Single Rulebook Q&A

Question ID: 2018_3956
Legal act : Directive 2013/36/EU as amended by Directive (EU) 2019/878 – CRD5
Topic : Internal governance
Article: 88
Paragraph:
Subparagraph:
COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2017/11 - Guidelines on internal governance
Article/Paragraph : 187
Type of submitter: Individual
Subject matter : Compliance Function and Anti-Money Laundering tasks, Data Protection Officer or FATCA&CRS Responsible Officer, and Fraud Management
Question:

Is it in line with a) EBA/GL/2017/11 (Guidelines on internal governance) under Directive 2013/36/EU and b) with monitoring/advisory nature of the Compliance Function as a second line of defense, that the Compliance function in a Credit Institution is the main responsible for:

  1. establishing and maintaining compliance with anti-money laundering (AML) regulatory requirements?
  1. achieving and establishing compliance with personal data protection (GDPR) or FATCA&CRS (tax reporting) regulation?
  1. internal and external fraud prevention i.e. Fraud Management?
Background on the question:

AML regulation is just one of many regulations a Credit Institution has to be compliant with. A Credit Institution has to appoint an AML Officer/Unit, but within the first line of defense. The main responsibility of an AML Officer/Unit is to establish and maintain compliance with AML regulation. However, a set up where Compliance Function/Officer is at the same time primarily responsible for compliance with AML regulation is a clear example conflict of interest. If one is responsible for achieving compliance, this unit/person cannot at a same time act as a Compliance Function and control itself.

In many EU Credit Institutions AML Officers/Units and Compliance Functions are the same or joined within one department e.g. Compliance or Compliance & AML, which is seen [by the submitter] to be contrary to the IG Guidelines.

General Data Protection Regulation (GDPR) and FATCA&CRS regulation are just one of many regulations a Credit Institution has to be compliant with. A Credit Institution has to appoint a Data Protection Officer or FATCA&CRS Responsible Officer but this should be done within the 1st line of defense. The main responsibility of Data Protection Officer i.e. FATCA&CRS Responsible Officer is to establish and maintain compliance with GDPR i.e. FATCA&CRS regulation. However, a set up where Compliance Function/Officer is at the same time primarily responsible for compliance with GDPR or FATCA&CRS regulation could be seen to represent a conflict of interest. If one is responsible for achieving compliance, this unit/person cannot at a same time act as a Compliance Function and control itself.

A similar concern could be that in many EU Credit Institutions Data Protection Officers and FATCA&CRS Responsible Officers are often employees of departments in charge of Compliance Function.

Date of submission: 04/06/2018
Published as Final Q&A: 18/01/2019
EBA answer:

EBA/GL/2017/11 (Guidelines on internal governance) specify the internal governance, arrangements, processes and mechanisms foreseen under Article 74 of Directive 2013/36/EU (CRD), aimed at ensuring the sound management of risks across all three lines of defence and, in particular, set out detailed requirements for the second line of defence (the independent risk management and compliance function) and the third line of defence (the internal audit function).

With regards to ensuring compliance with AML regulatory requirements different functions of the institutions have different responsibilities. More particularly, the business lines, as the first line of defence, take risks and are responsible for their operational management directly and on a permanent basis. The compliance function as the second line of defence, including the head of compliance, should be independent of the business lines and internal units it controls and have sufficient authority, stature and resources.

According to paragraph 30 of the Background and Rationale section to the EBA/GL/2017/11 (Guidelines on internal governance) “the compliance function monitors compliance with legal and regulatory requirements and internal policies”. Moreover, paragraph 191 of the Guidelines sets out that banks should “set up a process to regularly assess changes in the law and regulations applicable to its activities” and it is the management body which has overall responsibility to “oversee the implementation of a well-documented compliance policy”.

Furthermore, paragraph 192 of the Guidelines sets out that “the compliance function should advise the management body on measures to be taken to ensure compliance with applicable laws, rules, regulations and standards”. This means that the compliance function has an advisory role to the management body’s mandate to ensure the compliance with the laws, rules, regulations and standards The compliance function should ensure that compliance monitoring is carried out through a structured and well-defined compliance-monitoring programme and that the compliance policy is observed.

In light of the above, each different function/line of defence has a specific role to play in ensuring compliance with the AML regulatory requirements. In this context, the compliance function as the second line of defense should carry out its responsibilities as set above for the assessment of compliance with all laws, rules, regulations and standards including compliance with AML as foreseen under Article 8 of Directive (EU) 2015/849 (AMLD), data protection, tax laws, fraud prevention and any other laws applicable to bank activities. Additionally the internal audit function as the third line of defence may have a saying on the way that the compliance function exercises its role. Finally, it should be mentioned that the management body should have the final saying on the matters in hand.

Status: Final Q&A
Permanent link: link