AML/CFT Compliance Officer

EBA-Guidelines on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT Compliance Officer under Article 8 and Chapter VI of Directive (EU) 2015/849 – EBA/GL/2022/05

1. Guidelines

1.1 The role and responsibilities of the management body in the AML/CFT framework and of the senior manager responsible for AML/CFT

1. The management body should be responsible for approving the credit or financial institution’s overall AML/CFT strategy and for overseeing its implementation. To this end, it should collectively possess adequate knowledge, skills and experience to be able to understand the ML/TF risks related to the credit or financial institution’s activities and business model, including the knowledge of the national legal and regulatory framework relating to the prevention of ML/TF.

1.1.1 The role of the management body in its supervisory function in the AML/CFT framework

2. The management body in its supervisory function should be responsible for overseeing and monitoring the implementation of the internal governance and internal control framework to ensure compliance with applicable requirements in the context of the prevention of money laundering and terrorism financing (ML/TF).

3. In addition to the provisions set out in the ESAs’ guidelines on internal governance, as applicable, a credit or financial institution’s management body in its supervisory function should:

a) be informed of the results of the business-wide ML/TF risk assessment;

b) oversee and monitor the extent to which the AML/CFT policies and procedures are adequate and effective in light of the ML/TF risks to which the credit or financial institution is exposed and take appropriate steps to ensure remedial measures are taken where necessary;

c) at least once a year, review the activity report of the AML/CFT compliance officer and obtain interim updates more frequently for activities that expose the credit or financial institution to higher ML/TF risks;

d) at least once a year, assess the effective functioning of the AML/CFT compliance function, including by taking into account the conclusions of any AML/CFT-related internal and/or external audits that may have been carried out, including with regard to the appropriateness of the human and technical resources allocated to the AML/CFT compliance officer.

4. The management body in its supervisory function should ensure that the member of the management body referred to in section 4.1.3. or where applicable the senior manager referred to in section 4.1.4., who is responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with Directive (EU) 2015/849:

a) has the knowledge, skills and experience necessary to identify, assess and manage the ML/TF risks to which the credit or financial institution is exposed, and the implementation of AML/CFT policies, controls and procedures;

b) has a good understanding of the credit or financial institution’s business model and the sector in which it operates and the extent to which this business model exposes the credit or financial institution to ML/TF risks;

c) is informed in a timely manner of decisions that may affect the risks to which the credit or financial institution is exposed.

5. The management body in its supervisory function should have access to and take into account data and information of sufficient detail and quality to enable it to discharge its AML/CFT functions effectively. At a minimum, the management body in its supervisory function should have timely and direct access to the activity report of the AML/CFT compliance officer, the report of the internal audit function, the findings and observations of external auditors, where applicable, as well as the findings of the competent authority, relevant communications with the FIU and supervisory measures or sanctions imposed.

4.1.2. The role of the management body in its management function in the AML/CFT framework

6. In relation to internal policies, controls and procedures referred to in Articles 8(3) and 8(4) of Directive (EU) 2015/849, a credit or financial institution’s management body in its management function should:

a) implement the appropriate and effective organisational and operational structure necessary to comply with the AML/CFT strategy adopted by the management body, paying particular attention to the sufficient authority and the appropriateness of the human and technical resources allocated to the AML/CFT compliance officer function, including the need for a dedicated AML/CFT unit to assist the AML/CFT compliance officer;

b) ensure implementation of internal AML/CFT policies and procedures;

c) review the AML/CFT compliance officer’s activity report, at least annually;

d) ensure adequate, timely and sufficiently detailed AML/CFT reporting to the competent authority;

e) where operational functions of the AML/CFT compliance officer are outsourced, ensure compliance with the ESAs guidelines on outsourcing arrangements and ESAs guidelines on internal governance, where applicable, and receive regular reporting from the service provider to inform the management body.

4.1.3. Identification of the member of the management body responsible for AML/CFT

7. The member of the management body to be identified in accordance with Article 46(4) of Directive (EU) 2015/849 should, in particular, have sufficient knowledge, skills and experience regarding ML/TF risks, and the implementation of AML/CFT policies, controls and procedures, with a good understanding of the credit or financial institution’s business model and the sector in which the credit or financial institution operates.

8. The member of the management body referred to in Article 46(4) of Directive (EU) 2015/849 should commit sufficient time and have sufficient resources to perform his/her AML/CFT duties effectively. He/she should report comprehensively about his/her tasks as mentioned in section 4.1.5. and regularly inform, where necessary and without undue delay, the management body in its supervisory function.

4.1.4. Identification of a senior manager responsible for AML/CFT where no management body is in place

9. Where no management body is in place, the credit or financial institution should appoint a senior manager who is ultimately responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with Directive (EU) 2015/849, with sufficient time, resources and authority to perform his/her duties effectively.

10. The senior manager referred to in paragraph 19 should have sufficient knowledge, skills and experience regarding ML/TF risks, and the implementation of AML/CFT policies, controls and procedures, with a good understanding of the credit or financial institution’s business model and the sector in which the credit or financial institution operates. In addition, he/she should be given sufficient time, resources and authority to perform his/her duties effectively.

4.1.5. Tasks and role of the member of the management body or senior manager responsible for AML/CFT

11. Without prejudice to the overall and collective responsibility of the management body, when appointing the member of the management body, or the senior manager referred to in paragraphs 17 and 19, credit or financial institutions should identify and take into account potential conflicts of interest and take steps to avoid or mitigate them.

12. The member of the management body, or the senior manager where designated, responsible for AML/CFT should ensure that the entire management body, or the senior management where no management body is in place, is aware of the impact of ML/TF risks on their business-wide risk profile. The responsibilities of the member of the management body, or the senior manager where designated, responsible for AML/CFT, in view of the performance of their task as referred to in Article 46(4) of Directive (EU) 2015/849, and in particular in relation to the implementation of policies, controls and procedures to mitigate and manage effectively the risks of ML/TF as referred to in Article 8 of that Directive, should include at least:

a) ensuring that the AML/CFT policies, procedures and internal control measures are adequate and proportionate, taking into account the characteristics of the credit or financial institution and the ML/TF risks to which it is exposed;

b) carrying out with the management body the assessment of whether it would be appropriate to appoint a separate AML/CFT compliance officer at management level, as referred to in section 4.2.2.;

c) supporting the management body in assessing the need for a dedicated AML/CFT unit to assist the AML/CFT compliance officer in carrying out his/her functions, taking into account the scale and complexity of the credit or financial institution’s operations and exposure to the ML/TF risks. Staff within this unit should possess the necessary expertise, skills and knowledge to assist the AML/CFT compliance officer, who should be involved in the recruitment process;

d) ensuring that there is periodical reporting to the management body on the activities carried out by the AML/CFT compliance officer and that the management body is provided with sufficiently comprehensive and timely information and data on ML/TF risks and AML/CFT compliance, which is necessary to allow the management body to carry out the role and functions entrusted to it. Such information should also cover the credit or financial institution’s engagements with the national competent authority and communications with the FIU, without prejudice to the confidentiality of STRs, and any ML/TF-related findings of the competent authority against the credit or financial institution including measures or sanctions imposed;

e) informing the management body of any serious or significant AML/CFT issues and breaches and recommending actions to remedy them;

f) ensuring that the AML/CFT compliance officer (i) has direct access to all the information necessary to perform his/her tasks, (ii) has sufficient human and technical resources and tools to be able to adequately perform the tasks assigned to them, and (iii) is well informed of the AML/CFT-related incidents and shortcomings identified by the internal control systems and by the national and, in the case of groups, foreign supervisory authorities.

13. The member of the management body, or the senior manager where designated, responsible for AML/CFT should be the main contact point for the AML/CFT compliance officer within the management. In addition, the member of the management body, or the senior manager where designated, responsible for AML/CFT should ensure that any AML/CFT concerns that the AML/CFT compliance officer has are duly addressed and, where this is not possible, are duly considered by the management body in its management function or by the senior management where applicable. If the management body in its management function or senior management where applicable decide not to follow the recommendation of the AML/CFT compliance officer, they should duly justify and record their decision in light of the risks and concerns raised by the AML/CFT compliance officer. In the case of a significant incident, the AML/CFT compliance officer should have direct access to the management body in its supervisory function.

1.2 The role and responsibilities of the AML/CFT compliance officer

1.2.1 Appointment of the AML/CFT compliance officer

14. When deciding whether to appoint the AML/CFT compliance officer in accordance with Article 8(4) of Directive (EU) 2015/849, the management body should take into account the scale and complexity of the credit or financial institution’s operations and its risk exposure to ML/TF pursuant to the criteria set out in section 4.2.2.

15. The AML/CFT compliance officer should be appointed at management level. He/she should have sufficient authority to propose, on his/her own initiative, all necessary or appropriate measures to ensure the compliance and effectiveness of the internal AML/CFT measures to the management body in its supervisory and management function.

16. Where the AML/CFT compliance officer is appointed in accordance with Article 8(4) of Directive (EU) 2015/849, the management body should determine whether that role will be carried out on a full-time basis or whether it may be carried out by an employee or an officer in addition to his/her existing functions within the credit or financial institution.

17. Where the functions of the AML/CFT compliance officer are to be entrusted to an officer or employee who already has other duties or functions within the credit or financial institution, the management body should identify and consider possible conflicts of interest and take the steps necessary to avoid or, where this is not possible, manage these. The management body should ensure that that person can allocate sufficient time to the functions of AML/CFT compliance officer.

18. The AML/CFT compliance officer should make themselves available to the competent authority and the FIU upon request, and should therefore normally be contracted and work in the country in which the credit or financial institution is established.

19. Where commensurate with the ML/TF risk to which the credit or financial institution is exposed and to the extent that this is permitted under the national law, the AML/CFT compliance officer may be contracted to work in another jurisdiction. In those cases the credit or financial institution should have the necessary systems and controls in place to ensure that the AML/CFT compliance officer has access to all the necessary information and systems required to perform his/her tasks and is available to meet the local FIU and the competent authority without delay. The credit or financial institution should also be able to demonstrate to its competent authority that the measures it has put in place in this regard are adequate and effective.

20. The AML/CFT compliance officer should be able to assign and delegate his/her tasks as set out in section 4.2.4. to other officers and employees acting under his/her direction and supervision, provided that ultimate responsibility for the effective fulfilment of those tasks remains with the AML/CFT compliance officer.

21. The AML/CFT compliance officer should be part of the second line of defence and, as such, part of an independent function, and the following conditions should be met:

a) The AML/CFT compliance officer should be independent from the business lines or units he/she controls and he/she cannot be subordinate to a person who has responsibility for managing any of those business lines or units.

b) The credit or financial institution has put in place internal procedures to ensure that the AML/CFT compliance officer has at all times unrestricted and direct access to all information that is necessary to the performance of his/her function. The decision on which information he/she needs to access in this regard should be the AML/CFT compliance officer’s alone.

c) In the case of a significant incident, the AML/CFT compliance officer should be able to report and have direct access to the management body in its supervisory function or to the senior management where no management body is in place.

1.2.2 Proportionality criteria for the appointment of a separate AML/CFT compliance officer

22. A credit or financial institution should appoint a separate AML/CFT compliance officer unless it is a sole trader or has a very limited number of employees or the reasons set out in paragraph 33 justify the non-appointment.

23. When the management body decides not to appoint a separate AML/CFT compliance officer, the reasons should be justified and documented, and explicitly refer to at least the following criteria:

a) the nature of the credit or financial institution’s business and the ML/TF risks associated therewith, taking into account its geographical exposure, customer base, distribution channels and products and services offering;

b) the size of its operations in the jurisdiction, the number of its customers, the number and volume of its transactions and the number of its full-time equivalent employees;

c) the legal form of the credit or financial institution, including whether the credit or financial institution is part of a group.

24. Where a separate AML/CFT compliance officer is not appointed, the credit or financial institution should organise the performance of the AML/CFT compliance officer tasks (see below section 4.2.4 on Tasks and role of the AML/CFT compliance officer) by either the member of the management body as referred to in section 4.1.3 or the senior manager responsible for AML/CFT as referred to in section 4.1.4, or by outsourcing operational functions as mentioned in section 4.2.6, or by a combination of the previous options.

25. When the AML/CFT compliance officer acts for two or more entities within the group or is charged with other tasks, the credit or financial institution should ensure that these multiple appointments still allow the AML/CFT compliance officer to effectively perform his/her functions. The AML/CFT compliance officer should operate for different entities only if the entities are part of the same group. However, due to the specific nature of the collective investment undertakings sector, the AML/CFT compliance officer could service several funds.

1.2.3 Suitability, skills and expertise

26. In relation to employee screening referred to in Article 8(4) (a) of Directive (EU) 2015/849, credit or financial institutions should, prior to the appointment, assess whether the AML/CFT compliance officer possesses:

a) the reputation, honesty and integrity necessary to perform his/her function;

b) the appropriate AML/CFT skills and expertise, including knowledge of the applicable legal and regulatory AML/CFT framework, and the implementation of AML/CFT policies, controls and procedures;

c) sufficient knowledge and understanding of the ML/TF risks associated with the business model of the credit or financial institution to perform his/her function effectively;

d) relevant experience regarding the identification, assessment and management of the ML/TF risks; and

e) sufficient time and seniority to perform his/her functions effectively, independently and autonomously.

27. The credit or financial institutions should ensure that the AML/CFT compliance function operates on an ongoing basis as part of its overall business continuity management. It should cater for the possibility of having the AML/CFT compliance officer discontinue his/her functions and the availability of a delegate with appropriate skills and expertise to take over the functions of the AML/CFT compliance officer in the event that he/she is absent for a period of time or the integrity of the AML/CFT compliance officer is called into question.

1.2.4 Tasks and role of the AML/CFT compliance officer

28. The role and responsibilities of the AML/CFT compliance officer should be clearly defined and documented.

a. Development of a risk assessment framework

29. In relation to the identification and assessment of risk referred to in Article 8(1) of Directive (EU) 2015/849, the AML/CFT compliance officer should develop and maintain an ML/TF risk assessment framework for business-wide and individual ML/TF risk assessments in line with the EBA guidelines on ML/TF risk factors.

30. The AML/CFT compliance officer should report the results of the business-wide and individual ML/TF risk assessment to the management body, via the member of the management body, or to the senior manager responsible for AML/CFT, or directly, if he/she deems it necessary. The AML/CFT compliance officer should propose to the management body the measures to take to mitigate those risks. The launch of a new product or service or significant changes to existing ones, the development of a new market or the undertaking of new activities should not be initiated until adequate resources to understand and manage the associated risks are available and effectively implemented.

b. Development of policies and procedures

31. The AML/CFT compliance officer should ensure that adequate policies and procedures are put in place, kept up to date and implemented effectively on an ongoing basis. The policies and procedures should be commensurate with the ML/TF risks that the credit or financial institution has identified. The AML/CFT compliance officer should at least:

a) set out the AML/CFT policies and procedures to be adopted by the credit or financial institution, as well as the controls and systems to be implemented under Article 8(4) of Directive (EU) 2015/849;

b) ensure that AML/CFT policies and procedures are implemented effectively by the credit or financial institution as explained under section d on Monitoring compliance;

c) ensure that AML/CFT policies and procedures are reviewed regularly and amended or updated where necessary;

d) propose how to address any changes in legal or regulatory requirements or in ML/TF risks as well as how to best address deficiencies or shortcomings identified through monitoring or supervisory activities.

32. The policies, controls and procedures referred to in Article 8(4) of Directive (EU) 2015/849 should at least include the following:

a) the business-wide and individual ML/TF risk assessment methodology;

b) customer due diligence including that provided by the EBA revised guidelines on ML/TF risk factors, and a customer acceptance process as explained below in section c on Customers, in particular for high-risk customers;

c) internal reporting (analysis of unusual transactions) and the submission of STRs to the FIU;

d) record keeping; and

e) provisions for monitoring AML/CFT compliance as in section d on Monitoring compliance.

c. Customers, including high-risk customers

33. The AML/CFT compliance officer should be consulted before a final decision is taken by senior management on onboarding new high-risk customers or maintaining business relationships with high-risk customers in line with the risk-based internal AML/CFT policies of the credit or financial institution, and in particular in situations where the senior management’s approval is explicitly required under Directive (EU) 2015/849. If senior management decides not to follow the advice of the AML/CFT compliance officer, it should duly record its decision and address how it proposes to mitigate the risks raised by the AML/CFT compliance officer.

d. Monitoring compliance

34. As a second line of defence, the AML/CFT compliance officer should be responsible for monitoring whether the measures, policies, controls and procedures implemented by the credit or financial institution comply with the credit or financial institution’s AML/CFT obligations. The AML/CFT compliance officer should also oversee the effective application of AML/CFT controls applied by business lines and internal units (first line of defence).

35. The AML/CFT compliance officer should ensure that the AML/CFT framework is updated where necessary, and in any case when deficiencies are detected, new risks emerge or the legal or regulatory framework has changed.

36. The AML/CFT compliance officer should recommend to the management body corrective measures to be taken to address identified weaknesses in the credit or financial institution’s AML/CFT framework, including weaknesses identified by competent authorities or by internal or external auditors.

e. Reporting to the management body

37. The AML/CFT compliance officer should advise the management body on measures to be taken to ensure compliance with applicable laws, rules, regulations and standards, and should provide his/her assessment of the possible impact of any changes in the legal or regulatory environment on the credit or financial institution’s activities and compliance framework.

38. The AML/CFT compliance officer should bring to the attention of the member of the management body or the senior manager responsible for AML/CFT:

a) the areas where the operation of AML/CFT controls should be implemented or improved;

b) the appropriate improvements suggested in relation to point (a) above;

c) a progress report of any significant remedial programmes, at least once a year as part of the activity report referred to in paragraph 50 and on an ad hoc basis or periodically, depending on the improvements, to provide information about the level of exposure to the ML/TF risks, and the measures taken or recommended to reduce and effectively manage these risks;

d) whether the human and technical resources allocated to the AML/CFT compliance function are insufficient and should be reinforced.

39. The credit or financial institution needs to stand ready to share a copy of the activity report referred to in paragraph 50 with the competent authority.

40. The AML/CFT compliance officer should produce an activity report on at least an annual basis. The activity report should be proportionate to the scale and nature of the activities of the credit or financial institution. The activity report may, where appropriate, be based on information already sent to the national competent authorities in the form of other reports. The activity report should contain at least the following information:

1) On the ML/TF risk assessment:

a) a summary of the main findings of the business-wide ML/TF risk assessment as referred to in Article 8 of Directive (EU) 2015/849, where such an update has been performed in the past year, and a confirmation of whether it was required by the competent authority to be submitted for the reporting year;

b) a description of any changes related to the method used by the credit or financial institution to assess the individual customer risk profile, highlighting how such change is aligned to the credit or financial institution’s business-wide ML/TF risk assessment;

c) the classification of customers by risk category, including the number of customer files by risk category for whom CDD reviews and updates are outstanding;

d) information and statistical data on:

i) the number of unusual transactions detected;

ii) the number of unusual transactions analysed;

iii) the number of reports of suspicious transactions or activity to the FIU (distinguished by country of operations);

iv) the number of customer relationships ceased by the credit or financial institution due to AML/CFT concerns;

v) the number of requests for information received from the FIU, courts and law enforcement agencies.

2) On resources:

e) a brief description of the AML/CFT organisation structure and, where appropriate, of any significant changes made in the past year and of the underlying reasoning;

f) a brief description of the human and technical resources allocated to the AML/CFT compliance function by the credit or financial institution;

g) where applicable, the list of AML/CFT processes outsourced with a description of the oversight performed by the credit or financial institution on those activities.

3) On policies and procedures:

h) a summary of important measures taken and procedures adopted during the year, including a brief description of the recommendations, problems, shortcomings and irregularities identified in the year of the reporting;

i) a description of the compliance monitoring actions undertaken to assess application of the credit or financial institution’s AML/CFT policies, controls and procedures by the credit or financial institution’s employees, agents, distributors and service providers, as well as the adequacy of any monitoring tools employed by the credit or financial institution for AML/CFT purposes;

j) a description of the AML/CFT training activities completed, and of the training plan for next year;

k) a plan of activities of the AML/CFT compliance officer function for the subsequent year;

l) findings of internal and external audits relevant to AML/CFT and any progress made by the credit or financial institution to address these findings;

m) supervisory activities, including communications with the credit or financial institution, carried out by the competent authority, reports submitted, breaches identified and sanctions imposed together with how the credit or financial institution is undertaking to remedy the breaches identified and the stage at which the remedial action is, without prejudice to any other periodical report that may be required in the case of supervisory activity or remedial action.

f. Reporting of suspicious transactions

41. In relation to the AML/CFT compliance officer’s obligation under Article 33(2) of Directive (EU) 2015/849 to transmit information referred to in paragraph (1) of that Article, he/she should make sure that other members of staff whose assistance is sought with the discharge of aspects of this function have the skills, knowledge and suitability to assist with that task. Due consideration should be given to the sensitivity and confidentiality of information that may be disclosed and the non-disclosure obligations the credit or financial institution has to adhere to.

42. When the AML/CFT compliance officer transmits information to the FIU in accordance with Article 33(2) of Directive (EU) 2015/849, he/she should ensure that the information is transmitted in a format and through means which comply with any guidelines issued by the national FIU, in an effective manner. As part of his/her role under that provision, the AML/CFT compliance officer should:

a) understand the functioning and design of the transaction monitoring system, including scenarios covered according to the ML/TF risks posed to the credit or financial institution and internal procedures to handle alerts;

b) receive reports from the credit or financial institution’s employees, agents or distributors, or reports generated otherwise by the credit or financial institution’s systems, of knowledge or suspicion of ML/TF, or that a person may have been, is or may be connected with ML/TF;

c) ensure that these reports are considered promptly so as to determine whether there is knowledge or suspicion that funds are proceeds of criminal activity including ML/TF, or whether a person may have been, is or may be connected with ML/TF; the AML/CFT compliance officer should also determine, document and implement a prioritisation process for the internal reports received so that internal reports concerning especially high-risk situations are treated with the necessary urgency;

d) while assessing the reports received, keep a record of all evaluations carried out as well as any feedback received from the FIU subsequently to improve the detection of future suspicious transactions;

e) ensure that knowledge or suspicion of ML/TF or of a person’s connection with ML/TF are promptly reported to the FIU, submitting with the report such facts, events or information and documentation as necessary to substantiate the suspicion or instances of reasonable grounds to suspect ML/TF;

f) ensure a prompt and exhaustive response to any request for information made by the FIU; and

g) consider regularly the reasons why alerts of unusual activity or transactions were not escalated as internal reports so as to determine whether there are any issues that need to be addressed to ensure effective detection of suspicious activity or transactions.

43. The AML/CFT compliance officer should ensure that the credit or financial institution’s internal controls will enable it to comply with any guidance provided by the FIU.

44. Credit or financial institutions should draw the attention of their managers and employees to the obligation to comply strictly with the prohibition on informing the customer or third parties that an ML/TF analysis is ongoing or may be started and to limit access to this information to the persons who need it for the performance of their functions. While there is a non-disclosure obligation applicable within the credit or financial institution, the AML/CFT compliance officer should still consider carefully to whom information on either any reports submitted to the FIU or any request for information received from the FIU is provided within the credit or financial institution. The reporting procedure should be confidential and the identity of the persons involved in the preparation and forwarding of the report should be protected by privacy policy.

g. Training and awareness

45. In accordance with the obligation under Article 46(1) of Directive (EU) 2015/849 and as specified in the EBA revised guidelines on ML/TF risk factors, the AML/CFT compliance officer should duly inform staff about the ML/TF risks to which the credit or financial institution is exposed including ML/TF methods, trends and typologies, as well as of the risk-based approach implemented by the credit or financial institution to mitigate these risks. This information may take various forms, such as company letters, the intranet, meetings.

46. The AML/CFT compliance officer should oversee the preparation and implementation of an ongoing AML/CFT training programme. In cooperation with the human resources department of the credit or financial institution, an annual plan of training and education of staff should be documented and be referred to in the activity report to the management body as per paragraph 50.

47. The AML/CFT compliance officer should ensure that the internal reporting procedures adopted by the credit or financial institution are brought to the attention of all staff.

48. In addition to general education, for the purposes of Article 46(1) of Directive (EU) 2015/849 the AML/CFT compliance officer should assess the specific training needs within the credit or financial institution and ensure that adequate theoretical and practical training is provided to the persons exposed to different levels of ML/TF risks, such as:

a) persons working in the compliance function under the responsibility of the AML/CFT compliance officer;

b) persons in contact with customers or tasked with carrying out their transactions (employees, agents and distributors);

c) persons responsible for developing procedures or internal tools applicable to activities that may be sensitive to ML/TF risk.

49. The content of the specific training programmes delivered to persons with different levels of exposure to ML/TF risks should be adjusted on a risk-sensitive basis as described in the EBA revised guidelines on ML/TF risk factors.

50. The AML/CFT compliance officer should determine indicators of assessment to check the effectiveness of training provided.

51. Where the credit or financial institution adopts a training and awareness-raising programme developed abroad, e.g. by its registered office or parent company, the AML/CFT compliance officer should ensure that this programme is adapted to the legal and regulatory rules applicable at national level, as well as with respect to ML/TF typologies and specific activities of the credit or financial institution.

52. Where certain training activities are outsourced to a service provider, the AML/CFT compliance officer should ensure (i) that the service provider has the required AML/CFT knowledge to guarantee the quality of the training to be provided, (ii) that the management conditions of the outsourcing are set and respected, and (iii) that the content of this training is adapted to the specific features of the credit or financial institution concerned.

1.2.5 Relationship between the AML/CFT compliance function and other functions

53. Both the compliance function and the independent AML/CFT compliance function should be located in the second line of defence of the credit and financial institutions.

54. Where the AML/CFT compliance function is different from the general compliance function, in addition to the provisions of ESAs guidelines on internal governance on a transparent and documented decision-making process and clear allocation of responsibilities and authority within its internal control framework, credit or financial institutions should meet the provisions set out in this section.

55. The independent audit function referred to in Article 8(4)(b) of Directive (EU) 2015/849 should not be combined with the AML/CFT compliance function.

56. The risk management function, to the extent that the credit or financial institution has a risk management function, and, where established, the risk committee, should have access to relevant information and data necessary to perform their role, including information and data from relevant corporate and internal control functions, such as AML/CFT compliance.

57. A good cooperation to exchange information should take place between the head of risk management and the AML/CFT compliance officer. The AML/CFT compliance officer should cooperate with the risk function for the purpose of setting AML/CFT methodologies coherent with the risk management strategy of the credit or financial institution.

1.2.6 Outsourcing of operational functions of the AML/CFT compliance officer

58. In addition to the ESAs guidelines on outsourcing, as applicable, and where the outsourcing of operational functions of the AML/CFT compliance officer is permitted under national law, credit or financial institutions should have regard to the following key principles:

a. The ultimate responsibility for compliance with legal and regulatory obligations, whether or not specific functions are outsourced, lies with the credit or financial institution.

b. The rights and obligations of the credit or financial institution and the service provider should be clearly allocated and set out in a written agreement.

c. The credit or financial institution relying on an outsourcing arrangement should remain accountable to monitor and oversee the quality of the service provided.

d. Intra-group outsourcing should be subject to the same regulatory framework as outsourcing to service providers outside the group.

e. The outsourcing of functions cannot result in the delegation of the management body’s responsibilities. Strategic decisions in relation to AML/CFT should not be outsourced. These decisions include, in particular:

i. the approval of the business-wide ML/TF risk assessment;

ii. the decision on the internal organisation of the AML/CFT framework of the credit and financial institution;

iii. the adoption of internal AML/CFT policies and procedures;

iv. the approval of the methodology used to determine the ML/TF risk presented by a given business relationship and the assignment of the risk profile;

v. the approval of the criteria to be used by the credit or financial institution to detect suspicious or unusual transactions for its ongoing monitoring and/or reporting purposes.

Credit and financial institutions remain ultimately responsible for the decision to report suspicious transactions to the FIU, including in situations where the identification and reporting of suspicious transactions is outsourced.

59. Credit and financial institutions should follow the outsourcing process, as set out in the EBA’s guidelines on outsourcing arrangements, when outsourcing operational tasks of the AML/CFT compliance officer function to a service provider. This includes the identification and assessment of relevant risks of the outsourcing arrangement, the justification of the decision to outsource in light of the objectives pursued (whether it aims to ensure an optimal allocation of AML/CFT resources throughout the group or on the basis of the proportionality criteria), undertaking due diligence on the prospective service provider, and the contractualisation of the outsourcing agreement.

60. The credit or financial institution which outsources tasks of the AML/CFT compliance function should entrust its AML/CFT compliance officer with:

i) monitoring the service provider’s performance to ensure that the outsourcing effectively enables the credit or financial institution to comply with all its legal and regulatory AML/CFT obligations;

ii) carrying out a regular control of compliance by the service provider with the commitments arising from the agreement. In accordance with the documented analysis, the regular control should ensure that the AML/CFT compliance function is provided with means to test and monitor regularly and occasionally compliance with the obligations incumbent upon the service provider. As regards its customer’s data, the AML/CFT compliance function and the competent authority should have access rights to the systems/databases of the service provider;

iii) reporting on the outsourcing to the management body as part of the AML/CFT compliance officer’s activity report or whenever circumstances require, in particular so that any necessary remediation measures are implemented as soon as possible.

61. Where the credit or financial institution does not have any officers or employees of its own other than a management body, it may outsource the AML/CFT compliance function to a service provider. In such instances the AML/CFT compliance officer should be the AML/CFT compliance officer of one of the service providers who has experience or knowledge on the type of activity or transactions carried out by the credit or financial institution.

62. In situations whereby the credit or financial institution is making use of intra-group outsourcing, it should in particular take the measures necessary to identify and manage any conflicts of interest that could arise from such an outsourcing agreement. The parent entity of the group should:

a) ensure that an inventory of cases of intra-group AML/CFT outsourcing, in order to determine which function relates to which legal entity, is established in the concerned entities and regularly made available for its consultation; and

b) ensure that intra-group outsourcing does not compromise the compliance of each subsidiary, branch or other form of establishment with its AML/CFT obligations.

63. The outsourcing of tasks related to AML/CFT to service providers established in third countries should be subject to additional safeguard measures in order to ensure that the outsourcing does not, as a result of the location of the service provider, increase the risk of non-compliance with the legal and regulatory requirements or of inefficient performance of the outsourced tasks, nor hinders the competent authority’s capacity to effectively exercise its supervisory power with regard to the service provider.

1.3 Organisation of the AML/CFT compliance function at group level

1.3.1 General provisions on the group context

64. The credit or financial institution should adapt its internal control framework to the specificity of its business, its complexity and the associated risks, taking into account the group context.

65. The credit or financial institution should ensure that the parent undertaking, where it is a credit or financial institution, has sufficient data and information and is able to assess the group-wide ML/TF risk profile, in line with the EBA guidelines on ML/TF risk factors.

66. Where the credit or financial institution is the parent of a group, it should ensure that each management body, business line and internal unit, including each internal control function, has the information necessary to be able to carry out its duties. In particular it should ensure exchange of adequate information between the business lines and the AML/CFT compliance function, and the compliance function where those are different functions, at the group level and between the heads of the internal control functions at the group level and the management body of the credit or financial institution.

1.3.2 Role of the management body in respect of AML/CFT at group level

67. Where the parent is a credit or financial institution and thus an obliged entity under Directive (EU) 2015/849, its management body should carry out at a minimum the following tasks:

a) in order to have a cartography of the ML/TF risks to which each group entity is exposed, ensure that the group entities perform their own business-wide ML/TF risk assessments in a coordinated way and based on a common methodology, yet reflecting their own specificities, taking into account Article 8(1) of Directive (EU) 2015/849 and the EBA revised guidelines on ML/TF risk factors;

b) when being informed, by members of the group management body or senior manager responsible for AML/CFT or directly by the group AML/CFT compliance officer, of supervisory activities carried out in entities of the group by a competent authority, or deficiencies identified therein, ensure that remediation measures are completed by the subsidiary or branch in a timely and effective manner.

1.3.3 Organisational requirements at group level

68. When implementing group-wide policies and procedures as referred to in Article 45 of Directive (EU) 2015/849, conflicting interests, meaning ML/TF risk-generating tasks such as the commercial function, between a parent credit or financial institution, which is an obliged entity under Directive (EU) 2015/849, and a subsidiary or branch, should not jeopardise the compliance with AML/CFT requirements, and should be mitigated.

69. The parent credit or financial institution should:

a) designate a member of its management body or senior manager responsible for AML/CFT among the senior managers at the level of the parent undertaking, as well as a group AML/CFT compliance officer;

b) set up an organisational and operational coordination structure at group level with sufficient decision-making power for the group AML/CFT management to make this position effective at managing and preventing ML/TF risks, in line with the proportionality principle and applicable domestic legislation;

c) approve the group’s internal AML/CFT policies and procedures and ensure that these are consistent with the group’s structure and with the size and characteristics of the credit or financial institutions belonging to it;

d) set up internal AML/CFT control mechanisms at group level;

e) regularly evaluate the effectiveness of the AML/CFT policies and procedures at group level; and

f) for a credit or financial institution that operates branches or subsidiaries domestically, or in another Member State or a third country, appoint a group AML/CFT compliance officer as a coordinator, for ensuring the implementation by all the entities of the group, which are engaged in financial activities, of the group policy and the adequate and appropriate systems and procedures for the effective prevention of ML/TF.

70. The group AML/CFT compliance officer should cooperate fully with the AML/CFT compliance officer of each entity.

71. The group AML/CFT compliance officer should have at least the following tasks:

a) coordinate the business-wide assessment of the ML/TF risks carried out at local level by entities of the group and organise the aggregation of their results in order to have a good understanding of the nature, intensity and location of the ML/TF risks to which the group as a whole is exposed;

b) draft a group-wide ML/TF risk assessment. In this respect, the parent entity of the group should take into account, in its ML/TF risk management system at group level, both the individual risks of the various entities of the group and their possible interrelations that could have a significant impact on the group-wide risk exposure. In this respect, particular attention should be paid to the risks to which the group’s branches or subsidiaries established in third countries are exposed, especially if they are of high ML/TF risk;

c) define group-level AML/CFT standards and ensure that local, entity-level policies and procedures comply with the AML/CFT legislation and regulations applicable to each entity of the group individually, and are also aligned to the group standards defined;

d) coordinate the activities of the various local AML/CFT compliance officers in the group’s operational entities in order to ensure that they work consistently;

e) monitor compliance of the branches and the subsidiaries located in third countries with EU AML/CFT provisions, in particular where requirements for the prevention of ML/TF are less strict than those set out in Directive (EU) 2015/849;

f) set group-wide policies, procedures and measures concerning, in particular, data protection and sharing of information within the group for the purposes of AML/CFT, in accordance with the national legal provisions;

g) ensure that the entities of the group have adequate STRs procedures and share information properly, including the information that a suspicious transaction report has been filed (with no prejudice to national confidentiality rules where existing).

72. The group AML/CFT compliance officer should produce an activity report on at least an annual basis and present it to the group management body. In addition to the points mentioned in paragraph 50, the group AML/CFT compliance officer’s report should contain, at least, the following points from the AML/CFT compliance officers in branches and subsidiaries:

a) statistics consolidated at group level, especially on risk exposure and suspicious activities;

b) monitoring of inherent risks that have occurred in one subsidiary or branch and across other subsidiaries and branches, and analysing the impact of residual risks;

c) supervisory reviews, internal or external audits of subsidiaries or branches of the credit or financial institution including the serious weaknesses identified in the AML/CFT policies and procedures of the credit or financial institution, and the actions or recommendations for corrective measures; and

d) information on steering and oversight of subsidiaries and branches with a special focus on the ones located in high-risk countries if applicable.

73. The AML/CFT compliance officer of a subsidiary or branch should have a direct reporting line with the group AML/CFT compliance officer.

74. The group should ensure that the policies and procedures entities put in place are aligned with the group’s procedures and policies to the extent permitted under applicable national law. Based on the proportionality criteria, credit or financial institutions should, where appropriate, establish committees (including a compliance committee) of the management body in its supervisory function as set out in Section 5 of the EBA revised guidelines on internal governance.