There has been a requirement to have a person responsible for directing and coordinating a firm’s systems and controls in relation to AML since the 1990’s. This person came to be known as the Money Laundering Reporting Officer. The 4th EU Money Laundering Directive in 2015 required institutions to appoint a member of the management body who is ultimately responsible for the implementation of law and regulation to comply with the AML/CFT requirements.
On 14th June, the European Banking Authority published guidelines on the roles and responsibilities of the Management Body in the AML/CTF framework and the appointed AML/CTF compliance officer. The intention is that there should be a common understanding of the competencies required to undertake such roles. Each competent authority has to confirm that they are going to comply with these guidelines.
It is intended that these guidelines will become effective from 1/12/22. Whilst these guidelines are applicable to EU entities only, they replicate many of the requirements of the UK Senior Manager regime.
The guidance clearly specifies what the management body need to consider as part of their responsibilities. The paper proposes that the management body are responsible for the appropriate and effective structure to comply with the AML/CTF strategy and in particular the human and technical resources allocated to accomplish the strategy. This clearly places the onus on the management body as the responsible entity and where there are failures in the AML/CTF systems and controls, they will be held accountable, which is consistent with the UK Senior Manager requirements.
The guidance is quite specific as to the information that needs to be provided to the management body to ensure that they are informed of the risks and includes; being informed of the results of the AML/CTF business risk assessment; ensure that AML/CTF policies are implemented effectively and take action to address any shortcomings; obtain regular information especially on activities that may expose the firm to increased ML/TF risks and at least annually review the activity report of the AML/CTF compliance officer.
The management body need to appoint someone who is responsible for ensuring that the institution complies with the Money Laundering Regulations, however the guidance stipulates that the person must have the necessary knowledge skill and experience to be able to do so. The person must also have a good understanding of the institution’s business model and the AML/CTF risks that the firm is exposed to.
In respect of the appointment of the AML/CTF compliance officer (MLRO), the management body should take into account the scale and complexity of the firm and its risk exposure to AML/CTF. The MLRO should be appointed at management level. This is an indication that often the MLRO was not a senior role in the organisation and consequently did not have sufficient authority.
The guidance details that the MLRO should be part of the 2nd line of defence and independent of the business. THE MLRO cannot be subordinate to those that are operating the business and details suitability skills and experience that an MLRO must possess. The firm should have produced internal procedures that have been established to permit the MLRO to have unrestricted access to all information necessary to undertake their role, which should be clearly defined and documented.
The guidance lists the tasks that the MLRO is expected to undertake and includes; development of a risk assessment framework; development of policies and procedures; being consulted on dealing with high-risk customers; monitoring compliance with policies; reporting to the management body; reporting suspicious activity; training and awareness.
The guidance also covers the role of parent or group functions and requires that a member of the parent management body be designated as the group AM/CTF officer. The group AML/CTF officer is responsible for the coordination of the Group risk assessment, defining group standards, policies and procedures, coordination of AML/CTF activities; production of an annual report. Specific mention is made to being able to share information with the group, especially in relation to suspicious activity reports.
The guidance seeks to provide a more precise definition of roles, responsibilities and accountabilities of those involved in managing the risks of financial crime. If adopted by the relevant competent authorities this will undoubtedly become the benchmark by which firms will be assessed.
Gracechurch has a number of specialists that can assist and develop your governance and target operating frameworks.
John Flynn
4 July 2022