The Central Bank of Ireland (CBI) has been consistent in reinforcing the importance of the compliance function in regulated entities, and particularly so in the context of credit institutions and payments firms where the AML/CFT risk is elevated.
Earlier this year (April 2022), in the context of its fitness and probity regime, the CBI designated a compliance officer role with specific responsibility for AML/CFT. In June 2021, the CBI published a revised set of Anti-Money Laundering and Countering the Financing of Terrorism Guidelines for the Financial Sector to assist credit and financial institutions in understanding their AML/CFT obligations under Part 4 of the Criminal Justice (Money Laundering and Terrorist Financing) Act 2010. The Guidelines were preceded by a “Dear CEO Letter” in December 2020 which provided an overview of findings identified by the CBI as a result of supervisory engagements with designated persons who are required to register with the CBI under the AML/CFT regime.
In the period 2017 to date, the CBI has imposed fines of approximately EUR7.2m on regulated entities for breaches of AML requirements, which further demonstrates the continuing focus of the CBI on firms’ compliance with their AML/CFT requirements.
In recognition of the enduring degree of risk of AML/CFT within the financial system across the region (and also globally), the EU has continued to enhance the regulatory framework which is designed to limit the opportunities for bad actors to utilise the financial system for AML/CFT-related activities[1].
In view of the importance of compliance with AML/CFT requirements within the banking sector, the European Banking Authority (EBA) has published guidelines which detail the role and responsibilities of the AML/CFT officer[2]. The Guidelines are principally rooted in the requirements of Articles 8(4) and 46(4) of EU Directive 2015/849[3] (AMLD4).
The EBA believes that the Guidelines are necessary on the basis that it had become aware of a number of reports that suggest that the requirements set out in AMLD4 “have been implemented unevenly across different sectors and Member States, and that they are not always applied effectively.”[4] The EBA expects that the Guidelines will create a common understanding by competent authorities (in Ireland, the CBI) and financial institutions of the required governance arrangements, and will lead to a more consistent application of, and enforcement of, the legislative requirements relating to AML/CFT.
The Guidelines seek to focus on three main areas: (i) the role of the management body, (ii) the role of the compliance officer, and (iii) the compliance function at group level.
Role and responsibilities of the management body in the AML/CFT framework
When selecting a member of the management body to be responsible for AML, Guideline 4.1 states that certain criteria should be fulfilled such as sufficient knowledge, skill and experience in AML and the implementation of AML policies, along with sufficient time and resources to carry out their duties.
If there is no management body in place within the particular institution, a senior manager should be appointed. Such persons should ensure that the management body or senior management is aware of the impact of AML risks, that the internal AML policies are adequate and proportionate and that there is periodical reporting to the management board on the activities of the compliance officer. They should also inform the management board of any serious AML concerns and/or breaches and recommend remedies.
The management body itself should ensure that it is informed of the outcome of a business wide risk-assessment and monitor the adequacy and effectiveness of AML policies.
The roles and responsibilities of the AML/CFT compliance officer
When deciding whether to appoint an AML compliance officer, the Guidelines advise firms to take into account the scale and complexity of their operations. If a firm decides not to appoint a compliance officer, it should document the reasons for not doing so and refer to the nature of its business, its size and its legal form.
A compliance officer must have sufficient skills, time, resources, reputation and understanding of AML policies to perform their duties. A compliance officer must also have sufficient authority to propose the necessary and appropriate measures to ensure compliance with AML obligations and be independent from the business lines they control. The firm should also ensure that the compliance officer has unrestricted access to all relevant information and can report directly to the management body when necessary.
The Guidelines also set out (in Guideline 4.2) the responsibilities of an AML compliance officer which include:
- developing and maintaining a risk assessment framework;
- ensuring that adequate AML policies are put in place, kept up to date and implemented effectively on an ongoing basis;
- advising senior management before a final decision is taken on engaging new high-risk customers;
- monitoring AML policies and procedures for compliance with obligations;
- advising the management body on measures to be taken;
- producing an annual activity report;
- reporting suspicious transactions to the national Financial Intelligence Unit; and
- overseeing internal AML training and awareness raising.
Organisation of the AML/CFT compliance function at group level
If a parent company in a group of companies is a credit or financial institution, its management should ensure that the group entities perform their AML risk assessments in a coordinated way, while taking into account their individual risks.
Guideline 4.3 advises that parent companies appoint a member of their management body to be responsible for AML at that level, as well as a group AML compliance officer to oversee compliance at group level.
The responsibilities of the group compliance officer should include:
- coordinating a business-wide assessment of the AML risks of group entities at local level;
- drafting a group-wide AML risk assessment;
- defining group-level AML standards that also ensure compliance with local legislation and regulation;
- coordinating the work of local AML compliance officers of a branch or subsidiary to ensure a consistent approach across the group; and
- producing an annual activity report for management.
The Guidelines are directed at “credit or financial institutions” (as defined in AMLD4[5]) which in effect encompasses all entities which are regulated by the CBI, including banks, payment firms, investment firms, insurers, brokers etc. where AML/CFT risks are prevalent. Regulated entities can take valuable learnings from the EBA Guidelines and are likely to find them to be of assistance when seeking to strengthen their own AML/CFT frameworks and their approach to compliance.
The Guidelines apply from 1 December 2022, and competent authorities and financial institutions are required to “make every effort to comply with the guidelines”. National authorities are expected to inform the EBA whether they comply with the guidelines or to adequately explain reasons for non-compliance.