Response to consultation on draft amending Guidelines on risk-based AML/CFT supervision
Go back
AFME has put in place internal arrangements to manage our work in compliance with the conditions set by the EBA on Adam Farkas’ appointment as CEO. As part of these, Adam Farkas has not been involved in the preparation of this consultation response.
4.1.2 Proportionality
• AFME welcomes Guideline 4.1.2 paragraph 15 which states that the size or systemic importance of a subject of assessment may not, by itself, be indicative of the extent to which it is exposed to ML/TF risk. To this end, we also agree that small credit institutions or financial institutions that are not systemically important can nevertheless pose a high ML/TF risk.
We also believe that it is important to stress that not only the ‘size’ of an entity matters when it comes to assessing the AML/CFT risks that it may pose.
4.1.3. Subjects of assessment
• Guideline 4.1.3 paragraph 16 has been revised to explain how competent authorities can determine ‘clusters’ of obliged entities when applying the risk-based approach (RBA) and which criteria to look at when making the assessment.
According to this paragraph, these criteria “should include the same level of risk that they are exposed to, inter alia, their size, the nature of their business, the type of customers serviced, the geographic area they operate in or activity and their delivery channels”.
We believe that this approach may be beneficial in some cases, however we also believe that an individual approach when evaluating ML/TF risks of a specific entity may generate better results.
Although the geographical area should be used as a criterion to assess the level of ML/TF risk, we believe that the business model and organizational structure of an entity should be considered as determining factors in this regard. If a clustering model focused excessively on geographical risks, it will encourage geographical de-risking, and undermine financial inclusion.
We encourage the EBA to take this into account when further updating the Guidance.
4.1.4 Cooperation
• We welcome the revision of Guideline 4.1.4 paragraphs 20 - 23, which emphasises the need for cooperation and exchange of information between competent authorities and with other stakeholders to ensure the implementation of an effective risk-based supervision model. Cooperation and information sharing will strengthen consistency and coherence in the European AML framework, as well as support firms in complying with their obligations.
We invite competent authorities to examine the possibility of concluding memoranda of understanding (MoUs) to facilitate cooperation between them and with other relevant stakeholders, such as prudential supervisors, tax authorities, law enforcement agencies and FIUs.
b. Information on subjects of assessment
• Guideline 4.2.6 paragraphs 43 - 48 explains what type of information should be obtained by competent authorities in order to identify risk factors and mitigating factors associated with the subject of assessment.
AFME agrees that competent authorities should collect all the necessary information. In order to do this efficiently, competent authorities should coordinate closely with prudential supervisors to prevent overlapping. As an example, the annual AML supervisory programme should be approved by all supervisors.
• Guideline 4.3.4 paragraph 61 requires that, if there is an AML/CFT college of supervisors, the lead supervisor should use the information exchanged in the college to gather the necessary information for the risk assessment of cross-border groups.
AFME supports the establishment of colleges of supervisors, and we invite competent authorities to set up effective operational agreements and MoUs between college members for collaboration. We also believe that an important aspect that should be taken into consideration in this regard is the interaction between the college of supervisors and 3rd countries. We request that the EBA considers this further.
• Guideline 4.3.4 paragraph 62 talks about competent authorities ‘assessing whether subjects of assessment have implemented group-wide policies and procedures in their branches and subsidiaries effectively’.
We welcome clarity on which criteria will be taken into account when assessing the effectiveness of implemented group-wide policies and procedures. For instance, will competent authorities pay attention to i) evidence of local policy transposition? ii) The evaluation of the maturity of the underlying controls behind a given policy requirement?
We encourage the EBA to provided clearer guidance on the criteria of effectiveness in this context.
• Guideline 4.4.4 paragraph 96 states that supervisors should cooperate with other competent authorities involved in the supervision of subjects of assessment. This cooperation may include exchanging information related to weaknesses or breaches identified by other competent authorities.
We note that this provision could potentially cause breaches to national data protection laws. Therefore, competent authorities should consider clarifying the scope and means of their cooperation through ad hoc MoUs.
4.4.5 Supervisory practices and the supervisory manual
• Guideline 4.4.5 paragraphs 98 - 103 explain how competent authorities should test the effectiveness of subjects of assessment’s AML/CFT framework and set out factors that should be considered to implement a robust sampling policy.
AFME believes that financial institutions and their financial crime compliance programmes should be assessed mostly based on their ability to prevent, detect, and report suspicious activity, rather than focusing on mere technical compliance with regulatory guidance or supervisory expectations.
Following an appropriate risk-based evaluation, financial institutions should be encouraged to change their practices, in order to improve the production of highly useful information to share with relevant government agencies.
We urge the EBA to encourage a risk-based approach when considering AML/CFT compliance whenever and wherever possible.
• Guideline 4.4.5 paragraph 98 requires competent authorities to assess “subjects of assessment’s AML/CFT systems and controls, as well as the effectiveness of the systems and controls subjects of assessment have put in place to prevent and detect ML/TF”.
The provided wording suggests that there are two different assessments of systems and controls that the competent authorities have to undertake and only one of the assessments is specifically looking at the effectiveness. We question if this is a misunderstanding and the EBA has in mind only one assessment of the effectiveness of systems and controls in questions. Can the EBA please clarify the wording?
• Guideline 4.4.5 paragraph 100 mentions several factors that competent authorities should consider in order to assess the effectiveness of the AML/CFT frameworks implemented by subjects of assessment.
We understand that this list is non-exhaustive. However, AFME believes that it should expressly include the provision of ‘providing highly useful information to relevant government agencies in defined priority areas’. Please see the Wolfsberg Statement on Developing an Effective AML/CTF Programme.
Furthermore, we would encourage the EBA to take into account the following additional factors when assessing the effectiveness of AML/CFT frameworks as we think they are highly relevant in this context:
i) identification of suspicious activity/transaction reporting;
ii) FIUs’ evaluation of the reports submitted by subjects of assessment;
iii) participation in public-private partnerships aimed at improving the detection of and fight against financial crime.
• In addition, we would like to check whether the EBA meant to add some additional wording under paragraph 100 (d) (please see below with our underlining). There is a letter ‘i’ at the end of the paragraph which looks like a typo.
100 d) including the extent to which the supervisor is expected to challenge the robustness of AML/CFT controls, the implementation of policies and procedures and the effectiveness of the business-wide risk assessment, i
Guideline 4.4.9 Feedback to the sector
• Guideline 4.4.9. paragraph 124 requires competent authorities to issue “guidance on the risk-based approach to subjects of assessment on what they expect subjects of assessment to do to comply with their AML/CFT obligations”.
We think that, in issuing such guidance, supervisors should assess the position of multinational companies vis-à-vis the regulatory framework of third countries. Therefore, this guidance should take into account third-countries regulatory and supervisory expectations, in order to ensure a level playing field in cases when local expectations diverge from the European expectations.
• Guideline 4.4.9 paragraph 125 states that evidence of de-risking in some sectors or subjects of assessment may suggest that some further guidance may be needed in this space.
To this end, AFME believes that competent authorities, when assessing de-risking, should also take into account and recognise the efforts made by financial institutions to build appropriate control frameworks to pro-actively engage with the ‘at risk’ clients in order to prevent financial exclusion.
We would like to thank the EBA for the vital work accomplished so far in the space of AML/CFT and we look forward to continued engagement and dialogue on this important matter. We stand ready to discuss the content of this paper or to provide any further clarity regarding the statements made.
Q1. Do you have any comments with the proposed changes to the ‘Subject matter, scope and definitions’?
The Association for Financial Markets in Europe (AFME) welcomes the opportunity to comment on the European Banking Authority’s (EBA) changes to its Guidelines on Risk-Based Supervision of credit and financial institutions’ compliance with anti-money laundering and countering the financing of terrorism (AML/CFT) obligations.AFME has put in place internal arrangements to manage our work in compliance with the conditions set by the EBA on Adam Farkas’ appointment as CEO. As part of these, Adam Farkas has not been involved in the preparation of this consultation response.
Q2. Do you have any comments with the proposed changes to the Guideline 4.1 ‘Implementing the RBS model’?
We believe that, overall, the EBA’s Guidance on Risk-based Supervision helps to align supervisory practices across the EU, which are consistent with international standards. Transparent and coherent rules in this space allow AFME members to have a clear understanding of the EBA’s expectations.4.1.2 Proportionality
• AFME welcomes Guideline 4.1.2 paragraph 15 which states that the size or systemic importance of a subject of assessment may not, by itself, be indicative of the extent to which it is exposed to ML/TF risk. To this end, we also agree that small credit institutions or financial institutions that are not systemically important can nevertheless pose a high ML/TF risk.
We also believe that it is important to stress that not only the ‘size’ of an entity matters when it comes to assessing the AML/CFT risks that it may pose.
4.1.3. Subjects of assessment
• Guideline 4.1.3 paragraph 16 has been revised to explain how competent authorities can determine ‘clusters’ of obliged entities when applying the risk-based approach (RBA) and which criteria to look at when making the assessment.
According to this paragraph, these criteria “should include the same level of risk that they are exposed to, inter alia, their size, the nature of their business, the type of customers serviced, the geographic area they operate in or activity and their delivery channels”.
We believe that this approach may be beneficial in some cases, however we also believe that an individual approach when evaluating ML/TF risks of a specific entity may generate better results.
Although the geographical area should be used as a criterion to assess the level of ML/TF risk, we believe that the business model and organizational structure of an entity should be considered as determining factors in this regard. If a clustering model focused excessively on geographical risks, it will encourage geographical de-risking, and undermine financial inclusion.
We encourage the EBA to take this into account when further updating the Guidance.
4.1.4 Cooperation
• We welcome the revision of Guideline 4.1.4 paragraphs 20 - 23, which emphasises the need for cooperation and exchange of information between competent authorities and with other stakeholders to ensure the implementation of an effective risk-based supervision model. Cooperation and information sharing will strengthen consistency and coherence in the European AML framework, as well as support firms in complying with their obligations.
We invite competent authorities to examine the possibility of concluding memoranda of understanding (MoUs) to facilitate cooperation between them and with other relevant stakeholders, such as prudential supervisors, tax authorities, law enforcement agencies and FIUs.
Q3. Do you have any comments on the proposed changes to the Guideline 4.2 ‘Step 1- Identification of risk and mitigating factors’?
4.2.6 a. Type of information necessary to identify risk factorsb. Information on subjects of assessment
• Guideline 4.2.6 paragraphs 43 - 48 explains what type of information should be obtained by competent authorities in order to identify risk factors and mitigating factors associated with the subject of assessment.
AFME agrees that competent authorities should collect all the necessary information. In order to do this efficiently, competent authorities should coordinate closely with prudential supervisors to prevent overlapping. As an example, the annual AML supervisory programme should be approved by all supervisors.
Q4. Do you have any comments on the proposed changes to the Guideline 4.3 ‘Step 2 – Risk assessment’?
4.3.4 Assessment of the ML/TF risks at the group level• Guideline 4.3.4 paragraph 61 requires that, if there is an AML/CFT college of supervisors, the lead supervisor should use the information exchanged in the college to gather the necessary information for the risk assessment of cross-border groups.
AFME supports the establishment of colleges of supervisors, and we invite competent authorities to set up effective operational agreements and MoUs between college members for collaboration. We also believe that an important aspect that should be taken into consideration in this regard is the interaction between the college of supervisors and 3rd countries. We request that the EBA considers this further.
• Guideline 4.3.4 paragraph 62 talks about competent authorities ‘assessing whether subjects of assessment have implemented group-wide policies and procedures in their branches and subsidiaries effectively’.
We welcome clarity on which criteria will be taken into account when assessing the effectiveness of implemented group-wide policies and procedures. For instance, will competent authorities pay attention to i) evidence of local policy transposition? ii) The evaluation of the maturity of the underlying controls behind a given policy requirement?
We encourage the EBA to provided clearer guidance on the criteria of effectiveness in this context.
Q5. Do you have any comments with the proposed changes to the Guideline 4.4 ‘Step 3 - Supervision’?
4.4.4 Supervisory tools• Guideline 4.4.4 paragraph 96 states that supervisors should cooperate with other competent authorities involved in the supervision of subjects of assessment. This cooperation may include exchanging information related to weaknesses or breaches identified by other competent authorities.
We note that this provision could potentially cause breaches to national data protection laws. Therefore, competent authorities should consider clarifying the scope and means of their cooperation through ad hoc MoUs.
4.4.5 Supervisory practices and the supervisory manual
• Guideline 4.4.5 paragraphs 98 - 103 explain how competent authorities should test the effectiveness of subjects of assessment’s AML/CFT framework and set out factors that should be considered to implement a robust sampling policy.
AFME believes that financial institutions and their financial crime compliance programmes should be assessed mostly based on their ability to prevent, detect, and report suspicious activity, rather than focusing on mere technical compliance with regulatory guidance or supervisory expectations.
Following an appropriate risk-based evaluation, financial institutions should be encouraged to change their practices, in order to improve the production of highly useful information to share with relevant government agencies.
We urge the EBA to encourage a risk-based approach when considering AML/CFT compliance whenever and wherever possible.
• Guideline 4.4.5 paragraph 98 requires competent authorities to assess “subjects of assessment’s AML/CFT systems and controls, as well as the effectiveness of the systems and controls subjects of assessment have put in place to prevent and detect ML/TF”.
The provided wording suggests that there are two different assessments of systems and controls that the competent authorities have to undertake and only one of the assessments is specifically looking at the effectiveness. We question if this is a misunderstanding and the EBA has in mind only one assessment of the effectiveness of systems and controls in questions. Can the EBA please clarify the wording?
• Guideline 4.4.5 paragraph 100 mentions several factors that competent authorities should consider in order to assess the effectiveness of the AML/CFT frameworks implemented by subjects of assessment.
We understand that this list is non-exhaustive. However, AFME believes that it should expressly include the provision of ‘providing highly useful information to relevant government agencies in defined priority areas’. Please see the Wolfsberg Statement on Developing an Effective AML/CTF Programme.
Furthermore, we would encourage the EBA to take into account the following additional factors when assessing the effectiveness of AML/CFT frameworks as we think they are highly relevant in this context:
i) identification of suspicious activity/transaction reporting;
ii) FIUs’ evaluation of the reports submitted by subjects of assessment;
iii) participation in public-private partnerships aimed at improving the detection of and fight against financial crime.
• In addition, we would like to check whether the EBA meant to add some additional wording under paragraph 100 (d) (please see below with our underlining). There is a letter ‘i’ at the end of the paragraph which looks like a typo.
100 d) including the extent to which the supervisor is expected to challenge the robustness of AML/CFT controls, the implementation of policies and procedures and the effectiveness of the business-wide risk assessment, i
Guideline 4.4.9 Feedback to the sector
• Guideline 4.4.9. paragraph 124 requires competent authorities to issue “guidance on the risk-based approach to subjects of assessment on what they expect subjects of assessment to do to comply with their AML/CFT obligations”.
We think that, in issuing such guidance, supervisors should assess the position of multinational companies vis-à-vis the regulatory framework of third countries. Therefore, this guidance should take into account third-countries regulatory and supervisory expectations, in order to ensure a level playing field in cases when local expectations diverge from the European expectations.
• Guideline 4.4.9 paragraph 125 states that evidence of de-risking in some sectors or subjects of assessment may suggest that some further guidance may be needed in this space.
To this end, AFME believes that competent authorities, when assessing de-risking, should also take into account and recognise the efforts made by financial institutions to build appropriate control frameworks to pro-actively engage with the ‘at risk’ clients in order to prevent financial exclusion.
We would like to thank the EBA for the vital work accomplished so far in the space of AML/CFT and we look forward to continued engagement and dialogue on this important matter. We stand ready to discuss the content of this paper or to provide any further clarity regarding the statements made.