EBA sets out compliance officer role: is compliance getting personal?

The European Banking Authority (EBA) has published new guidelines setting out the universal role and responsibilities of AML/CFT compliance officers. The overarching goal of the guidelines is to create a “common understanding” of the anti-money laundering (AML) and countering the financing of terrorism (CFT) arrangements and actions that are expected of firms.

The guidelines aim to ensure “common interpretation” as well as “adequate implementation of AML/CFT internal governance arrangements across the EU”. They oblige all financial or credit organisations to appoint one clear member of their management body who must be responsible for the implementation of AML/CFT obligations.

What does the universal role of the AML/CFT compliance officer (CO) entail?

Under the EBA’s new guidelines, the AML/CFT compliance officer is responsible for compliance across seven key areas:

  1. The development of a risk assessment framework – the CO is expected to develop and maintain an AML/CFT risk assessment framework in line with Article 8(1) of Directive (EU) 2015/849.

  2. The development of policies and procedures – the CO should ensure that adequate policies and procedures are put in place, kept up to date, and implemented effectively on an ongoing basis.

  3. Managing high-risk customers – the CO should be consulted before a final decision is taken by senior managers to onboard new, high-risk customers.

  4. Compliance monitoring – the CO should, as a second line of defence, be responsible for monitoring whether measures, policies, controls and procedures comply with AML/CFT obligations.

  5. Reporting to the management body – the CO should advise the management body on measures taken to ensure compliance with applicable rules, regulations, laws and standards.

  6. Reporting of suspicious transactions – the CO, under Article 33(2) of Directive (EU) 2015/849, should make sure that other members of staff responsible for aspects of compliance have the skills, knowledge and suitability to assist.

  7. Training and awareness – the CO should inform relevant staff about the risks to which the organisation is exposed, including methods, trends and typologies – as well as the approach being used to mitigate those risks.

When will the guidelines take effect?

The deadline by which relevant authorities should comply is 1 December 2022. Companies are expected to report on whether they comply with the guidelines within 6 months of the publication of translated versions, which are still awaited.

CUBE comment

CUBE has long been an advocate for global standards. Compliance is incredibly complex at the best of times and is made significantly more difficult when different regulators are saying and doing slightly different things. With that in mind, the EBA has offered welcome clarity to the industry by setting an EU-wide benchmark. As is often the case with regulatory developments, we will likely see other global regulators follow suit in the months and years to come.

The EBA’s guidelines coincide with a broader market shift towards individual accountability for compliance. In the US, the Securities and Exchange Commission has recently announced charges against a former Chief Compliance Officer (CCO) for unlawfully offering and selling securities in connection with a fraudulent scheme. In February, the Financial Industry Regulatory Authority (FINRA) issued a compliance officer with a $25,000 fine after finding that he had failed to properly oversee his employer’s anti-money laundering program. Since the inception of SMCR, we’ve seen regulatory messaging both in the UK and abroad suggesting that individual corporate responsibility is high among regulatory priorities.

Compliance officers have long been held accountable for bad actors and bad compliance decisions made within firms, but we are seeing a clear shift in regulatory attitudes – one which takes action against individuals, not just the businesses they work for.

This means that compliance is now a personal issue. It is no longer enough to watch malpractice unfold and take minimal action – where once the business would have taken the hit, now the compliance officer will be penalised. This takes the jeopardy for the compliance teams up a level. It also means that compliance officers should be doing all they can to ensure regulatory obligations are met – it’s their neck on the line if they fail.
