Any experienced Compliance Officer or MLRO (Money Laundering Reporting Officer) reading the EBA’s Final Report and Guidelines on the Role of the AML/CFT Compliance Officer is likely to be struck by how much of it seems to be self evidently good practice, which you would assume would be put in place as a matter of course. However, as a wise manager said to me early in my career, “the thing about statements of the bleeding obvious is that often the bleeding obvious needs to be stated – loudly and repeatedly.”
At a time when the finance industry is seeing lots of new entrants with clever ideas using technology to develop new products and services, the danger is that in pursuit of the goal to deliver a shiny new product, compliance may be seen as a barrier to be got round, or over, with minimum box-ticking and resourcing. Even where this is not the case, in small start-ups (and even in small firms which have been longer established) management often assume that the very obviousness of the requirements means that they will automatically be followed. This can mean that they don’t put in place the necessary policy and procedural steps to ensure that they are and, importantly, that the firm can evidence the fact. From the regulator’s point of view, if something is that obvious and a firm cannot show that it has done the necessary to be compliant, its whole governance framework immediately becomes suspect.
This is something we often find in doing audit reviews (and not just in the AML/CFT area). When the audit question asks for evidence that some requirement is being met, firms are unable to provide it, but in interviews the response is “Well, of course we do that.” To return to a theme I repeat endlessly (and apologies to readers fed up of hearing it from me), unless you can evidence compliance, the regulator is likely to presume that it didn’t happen.
While, post Brexit, the EBA Guidelines are not directly applicable to UK institutions, there is nothing in these with which the FCA would disagree, and indeed the guidelines restate and reinforce much of the FCA’s own guidance and the feedback we are seeing both from Supervision and Authorisations.
So, without wanting to sound like a broken record, below are a few statements of the bleeding obvious from the guidelines and some direction for what firms should consider to follow them:
- The management body should collectively possess adequate knowledge, skills and experience to be able to understand the ML/TF related to the firm’s activities and business model.
Does yours? How could you evidence it?
- The management body should, at least once a year, review the activity report of the AML/CFT compliance officer, and assess the effective functioning of the AML/CFT compliance function.
This needs proper minuted discussion – not just noting.
-
A member of the management body should be identified as being responsible for AML/CFT. They should commit sufficient time and have sufficient resources to perform the duties, and should report comprehensively about his/her tasks.
How do you evidence that this person has sufficient time and resource?
-
If, in a small firm, it is decided not to appoint a separate AML/CFT compliance officer the reasons should be justified and documented with reference to at least these criteria:
- The nature of the firm’s business and the associated AL:/CFT risks taking into account its geographical exposure, customer base, distribution channels and products and services;
- The size of its operations, number of customers, number and volume of transactions and number of employees;
- The legal form of the firm and whether it is part of a group.
Again, this needs proper discussion and justification.
The guidelines also go into some detail on the expected activities and reporting duties of the AML/CFT Compliance Officer, which I would see as being a useful checklist against which the job description of the individual in place should be compared.
Compliance Officers/MLROs would be well advised to bring these guidelines to the attention of their Boards/management bodies and to facilitate a discussion as to how well their firms meets the expectations set out therein. Why? I’d have thought it was obvious.
Related resources
All resourcesPayment Services Regulatory Compliance Forum 2025
Webinar: Operational Resilience – the final countdown
The dust is far from settling on the motor finance fiasco
FCA announce limited temporary flexibility on the ‘Naming and Marketing’ rules