EBA/GL/2022/05  
14 June 2022  
Final Report  
Guidelines  
On policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT Compliance Officer under Article 8 and Chapter VI of Directive (EU) 2015/849
FINAL REPORT AND GUIDELINES ON THE ROLE OF THE AML/CFT COMPLIANCE OFFICER  
Executive Summary  
1. The AML/CFT compliance function is central to credit or financial institutions’ AML/CFT efforts.  
This is why Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015  
on the prevention of the use of the financial system for the purposes of money laundering or  
terrorist financing requires that credit or financial institutions appoint an AML/CFT compliance  
officer at the management level. It also provides that credit or financial institutions that have a  
management body identify the member of the management body who is ultimately responsible for  
the implementation of the law, regulations and administrative provisions necessary to comply with  
AML/CFT requirements. It does not set out in detail how these provisions should be applied.  
2. Through these guidelines, the EBA will create a common understanding, by competent  
authorities and credit or financial institutions, of credit or financial institutions’ AML/CFT  
governance arrangements. A common understanding, which is applied consistently and enforced  
as necessary, is key to strengthening the EU’s AML/CFT defences.  
3. These guidelines set clear expectations of the role, tasks and responsibilities of the AML/CFT  
compliance officer and the management body. They specify that credit or financial institutions  
should appoint one member of their management body who will ultimately be responsible for the  
implementation of the AML/CFT obligations, and clarify the tasks and functions of that person. They  
also describe the roles and responsibilities of the AML/CFT compliance officer, when this person is  
appointed by the management body pursuant to the proportionality criteria. When the credit or  
financial institution is part of a group, the guidelines prescribe that a group AML/CFT compliance  
officer should be appointed and clarify this person’s tasks and responsibilities.  
4. These guidelines apply to all existing management body structures and do not advocate any  
particular structure. They complement, but do not replace, relevant guidelines issued by the  
European Supervisory Authorities on wider governance arrangements and suitability checks.  
Next steps  
The guidelines will be translated into the official EU languages and published on the EBA website.  
The deadline for competent authorities to report whether they comply with the guidelines will be  
two months after the publication of the translations. The guidelines will apply from 1 December 2022.
Background and rationale  
Background  
5. Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the  
prevention of the use of the financial system for the purposes of money laundering or terrorist  
financing requires that credit or financial institutions have in place policies, controls and procedures  
to mitigate and manage effectively the risks of money laundering and terrorist financing (ML/TF).  
In accordance with Article 8(4) of this Directive, where appropriate with regard to the size and  
nature of the business, credit or financial institutions have to appoint a compliance officer at the  
management level. Article 46(4) further provides that credit or financial institutions that have a  
management body also identify the member of the management body who is ultimately  
responsible for the implementation of the law, regulations and administrative provisions necessary  
to comply with AML/CFT requirements.  
6. These provisions complement requirements in other sectoral laws that relate to credit or financial  
institutions’ governance and risk management systems, and suitability requirements for senior  
function holders.  
7. In 2017, in its Supranational Risk Assessment, the European Commission asked the ESAs to develop  
guidance to clarify the role of AML/CFT compliance officers in credit or financial institutions. At the  
time, the ESAs considered that existing guidelines on internal governance were sufficient to fulfil  
the Commission’s request.  
8. There have, however, been a number of reports that suggest that the requirements set out in  
Directive (EU) 2015/849 have been implemented unevenly across different sectors and Member  
States, and that they are not always applied effectively. This can have adverse consequences for  
the integrity of the EU’s financial system.  
9. For example,  
a) In their 2017 Joint Opinion on the risks of money laundering and terrorist financing affecting  
the Union’s financial sector1, the European Supervisory Authorities (ESAs) considered that the  
Union’s financial sector was exposed to money laundering and terrorist financing (ML/TF) risks  
arising from ineffective AML/CFT systems and controls. Findings from national supervisors  
pointed to a number of causes for these shortcomings. These included senior management of  
some credit or financial institutions affording low priority to AML/CFT issues, in particular when  
paired with a corporate culture that pursues profits at the expense of robust compliance. This  
lack of senior management buy-in meant that ensuring adequate resources and hiring suitably  
qualified staff for AML/CFT roles were not seen as a priority, which appeared to affect the  
quality of financial institutions’ AML/CFT controls.
1 JC/2017/07 of 20 February 2017  
b) The 2019 Report from the Commission to the European Parliament and the Council on the  
assessment of recent alleged money laundering cases involving EU credit institutions2 found  
that many credit institutions in the Commission’s sample had not established adequate risk  
management systems and controls. The analysis revealed deficiencies in credit institutions’  
anti-money laundering/countering the financing of terrorism-related governance  
arrangements (including the ‘three lines of defence’), their internal reporting, group policies  
and senior management’s responsibilities and accountability.
c) The EBA found in its 2019/2020 AML/CFT reviews of competent authorities’ approaches to the
AML/CFT supervision of banks3 that AML/CFT supervisors in some Member States did not  
interact with financial institutions’ senior management because there was no legal or  
regulatory requirement in those Member States to appoint an AML/CFT compliance officer at  
a level that was sufficiently senior to report to the financial institution’s senior management  
body. As a result, in those Member States there was a risk that AML/CFT supervision may not  
be effective.  
d) The EBA noted in its 2021 Opinion on the risks of money laundering and terrorist financing  
affecting the European Union’s financial sector4 that there was still a sizeable proportion of  
competent authorities that considered that the quality of some controls had remained poor  
and many competent authorities identified persisting deficiencies in some key controls.  
Rationale  
10. The EBA has a legal duty to prevent the use of the EU’s financial system for ML/TF purposes, and a
mandate to lead, monitor and coordinate the EU financial sector’s fight against ML/TF. Through  
these guidelines, the EBA aims to achieve a common understanding, by competent authorities and  
credit or financial institutions, of the role and responsibilities of  
a. the AML/CFT compliance officer; and  
b. the management body with regard to AML/CFT or the senior manager where no  
management body exists.  
11. A common understanding of the role and responsibilities of AML/CFT compliance officers and the
management body or senior manager, which is applied and enforced consistently, is important to  
ensure that credit or financial institutions in all Member States implement sound and effective  
AML/CFT systems and controls and to protect the EU’s financial sector from financial crime.  
Overview  
12. In particular, these guidelines set out provisions on:  
2 https://ec.europa.eu/info/sites/info/files/report_assessing_recent_alleged_money-  
3 EBA/Rep/2020/06  
4 EBA/Op/2021/04 of 3 March 2021  
1. The role and responsibilities of the management body in the AML/CFT framework and of the  
senior manager responsible for AML/CFT: Guideline 4.1 specifies the duties and tasks of the  
management body in the AML/CFT framework.  
2. The role and responsibilities of the AML/CFT compliance officer: Guideline 4.2 specifies the  
need to appoint an AML/CFT compliance officer at a level which entails the powers to propose,  
on his/her own initiative, all necessary or appropriate measures to ensure the compliance and  
effectiveness of the internal AML/CFT measures to the management body in its supervisory  
and management function. Guideline 4.2 also specifies the suitability requirements for the role  
of AML/CFT compliance officer as well as explaining the roles and responsibilities of the person  
employed in this role.  
3. The organisation of the AML/CFT compliance function at group level: Guideline 4.3 sets out  
specific roles and responsibilities and clarifies the reporting lines in respect of the role of the  
AML/CFT compliance officer function at a group level, in order to ensure that shortcomings in  
the AML/CFT framework affecting the entire group or a large part of the group are addressed  
effectively.  
13. The provisions set out in these guidelines should be applied in a manner that is effective and  
proportionate to the credit or financial institution’s type, size and internal organisation, the nature,  
scope and complexity of its activities, and the ML/TF risks to which the credit or financial institution  
is exposed.  
Interaction with other guidelines  
14. The guidelines complement the following ESAs guidelines:
the EBA guidelines on internal governance under Directive 2013/36/EU5;
the joint EBA and ESMA guidelines on the assessment of the suitability of members of the management body and key function holders6;
the ESMA guidelines on certain aspects of the MiFID II compliance function requirements7;
the EIOPA guidelines on system of governance8;
the EBA guidelines on outsourcing arrangements9;
the EIOPA guidelines on outsourcing to cloud service providers10;
the ESMA guidelines on outsourcing to cloud service providers11; and
the EBA guidelines on cooperation and information exchange between prudential supervisors, AML/CFT supervisors and Financial Intelligence Units under Directive 2013/36/EU12.
5 EBA/GL/2021/05
6 ESMA35-36-2319, EBA/GL/2021/06
7 ESMA35-36-1946
8 EIOPA-BoS-14/253 EN
9 EBA/GL/2019/02
10 EIOPA-BoS-20-002
11 ESMA50-157-2403
12 EBA/GL/2021/15
Guidelines  
EBA/GL/2022/05  
14 June 2022  
Guidelines  
on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT Compliance Officer under Article 8 and Chapter VI of Directive (EU) 2015/849
1. Compliance and reporting obligations
Status of these guidelines  
1. This document contains guidelines issued pursuant to Article 16 of Regulation (EU) No 1093/201013. In accordance with Article 16(3) of Regulation (EU) No 1093/2010, competent authorities and credit or financial institutions must make every effort to comply with the guidelines.
2. Guidelines set the EBA view of appropriate supervisory practices within the European
System of Financial Supervision or of how Union law should be applied in a particular area.  
Competent authorities as defined in Article 4(2) of Regulation (EU) No 1093/2010 to whom  
guidelines apply should comply by incorporating them into their practices as appropriate (e.g. by  
amending their legal framework or their supervisory processes), including where guidelines are  
directed primarily at institutions.  
Reporting requirements  
3. According to Article 16(3) of Regulation (EU) No 1093/2010, competent authorities must
notify the EBA as to whether they comply or intend to comply with these guidelines, or otherwise  
with reasons for non-compliance, by 21/11/2022. In the absence of any notification by this  
deadline, competent authorities will be considered by the EBA to be non-compliant. Notifications  
should be sent by submitting the form available on the EBA website with the reference  
‘EBA/GL/2022/05’. Notifications should be submitted by persons with appropriate authority to  
report compliance on behalf of their competent authorities. Any change in the status of compliance  
must also be reported to the EBA.  
4. Notifications will be published on the EBA website, in line with Article 16(3).
13 Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a  
European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing  
Commission Decision 2009/78/EC (OJ L 331, 15.12.2010, p.12)  
2. Subject matter, scope and definitions  
Subject matter and scope of application  
5. These guidelines specify the role, tasks and responsibilities of the AML/CFT compliance
officer, the management body and senior manager in charge of AML/CFT compliance as well as  
internal policies, controls and procedures, as referred to in Article 8, and Article 45 and Article 46  
of Directive (EU) 2015/849.  
6. These guidelines apply to credit or financial institutions as defined in Article 3(1) and 3(2)
of Directive (EU) 2015/849. These guidelines apply to all existing management body structures,  
irrespective of the board structure used (a unitary and/or a dual board structure and/or another  
structure) across Member States.  
7. The terms ‘management body in its management function’ and ‘management body in its
supervisory function’ are used throughout these guidelines without referring to any governance  
structure, and references to the management (executive) or supervisory (non-executive) function  
should be understood as applying to the bodies or members of the management body responsible  
for that function in accordance with national law. National company law may contain specific  
provisions regarding the management body and these guidelines apply without prejudice to these  
provisions.  
Addressees  
8. These guidelines are addressed to competent authorities as defined in Article 4(2) (iii) of
Regulation (EU) No 1093/2010. They are also addressed to credit or financial institutions as defined  
in Article 3(1) and 3(2) of Directive (EU) 2015/849, which are financial sector operators referred to  
in Article 4(1a) of Regulation (EU) No 1093/2010.  
Definitions  
9. Unless otherwise specified, the terms used and defined in Directive (EU) 2015/849 have
the same meaning in these guidelines. In addition, for the purposes of these guidelines, the  
following definitions apply:  
Management body means the credit or financial institution’s body or bodies, which are appointed in accordance with national law, and are empowered to set the strategy, objectives and overall direction of the credit or financial institution, and which oversee and monitor management decision-making, and include the persons who effectively direct the business of the said institution.
Management body in its supervisory function means the management body acting in its role of overseeing and monitoring management decision-making.
Management body in its management function means the management body acting in its role of day-to-day management of the credit or financial institution.
3. Implementation  
Date of application  
10. These guidelines apply from 1 December 2022.
4. Guidelines  
4.1 The role and responsibilities of the management body in the AML/CFT framework and of the senior manager responsible for AML/CFT
11. The management body should be responsible for approving the credit or financial institution’s overall AML/CFT strategy and for overseeing its implementation. To this end, it should collectively possess adequate knowledge, skills and experience to be able to understand the ML/TF risks related to the credit or financial institution’s activities and business model, including the knowledge of the national legal and regulatory framework relating to the prevention of ML/TF.
4.1.1 The role of the management body in its supervisory function in the AML/CFT framework
12. The management body in its supervisory function should be responsible for overseeing and
monitoring the implementation of the internal governance and internal control framework to  
ensure compliance with applicable requirements in the context of the prevention of money  
laundering and terrorism financing (ML/TF).  
13. In addition to the provisions set out in the ESAs’ guidelines on internal governance14, as applicable, a credit or financial institution’s management body in its supervisory function should:
a) be informed of the results of the business-wide ML/TF risk assessment;  
b) oversee and monitor the extent to which the AML/CFT policies and procedures are adequate  
and effective in light of the ML/TF risks to which the credit or financial institution is exposed  
and take appropriate steps to ensure remedial measures are taken where necessary;  
c) at least once a year, review the activity report of the AML/CFT compliance officer and obtain  
interim updates more frequently for activities that expose the credit or financial institution to  
higher ML/TF risks;  
d) at least once a year, assess the effective functioning of the AML/CFT compliance function,  
including by taking into account the conclusions of any AML/CFT-related internal and/or  
external audits that may have been carried out, including with regard to the appropriateness  
of the human and technical resources allocated to the AML/CFT compliance officer.  
14. The management body in its supervisory function should ensure that the member of the management body referred to in section 4.1.3. or where applicable the senior manager referred to in section 4.1.4., who is responsible for the implementation of the laws, regulations and administrative provisions necessary to comply with Directive (EU) 2015/849:
a) has the knowledge, skills and experience necessary to identify, assess and manage the ML/TF risks to which the credit or financial institution is exposed, and the implementation of AML/CFT policies, controls and procedures;
b) has a good understanding of the credit or financial institution’s business model and the sector in which it operates and the extent to which this business model exposes the credit or financial institution to ML/TF risks;
c) is informed in a timely manner of decisions that may affect the risks to which the credit or financial institution is exposed.
14 EBA guidelines on internal governance under Directive 2013/36/EU: EBA/GL/2021/05; ESMA guidelines on certain aspects of the MiFID II compliance function requirements: ESMA35-36-1946; EIOPA guidelines on system of governance: EIOPA-BoS-14/253 EN
15. The management body in its supervisory function should have access to and take into
account data and information of sufficient detail and quality to enable it to discharge its AML/CFT  
functions effectively. At a minimum, the management body in its supervisory function should have  
timely and direct access to the activity report of the AML/CFT compliance officer, the report of the  
internal audit function, the findings and observations of external auditors, where applicable, as well  
as the findings of the competent authority, relevant communications with the FIU and supervisory  
measures or sanctions imposed.  
4.1.2. The role of the management body in its management function in the AML/CFT framework
16. In relation to internal policies, controls and procedures referred to in Articles 8(3) and 8(4)
of Directive (EU) 2015/849, a credit or financial institution’s management body in its management  
function should:  
a) implement the appropriate and effective organisational and operational structure necessary to  
comply with the AML/CFT strategy adopted by the management body, paying particular  
attention to the sufficient authority and the appropriateness of the human and technical  
resources allocated to the AML/CFT compliance officer function, including the need for a  
dedicated AML/CFT unit to assist the AML/CFT compliance officer;  
b) ensure implementation of internal AML/CFT policies and procedures;  
c) review the AML/CFT compliance officer’s activity report, at least annually;  
d) ensure adequate, timely and sufficiently detailed AML/CFT reporting to the competent  
authority;  
e) where operational functions of the AML/CFT compliance officer are outsourced, ensure compliance with the ESAs guidelines on outsourcing arrangements15 and ESAs guidelines on internal governance16, where applicable, and receive regular reporting from the service provider to inform the management body.
15 EBA guidelines on outsourcing arrangements: EBA/GL/2019/02; EIOPA guidelines on outsourcing to cloud service providers: EIOPA-BoS-20-002; ESMA guidelines on outsourcing to cloud service providers: ESMA50-157-2403
4.1.3. Identification of the member of the management body responsible for AML/CFT  
17. The member of the management body to be identified in accordance with Article 46(4) of
Directive (EU) 2015/849 should, in particular, have sufficient knowledge, skills and experience  
regarding ML/TF risks, and the implementation of AML/CFT policies, controls and procedures, with  
a good understanding of the credit or financial institution’s business model and the sector in which  
the credit or financial institution operates.  
18. The member of the management body referred to in Article 46(4) of Directive (EU)
2015/849 should commit sufficient time and have sufficient resources to perform his/her AML/CFT  
duties effectively. He/she should report comprehensively about his/her tasks as mentioned in  
section 4.1.5. and regularly inform, where necessary and without undue delay, the management  
body in its supervisory function.  
4.1.4. Identification of a senior manager responsible for AML/CFT where no management body is in place
19. Where no management body is in place, the credit or financial institution should appoint a
senior manager who is ultimately responsible for the implementation of the laws, regulations and  
administrative provisions necessary to comply with Directive (EU) 2015/849, with sufficient time,  
resources and authority to perform his/her duties effectively.  
20. The senior manager referred to in paragraph 19 should have sufficient knowledge, skills
and experience regarding ML/TF risks, and the implementation of AML/CFT policies, controls and  
procedures, with a good understanding of the credit or financial institution’s business model and  
the sector in which the credit or financial institution operates. In addition, he/she should be given  
sufficient time, resources and authority to perform his/her duties effectively.  
4.1.5. Tasks and role of the member of the management body or senior manager responsible for AML/CFT
21. Without prejudice to the overall and collective responsibility of the management body,
when appointing the member of the management body, or the senior manager referred to in  
paragraphs 17 and 19, credit or financial institutions should identify and take into account potential  
conflicts of interest and take steps to avoid or mitigate them.  
22. The member of the management body, or the senior manager where designated, responsible for AML/CFT should ensure that the entire management body, or the senior management where no management body is in place, is aware of the impact of ML/TF risks on their business-wide risk profile. The responsibilities of the member of the management body, or the senior manager where designated, responsible for AML/CFT, in view of the performance of their task as referred to in Article 46(4) of Directive (EU) 2015/849, and in particular in relation to the implementation of policies, controls and procedures to mitigate and manage effectively the risks of ML/TF as referred to in Article 8 of that Directive, should include at least:
a) ensuring that the AML/CFT policies, procedures and internal control measures are adequate and proportionate, taking into account the characteristics of the credit or financial institution and the ML/TF risks to which it is exposed;
b) carrying out with the management body the assessment of whether it would be appropriate to appoint a separate AML/CFT compliance officer at management level, as referred to in section 4.2.2.;
c) supporting the management body in assessing the need for a dedicated AML/CFT unit to assist the AML/CFT compliance officer in carrying out his/her functions, taking into account the scale and complexity of the credit or financial institution’s operations and exposure to the ML/TF risks. Staff within this unit should possess the necessary expertise, skills and knowledge to assist the AML/CFT compliance officer, who should be involved in the recruitment process;
d) ensuring that there is periodical reporting to the management body on the activities carried out by the AML/CFT compliance officer and that the management body is provided with sufficiently comprehensive and timely information and data on ML/TF risks and AML/CFT compliance, which is necessary to allow the management body to carry out the role and functions entrusted to it. Such information should also cover the credit or financial institution’s engagements with the national competent authority and communications with the FIU, without prejudice to the confidentiality of STRs, and any ML/TF-related findings of the competent authority against the credit or financial institution including measures or sanctions imposed;
e) informing the management body of any serious or significant AML/CFT issues and breaches and recommending actions to remedy them;
f) ensuring that the AML/CFT compliance officer (i) has direct access to all the information necessary to perform his/her tasks, (ii) has sufficient human and technical resources and tools to be able to adequately perform the tasks assigned to them, and (iii) is well informed of the AML/CFT-related incidents and shortcomings identified by the internal control systems and by the national and, in the case of groups, foreign supervisory authorities.
16 EBA guidelines on internal governance under Directive 2013/36/EU, EBA/GL/2021/05 of 2 July 2021
23. The member of the management body, or the senior manager where designated,
responsible for AML/CFT should be the main contact point for the AML/CFT compliance officer  
within the management. In addition, the member of the management body, or the senior manager  
where designated, responsible for AML/CFT should ensure that any AML/CFT concerns that the  
AML/CFT compliance officer has are duly addressed and, where this is not possible, are duly  
considered by the management body in its management function or by the senior management  
where applicable. If the management body in its management function or senior management  
where applicable decide not to follow the recommendation of the AML/CFT compliance officer,  
they should duly justify and record their decision in light of the risks and concerns raised by the  
AML/CFT compliance officer. In the case of a significant incident, the AML/CFT compliance officer  
should have direct access to the management body in its supervisory function.  
4.2 The role and responsibilities of the AML/CFT compliance officer  
4.2.1 Appointment of the AML/CFT compliance officer  
24. When deciding whether to appoint the AML/CFT compliance officer in accordance with
Article 8(4) of Directive (EU) 2015/849, the management body should take into account the scale  
and complexity of the credit or financial institution’s operations and its risk exposure to ML/TF  
pursuant to the criteria set out in section 4.2.2.  
25. The AML/CFT compliance officer should be appointed at management level. He/she should
have sufficient authority to propose, on his/her own initiative, all necessary or appropriate  
measures to ensure the compliance and effectiveness of the internal AML/CFT measures to the  
management body in its supervisory and management function.  
26. Where the AML/CFT compliance officer is appointed in accordance with Article 8(4) of
Directive (EU) 2015/849, the management body should determine whether that role will be carried  
out on a full-time basis or whether it may be carried out by an employee or an officer in addition  
to his/her existing functions within the credit or financial institution.  
27. Where the functions of the AML/CFT compliance officer are to be entrusted to an officer
or employee who already has other duties or functions within the credit or financial institution, the  
management body should identify and consider possible conflicts of interest and take the steps  
necessary to avoid or, where this is not possible, manage these. The management body should  
ensure that that person can allocate sufficient time to the functions of AML/CFT compliance officer.  
28. The AML/CFT compliance officer should make themselves available to the competent
authority and the FIU upon request, and should therefore normally be contracted and work in the  
country in which the credit or financial institution is established.  
29. Where commensurate with the ML/TF risk to which the credit or financial institution is
exposed and to the extent that this is permitted under the national law, the AML/CFT compliance  
officer may be contracted to work in another jurisdiction. In those cases the credit or financial  
institution should have the necessary systems and controls in place to ensure that the AML/CFT  
compliance officer has access to all the necessary information and systems required to perform  
his/her tasks and is available to meet the local FIU and the competent authority without delay. The  
credit or financial institution should also be able to demonstrate to its competent authority that  
the measures it has put in place in this regard are adequate and effective.  
30. The AML/CFT compliance officer should be able to assign and delegate his/her tasks as set
out in section 4.2.4. to other officers and employees acting under his/her direction and supervision,  
provided that ultimate responsibility for the effective fulfilment of those tasks remains with the  
AML/CFT compliance officer.  
31. The AML/CFT compliance officer should be part of the second line of defence and, as such,  
part of an independent function, and the following conditions should be met:  
a) The AML/CFT compliance officer should be independent from the business lines or units he/she  
controls and he/she cannot be subordinate to a person who has responsibility for managing  
any of those business lines or units.  
b) The credit or financial institution has put in place internal procedures to ensure that the  
AML/CFT compliance officer has at all times unrestricted and direct access to all information  
that is necessary to the performance of his/her function. The decision on which information  
he/she needs to access in this regard should be the AML/CFT compliance officer’s alone.  
c) In the case of a significant incident, the AML/CFT compliance officer should be able to report  
and have direct access to the management body in its supervisory function or to the senior  
management where no management body is in place.  
4.2.2 Proportionality criteria for the appointment of a separate AML/CFT compliance officer  
32. A credit or financial institution should appoint a separate AML/CFT compliance officer  
unless it is a sole trader or has a very limited number of employees or the reasons set out in  
paragraph 33 justify the non-appointment.  
33. When the management body decides not to appoint a separate AML/CFT compliance  
officer, the reasons should be justified and documented, and explicitly refer to at least the following  
criteria:  
a) the nature of the credit or financial institution’s business and the ML/TF risks associated  
therewith, taking into account its geographical exposure, customer base, distribution channels  
and products and services offering;  
b) the size of its operations in the jurisdiction, the number of its customers, the number and  
volume of its transactions and the number of its full-time equivalent employees;  
c) the legal form of the credit or financial institution, including whether the credit or financial  
institution is part of a group.  
34. Where a separate AML/CFT compliance officer is not appointed, the credit or financial  
institution should organise the performance of the AML/CFT compliance officer tasks (see below  
section 4.2.4 on Tasks and role of the AML/CFT compliance officer) by either the member of the  
management body as referred to in section 4.1.3 or the senior manager responsible for AML/CFT  
as referred to in section 4.1.4, or by outsourcing operational functions as mentioned in section  
4.2.6, or by a combination of the previous options.  
35. When the AML/CFT compliance officer acts for two or more entities within the group or is  
charged with other tasks, the credit or financial institution should ensure that these multiple  
appointments still allow the AML/CFT compliance officer to effectively perform his/her functions.  
The AML/CFT compliance officer should operate for different entities only if the entities are part of  
the same group. However, due to the specific nature of the collective investment undertakings  
sector¹⁷, the AML/CFT compliance officer could service several funds.  
4.2.3 Suitability, skills and expertise  
36. In relation to employee screening referred to in Article 8(4)(a) of Directive (EU) 2015/849,  
credit or financial institutions should, prior to the appointment, assess whether the AML/CFT  
compliance officer possesses:  
a) the reputation, honesty and integrity necessary to perform his/her function;  
b) the appropriate AML/CFT skills and expertise, including knowledge of the applicable legal and  
regulatory AML/CFT framework, and the implementation of AML/CFT policies, controls and  
procedures;  
c) sufficient knowledge and understanding of the ML/TF risks associated with the business model  
of the credit or financial institution to perform his/her function effectively;  
d) relevant experience regarding the identification, assessment and management of the ML/TF  
risks; and  
e) sufficient time and seniority to perform his/her functions effectively, independently and  
autonomously.  
37. Credit or financial institutions should ensure that the AML/CFT compliance function  
operates on an ongoing basis as part of their overall business continuity management. They should cater  
for the possibility of having the AML/CFT compliance officer discontinue his/her functions and the  
availability of a delegate with appropriate skills and expertise to take over the functions of the  
AML/CFT compliance officer in the event that he/she is absent for a period of time or the integrity  
of the AML/CFT compliance officer is called into question.  
4.2.4 Tasks and role of the AML/CFT compliance officer  
38. The role and responsibilities of the AML/CFT compliance officer should be clearly defined  
and documented.  
¹⁷ A collective investment undertaking or CIU means a UCITS as defined in Article 1(2) of Directive 2009/65/EC of the  
European Parliament and of the Council of 13 July 2009 on the coordination of laws, regulations and administrative  
provisions relating to undertakings for collective investment in transferable securities (UCITS) or an AIF as defined in  
Article 4(1)(a) of Directive 2011/61/EU.  
a. Development of a risk assessment framework  
39. In relation to the identification and assessment of risk referred to in Article 8(1) of Directive  
(EU) 2015/849, the AML/CFT compliance officer should develop and maintain an ML/TF risk  
assessment framework for business-wide and individual ML/TF risk assessments in line with the  
EBA guidelines on ML/TF risk factors¹⁸.  
40. The AML/CFT compliance officer should report the results of the business-wide and  
individual ML/TF risk assessment to the management body, via the member of the management  
body, or to the senior manager responsible for AML/CFT, or directly, if he/she deems it necessary.  
The AML/CFT compliance officer should propose to the management body the measures to take to  
mitigate those risks. The launch of a new product or service or significant changes to existing ones,  
the development of a new market or the undertaking of new activities should not be initiated until  
adequate resources to understand and manage the associated risks are available and effectively  
implemented.  
b. Development of policies and procedures  
41. The AML/CFT compliance officer should ensure that adequate policies and procedures are  
put in place, kept up to date and implemented effectively on an ongoing basis. The policies and  
procedures should be commensurate with the ML/TF risks that the credit or financial institution  
has identified. The AML/CFT compliance officer should at least:  
a) set out the AML/CFT policies and procedures to be adopted by the credit or financial institution,  
as well as the controls and systems to be implemented under Article 8(4) of Directive (EU)  
2015/849;  
b) ensure that AML/CFT policies and procedures are implemented effectively by the credit or  
financial institution as explained under section d on Monitoring compliance;  
c) ensure that AML/CFT policies and procedures are reviewed regularly and amended or updated  
where necessary;  
d) propose how to address any changes in legal or regulatory requirements or in ML/TF risks as  
well as how to best address deficiencies or shortcomings identified through monitoring or  
supervisory activities.  
42. The policies, controls and procedures referred to in Article 8(4) of Directive (EU) 2015/849  
should at least include the following:  
a) the business-wide and individual ML/TF risk assessment methodology;  
b) customer due diligence including that provided by the EBA revised guidelines on ML/TF risk  
factors¹⁹, and a customer acceptance process as explained below in section c on Customers, in  
particular for high-risk customers;  
c) internal reporting (analysis of unusual transactions) and the submission of STRs to the FIU;  
d) record keeping; and  
e) provisions for monitoring AML/CFT compliance as in section d on Monitoring compliance.  
¹⁸ EBA revised guidelines on ML/TF risk factors: EBA/GL/2021/02  
c. Customers, including high-risk customers  
43. The AML/CFT compliance officer should be consulted before a final decision is taken by  
senior management on onboarding new high-risk customers or maintaining business relationships  
with high-risk customers in line with the risk-based internal AML/CFT policies of the credit or  
financial institution, and in particular in situations where the senior management’s approval is  
explicitly required under Directive (EU) 2015/849. If senior management decides not to follow the  
advice of the AML/CFT compliance officer, it should duly record its decision and address how it  
proposes to mitigate the risks raised by the AML/CFT compliance officer.  
d. Monitoring compliance  
44. As a second line of defence, the AML/CFT compliance officer should be responsible for  
monitoring whether the measures, policies, controls and procedures implemented by the credit or  
financial institution comply with the credit or financial institution’s AML/CFT obligations. The  
AML/CFT compliance officer should also oversee the effective application of AML/CFT controls  
applied by business lines and internal units (first line of defence).  
45. The AML/CFT compliance officer should ensure that the AML/CFT framework is updated  
where necessary, and in any case when deficiencies are detected, new risks emerge or the legal or  
regulatory framework has changed.  
46. The AML/CFT compliance officer should recommend to the management body corrective  
measures to be taken to address identified weaknesses in the credit or financial institution’s  
AML/CFT framework, including weaknesses identified by competent authorities or by internal or  
external auditors.  
e. Reporting to the management body  
47. The AML/CFT compliance officer should advise the management body on measures to be  
taken to ensure compliance with applicable laws, rules, regulations and standards, and should  
provide his/her assessment of the possible impact of any changes in the legal or regulatory  
environment on the credit or financial institution’s activities and compliance framework.  
¹⁹ Guidelines on customer due diligence and the factors credit and financial institutions should consider when assessing  
the money laundering and terrorist financing risk associated with individual business relationships and occasional  
transactions (‘Guidelines on ML/TF risk factors’) under Articles 17 and 18(4) of Directive (EU) 2015/849: EBA/GL/2021/02  
48. The AML/CFT compliance officer should bring to the attention of the member of the  
management body or the senior manager responsible for AML/CFT:  
a) the areas where the operation of AML/CFT controls should be implemented or improved;  
b) the appropriate improvements suggested in relation to point (a) above;  
c) a progress report of any significant remedial programmes, at least once a year as part of the  
activity report referred to in paragraph 50 and on an ad hoc basis or periodically, depending on  
the improvements, to provide information about the level of exposure to the ML/TF risks, and  
the measures taken or recommended to reduce and effectively manage these risks;  
d) whether the human and technical resources allocated to the AML/CFT compliance function are  
insufficient and should be reinforced.  
49. The credit or financial institution needs to stand ready to share a copy of the activity report  
referred to in paragraph 50 with the competent authority.  
50. The AML/CFT compliance officer should produce an activity report on at least an annual  
basis. The activity report should be proportionate to the scale and nature of the activities of the  
credit or financial institution. The activity report may, where appropriate, be based on information  
already sent to the national competent authorities in the form of other reports. The activity report  
should contain at least the following information:  
1) On the ML/TF risk assessment:  
a) a summary of the main findings of the business-wide ML/TF risk assessment as referred to in  
Article 8 of Directive (EU) 2015/849, where such an update has been performed in the past  
year, and a confirmation of whether it was required by the competent authority to be  
submitted for the reporting year;²⁰  
b) a description of any changes related to the method used by the credit or financial institution to  
assess the individual customer risk profile, highlighting how such change is aligned to the credit  
or financial institution’s business-wide ML/TF risk assessment;  
c) the classification of customers by risk category, including the number of customer files by risk  
category for whom CDD reviews and updates are outstanding;  
d) information and statistical data on:  
i) the number of unusual transactions detected;  
ii) the number of unusual transactions analysed;  
iii) the number of reports of suspicious transactions or activity to the FIU  
(distinguished by country of operations);  
iv) the number of customer relationships ceased by the credit or financial  
institution due to AML/CFT concerns;  
v) the number of requests for information received from the FIU, courts  
and law enforcement agencies.  
²⁰ Please refer to the EBA guidelines on ML/TF risk factors on conducting risk assessments (EBA/GL/2021/02)  
2) On resources:  
e) a brief description of the AML/CFT organisation structure and, where appropriate, of any  
significant changes made in the past year and of the underlying reasoning;  
f) a brief description of the human and technical resources allocated to the AML/CFT compliance  
function by the credit or financial institution;  
g) where applicable, the list of AML/CFT processes outsourced with a description of the oversight  
performed by the credit or financial institution on those activities.  
3) On policies and procedures:  
h) a summary of important measures taken and procedures adopted during the year, including a  
brief description of the recommendations, problems, shortcomings and irregularities identified  
in the year of the reporting;  
i) a description of the compliance monitoring actions undertaken to assess application of the  
credit or financial institution’s AML/CFT policies, controls and procedures by the credit or  
financial institution’s employees, agents, distributors and service providers, as well as the  
adequacy of any monitoring tools employed by the credit or financial institution for AML/CFT  
purposes;  
j) a description of the AML/CFT training activities completed, and of the training plan for next  
year;  
k) a plan of activities of the AML/CFT compliance officer function for the subsequent year;  
l) findings of internal and external audits relevant to AML/CFT and any progress made by the  
credit or financial institution to address these findings;  
m) supervisory activities, including communications with the credit or financial institution, carried  
out by the competent authority, reports submitted, breaches identified and sanctions imposed  
together with how the credit or financial institution is undertaking to remedy the breaches  
identified and the stage at which the remedial action is, without prejudice to any other  
periodical report that may be required in the case of supervisory activity or remedial action.  
f. Reporting of suspicious transactions  
51. In relation to the AML/CFT compliance officer’s obligation under Article 33(2) of Directive  
(EU) 2015/849 to transmit information referred to in paragraph (1) of that Article, he/she should  
make sure that other members of staff whose assistance is sought with the discharge of aspects of  
this function have the skills, knowledge and suitability to assist with that task. Due consideration  
should be given to the sensitivity and confidentiality of information that may be disclosed and the  
non-disclosure obligations the credit or financial institution has to adhere to.  
52. When the AML/CFT compliance officer transmits information to the FIU in accordance with  
Article 33(2) of Directive (EU) 2015/849, he/she should ensure that the information is transmitted  
in a format and through means which comply with any guidelines issued by the national FIU, in an  
effective manner. As part of his/her role under that provision, the AML/CFT compliance officer  
should:  
a) understand the functioning and design of the transaction monitoring system, including  
scenarios covered according to the ML/TF risks posed to the credit or financial institution and  
internal procedures to handle alerts;  
b) receive reports from the credit or financial institution’s employees, agents or distributors, or  
reports generated otherwise by the credit or financial institution’s systems, of knowledge or  
suspicion of ML/TF, or that a person may have been, is or may be connected with ML/TF;  
c) ensure that these reports are considered promptly so as to determine whether there is  
knowledge or suspicion that funds are proceeds of criminal activity including ML/TF, or whether  
a person may have been, is or may be connected with ML/TF; the AML/CFT compliance officer  
should also determine, document and implement a prioritisation process for the internal  
reports received so that internal reports concerning especially high-risk situations are treated  
with the necessary urgency;  
d) while assessing the reports received, keep a record of all evaluations carried out as well as any  
feedback received from the FIU subsequently to improve the detection of future suspicious  
transactions;  
e) ensure that knowledge or suspicion of ML/TF or of a person’s connection with ML/TF are  
promptly reported to the FIU, submitting with the report such facts, events or information and  
documentation as necessary to substantiate the suspicion or instances of reasonable grounds  
to suspect ML/TF;  
f) ensure a prompt and exhaustive response to any request for information made by the FIU; and  
g) consider regularly the reasons why alerts of unusual activity or transactions were not escalated  
as internal reports so as to determine whether there are any issues that need to be addressed  
to ensure effective detection of suspicious activity or transactions.  
53. The AML/CFT compliance officer should ensure that the credit or financial institution’s  
internal controls will enable it to comply with any guidance provided by the FIU.  
54. Credit or financial institutions should draw the attention of their managers and employees  
to the obligation to comply strictly with the prohibition on informing the customer or third parties  
that an ML/TF analysis is ongoing or may be started and to limit access to this information to the  
persons who need it for the performance of their functions. While there is a non-disclosure  
obligation applicable within the credit or financial institution, the AML/CFT compliance officer  
should still consider carefully to whom information on either any reports submitted to the FIU or  
any request for information received from the FIU is provided within the credit or financial  
institution. The reporting procedure should be confidential and the identity of the persons involved  
in the preparation and forwarding of the report should be protected by privacy policy.  
g. Training and awareness  
55. In accordance with the obligation under Article 46(1) of Directive (EU) 2015/849 and as  
specified in the EBA revised guidelines on ML/TF risk factors²¹, the AML/CFT compliance officer  
should duly inform staff about the ML/TF risks to which the credit or financial institution is exposed  
including ML/TF methods, trends and typologies, as well as of the risk-based approach  
implemented by the credit or financial institution to mitigate these risks. This information may take  
various forms, such as company letters, the intranet or meetings.  
56. The AML/CFT compliance officer should oversee the preparation and implementation of  
an ongoing AML/CFT training programme. In cooperation with the human resources department  
of the credit or financial institution, an annual plan of training and education of staff should be  
documented and be referred to in the activity report to the management body as per paragraph  
50.  
57. The AML/CFT compliance officer should ensure that the internal reporting procedures  
adopted by the credit or financial institution are brought to the attention of all staff.  
58. In addition to general education, for the purposes of Article 46(1) of Directive (EU)  
2015/849 the AML/CFT compliance officer should assess the specific training needs within the  
credit or financial institution and ensure that adequate theoretical and practical training is provided  
to the persons exposed to different levels of ML/TF risks, such as:  
a) persons working in the compliance function under the responsibility of the AML/CFT  
compliance officer;  
b) persons in contact with customers or tasked with carrying out their transactions (employees,  
agents and distributors);  
c) persons responsible for developing procedures or internal tools applicable to activities that may  
be sensitive to ML/TF risk.  
59. The content of the specific training programmes delivered to persons with different levels  
of exposure to ML/TF risks should be adjusted on a risk-sensitive basis as described in the EBA  
revised guidelines on ML/TF risk factors²².  
²¹ Guideline 6: Training of EBA revised guidelines on ML/TF risk factors: EBA/GL/2021/02  
²² Guideline 6: Training of EBA revised guidelines on ML/TF risk factors: EBA/GL/2021/02  
60. The AML/CFT compliance officer should determine indicators of assessment to check the  
effectiveness of training provided.  
61. Where the credit or financial institution adopts a training and awareness-raising  
programme developed abroad, e.g. by its registered office or parent company, the AML/CFT  
compliance officer should ensure that this programme is adapted to the legal and regulatory rules  
applicable at national level, as well as with respect to ML/TF typologies and specific activities of the  
credit or financial institution.  
62. Where certain training activities are outsourced to a service provider, the AML/CFT  
compliance officer should ensure (i) that the service provider has the required AML/CFT knowledge  
to guarantee the quality of the training to be provided, (ii) that the management conditions of the  
outsourcing are set and respected, and (iii) that the content of this training is adapted to the specific  
features of the credit or financial institution concerned.  
4.2.5 Relationship between the AML/CFT compliance function and other functions  
63. Both the compliance function and the independent AML/CFT compliance function should  
be located in the second line of defence of credit and financial institutions.  
64. Where the AML/CFT compliance function is different from the general compliance function,  
in addition to the provisions of ESAs guidelines on internal governance²³ on a transparent and  
documented decision-making process and clear allocation of responsibilities and authority within  
its internal control framework, credit or financial institutions should meet the provisions set out in  
this section.  
65. The independent audit function referred to in Article 8(4)(b) of Directive (EU) 2015/849  
should not be combined with the AML/CFT compliance function.  
66. The risk management function, to the extent that the credit or financial institution has a  
risk management function, and, where established, the risk committee, should have access to  
relevant information and data necessary to perform their role, including information and data from  
relevant corporate and internal control functions, such as AML/CFT compliance.  
67. Good cooperation and exchange of information should take place between the head of risk  
management and the AML/CFT compliance officer. The AML/CFT compliance officer should  
cooperate with the risk function for the purpose of setting AML/CFT methodologies coherent with  
the risk management strategy of the credit or financial institution.  
²³ EBA guidelines on internal governance under Directive 2013/36/EU: EBA/GL/2021/05; ESMA guidelines on certain  
aspects of the MiFID II compliance function requirements: ESMA35-36-1946; EIOPA guidelines on system of governance:  
EIOPA-BoS-14/253 EN  
4.2.6 Outsourcing of operational functions of the AML/CFT compliance officer  
68. In addition to the ESAs guidelines on outsourcing²⁴, as applicable, and where the  
outsourcing of operational functions of the AML/CFT compliance officer is permitted under national  
law, credit or financial institutions should have regard to the following key principles:  
a. The ultimate responsibility for compliance with legal and regulatory obligations, whether or not  
specific functions are outsourced, lies with the credit or financial institution.  
b. The rights and obligations of the credit or financial institution and the service provider should  
be clearly allocated and set out in a written agreement.  
c. The credit or financial institution relying on an outsourcing arrangement should remain  
accountable to monitor and oversee the quality of the service provided.  
d. Intra-group outsourcing should be subject to the same regulatory framework as outsourcing to  
service providers outside the group²⁵.  
e. The outsourcing of functions cannot result in the delegation of the management body’s  
responsibilities. Strategic decisions in relation to AML/CFT should not be outsourced. These  
decisions include, in particular:  
i. the approval of the business-wide ML/TF risk assessment;  
ii. the decision on the internal organisation of the AML/CFT framework of the credit and  
financial institution;  
iii. the adoption of internal AML/CFT policies and procedures;  
iv. the approval of the methodology used to determine the ML/TF risk presented by a given  
business relationship and the assignment of the risk profile;  
v. the approval of the criteria to be used by the credit or financial institution to detect  
suspicious or unusual transactions for its ongoing monitoring and/or reporting  
purposes.  
Credit and financial institutions remain ultimately responsible for the decision to report  
suspicious transactions to the FIU, including in situations where the identification and  
reporting of suspicious transactions is outsourced.  
69. Credit and financial institutions should follow the outsourcing process, as set out in the  
EBA’s guidelines on outsourcing arrangements, when outsourcing operational tasks of the AML/CFT  
compliance officer function to a service provider. This includes the identification and assessment  
of relevant risks of the outsourcing arrangement, the justification of the decision to outsource in  
light of the objectives pursued (whether it aims to ensure an optimal allocation of AML/CFT  
resources throughout the group or on the basis of the proportionality criteria), undertaking due  
diligence on the prospective service provider, and the contractualisation of the outsourcing  
agreement.  
²⁴ EBA guidelines on outsourcing arrangements: EBA/GL/2019/02; EIOPA guidelines on outsourcing to cloud service  
providers: EIOPA-BoS-20-002; ESMA guidelines on outsourcing to cloud service providers: ESMA50-157-2403  
²⁵ Point 27 of the Background sections of the EBA guidelines on outsourcing arrangements of 25 February 2019:  
EBA/GL/2019/02  
70. The credit or financial institution which outsources tasks of the AML/CFT compliance  
function should entrust its AML/CFT compliance officer with:  
i) monitoring the service provider’s performance to ensure that the outsourcing  
effectively enables the credit or financial institution to comply with all its legal and  
regulatory AML/CFT obligations;  
ii) carrying out a regular control of compliance by the service provider with the  
commitments arising from the agreement. In accordance with the documented  
analysis, the regular control should ensure that the AML/CFT compliance function is  
provided with means to test and monitor regularly and occasionally compliance with  
the obligations incumbent upon the service provider. As regards its customers’ data,  
the AML/CFT compliance function and the competent authority should have access  
rights to the systems/databases of the service provider;  
iii) reporting on the outsourcing to the management body as part of the AML/CFT  
compliance officer’s activity report or whenever circumstances require, in particular  
so that any necessary remediation measures are implemented as soon as possible.  
71. Where the credit or financial institution does not have any officers or employees of its  
own other than a management body, it may outsource the AML/CFT compliance function to a  
service provider. In such instances the AML/CFT compliance officer should be the AML/CFT  
compliance officer of one of the service providers who has experience or knowledge on the type of  
activity or transactions carried out by the credit or financial institution.  
72. In situations where the credit or financial institution is making use of intra-group  
outsourcing, it should in particular take the measures necessary to identify and manage any  
conflicts of interest that could arise from such an outsourcing agreement. The parent entity of the  
group should:  
a) ensure that an inventory of cases of intra-group AML/CFT outsourcing, in order to determine  
which function relates to which legal entity, is established in the concerned entities and  
regularly made available for its consultation; and  
b) ensure that intra-group outsourcing does not compromise the compliance of each subsidiary,  
branch or other form of establishment with its AML/CFT obligations.  
73. The outsourcing of tasks related to AML/CFT to service providers established in third  
countries should be subject to additional safeguard measures in order to ensure that the  
outsourcing does not, as a result of the location of the service provider, increase the risk of non-compliance with the legal and regulatory requirements or of inefficient performance of the  
outsourced tasks, nor hinders the competent authority’s capacity to effectively exercise its  
supervisory power with regard to the service provider.  
4.3 Organisation of the AML/CFT compliance function at group level  
4.3.1 General provisions on the group context  
74. The credit or financial institution should adapt its internal control framework to the  
specificity of its business, its complexity and the associated risks, taking into account the group  
context.  
75. The credit or financial institution should ensure that the parent undertaking, where it is a
credit or financial institution, has sufficient data and information and is able to assess the group-wide ML/TF risk profile, in line with the EBA guidelines on ML/TF risk factors [26].
76. Where the credit or financial institution is the parent of a group, it should ensure that each
management body, business line and internal unit, including each internal control function, has the  
information necessary to be able to carry out its duties. In particular it should ensure exchange of  
adequate information between the business lines and the AML/CFT compliance function, and the  
compliance function where those are different functions, at the group level and between the heads  
of the internal control functions at the group level and the management body of the credit or  
financial institution.  
4.3.2 Role of the management body in respect of AML/CFT at group level  
77. Where the parent is a credit or financial institution and thus an obliged entity under
Directive (EU) 2015/849, its management body should carry out at a minimum the following tasks:  
a) in order to have a cartography of the ML/TF risks to which each group entity is exposed, ensure  
that the group entities perform their own business-wide ML/TF risk assessments in a  
coordinated way and based on a common methodology, yet reflecting their own specificities,  
taking into account Article 8(1) of Directive (EU) 2015/849 and the EBA revised guidelines on  
ML/TF risk factors [27];
b) when being informed, by members of the group management body or senior manager  
responsible for AML/CFT or directly by the group AML/CFT compliance officer, of supervisory  
activities carried out in entities of the group by a competent authority, or deficiencies identified  
therein, ensure that remediation measures are completed by the subsidiary or branch in a  
timely and effective manner.  
4.3.3 Organisational requirements at group level  
78. When implementing group-wide policies and procedures as referred to in Article 45 of
Directive (EU) 2015/849, conflicting interests, meaning ML/TF risk-generating tasks such as the
commercial function, between a parent credit or financial institution, which is an obliged entity
under Directive (EU) 2015/849, and a subsidiary or branch, should not jeopardise the compliance
with AML/CFT requirements, and should be mitigated.
[26] EBA revised guidelines on ML/TF risk factors: EBA/GL/2021/02
[27] EBA revised guidelines on ML/TF risk factors: EBA/GL/2021/02
79. The parent credit or financial institution should:
a) designate a member of its management body or senior manager responsible for AML/CFT  
among the senior managers at the level of the parent undertaking, as well as a group AML/CFT  
compliance officer;  
b) set up an organisational and operational coordination structure at group level with sufficient  
decision-making power for the group AML/CFT management to make this position effective at  
managing and preventing ML/TF risks, in line with the proportionality principle and applicable  
domestic legislation;  
c) approve the group's internal AML/CFT policies and procedures and ensure that these are  
consistent with the group's structure and with the size and characteristics of the credit or  
financial institutions belonging to it;  
d) set up internal AML/CFT control mechanisms at group level;  
e) regularly evaluate the effectiveness of the AML/CFT policies and procedures at group level; and  
f) for a credit or financial institution that operates branches or subsidiaries domestically, or in  
another Member State or a third country, appoint a group AML/CFT compliance officer as a  
coordinator, for ensuring the implementation by all the entities of the group, which are  
engaged in financial activities, of the group policy and the adequate and appropriate systems  
and procedures for the effective prevention of ML/TF.  
80. The group AML/CFT compliance officer should cooperate fully with the AML/CFT
compliance officer of each entity.
81. The group AML/CFT compliance officer should have at least the following tasks:
a) coordinate the business-wide assessment of the ML/TF risks carried out at local level by entities  
of the group and organise the aggregation of their results in order to have a good understanding  
of the nature, intensity and location of the ML/TF risks to which the group as a whole is  
exposed;  
b) draft a group-wide ML/TF risk assessment. In this respect, the parent entity of the group should  
take into account, in its ML/TF risk management system at group level, both the individual risks  
of the various entities of the group and their possible interrelations that could have a significant  
impact on the group-wide risk exposure. In this respect, particular attention should be paid to  
the risks to which the group’s branches or subsidiaries established in third countries are
exposed, especially if they are of high ML/TF risk;  
c) define group-level AML/CFT standards and ensure that local, entity-level policies and  
procedures comply with the AML/CFT legislation and regulations applicable to each entity of  
the group individually, and are also aligned to the group standards defined;  
d) coordinate the activities of the various local AML/CFT compliance officers in the group's  
operational entities in order to ensure that they work consistently;  
e) monitor compliance of the branches and the subsidiaries located in third countries with EU  
AML/CFT provisions, in particular where requirements for the prevention of ML/TF are less  
strict than those set out in Directive (EU) 2015/849 [28];
f) set group-wide policies, procedures and measures concerning, in particular, data protection  
and sharing of information within the group for the purposes of AML/CFT, in accordance with  
the national legal provisions;  
g) ensure that the entities of the group have adequate STR procedures and share information
properly, including the information that a suspicious transaction report has been filed (with no  
prejudice to national confidentiality rules where existing).  
82. The group AML/CFT compliance officer should produce an activity report on at least an
annual basis and present it to the group management body. In addition to the points mentioned in  
paragraph 50, the group AML/CFT compliance officer’s report should contain, at least, the following  
points from the AML/CFT compliance officers in branches and subsidiaries:  
a) statistics consolidated at group level, especially on risk exposure and suspicious activities;  
b) monitoring of inherent risks that have occurred in one subsidiary or branch and across other  
subsidiaries and branches, and analysing the impact of residual risks;  
c) supervisory reviews, internal or external audits of subsidiaries or branches of the credit or  
financial institution including the serious weaknesses identified in the AML/CFT policies and  
procedures of the credit or financial institution, and the actions or recommendations for  
corrective measures; and  
d) information on steering and oversight of subsidiaries and branches with a special focus on the  
ones located in high-risk countries if applicable.  
83. The AML/CFT compliance officer of a subsidiary or branch should have a direct reporting
line with the group AML/CFT compliance officer.
84. The group should ensure that the policies and procedures entities put in place are aligned
with the group’s procedures and policies to the extent permitted under applicable national law.  
Based on the proportionality criteria, credit or financial institutions should, where appropriate,  
establish committees (including a compliance committee) of the management body in its  
supervisory function as set out in Section 5 of the EBA revised guidelines on internal governance [29].
[28] Please also refer to the Joint ESA Regulatory Technical Standards on the implementation of group-wide AML/CFT policies in third countries of 6 December 2017: JC 2017 25
[29] EBA revised guidelines on internal governance under Directive 2013/36/EU: EBA/GL/2021/05
5. Accompanying documents  
5.1 Cost-benefit analysis / impact assessment  
A. Introduction
1. In several provisions of Directive (EU) 2015/849 there are references to the existence of
senior management in charge of the AML/CFT compliance function that is required to approve  
business relationships or transactions involving high-risk third countries (Article 18a(1)(e) of  
Directive (EU) 2015/849), cross-border relationships with a third-country respondent institution  
(Article 19(c) of Directive (EU) 2015/849) and transactions or business relationships with politically  
exposed persons (Article 20(b)(i) of Directive (EU) 2015/849), among others. Moreover, senior  
management should approve policies, controls and procedures to mitigate and manage effectively  
the risks of money laundering and terrorist financing (Article 8(5) of Directive (EU) 2015/849).  
2. More specifically, Article 8(4a) of Directive (EU) 2015/849 makes reference to the
appointment of a compliance officer at management level if appropriate and Article 46(4) of  
Directive (EU) 2015/849 requires entities to identify the member of the management body who is  
responsible for the implementation of the laws, regulations and administrative provisions  
necessary to comply with the Level 1 text.  
3. In 2017 and 2019, the European Commission issued Reports on the assessment of the risks
of ML/TF affecting the internal market and relating to cross-border activities [30] (‘Supra National Risk
Assessment’) in which it recommended that the European Supervisory Authorities (ESAs) provide
guidelines to clarify the functions of compliance officers in financial institutions [31].
B. Policy objectives
4. The guidelines aim at ensuring that the provisions of the Level 1 text are interpreted and
applied consistently and effectively. To this end, the guidelines describe the responsibilities at all  
hierarchical levels of the AML/CFT compliance function. First, the roles and responsibilities of the  
management body in the AML/CFT framework are set out. Second, the role of the AML/CFT  
compliance officer is described at all phases (i.e. the expectations about the appointment, the tasks  
and the reporting to the management body).  
5. The guidelines also address the organisation of the AML/CFT compliance function at group
level and the relationship and interactions between the AML/CFT compliance function and other  
functions related to the three lines of defence.  
[30] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52017DC0340
[31] https://ec.europa.eu/info/sites/info/files/supranational_risk_assessment_of_the_money_laundering_and_terrorist_financing_risks_affecting_the_union.pdf
C. Baseline scenario  
6. The current EU legislative framework for credit institutions’ internal governance consists
mainly of Directive 2013/36/EU, the EBA guidelines on internal governance under Directive  
2013/36/EU issued in 2017, the EBA draft guidelines on internal governance under Directive  
2013/36/EU issued in 2020, the EBA guidelines on the assessment of the suitability of members of  
the management body and key function holders, and the EBA guidelines on outsourcing. The draft  
amended guidelines on internal governance under Directive 2013/36/EU include in the section  
dedicated to the compliance function the provision that credit institutions should take appropriate  
action against internal or external behaviour that could facilitate or enable fraud, ML/TF or other  
financial crime and breaches of discipline.  
7. The impact assessment covers the application of the provisions included in the Level 1 text
about the existence of the AML/CFT compliance officer and approval processes of senior  
management, and the policy options assessed during the drafting process for implementing the  
recommendations of the Supra National Risk Assessment reports of 2017 and 2019.  
D. Options considered  
8. In the process of drafting the guidelines, the ESAs considered whether to tackle the
recommendation by updating EBA guidelines on internal governance or by issuing a new set of  
guidelines (approach for fulfilling the mandate). Other aspects, mainly related to the scope of the  
guidelines and the proportionality provisions, were discussed.  
Approach for fulfilling the mandate  
Option 1: Update guidelines on internal governance under Directive 2013/36/EU  
9. The EBA guidelines on internal governance under Directive 2013/36/EU apply to credit
institutions and investment firms as defined in point 3 of Article 4(1) of Regulation (EU) No  
575/2013 (‘CRR I’). Similarly, the guidelines are addressed to prudential supervisors, as defined in  
point 40 of Article 4(1) of Regulation (EU) No 575/2013 as amended by Regulation (EU) 2019/876.  
10. This option is aligned with CRR I, but the scope of application of Directive (EU) 2015/849 is
larger, so this option would not be effective in addressing both the mandate and effective
compliance with the provisions of Directive (EU) 2015/849.
Option 2: Draft a new set of guidelines  
11. Under this option, the scope of application is larger, as it will ensure the applicability of the
guidelines not only to credit institutions and investment firms, but also to financial sector operators  
as defined in Article 4(1a) of Regulation (EU) No 1093/2010, which are credit and financial  
institutions as defined in Article 3(1) and 3(2) of Directive (EU) 2015/849. Moreover, the guidelines  
are also applicable to competent authorities as defined in Article 4(2) (iii) of Regulation (EU) No  
1093/2010.  
12. This option is more aligned with the recommendation from the Commission specified in
the Supra National Risk Assessment reports of 2017 and 2019, which applies to financial institutions  
and not only to credit institutions.  
13. Option 2 is the preferred option.
Scope of the guidelines  
Option 1: Provide guidelines on all aspects of the AML/CFT compliance function  
14. Under this option, guidelines will be provided in relation to all aspects of the AML/CFT
compliance function, including the role of the management body and the member of the  
management body or senior manager responsible for AML/CFT, as well as the organisation of the  
AML/CFT compliance function at group level. This option might appear to be more efficient for the  
addressees, as all the guidelines related to the AML/CFT compliance function would be accessible  
in a single document. Moreover, one single document ensures that financial sector operators  
comply with the Level 1 text, addresses the shortcomings identified in the Joint Opinion on ML/TF  
risks affecting the EU financial sector and fulfils the Commission’s recommendation included in the
Supra National Risk Assessment reports. Thus, it provides additional clarity to financial sector  
operators while maintaining the costs of implementation constant, as the costs of implementing a  
single set of guidelines and separate sets of guidelines would be the same.  
Option 2: Provide guidelines only on the role of the AML/CFT compliance officer  
15. This option would focus only on the aspects related to the AML/CFT compliance officer,
without considering the role of the management body and the member of the management body  
or senior manager responsible for AML/CFT. This option is sufficient to address the  
recommendation of the Supra National Risk Assessment reports of 2017 and 2019. However, the  
EBA’s guidelines should also achieve a consistent application of relevant provisions in the Level 1  
text, which include several references to approval processes from senior management in charge of  
AML/CFT. Moreover, the 2017 Joint Opinion of the three ESAs pointed out that the most common  
breaches relating to inadequate controls were those about the identification and verification of  
financial sector operators’ customers, weaknesses in the internal controls and overall AML/CFT  
policies and procedures and customer risk assessments.  
16. Thus, Option 2 would be more focused on addressing the Commission recommendation to
draft guidelines on the functions of AML/CFT compliance officers, but it would be insufficient to  
strengthen financial sector operators’ compliance with the Level 1 text and tackle the shortcomings  
identified in the Joint Opinion.  
17. Option 1 is the preferred option.
Proportionality  
Option 1: Neutral approach  
18. Under this option, guidelines regarding the AML/CFT compliance function in financial
sector operators would be drafted in general terms, without considering specific situations of those  
financial sector operators with limited ML/TF risk or less complex business relationships and  
transactions.  
Option 2: Provision of sufficient guidance, in line with Directive (EU) 2015/849, for the application  
of the proportionality principle  
19. This option would include sufficient guidance to ensure that the guidelines are
implemented in a proportionate manner, commensurate with the level of ML/TF risk, the size or  
the business model of the financial sector operator. Thus, Guideline 1 includes the first  
proportionality provision by prescribing the appointment of a senior manager responsible for  
AML/CFT where no management body is in place. Guideline 1 ensures as well that the AML/CFT  
policies, procedures and internal control measures are adequate and proportionate to the  
characteristics and the ML/TF risks. Proportionality is present in Article 8(4a) of Directive (EU)  
2015/849 by envisaging, with regard to the size and nature of the business, the appointment of a  
separate AML/CFT compliance officer at management level. Therefore, in compliance with the  
Level 1 text, Guideline 2 exempts financial sector operators from the appointment of a separate  
AML/CFT compliance officer when the ML/TF risk is limited. However, the choice of the financial  
sector operators of not appointing a separate AML/CFT compliance officer does not exempt them  
from complying with AML/CFT obligations. Thus, the financial sector operators should allocate the
related tasks to the senior manager already responsible for AML/CFT or outsource certain tasks.
20. This option will ensure full alignment with the Level 1 text and with other guidelines to
which these guidelines are referenced, such as the EBA guidelines on internal governance, which  
apply the proportionality principle in line with Article 74(2) of Directive 2013/36/EU.  
21. Option 2 is the preferred option.
E. Cost-benefit analysis  
22. The implementation of the guidelines entails costs and benefits for both financial sector
operators and competent authorities.
23. Regarding financial sector operators, the benefits of additional guidance on the AML/CFT
compliance function will increase their robustness and reduce their vulnerability towards ML/TF  
risks, both as a group and on an individual level because, in a similar way to EBA guidelines on  
internal governance, the guidelines are applicable to both the parent entity and the subsidiaries.  
Thus, the parent entity can assess the group-wide risk profile. Moreover, the guidelines strengthen  
the level playing field, as the guidelines are not applicable only to credit institutions but also to  
other types of financial sector operators, as defined in Article 4(1a) of Regulation (EU) No  
1093/2010. Financial sector operators will also benefit from the certainty introduced by the  
guidelines about the hierarchical structure of the AML/CFT compliance function, the responsibility  
for the appointment of the AML/CFT compliance officer, the tasks of and the subsequent reporting  
by the AML/CFT compliance officer to the management body, the content of the activity report that  
should be prepared by the AML/CFT compliance officer, the responsibility about customer  
acceptance policies and the reporting to the FIU of suspicious transactions, among other things. In  
sum, the guidelines would strengthen internal governance in relation to AML/CFT requirements  
and mitigate the level of ML/TF risk faced by the financial sector operators.  
24. In relation to the costs faced by financial sector operators, the one-off costs are limited as
financial sector operators already had to be compliant with the provisions included in Directive (EU)  
2015/849 related to the existence of senior management in charge of AML/CFT issues and the  
obligation to have policies, controls and procedures to mitigate and manage effectively the risks of  
ML/TF (Article 8 of Directive (EU) 2015/849), among other things. Instead, one-off costs are related  
to the distribution of duties between the management body, the management body or senior  
manager responsible for ML/TF issues and the AML/CFT compliance officer. Other one-off costs are  
the provision of adequate human and material resources to the AML/CFT compliance officer in  
order to enable effective execution of his/her duties and the preparation of AML/CFT training if  
necessary. The costs faced by financial sector operators are proportionate to their size, their  
business activities, the complexity of their transactions and level of ML/TF risk, as some financial  
sector operators are exempted from the appointment of a separate AML/CFT compliance officer if  
it is not deemed necessary. If that is the case, they should distribute the functions among already  
existing roles related to AML/CFT compliance within the financial sector operator.  
25. Regarding competent authorities, the benefits are related to the implementation in the EU
of a harmonised hierarchical structure of the AML/CFT compliance function, particularly beneficial  
when performing supervisory duties. Thus, competent authorities will have greater clarity on
the tasks, the responsibilities for the preparation of the policies and procedures, and the reporting
processes (the AML/CFT compliance officer should report to the management body via the member  
of the management body). Moreover, the guidelines envisage the preparation of an activity report  
by the AML/CFT compliance officer that can serve the competent authority in the assessment of  
the actions taken by the financial sector operators during the exercise. The one-off costs faced by  
competent authorities are expected to come from the review of the implementation of the  
guidelines in the first supervisory year of application while the subsequent costs are expected to  
come from the review of the activity report of the AML/CFT compliance officer and ensuring that it  
contains all the sections required by the guidelines.  
5.2 Overview of questions for consultation  
1. Do you have any comments on the section ‘Subject matter, scope and definitions’?  
2. Do you have any comments on Guideline 4.1 ‘Role and responsibilities of the management  
body in the AML/CFT framework and of the senior manager responsible for AML/CFT’?  
3. Do you have any comments on Guideline 4.2 ‘Role and responsibilities of the AML/CFT
compliance officer’?
4. Do you have any comments on Guideline 4.3 ‘Organisation of the AML/CFT compliance  
function at group level’?  
5. Do you have any comments on Guideline 4.4 ‘Review of the AML/CFT compliance function  
by competent authorities’?  
5.3 Views of the Banking Stakeholder Group (BSG)  
On 29 July, the EBA issued a consultation on draft guidelines on policies and procedures in relation  
to compliance management and the role and responsibilities of the AML/CFT compliance officer.  
The proposed guidelines are new and are intended to complement existing guidelines e.g. the EBA  
guidelines on internal governance. The rationale for issuing new guidelines is the EBA’s assessment
that the requirements set out in Directive (EU) 2015/849 have been implemented unevenly across  
different sectors and Member States, and that they are not always applied effectively.  
The BSG welcomes the opportunity to comment on the draft guidelines.  
GENERAL REMARKS  
The BSG underlines the importance of ensuring that it is clear for both competent authorities and  
regulated firms how these guidelines relate to and can be implemented coherently alongside other  
guidelines on internal governance and control functions. One way to do this would be to extend  
existing guidelines instead of creating an additional layer. Another would be to give examples of  
how the different guidelines interact in practice. Without this clarity, it is more difficult for financial  
institutions to adhere to the guidelines.  
The BSG stresses that the guidelines need to cater for the different corporate governance structures  
that exist in the Member States. In some countries, financial institutions have a one-layer  
management structure. In others, e.g. in the Nordics, financial institutions have a two-layer  
management structure often with a Board of Directors and an executive management team  
responsible for running the business. Implementing the draft guidelines could create difficulties for  
the two-layer management structures as it would be difficult e.g. to appoint a member of the Board  
of Directors to the function of member of the management body responsible for AML/CFT. It would  
be helpful if the EBA could clarify expectations of how the guidelines would work in practice in the  
common models of corporate governance.  
Additionally, the BSG highlights that there is a lot of focus on the responsibilities for risk identification,
but not a lot of focus on the implementation of controls that align resource to risk and focus on  
effective management of risk. We consider that this point should come out more clearly to  
complement the approach proposed in the EBA’s draft guidelines on a risk-based approach to AML  
supervision.  
The BSG believes that the proposed guidelines are quite detailed and prescriptive e.g. regarding the  
list of information that should be included in reports (GL 4.2), but there is a lack of detail on how the  
AML risk management framework should work. The BSG is of the view that approaching AML  
processes in a task-oriented way should be avoided and that it would be preferable to adopt a more  
strategic and risk-led view setting up clear guidelines/orientations on the outcomes that should be  
achieved, in particular in relation to governance arrangements that should be in place at group level.  
Furthermore, a too prescriptive approach could set a precedent for other areas, leading to a more  
complex and cumbersome rulebook for financial institutions that may not actually be effective in all  
situations in delivering good AML outcomes.  
We find the use of the term ‘compliance’ in the draft guidelines unclear. This difficulty is compounded
because the term ‘compliance’ is often used to refer specifically to the second line of defence. The
set-up in different financial institutions can differ and some tasks that are proposed as tasks of the  
AML/CFT compliance officer are in some financial institutions performed by the first line of defence,  
while others might be at least partly performed by internal audit as part of the third line of defence.  
The BSG considers that the draft guidelines do not sufficiently reflect upon the differentiation of  
duties between the first, second and third lines of defence and this could lead to weaknesses in the  
framework. An example is in section D ‘Monitoring compliance’ in paragraphs 45-48: how would  
this fit with an internal audit function? The draft guidelines are also not fully clear about how the  
relationship between the general compliance function and the AML/CFT compliance function should  
be. Should the general compliance function have an overarching role and also monitor AML/CFT  
compliance? Or are these two parallel, completely separate compliance streams?  
We consider that it would be helpful to reference the need for the management body and the  
AML/CFT compliance officer to take into account the interaction between AML and other regulatory  
responsibilities, particularly fair treatment of customer responsibilities, and ensure that the overall  
approach is coherent.  
The present guidelines will in future need to be aligned with the recently proposed AML regulation,  
in particular Article 9 Compliance Functions.  
COMMENTS ON THE SECTION ‘SUBJECT MATTER, SCOPE AND DEFINITIONS’
Scope of application  
The scope of application should be more granular, for instance it should be clear what ‘all existing
management body structures’ means for the purpose of falling within the scope of the guidelines.
The BSG considers that clarity should be given, especially where a financial services operator is part
of a group, as to the type of management body structures (e.g. from a sole director to a board of  
directors or from dual management structures to unitary management structures) that are  
considered to be in the scope of application, and, on the other hand, which (if any) might be  
considered to be excluded (e.g. management bodies of branches, considering that these do not have  
legal personality). It is not clear for example whether a branch that has a management body  
structure should duplicate the appointments at board level (of the branch) or whether the AML/CTF  
compliance officer of the branch should coordinate/report directly to the group AML/CTF  
compliance officer, who reports directly to the member of the management body of the parent  
company responsible for AML/CFT.  
Definitions  
To interpret the guidelines correctly, consideration should be given to including the following  
definitions while allowing for the difference in corporate governance structures described above:  
‘member of the management body responsible for AML/CFT’;
‘senior manager in charge of AML/CFT’;
‘AML/CFT compliance officer’;
‘group AML/CFT compliance officer’;
‘member of the group management body or senior manager responsible for AML/CFT’;
‘organisational and operational coordination structure at group level with sufficient
decision-making power for the group AML/CFT management’.
Alternatively, it would be beneficial to provide some clear examples and best practices as to how  
these persons should fit in the organisation, at least in the most common corporate governance  
structures currently operating in the EU.
Interaction with other guidelines  
Given that these guidelines complement, but do not replace, very relevant guidelines issued by the  
European Supervisory Authorities on wider governance arrangements and suitability checks, specific  
cross-references should be provided to be clear as to how they interplay with the current guidelines  
on the role of the AML/CFT compliance officer following a single rulebook style.  
COMMENTS ON GUIDELINE 4.1 ‘ROLE AND RESPONSIBILITIES OF THE  
MANAGEMENT BODY IN THE AML/CFT FRAMEWORK AND OF THE SENIOR  
MANAGER RESPONSIBLE FOR AML/CFT’  
Regarding section 4.1, the BSG considers that the guidelines need to cater for two-layer  
management structures that exist in the corporate governance structure in e.g. the Nordics. It is  
essential to clarify whether the management body in which a member shall be appointed with  
responsibility for AML/CFT can be interpreted as the management leadership team and not the  
Board of Directors.  
Likewise, one-tier management structures where the management body is conceived as one unique  
and inseparable body through which all functions are performed collectively would require specific  
mention in the EBA guidelines, related to the fact that the individual allocation of responsibilities to  
the management body can be only implemented if they are appropriately delegated to members of  
the senior management.  
Additionally, it would be helpful to state more explicitly that the key responsibility of the  
management body is to assure itself about the effectiveness of controls in place.  
In relation to the EBA’s finding (reported in its 2019/2020 AML/CFT review of competent authorities’  
approaches to the AML/CFT supervision of banks) that AML/CFT supervisors in some Member  
States did not interact with financial institutions’ senior management because there was no legal or  
regulatory requirement in those Member States to appoint an AML/CFT compliance officer at a level  
that was sufficiently senior to report to the financial institution’s senior management body, no  
orientation is given as to how to address this important issue in the interests of supervisory  
convergence. Therefore, we consider that more clarity should be given as to what person (if any),  
and at what level (e.g. management level, the AML/CFT compliance officer or the group AML/CFT  
compliance officer), should be the person appointed/registered with the competent authority and  
for what purposes (reporting, contact point, etc.).  
One aspect that remains important and is linked to the previous point is to clearly identify who in the  
organisation is ultimately responsible for the implementation of the laws, regulations and  
administrative provisions necessary to comply with Directive (EU) 2015/849, in particular when the  
financial operator is part of a group. In our opinion, the management body should bear this  
responsibility, but guidelines are needed in this respect, to explain that the responsibility sits in fact  
with them and not with the AML/CFT compliance officer (e.g. paragraph 29 of the guidelines might  
create confusion regarding this point).  
COMMENTS ON GUIDELINE 4.2 ‘ROLE AND RESPONSIBILITIES OF THE  
AML/CFT COMPLIANCE OFFICER’  
On section 4.2.4 Role and responsibilities of the AML/CFT compliance officer, the BSG notes that  
the tasks as drafted in section 4.2.4, e.g. developing ML/TF risk assessments, preparing policies and  
assessing training needs, could be performed by the first line of defence. In the BSG’s view, it should  
be possible for a financial institution to set up their internal working methods, fully respecting the  
important task of the second line of defence (what the BSG would refer to as the compliance’  
function). Thus, the guidelines would need to allow for more flexibility in this respect.  
Regarding the reporting to the management body, the BSG agrees as to the importance of such  
reporting and finds the list of information to be included in the activity report highly useful. However,  
the current drafting of the guideline is very detailed and prescriptive. This approach risks creating a  
tick-the-box approach to compliance. It should be possible for financial institutions and the respective  
management bodies to arrange their internal reporting more freely and in a way that is  
commensurate with their risk as long as the institution fulfils the requirements to fully understand  
and manage the ML/TF risks they are subject to. Moreover, as mentioned in the section above, some  
of the reporting may be performed by the first line of defence as described depending on the  
organisational set-up of the financial institution.  
On 4.2.4 c) concerning customers including high-risk customers, the BSG takes the view that CDD  
policies and procedures could be prepared by the first line of defence although review and sign-off  
by the AML compliance function would be important. Moreover, while it is important to have clear  
decision-making policies and procedures for onboarding high-risk customers in line with the risk  
appetite of the financial institutions at a sufficiently high level in senior management, a requirement  
to have the AML/CFT compliance officer exercise an advisory role before a final decision is taken by  
senior management on onboarding each new high-risk customer could create an unnecessarily  
complex decision-making process, particularly in large financial institutions. Consideration should be  
given to ways of ensuring that this requirement can be implemented effectively in institutions of  
different sizes and complexity.  
As mentioned before, there is a lot of focus on the responsibilities for risk identification, but not a lot  
of focus on the implementation of controls that align resource to risk and focus on effective  
management of risk. As an example, the BSG suggests adding into the description of compliance  
officer responsibilities in paras 43-44 a responsibility to ensure that simplified customer due  
diligence is used for lower-risk customer groups, as well as enhanced due diligence where  
appropriate. This would ensure a proportionate approach and avoid harming access to financial  
services and financial inclusion through ‘over-compliance’.  
The AML/CFT compliance officer should be provided with a name or specific designation (e.g. as  
the MLRO in the UK) in order to clearly differentiate this person from the member of the  
management body or the senior manager responsible for AML/CFT or from the compliance officer  
when the AML/CFT compliance officer is a different person. Otherwise, it might not be clear who is  
who and responsibilities might be blurred.  
COMMENTS ON GUIDELINE 4.3 ‘ORGANISATION OF THE AML/CFT  
COMPLIANCE FUNCTION AT GROUP LEVEL’  
On paragraph 4.3.3, the BSG reiterates the comment that the management body and the  
requirement to designate a member of the group management body or senior manager responsible  
for the AML/CFT compliance function needs to cater for those financial institutions that have two-  
layer corporate governance structures and that the management body does not mean the Board of  
Directors.  
Regarding the tasks and reporting of the group AML/CFT compliance officer, the guidelines should  
be amended to cater for the different organisational set-ups of financial institutions, where some  
may have divided certain tasks between the first, second and third line of defence.  
As mentioned before, clear examples of good and bad practices built on supervisory experience  
should help financial services operators to identify how the governance arrangements and  
organisational requirements should work in practice (in terms of coordination, reporting, etc.) and  
what outcomes are expected from them.  
Finally, it might be useful to understand how these guidelines interplay with the forthcoming EBA  
guidelines on cooperation and information exchange between prudential supervisors, AML/CFT  
supervisors and financial intelligence units.  
COMMENTS ON GUIDELINE 4.4 ‘REVIEW OF THE AML/CFT COMPLIANCE  
FUNCTION BY COMPETENT AUTHORITIES’  
The BSG believes that the content of this section is too narrow. While the suitability of the individual  
AML/CFT compliance officer is important, it is insufficient to provide a view of the effectiveness of  
the AML compliance function. The BSG is of the view that the AML/CFT compliance officer’s ability  
to deliver effective function will also depend significantly on support received from the management  
body and resource allocated as much as individual competence.  
Furthermore, it would be useful to have some examples of good and bad practices identified in the  
past when reviewing the conditions relating to integrity, expertise and knowledge of the legal and  
regulatory AML/CFT framework that the AML/CFT compliance officer or the group AML/CFT  
compliance officer should meet.  
DETAILED POINTS  
Page 22, para 28: ‘local’ to whom? Does this refer to the place where the regulated firm is  
established or the location of the AML compliance officer? Para 30: ‘independent’ reporting line –  
independent of whom? Do we mean ‘direct’, ‘unmediated’?  
Page 37, para 82: need to mention the ‘AML risk profile’ of the regulated firm too. Para 83: add  
‘and vice versa’.  
Page 38, para 84: c) and d) need to emphasise the importance of effectiveness, not just  
consistency.  
Para 86: ‘direct reporting line for communication’… what does this mean? Again, is it a direct  
line of communication (we agree that this is important, but not the same as a reporting line).  
5.4 Feedback on the public consultation and on the opinion of the BSG  
The EBA publicly consulted on the draft proposal.  
The consultation period lasted for three months and ended on 2 November 2021. Thirty-six  
responses were received. Twenty-nine non-confidential submissions were published on the EBA  
website.  
This paper presents a summary of the key points and other comments arising from the consultation,  
the analysis and discussion triggered by these comments and the actions taken to address them if  
necessary.  
In some cases several respondents made similar comments or the same respondent repeated their  
comments in the response to different questions. In such cases, the comments and EBA analysis  
are included in the section of this paper where the EBA considers them most appropriate.  
Changes to the draft guidelines have been incorporated as a result of the responses received during  
the public consultation.  
Summary of key issues and the EBA’s response  
Respondents to the public consultation welcomed the guidelines. They considered that such  
guidance addressed to credit or financial institutions and their competent authorities is critical to  
achieving consistency across Member States, thereby strengthening AML/CFT defences.  
Where respondents raised concerns on the draft guidelines, these related to the following key  
issues:  
1. The legal basis of the draft guidelines and alignment with the European Commission’s AML  
package under consultation: Several respondents questioned whether and how the draft  
guidelines would be aligned to provisions in the European Commission’s AML package, which  
was published on 20 July 2021 and is currently being negotiated. In particular, Article 9 of the  
draft EU Regulation on AML/CFT will provide for the appointment of a ‘compliance manager’  
as well as a compliance officer.  
The AML package is not yet in force and cannot therefore provide a legal basis for EBA  
guidelines. Furthermore, the AML package is still being negotiated and provisions may  
therefore change. For this reason, the EBA decided that the final guidelines will not anticipate  
future developments and instead remain aligned with the current legal framework and, in  
particular, provisions of Directive (EU) 2015/849.  
2. The extent to which financial institutions with different governance models can comply with  
these guidelines: Several respondents indicated that there is a variety of different financial  
institutions, in size, importance and internal governance models, which will comply with these  
guidelines. The draft guidelines therefore need to take into consideration that corporate  
governance models of financial institutions differ, sometimes significantly, between Member  
States. The draft guidelines will need to cater for all of these models.  
The EBA, in consultation with the EBA’s internal governance experts, concluded that the draft  
guidelines should not advocate for any specific governance structure or organisational set-up  
of financial institutions. The EBA updated the guidelines to make this point clear.  
3. Drafting style, length and level of detail provided by the guidelines: Most respondents  
considered that the draft guidelines were too prescriptive. In their view, the level of detail  
provided risked leading to a tick-box approach by credit and financial institutions, rather than  
a risk-based approach. They also considered that very detailed guidelines would set a precedent  
for other areas of the EBA’s work, leading to a complex and lengthy rulebook for financial  
institutions. Lastly, several respondents considered that the level of operational details on the  
roles and responsibilities of the AML compliance officer was not proportionate to his/her level  
of hierarchy in the financial institution.  
The EBA took note of those concerns and reviewed and amended the guidelines on that basis.  
Lastly, as announced in the consultation paper, the initial section 4.4 ‘Review of the AML/CFT  
compliance function by competent authorities’ was removed from these guidelines and was  
incorporated in the revised Risk-based Supervision Guidelines (EBA/GL/2021/16), published on 16  
December 2021. Responses received on this specific section were taken on board when finalising  
EBA/GL/2021/16.  
Summary of responses to the consultation and the EBA’s analysis  
Feedback on responses to Question 1: Do you have any comments on the section ‘Subject matter, scope and definitions’?  

Guideline: Section ‘Subject matter, scope and definitions’  
Summary of responses received: Respondents asked to replace the term ‘financial sector operator’ throughout the guidelines with ‘credit and financial institution’ in line with the terms used in Directive (EU) 2015/849 and with the EBA guidelines on ML/TF risk factors.  
EBA analysis: This change has been accepted. The final guidelines will refer to ‘credit and financial institutions’, and references will be adjusted accordingly throughout the document.  
Amendments to the proposal: Changed all references from ‘financial sector operator’ to ‘credit and financial institution’.  

Guideline: Section ‘Subject matter, scope and definitions’, paragraph 6  
Summary of responses received: Some respondents requested clarifications as to whether the guidelines would apply to branches of financial institutions which, by definition, do not have a legal personality.  
EBA analysis: The guidelines apply to all credit or financial institutions which are obliged entities under Directive (EU) 2015/849.  
Amendments to the proposal: None  

Guideline: Section ‘Subject matter, scope and definitions’, paragraph 7  
Summary of responses received: Two respondents requested adding clarifying language which would explain that the guidelines apply to the extent that they do not contradict with national legislation.  
EBA analysis: The guidelines aim to achieve harmonisation on the EU level. All institutions and all their subsidiaries have to comply with the applicable Union and national legal requirements without this fact being stated in guidelines. This being said, a sentence has been added to the section ‘Subject matter, scope and definitions’.  
Amendments to the proposal: Change inserted in paragraph 7 referring to ‘in accordance with national law’ in order to respond to these comments.  

Guideline: Section ‘Subject matter, scope and definitions’, paragraph 6  
Summary of responses received: Several respondents, including the BSG, pointed out that the guidelines need to take into consideration the fact that corporate governance models of credit or financial institutions differ, sometimes significantly, between Member States. The guidelines will need to cater for all of these models.  
EBA analysis: The guidelines should not advocate for any specific governance structure or organisational set-up of financial institutions. Specific language has been inserted under paragraph 6 of the guidelines in line with the EBA’s guidelines on internal governance, as adopted on 2 July 2021.  
Amendments to the proposal: Changes inserted in paragraph 6 (in line with the EBA’s revised guidelines on internal governance) respond to these comments.  

Guideline: Section ‘Subject matter, scope and definitions’, paragraph 9  
Summary of responses received: Several respondents suggested adding additional definitions to the guidance, including the ‘AML/CFT compliance officer’ and ‘senior management’. In addition, two respondents requested amending the definition of ‘management body’.  
EBA analysis: Definitions included in Directive (EU) 2015/849 apply to the terms used in the guidelines (such as credit institutions, financial institutions, senior management). In addition, the definition of the ‘management body’ was inspired by Directive 2013/36/EU (CRD IV), as also referred to in the EBA’s guidelines on internal governance. Finally, no definition was added under this section on the AML/CFT compliance officer because this is the subject matter of these guidelines.  
Amendments to the proposal: None  
Feedback on responses to Question 2: Do you have any comments on Guideline 4.1. ‘Role and responsibilities of the management body in the AML/CFT framework and of the senior manager responsible for AML/CFT’?  

Guideline: Guideline 4.1.1. ‘Approval of the policies, controls and procedures’  
Summary of responses received: Five respondents questioned why the guidelines refer to the approval of policies, controls and procedures by the ‘management body’ instead of the ‘senior manager’, which would be coherent with the language of Directive (EU) 2015/849.  
EBA analysis: Directive (EU) 2015/849, under its Article 8(5), requires entities to ‘obtain approval from their senior management for the policies, controls and procedures that they put in place and to monitor and enhance the measures taken, where appropriate.’ There was no consensus to refer to the ‘management body’ (instead of ‘senior management’) in the guidelines for such approval. In order to avoid a pure repetition of Directive (EU) 2015/849 language the whole section was subsequently deleted from the final version of the guidelines.  
Amendments to the proposal: Deletion of the initial section 4.1.1. ‘Approval of the policies, controls and procedures’.  

Guideline: Guideline 4.1.2. ‘Role of the management body in its supervisory function’, paragraph 13  
Summary of responses received: One respondent indicated that the management body in its supervisory function is not responsible for setting nor approving an adequate and effective internal governance and internal control framework to ensure compliance with AML/CFT requirements. Its function is to ensure and assess the effectiveness of such a framework.  
EBA analysis: CRD Article 88 requires [Member States to ensure] that the management body defines, oversees and is accountable for the implementation of the governance arrangements that ensure effective and prudent management of an institution. On that basis, agreement with the suggestion.  
Amendments to the proposal: Change introduced in paragraph 13.  

Guideline: Guideline 4.1.2. ‘Role of the management body in its supervisory function’, paragraph 11  
Summary of responses received: Some respondents questioned how the management body would be able to collectively possess ‘adequate knowledge, skills’ in general, and such collective knowledge to understand the ‘ML/TF risks’ in particular given the specificities of the AML/CFT field.  
EBA analysis: Collective knowledge is foreseen under CRD and further specified in the joint ESMA and EBA fit and proper guidelines. The collective knowledge means that the management body should have collectively the knowledge and skills to understand the AML/CFT framework. It does not mean that each individual member of the management body should be an expert in all subject areas such as AML/CFT.  
Amendments to the proposal: None  

Guideline: Guideline 4.1.2 (impact on guideline 4.2.4 too)  
Summary of responses received: One respondent systematically disagreed with allocation of the responsibility of the management body to ‘implement’ AML/CFT related policies given that they consider this to be a very operational task. They propose replacing it with the responsibility to oversee the adequacy and efficiency of the internal governance and control framework to ensure compliance with AML/CFT requirements.  
EBA analysis: The management body, in its management function, is responsible for ensuring implementation of the AML/CFT policies and procedures. The day-to-day, operational implementation of such policies lies with the AML/CFT compliance officer, where appointed.  
Amendments to the proposal: Changes introduced in paragraphs 12, 13, 16 and 41.  

Guideline: Guideline 4.1.3  
Summary of responses received: Some respondents challenged that the appointment of a member of the management body responsible for AML/CFT is not mandatory, especially if it is not required by national law. They argued that the ‘proportionality’ criteria should apply to this appointment.  
EBA analysis: There needs to be an appointment of a member of the management body, or, in the case of the absence of a management body, at a senior management level, who will be responsible for AML/CFT. The person would be the main contact in the financial institutions vis-à-vis the national competent authority.  
Amendments to the proposal: None  

Guideline: Guideline 4.1.3  
Summary of responses received: Some respondents suggested, in relation to the member of the management body referred to in section 4.1.3 or, where applicable, the senior manager referred to in section 4.1.4, that the requirement, under paragraph 14 a), indicating that this person should have ‘adequate knowledge, skills and experience regarding the identification, assessment and management of the ML/TF risks’ should be eased and replaced by ‘has adequate knowledge regarding the ML/TF risks’.  
EBA analysis: The requirement of ‘knowledge, skills and experience’ is aligned to the joint ESMA and EBA guidelines on the assessment of the suitability of members of the management body and key function holders under Directive 2013/36/EU and Directive 2014/65/EU (EBA/GL/2021/06). Therefore, consistency should be ensured.  
Amendments to the proposal: None  

Guideline: Guideline 4.1.2, 16 a) and paragraph 20  
Summary of responses received: One respondent proposed to stress, throughout the guidelines, that the AML/CFT compliance officer should be allocated not only adequate resources, but equally his/her authority within the business e.g. access to staff and information.  
EBA analysis: The reference to ‘authority’ has been inserted throughout the guidelines.  
Amendments to the proposal: Changes introduced to insert the word ‘authority’ in paragraphs 16, 19, 20 and 25.  

Guideline: Guideline 4.1.2, paragraph 16 b)  
Summary of responses received: At least three respondents indicated that the ‘implementation’ of policies is not the responsibility of the management body in its management function, which rather bears the responsibility for the adequacy and effectiveness of the internal AML/CFT policies and procedures.  
EBA analysis: The implementation of AML/CFT policies is the responsibility of the management body in its management function while the management body in its supervisory function is in charge of overseeing and monitoring management decision-making and actions and providing effective oversight of the management body in its management function in line with the EBA’s guidelines on internal governance. See also interconnected comment under section 4.1.1 above.  
Amendments to the proposal: Editorial changes were introduced to paragraph 16 to reinforce the EBA’s views.  

Guideline: Guideline 4.1.2, paragraph 16 c)  
Summary of responses received: One respondent questioned whether the management body should ‘approve’ the AML/CFT compliance officer’s annual activity report, or should be ‘informed / acknowledge receipt’ in relation to it. These respondents indicated that requiring ‘approval’ may interfere in the independence of the AML/CFT compliance officer.  
EBA analysis: The ‘approval’ of the AML/CFT compliance officer’s report would include the possibility of ‘rejecting’ the report, which could undermine the AML/CFT compliance officer’s independence. The EBA accepts the point raised. However, the mere ‘acknowledgment of the receipt’ of such a report would not be sufficient; it should be given consideration by the management body.  
Amendments to the proposal: Change from ‘approval’ to ‘review’ of the activity report.  

Guideline: Guideline 4.1.2, paragraph 16 e)  
Summary of responses received: A couple of respondents indicated that the EBA guidelines on outsourcing arrangements do not require that the management body approve individual service providers. As these respondents pointed out, the EBA outsourcing guidelines referred to provide that the management body should approve, regularly review and update a written outsourcing policy and ensure its implementation.  
EBA analysis: This section has been clarified.  
Amendments to the proposal: Change made in 16 e) by deleting the requirement of the management body to ‘approve the service provider’.  

Guideline: Guideline 4.1.3, paragraph 17  
Summary of responses received: Some respondents argued that in certain governance models (i.e. one-tier systems) whereby the management body is conceived as one, inseparable collegial body, it is not feasible to appoint one single person as responsible for AML/CFT.  
EBA analysis: The EBA notes that the same argument was already put forward during the public consultation on the revision of the EBA’s guidelines on internal governance, published in July 2021 [32]. In that context, it had already been clarified that appointing one person as AML/CFT responsible is operationally feasible and this is without prejudice to the responsibility of the management body as a collegial body.  
Amendments to the proposal: None  

Guideline: Guideline 4.1.3, paragraph 17  
Summary of responses received: Several respondents challenged that in financial institutions with one-tier governance systems the designated member of the management body in its management function responsible for AML/CFT will be the CEO himself/herself. Therefore, in such cases, the CEO would not possess the required experience and skill regarding AML/CFT and therefore expectations described under paragraph 17 are unrealistic.  
EBA analysis: The guidelines are applicable to one-tier governance systems. If the management body in its management function is composed only of the CEO, the CEO should be the person appointed under section 4.1.3.  
Amendments to the proposal: Paragraph 17 has been slightly reworded to clarify expectations.  

[32] Final Report on guidelines on internal governance under Directive 2013/36/EU, accessible here:  

Feedback on responses to Question 3: Do you have any comments on Guideline 4.2. ‘Role and responsibilities of the AML/CFT compliance officer’?  
Guideline  
Summary of responses received  
EBA analysis  
Amendments to the  
proposal  
Guideline 4.2,  
paragraph 24  
Some respondents indicated that the guidelines should focus on The guidelines are based on Directive (EU) 2015/849 and therefore None  
the AML/CTF compliance function specifying its tasks and should be aligned to Directive (EU) 2015/849 language. See also  
responsibilities and establishing that an AML/CTF compliance section 5.4. of the Final report for further clarification.  
officer responsible for the function shall be appointed.  
Consequently, these respondents suggested referring,  
systematically, to the AML/CTF compliance functioninstead of  
the AML/CTF compliance officer. They believed this would also  
be consistent with the forthcoming draft EU AML/CFT regulation,  
which is part of the European Commission’s AML/CFT package,  
still under negotiations as of May 2022.  
Guideline 4.2,  
paragraph 28  
Lots of respondents reacted to the mention that the AML/CFT The intention of this paragraph is not to prescribe where the Change introduced in  
compliance officer should normally be located and work in the AML/CFT compliance officer should be living but note that certain paragraph 28 replacing the  
country in which the credit or financial institution is established. national legislation may require, for instance, that the compliance word ‘located’ to ‘contracted  
These respondents, who request introducing more flexibility in officer in charge of filing STRs be located in the same country as the and work.  
this specific guideline, made reference to 1. the specific financial institution. Also, the majority of the national regulators  
COVID19-context (which has brought a more generalised manner require that such a compliance officer, whose name is reported to  
of working from home as opposed to working in physical national competent authorities, be ‘available’ upon request from  
offices) but also to 2. the potential outsourcing arrangements the regulator and therefore should be localised in a limited  
that may be in place for the financial institution which would not distance from the financial institution’s offices.  
necessarily require physical presence of the service provider in In addition, paragraph 28 should be read together with paragraph  
the same country as the credit or financial institution.  
29 of the guidelines.  
Guideline 4.2.2  
At least two respondents questioned the meaning of the word The word ‘separate’ refers to ‘different from the member of the None  
separateAML/CFT compliance officer, as used throughout management body responsible for AML/CFT(section 4.1.3) or the  
section 4.2.2.  
senior manager responsible for AML/CFT where no management  
body is in place (section 4.1.4). Appointment of a ‘separate’  
AML/CFT compliance officer should be based on the  
proportionality criteria as set out in section 4.2.2.  
Guideline 4.2.2,  
paragraph 35  
One respondent questioned the requirement that an AML/CFT The EBA is of the view that if an AML/CFT compliance officer is None  
compliance officer, when acting for two or more entities as a fulfilling such a position in several entities at the same time, it is  
compliance officer, could work only for entities that belong to the important that those entities belong to the same group as he/she  
same group and proposed deleting such a restriction from the will need to carry out the work in an efficient manner; in the  
guidelines.  
context of a group, the same group policy is to be applied in the  
different entities. In addition, some Member States’ specific  
50  
experience shows that such a restriction improves the quality of  
the AML/CFT compliance offer.  
Guideline 4.2.2,  
paragraph 35  
Some respondents requested adding a definition of the collective Definition was added.  
investment funds in the guidelines.  
Footnote inserted to  
paragraph 35 with the  
definition.  
Guideline 4.2.3,  
paragraph 36 a)  
One respondent strongly requested the EBA to refrain from using Agreement to delete such a reference and focus paragraph 36 a) Deletion of the term ‘key  
the term key function holder when referencing to the AML/CFT on the fit and proper criteria, which is the key message of that function holder’ from  
compliance officer.  
paragraph.  
paragraph 36 a)  
Guideline 4.2.4, paragraph 43
Summary of responses received: Several respondents required clarification as to whether the AML/CFT compliance officer’s advisory role should be systematically required for high-risk customers upon onboarding and reclassification, or should the AML/CFT compliance officer’s advice be risk-sensitive and thus non-systematic for high-risk customers.
EBA analysis: It was clarified that the AML/CFT compliance officer should be consulted, as a minimum, in situations whereby Directive (EU) 2015/849 explicitly requires the approval of a senior management: business relationships involving high-risk countries (Art. 18a (e)), or with politically exposed persons, PEPs (Art. 20 (b) i)) and new cross-border correspondent relationships (Art. 19(c)). In addition, the AML/CFT compliance officer should be consulted in other high-risk situations in line with the credit and financial institution’s risk-based internal policies.
Amendments to the proposal: Change introduced in paragraph 43.

Guideline 4.2.4, paragraphs 44-46
Summary of responses received: One respondent indicated that the specific section d) on monitoring compliance was not entirely aligned to the three lines of business model.
EBA analysis: This section was clarified and further aligned to the EBA’s guidelines on internal governance, published on 2 July 2021.
Amendments to the proposal: Changes introduced in paragraphs 44-46.

Guideline 4.2.2, paragraph 48 c)
Summary of responses received: One respondent requested clarifications on what the EBA means by ‘remedial programme’.
EBA analysis: ‘Remedial programme’ concerns programmes which aim to remedy/resolve the deficiencies identified in the functioning of the AML/CFT framework of the institution.
Amendments to the proposal: None

Guideline 4.2.2, paragraph 50
Summary of responses received: A large number of respondents reacted to paragraph 50 which provides a non-comprehensive list of information which should be included in the activity report of the AML/CFT compliance officer. Respondents indicated that this section was far too long and prescriptive, and thus puts a significant burden on the AML/CFT compliance officer. They requested simplifying it. In addition, it was requested to clarify that the activity report is an annual report.
EBA analysis: This specific part of the guidelines has been significantly revised and shortened.
Amendments to the proposal: Changes introduced in paragraph 50 and clarified that it is an annual report.

Guideline 4.2.4, paragraph 56
Summary of responses received: Some respondents indicated that the AML/CFT compliance officer does not necessarily have to train the staff himself/herself, but can delegate this task. They requested to acknowledge this in the guidelines. More generally, several respondents requested clarifications that the AML/CFT compliance officer does not perform the listed tasks on his/her own, but can be helped by employees working in the AML/CFT compliance unit or function.
EBA analysis: The AML/CFT compliance officer will not need to be personally involved in each training, and this is already reflected in the choice of the term ‘oversee’ (and not ‘deliver’) in paragraph 56. More generally, the AML/CFT compliance officer can have dedicated staff/employees working under his/her direction. In that regard, paragraph 16 a) explicitly makes reference to a ‘dedicated AML/CFT unit’ to assist the AML/CFT compliance officer.
Amendments to the proposal: None

Guideline 4.2.4, paragraph 58 c)
Summary of responses received: One respondent indicated that the guidelines should not prescribe the necessity to train IT developers and IT operational personnel as they do not have any customer contact and will not be monitoring transactions or similar, and are therefore highly unlikely to detect suspicious activity.
EBA analysis: Agreement for deleting the requirement to train IT software developers for AML/CFT purposes unless their activity is captured under the other points 58 a) or 58 b).
Amendments to the proposal: Change introduced in paragraph 58 c).

Guideline 4.2.5
Summary of responses received: One respondent requested to consider the incorporation of guidelines for the activities of the internal audit function which is currently not captured by this consultation paper.
EBA analysis: The current guidelines do not have a mandate to detail the responsibilities and activities of the internal audit function. Please refer to the EBA’s guidelines on internal governance, published on 2 July 2021.
Amendments to the proposal: Initial paragraph 63 deleted from the guidelines.

Guideline 4.2.6, paragraph 68
Summary of responses received: A large number of respondents challenged the list of non-outsourceable strategic decisions as indicated in paragraph 68. Several respondents also questioned the principle that intra-group outsourcing should be subject to the same regulatory framework as outsourcing to service providers outside the group. They argue that outsourcing outside of a group bears higher risk (e.g. operational risk).
EBA analysis: The ESAs guidelines on outsourcing set out key principles of the outsourcing arrangements which remain valid in the context of the outsourcing of operational functions of the AML/CFT compliance officer. The guidelines have been further clarified.
Amendments to the proposal: Change introduced in paragraph 68.

Guideline 4.2.6, paragraph 72 a)
Summary of responses received: One respondent specifically requested that the inventory of intra-group AML/CFT outsourcing should be established and kept by the concerned entity which is outsourcing (as opposed to the parent company). This is to ease the burden on the parent entity.
EBA analysis: Agreement that the inventory of intra-group AML/CFT outsourcing should be kept by the outsourcing entity, as this thinking is also aligned with the principle that the responsibility of outsourcing remains with the entity. Such an inventory should be made available to the parent company for its consultation.
Amendments to the proposal: Change introduced in paragraph 72 a).
Feedback on responses to Question 4: Do you have any comments on Guideline 4.3. ‘Organisation of the AML/CFT compliance function at group level’?

Columns: Guideline | Summary of responses received | EBA analysis | Amendments to the proposal

Guideline 4.3
Summary of responses received: Several respondents requested clarification on how the whole of section 4.3 of the guidelines would be applicable to cross-border groups whereby the parent entity is not an obliged entity under Directive (EU) 2015/849 either because of the parent entity’s legal form (e.g. holding company) or because the parent entity is established in a third country outside Europe.
EBA analysis: These guidelines are based on Directive (EU) 2015/849. It was therefore clarified that where a parent company is not an obliged entity under Directive (EU) 2015/849, section 4.3 should not be applicable to the parent entity (note, however, that branches and subsidiaries of such a parent entity which are themselves obliged entities, if located in the Member States, should be compliant with other sections of these guidelines).
Amendments to the proposal: Change introduced in paragraph 77 to make the scope of application explicit and clear.
Guideline 4.3.2, paragraph 77
Summary of responses received: One respondent requested clarifications on how the cartography of risks exercise at a group level should be coordinated with the individual entities’ risk assessments.
EBA analysis: It is the responsibility of the individual entities to perform their own AML/CFT risk assessments, but the parent entity’s responsibility to provide a consistent methodology.
Amendments to the proposal: Change introduced to paragraph 77.
Guideline 4.3.3, paragraph 79 a)
Summary of responses received: One respondent requested clarification as to whether, in banking groups where the AML/CFT function is outsourced to the parent company, the member of the management body responsible for AML/CFT should be appointed only at the parent company level or in each entity of the group, both located in the same Member State as the parent company or in another Member State / third countries, including non-banking entities subject to AML/CFT regulation.
EBA analysis: There needs to be a designation of a member of the management body responsible for AML/CFT in every subsidiary/entity of the group. An AML/CFT responsible at the group level is not sufficient. This requirement is also coherent with section 4.1 of these guidelines.
Amendments to the proposal: None
Guideline 4.3.3, paragraph 79
Summary of responses received: Three respondents requested clarifications on what is meant by group management body.
EBA analysis: It was clarified that ‘group management body’ refers to the ‘management body of the parent company’.
Amendments to the proposal: Rewording of paragraph 79.
Guideline 4.3.3, paragraph 81
Summary of responses received: One respondent proposed to add a requirement, in the list of tasks of the group AML/CFT compliance officer under paragraph 81, that the group AML/CFT compliance officer should be involved in the recruitment and/or replacement of the AML/CFT compliance officers in the entities of the group.
EBA analysis: The systematic involvement of the group-level AML/CFT compliance officer in the designation of AML/CFT compliance officers of the group entities is not a Directive (EU) 2015/849 requirement and may pose several implementation issues such as: the shift of responsibility for the selection of the candidate from the entity toward the group; legal issues around the contractualisation of the employment; and, in cases of bigger financial institutions with a large number of entities in the group, operational/resource issues for the group AML/CFT compliance officer to find time to allocate to this task.
Amendments to the proposal: None
Guideline 4.3.3, paragraph 82
Summary of responses received: Several respondents indicated that the list of elements to be included in the activity report of the group AML/CFT compliance officer, as described under paragraph 82, is excessive, too prescriptive and detailed, and sometimes ‘create confusion’ between the tasks of the first and second lines of defence.
EBA analysis: As was the case with paragraph 50 on the activity report of the AML/CFT compliance officer, this specific part of the guidelines has been significantly revised and shortened.
Amendments to the proposal: Changes introduced in paragraph 82 and clarified that it is an annual report.
Feedback on responses to Question 5: Do you have any comments on Guideline 4.4. ‘Review of the AML/CFT compliance function by competent authorities’?

Note: responses received on this specific question were taken on board when finalising the revised Risk-based Supervision Guidelines (EBA/GL/2021/16), published on 16 December 2021.