Understanding the role of money laundering compliance under the Fourth Directive
The Fourth EU Directive on money laundering (4AMLD) requires that credit or financial institutions have an AML / CFT compliance officer at a management level, and appoint a management body responsible for the implementation of AML law, regulations and administrative provisions necessary for compliance.
However, until now there were no details or guidelines as to how this should be accomplished. In June 2022, the European Banking Authority (EBA) published a final report setting out clear expectations of the role, tasks and responsibilities of the AML compliance officer and management body.
EU competent authorities have until 1 December 2022 to report compliance with the new guidelines from the EBA.
Why harmonise AML compliance?
The EBA and European authorities had raised concerns that financial institutions had given low priority to AML issues, particularly when paired with a corporate culture that pursued profits at the expense of robust compliance. This includes senior management not adequately resourcing AML areas or not hiring suitably qualified compliance staff.
A 2019 report from the European Commission found many credit institutions had not established adequate risk management systems and controls, and had deficiencies in their internal reporting, group policies and senior management responsibilities and accountability.
An additional risk was that in some EU Member States there was no regulatory requirement for financial institutions to appoint an AML compliance officer senior enough to report to their management body. The EBA also noted last year that a sizable proportion of national authorities still found that some business controls remained poor, with existing deficiencies in the AML process.
Therefore, the EBA decided it was important to standardise the roles and responsibilities of AML compliance officers and the management body, and to apply and enforce those roles consistently throughout the European Union to ensure sound and effective AML systems and controls.
What are the AML guidelines for management bodies?
Management bodies of credit or financial institutions should be responsible for approving the institution’s overall AML / CFT strategy and for overseeing its implementation. This means the management body must collectively possess adequate knowledge, skills and experience to understand the money laundering risks for the institution’s activities and business model. They must also have knowledge of the national legal and regulatory framework.
What does this mean in practice?
In its supervisory function, the management body must:
- Be informed of the results of the business-wide money laundering and terrorist financing risk assessment
- Oversee and monitor the extent to which AML procedures are adequate and effective
- Review the exposure areas and take action
- At least once a year, review the activity report of the AML compliance officer and obtain interim reports more frequently for higher risk activities
- At least once a year, assess the effective functioning of the compliance function, including through audits
In terms of the information the management body is required to have access to, this will include timely and direct access to the activity report of the AML compliance officer, the report of the internal audit function, the findings and observations of external auditors, findings of the competent authority, and relevant communications with the FIU.
How to ensure management body compliance?
- Undertake a needs analysis of the management body
- Map the flows of information and reporting structures to the management body
- Identify any gaps in knowledge, skills, or reporting
- Roll out a senior management training programme on money laundering
- Standardise training for all new members of the management body at induction
- Implement a systematic reporting process to ensure the management body has oversight
What are the AML guidelines for compliance officers?
The AML compliance officer should be appointed at a management level. They must have sufficient authority to propose, on their own initiative, all necessary or appropriate measures to ensure the compliance and effectiveness of the internal AML measures to the management body.
A compliance officer can be full time, part time, or outsourced, but the management body must identify all possible conflicts of interests and take steps to manage these. The management body must ensure the compliance officer can devote sufficient time to the functions.
The AML compliance officer should make themselves available to the competent authority on request, and should generally work in the country where the institution is established.
The compliance officer should:
- Be able to delegate tasks to other employees
- Be independent from the business lines or units they control
- Not be subordinate to a person who has responsibility for managing any of those business lines or units
- Have, at all times, unrestricted and direct access to all necessary information
- Decide alone which information they need access to
- Be able to report to, and have direct access to, the management body
Who should appoint an AML compliance officer?
Unless the credit or financial institution is a sole trader or has a very limited number of employees, a compliance officer should be appointed. Even when not appointed, the tasks and roles of a compliance officer should be handled by the management body or a senior manager, or outsourced.
Who should be an AML compliance officer?
A compliance officer must have suitability, skills and expertise. The compliance officer must possess:
- Reputation, honesty and integrity to perform their function
- Appropriate AML skills and expertise
- Knowledge of the applicable legal and regulatory framework and the implementation of policies, controls and procedures
- Sufficient knowledge and understanding of the money laundering and terrorist financing risks associated with the business model
- Relevant experience regarding identification, assessment and management of these risks
- Sufficient time and seniority to perform their functions independently and autonomously
What are the tasks and roles of the AML compliance officer?
The AML compliance officer’s tasks and roles should be clearly documented. They include:
- Development of a risk assessment framework
- Development of policies and procedures
- Onboarding customers, including high risk customers
- Monitoring compliance
- Reporting to the management body
- Reporting suspicious transactions
- Training and awareness
The role of AML compliance officer is a significant responsibility and must be adequately resourced by the institution. The compliance officer should be consulted frequently, including at the launch of new products or services, the development of new markets, and the onboarding of high-risk customers.