15 July 2022

EBA - new compliance management guidelines for credit and financial institutions

The European Banking Authority (EBA) has published new guidelines on compliance management policies and procedures. The guidelines affect the roles and responsibilities of management bodies, the AML/CFT compliance officer, and the organisation of the compliance function at group level. Credit or financial institutions must implement them in their policies and procedures as of 1 December 2022. The new guidelines complement guidelines issued by the European Supervisory Authorities (ESA) on wider governance arrangements and suitability checks.

Guidance on role of AML compliance

In 2017, in its supranational risk assessment, the European Commission asked the ESA to develop guidance clarifying the role of AML/CFT compliance officers in credit or financial institutions. These EBA guidelines aim to achieve consistency across EU member states and to strengthen the AML/CFT role. The guidelines complement other ESA guidelines on wider governance arrangements and suitability checks, such as the joint EBA and ESMA guidelines on the assessment of the suitability of members of the management body and key function holders. The EBA decided not to comment on future developments, such as the European Commission's AML package (published on 20 July 2021), which is under consultation.

New responsibilities for management body

The management body is collectively responsible for setting, approving and overseeing the overall AML/CFT strategy, its implementation, and the internal governance and internal control framework that ensure compliance with the AML/CFT requirements. In its supervisory function, the management body must have access to data and information of sufficient detail and quality to enable it to discharge its AML/CFT functions effectively.

The management body must also designate one of its own members as responsible for AML/CFT (the AML Board Member). This member must have sufficient knowledge, skills and experience regarding ML/TF risks and the implementation of AML/CFT policies, controls and procedures, together with a good understanding of the credit or financial institution's business model and the sector in which it operates. The AML Board Member must be aware of the impact of ML/TF risks on the institution's business-wide risk profile and must regularly inform the management body in its supervisory function about how ML/TF risks are being mitigated and effectively managed.

The AML Board Member is the main contact for the AML/CFT compliance officer (Compliance Officer). In the event of a significant incident, the Compliance Officer should have direct access to the management body in its supervisory function.

AML/CFT compliance officer

A Compliance Officer must perform the function effectively, independently and autonomously, dedicate sufficient time to the necessary tasks, and have enough resources to perform AML/CFT duties, including a dedicated AML/CFT unit to assist the Compliance Officer. The Compliance Officer must have the authority to propose to the management body, in both its supervisory and its management function, all measures necessary or appropriate to ensure the compliance and effectiveness of the internal AML/CFT measures.

The Compliance Officer should recommend corrective measures to the management body. These measures should be based on weaknesses identified by internal or external auditors. The independent AML/CFT audit function may not be combined with the function of Compliance Officer.

At least once a year, the Compliance Officer must prepare a detailed activity report. This report must include a progress report with information on ML/TF risks and a statement on whether the human and technical resources allocated to the AML/CFT compliance function are sufficient.

The head of risk management and the Compliance Officer must exchange information for the purpose of setting AML/CFT methodologies that are coherent with the risk management strategy.

In addition to developing and implementing compliance education and training, the Compliance Officer should assess the specific training needs within the credit or financial institution and ensure that adequate theoretical and practical education is provided.

What's needed at the group level

A group Compliance Officer is required at group level and must be appointed by the parent credit or financial institution. The group Compliance Officer should cooperate fully with the local Compliance Officers, who are appointed at the local management level. A local Compliance Officer may act for several entities if those entities belong to the same group. Each local Compliance Officer should have a direct reporting line to the group Compliance Officer. The group Compliance Officer must present an activity report, at least yearly, to the group management body.