guidelines refer to the AML/CTF compliance officer and only in some cases to the AML/CTF compliance function. The section 4.2.4 assigns a detailed list of role and responsibilities directly to the AML/CTF compliance officer who, according to paragraph 29, “should be allowed to assign his/her tasks to other officers and employees acting under his/her direction and supervision, under the condition that ultimate responsibility for the effective fulfilment of those tasks remains with the AML/CFT compliance officer”.
This approach seems to be the exact opposite of the one used in the regulation of banking and financial institutions where duties and responsibilities are attributed to the compliance function which must also have a compliance officer.
In order to ensure consistency with sectorial regulations, we believe that the guidelines should focus on the AML/CTF compliance function specifying its tasks and responsibilities and establishing that an AML/CTF compliance officer responsible for the function shall be appointed.
For that reason, we would suggest replacing, where necessary, “AML/CTF compliance officer” whit “AML/CTF compliance function”.
In our view, the AML/CTF compliance function is an internal control function like the compliance and the risk management function. For that reason, it is crucial that the AML/CTF compliance function:
- has the same independence and hierarchical position as the other internal control functions;
- is organisationally separate from the activities they are assigned to monitor and control;
- reports directly to the management body in its supervisory functions and in its management function (and not via the member of the management body responsible for AML/CTF).
We believe that the guidelines should be amended to take these considerations into account, in order to ensure that the AML/CTF compliance function can adequately perform its role as “second line of defence”.
a. Development of a risk assessment.
We believe that in relation to the risk assessment it should be made clear that:
- the management body is responsible for the identification and assessment of risk referred in article 8(1) of Directive (EU) 2015/849;
- the AML/CTF compliance function is involved in the risk assessment together with the other internal functions.
For that reason, we suggest amending paragraph 39 to establish that, without prejudice of the overall and collective responsibility of the management body, the risk assessment referred to in Article 8 should be carried out by the AML/CTF function with the support of the other internal functions.
c. Customers, including high-risk customers
We disagree with paragraph 43. The responsibility for preparing policies to comply with the CDD requirements should not be a task of the AML/CTF compliance function but rather of the management body in its management function.
We also disagree with paragraph 44. As established in article 19 (c) and 20 (b) of Directive (EU) 2015/849 and paragraph 4.64 of the EBA revised Guidelines on ML/TF risks factors, only the senior management can approve a business relationship with new or existing high-risk customers. For that reason, it is crucial amending paragraph 44 to delete the words “unless the power to approve the establishment of such relationships is entrusted directly to the AML/CFT compliance officer”.
Section 4.3.3. sets out the tasks and activities of the Group AML/CTF compliance officer.
We believe that, in the same vein, the section should specify the suitability requirements for the role of the AML/CTF compliance officer of the branches as well as establish the tasks and responsibilities of the person employed in this role.
The branches of asset management companies often have simple structures and a very limited number of employees.
We understand that the asset management companies shall ensure that the branches comply with the national provisions of the Member States in which they are established. However, we would like to suggest rearranging and streamlining the role and responsibilities in section 4.2. to make them more appropriate for the AML/CTF compliance officers of the branches.
1. Do you have any comments on the section ‘Subject matter, scope and definitions’?
We note that the paragraph “Scope of application” states that “the guidelines apply to financial sector operators as defined in Article 4 (1a) of Regulation (EU) No 1093/2010”. The following paragraph “Addressees” sets out that the guidelines are “addressed to competent Authorities and to financial sector operators as defined in Article 4(1a) of Regulation (EU) No 1093/2010, which are credit and financial institutions as defined in Articles 3(1) and 3(2) of Directive (EU) 2015/849”.We suggest clearly defining the scope of the guidelines, specifying to which obliged entities they are addressed. We also propose to replace the words “financial sector operators” with “credit and financial institution” in line with the terms used in Directive (EU) 2015/849 and in the EBA Guidelines on risk factors.
2. Do you have any comments on Guideline 4.1 ‘Role and responsibilities of the management body in the AML/CFT framework and of the senior manager responsible for AML/CFT’?
4.1.1 Approval of the policies, controls and proceduresIn line with the definitions proposed in the Section 2 of the Draft Guidelines and in the other ESAs guidelines on internal governance, we believe that the management body in its management function should be responsible for the implementation of the strategies set by the management body in its supervisory function to face and manage ML/TF risks.
In this respect, we would suggest clarifying that:
- the AML/CTF policies should be approved by the management body in its supervisory function;
- The AML/CTF procedures should be approved by the management body in its management function.
4.1.2 Role of the management body in its supervisory function in the AML/CTF framework
We note with approval that the paragraph 12 states that the management body in its supervisory function should be collectively responsible to ensure compliance with the applicable requirements under the AML/CTF framework.
This responsibility should also be reflected in the duties that should be assigned to the management body in its supervisory function. In addition, it should be made clear that the tasks concerning AML/CTF strategic guidelines and policies should be assigned to the management body in its supervisory function while the management body in its management function should be responsible for the implementation of the policies.
In this regard, we would suggest amending paragraph 13 as follows:
------
13. In addition to ESAs guidelines on internal governance, as applicable, a financial sector operator’s management body in its supervisory function should perform the following specific AML/CFT tasks:
a) being informed of the results of the business-wide ML/TF risk assessment;
b) overseeing the implementation of the AML/CFT policies (deleted the words “and procedures) and the extent to which these are adequate and effective in light of the ML/TF risks to which the financial sector operator is exposed and taking appropriate steps to ensure remedial measures are taken where necessary;
c) reviewing at least once a year the activity report of the AML/CFT compliance officer and obtaining interim updates more frequently for activities that expose financial sector operators to higher ML/TF risks;
d) assessing the effective functioning of the AML/CFT compliance function, at least once a year, by assessing, in particular, the adequacy of the human and technical resources allocated to the AML/CFT compliance officer;
e) approving the AML/CTF policies and any other strategic guidelines to prevent ML/TF risks; (new)
f) appointing the AML/CTF compliance officer. (new)"
----
The paragraph 14 should be amended to clarify that it only applies where the credit or financial institution has appointed a member of the management body responsible for AML/CFT. As explained in our comments to section 4.1.4, we strongly believe that the appointment of a member of the management body responsible for AML/CTF is not mandatory, especially if it is not required by national law. For that reason, we would suggest amending paragraph 14 as follows:
----
Where credit and financial institutions appoint a member of the management body responsible for AML/CTF (new), the management body in its supervisory function should ensure that the member of the management body mentioned in section 4.1.4 or the senior manager who is responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with the Directive (EU) 2015/849 mentioned in section 4.1.5:
[…]
----
4.1.4 Identification of the member of the management body responsible for AML/CFT
Assogestioni is concerned that the draft guidelines do not provide adequate flexibility in order to consider how Member States have implemented the Directive (EU) 2015/849.
The wording of paragraph 19 of the section “Background and rationale” and of paragraph 17 of the Draft Guidelines seems to assume that in all Member States the appointment of a member of the management body responsible for AML/CTF is mandatory. This is not always the case.
For example, the Italian regulatory framework establishes that the management body is collectively responsible for AML/CTF and there is no requirement for credit and financial institutions to appoint a member of the management body responsible for AML/CTF.
For that reason, there is a clear need to establish that all the guidelines referring to the member of the management body responsible for AML/CTF are applicable only to the extent permitted by national law.
We also note that the guidelines do not establish any proportionality criteria for the appointment of the member of the management body responsible for AML/CTF.
In this regard, we would like to remember that the article 46 (4) of Directive (EU) 2015/849 establishes that “Member States shall require that, where applicable, obliged entities identify the member of the management board who is responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with this Directive”
We would therefore suggest EBA to consider the words “where applicable” when defining its guidelines on the identification of the member of the management board who is responsible for AML/CTF. In our view, it is crucial that the guidelines ensure the application of Article 46 (4) of Directive (EU) 2015/849 in accordance with the principle of proportionality and with the regulatory framework applicable to the financial institutions.
In general, the regulatory framework for asset managers states that the management body is collectively responsible for ensuring compliance with all laws and regulations. (See article 60 of the Commission delegated Regulation (EU) n. 213/2013 of 19 December 2012 supplementing Directive 2011/61/EU of the European Parliament and of the Council with regard to exemptions, general operating conditions, depositaries, leverage, transparency and supervision and article 25 of Commission Delegated Regulation (EU) 2017/565 of 25 April 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive)
For that reason, we believe that the provision set out in article 46 (4) of Directive (EU) 2015/849 would not be consistent with the general approach of the asset management regulatory framework, even though the draft guidelines specify that the member of the management body responsible for AML/CTF is appointed without prejudice to the overall and collective responsibility of the management body.
4.1.6 Tasks and role of the member of the management body or senior manager responsible for AML/CFT
In connection with the remarks referred to the section 4.1.4., we believe that section 4.1.6. should be amended to take into account that not all financial institutions have appointed a member of the management body responsible for AML/CTF. We also believe that further flexibility is needed in accordance with paragraph 4 of the Executive summary of the draft guidelines. (“The provisions set out in these guidelines should be applied in a manner that is effective and proportionate to the financial sector operator’s type, size, internal organisation, the nature, scope and complexity of its activities, and the ML/TF risks to which the financial sector operator is exposed”)
In this regard, we would suggest:
- amending the paragraph 22 to delete the words “at least”;
- removing activities that overlap with those of the of management body in its supervisory function. For example, the paragraph 13 of the draft guidelines sets out that the management body in its supervisory function should “overseeing the implementation of the AML/CFT policies and procedures and the extent to which these are adequate and effective in light of the ML/TF risks to which the financial sector operator is exposed and taking appropriate steps to ensure remedial measures are taken where necessary” and the paragraph 22 (a) establishes that the member of the management body responsible for AML/CTF should ensure “that the AML/CFT policies, procedures and internal control measures are adequate and proportionate, taking into account the characteristics of the financial sector operator and the ML/TF risks to which the financial sector operator is exposed”.
- clarifying the relationship between the member referred to in section 4.1.4. and the overall management body. If the member of the management board is responsible for the implementation of the AML/CTF framework (paragraph 12), it is not clear why he/she should “ensure that the management body has taken the responsibility to implement the AML/CTF policies, procedures and internal control measures” (paragraph 22, letter b).
3. Do you have any comments on Guideline 4.2 ‘Role and responsibilities of the AML/CFT compliance officer’?
4.2.1 Appointment of the AML/CFT compliance officerAccording to article 8(4)(a) of Directive 2015/849, we believe that paragraph 24 should establish that the AML/CTF compliance officer should be appointed at management level. For that reason, we would suggest amending paragraph 24 as follows:
---
24. The AML/CFT compliance officer as referred to in Article 8(4)(a) of Directive (EU) 2015/849 should be appointed at management level or (new) at a level which entails the powers to propose, on his/her own initiative, all necessary or appropriate measures to ensure the compliance and effectiveness of the internal AML/CFT measures to the management body in its supervisory and management function.
----
4.2.4 Tasks and role of the AML/CFT compliance officer
General remarks.
We note that the guidelines refer to the AML/CTF compliance officer and only in some cases to the AML/CTF compliance function. The section 4.2.4 assigns a detailed list of role and responsibilities directly to the AML/CTF compliance officer who, according to paragraph 29, “should be allowed to assign his/her tasks to other officers and employees acting under his/her direction and supervision, under the condition that ultimate responsibility for the effective fulfilment of those tasks remains with the AML/CFT compliance officer”.
This approach seems to be the exact opposite of the one used in the regulation of banking and financial institutions where duties and responsibilities are attributed to the compliance function which must also have a compliance officer.
In order to ensure consistency with sectorial regulations, we believe that the guidelines should focus on the AML/CTF compliance function specifying its tasks and responsibilities and establishing that an AML/CTF compliance officer responsible for the function shall be appointed.
For that reason, we would suggest replacing, where necessary, “AML/CTF compliance officer” whit “AML/CTF compliance function”.
In our view, the AML/CTF compliance function is an internal control function like the compliance and the risk management function. For that reason, it is crucial that the AML/CTF compliance function:
- has the same independence and hierarchical position as the other internal control functions;
- is organisationally separate from the activities they are assigned to monitor and control;
- reports directly to the management body in its supervisory functions and in its management function (and not via the member of the management body responsible for AML/CTF).
We believe that the guidelines should be amended to take these considerations into account, in order to ensure that the AML/CTF compliance function can adequately perform its role as “second line of defence”.
a. Development of a risk assessment.
We believe that in relation to the risk assessment it should be made clear that:
- the management body is responsible for the identification and assessment of risk referred in article 8(1) of Directive (EU) 2015/849;
- the AML/CTF compliance function is involved in the risk assessment together with the other internal functions.
For that reason, we suggest amending paragraph 39 to establish that, without prejudice of the overall and collective responsibility of the management body, the risk assessment referred to in Article 8 should be carried out by the AML/CTF function with the support of the other internal functions.
c. Customers, including high-risk customers
We disagree with paragraph 43. The responsibility for preparing policies to comply with the CDD requirements should not be a task of the AML/CTF compliance function but rather of the management body in its management function.
We also disagree with paragraph 44. As established in article 19 (c) and 20 (b) of Directive (EU) 2015/849 and paragraph 4.64 of the EBA revised Guidelines on ML/TF risks factors, only the senior management can approve a business relationship with new or existing high-risk customers. For that reason, it is crucial amending paragraph 44 to delete the words “unless the power to approve the establishment of such relationships is entrusted directly to the AML/CFT compliance officer”.
4. Do you have any comments on Guideline 4.3 ‘Organisation of the AML/CFT compliance function at group level’?
4.3.3. Organisational requirements at group levelSection 4.3.3. sets out the tasks and activities of the Group AML/CTF compliance officer.
We believe that, in the same vein, the section should specify the suitability requirements for the role of the AML/CTF compliance officer of the branches as well as establish the tasks and responsibilities of the person employed in this role.
The branches of asset management companies often have simple structures and a very limited number of employees.
We understand that the asset management companies shall ensure that the branches comply with the national provisions of the Member States in which they are established. However, we would like to suggest rearranging and streamlining the role and responsibilities in section 4.2. to make them more appropriate for the AML/CTF compliance officers of the branches.