This article was originally published in Money Laundering Bulletin.
In an effort to achieve better common understanding by competent authorities and financial sector operators of the European Union’s anti-money laundering regulatory framework, on 2 August  the European Banking Authority (EBA) launched a public consultation on draft Guidelines on the policies and procedures around compliance management and the role and responsibilities of the AML/CFT Compliance Officer under Article 8 and Chapter VI of Directive (EU) 2015/849. 
Since 2015, several reports  have highlighted the uneven and ineffective application of the requirements set out in Directive 2015/849.
This Directive provides that a compliance officer should only be appointed by obliged entities “where appropriate with regard to the size and nature of the business”.  Given this rather general wording, some financial sector operators determined they had no need to appoint a compliance officer.
However, the Guidelines now make it clear that all financial sector firms must do so: other obliged entities (independent legal professionals, estate agents, etc.) may still apply the distinctly vague proportionality test.
The Guidelines also provide some direction on the general responsibilities and duties of a compliance officer.
Effective and proportionate application
Under the Guidelines, proportionality and effectiveness for a financial sector operator are to be assessed by reference to its type, size, internal organization, nature, scope and the complexity of its activities, as well as the money laundering and/or terrorist financing risks to which it is potentially exposed.
Whereas proportionality is relatively easy to determine, the question remains of how effectiveness is to be assessed based on the above-mentioned criteria.
Effectiveness implies high quality AML/CFT control procedures. In practical terms, this means providing adequate resources, hiring suitably qualified staff, adapting the corporate governance documents, and developing internal reporting policies. Taking these steps should ensure that senior management has clearly defined responsibilities and create an efficient reporting flow, aimed at identifying information that highlights money laundering and/or terrorist financing concerns.
These operational issues, previously identified as deficient, precipitated the introduction of the new Guidelines.
For example, in their 2017 Joint Opinion on the risks of money laundering and terrorist financing affecting the EU’s financial sector, the European Supervisory Authorities concluded that senior management of some financial sector operators see AML/CFT issues as immaterial, especially when set alongside a corporate culture that pursues profits at the expense of robust compliance. This means that safeguarding adequate resources and hiring qualified staff for AML/CFT roles was not seen as a priority, which adversely affected the quality of the relevant control procedures.
In addition, a 2019 Report from the European Commission on the assessment of recent alleged money laundering cases involving EU credit institutions suggested that many of the entities under review had not established adequate risk management systems and controls. The report’s analysis revealed deficiencies in governance arrangements, internal reporting and group policies, as well as senior management responsibilities and accountability.
Similarly, effectiveness can also stem from appropriate interaction between the supervisory authorities and senior management of the financial sector operators concerned. This reinforces the need for involvement by these operators in AML/CFT issues, clear lines of responsibility, and even a direct line with staff who have AML/CFT responsibility.
In its 2019/20 AML/CFT review of competent authorities, the EBA found that in some Member States, supervisors who were responsible for the AML/CFT supervision of banks did not interact with those banks’ senior management. This oversight occurred because there was no legal or regulatory requirement to appoint a relevant compliance officer of sufficient seniority to report to the financial institution’s senior management body. The EBA emphasised that as a result, there was a risk that AML/CFT supervision may not be effective in those Member States.
Consequence of group compliance requirements
Given the obligation imposed by Directive 2015/849 for groups of companies to appoint a compliance officer at the parent company level, who is responsible for ensuring that compliance with AML/CFT programs is developed at group level for all global subsidiaries, certain points are worth considering.
First, this obligation may impact relations between businesses in the EU and the United Kingdom (or any other third country). Subsidiaries located in third country jurisdictions will have to look into whether they have an obligation to appoint a local compliance officer to meet the obligations of their parent companies based in EU Member States. There is also the question of whether parent companies based in third countries have an obligation to appoint a global compliance officer to ensure Directive compliance of subsidiaries located in EU Member States.
We also consider that the EU Directive 2015/849 imposes an obligation on groups of companies to implement effective AML/CFT programs in accordance with EU law at the level of majority-owned subsidiaries located in third countries,.
The Guidelines note that competent authorities of EU Member States also have a duty to review AML/CFT compliance in the financial sector operators in their jurisdictions. Breaches of obligations under Directive 2015/849carry administrative sanctions up to €5m, or 10% of the operator’s total annual turnover, whichever is greater.
It remains to be seen whether the requirement to appoint a compliance officer will be deemed adequate cause to trigger extraterritorial intervention by EU Member States’ authorities under Directive 2015/849.
Even though the Guidelines will help financial sector operators interpret their AML/CFT obligations, some aspects remain unclear, namely, when other obliged entities need to appoint a compliance officer, the criteria around effective and proportionate application of the requirements, and scope for extraterritorial enforcement.