Striking the Right Balance Between the 1st and the 2nd Line
On the 21st of November, the Swedish Financial Supervisory Authority (FSA) will inform the European Banking Authority (EBA) if, and how, Sweden will apply the new Guidelines on the AML Compliance Officers.
“The worst place for a compliance professional is line one and a half, getting stuck in the middle,” says John McDermott, Director Financial Services Industry Luminary at Protiviti, when discussing AML across the three lines of defense.
John McDermott has over 30 years of experience in corporate audit, regulatory compliance, operational risk and governance in the USA, Japan and the UK.
His comment is in reference to the forthcoming EBA Guidelines on the role of the AML/CFT Compliance Officer, and is very personal. McDermott has had roles including Managing Director & Head of Compliance and Operational Risk Control at UBS New York and Senior Vice President, Head of Audit and Compliance at Merrill Lynch.
Efficiency vs Ownership
By the 21st of November, things are expected to become a bit clearer. The FSA might take on the Guidelines without reservations or propose adaptations whereby the Specially Appointed Executive will retain risk management, rather than moving responsibility for general risk assessment and internal rules to the CFA (AML/CFT Compliance Officer).
According to John McDermott, there are both challenges and risks to consider. There is merit in the independence of the people doing the oversight, but they may not necessarily have the experience or channels to be heard. In the US context, the AML/CFT Compliance Officer has been around for years, although regulatory authorities have recently been focusing more on the 1st line. In his experience, when 2nd line people are moved to the 1st line, they tend to be less risk-taking and not fully independent. It is a question of striking the right balance between efficiency and ownership.
“It is understandable that it might get messy in the 1st and 2nd lines, and because of the Swedish implementation, the discussions have revolved around organizational challenges. However, it is important to read and consider the Guidelines in total, including reporting and competence requirements of the AML/CFT Compliance Officer role.”
Johanna Bäck, Director FCG’s Financial Services
What is fully clear is that requirements on the CFA will become stricter, considering suitability, skills and expertise [1].
Overall, depending on the size and type of business and organization, for some companies, such as fintechs, meeting the requirements on both competency and continuity might be a challenge.
“If an organization is struggling to secure the required competencies, outsourcing could be a way forward. It is fully possible to delegate operational tasks and activities of the AML/CFT Compliance Officer. This can ensure both expertise, continuity and independence of the function.”
Johanna Bäck
With the new Guidelines, reporting requirements will also become more extensive, for example on reporting areas of improvement, progress of remedial programs and assessment of the sufficiency of human and technical resources. The Guidelines also state requirements on:
- Statistical information and data such as number of unusual transactions detected, analyzed and reported
- Number of requests for information received from the FIU, courts and law enforcement agencies
- Number of customer files by risk category for whom CDD reviews and updates are outstanding
- Number of customer relationships ceased due to AML/CFT concerns.
Today, many financial institutions may lack proper control of their data, as the focus has been on organizational structure rather than on data (quality) specifically.
FCG’s Recommendations
In preparation for the new Guidelines, here are five actions financial organizations can take today:
1. Review your AML/CFT organization
Based on the description in the Guidelines, the first and second lines are re-drawn and the responsibilities and roles change. This means that organizational setup, job descriptions, annual activity plans and reporting routes may need to be reviewed. Which functions may be outsourced also changes.
2. Suitability testing based on new criteria
The Guidelines set extensive requirements on knowledge, competence and experience for the various roles. This means companies need to update their suitability tests of relevant employees according to these requirements, and when necessary, build and assure expertise, internally or externally.
3. Ensure continuity
The AML/CFT Compliance Officer role must not be unstaffed at any time. In the event the CFA role is absent, companies should ensure that resources with similar skills and knowledge are able to cover the function. This could be someone internal or an external person who can handle planned or unplanned absences.
4. Update reporting routines
The Guidelines place increased requirements on the reporting of key figures and issues from the business. Reporting to the CEO and the Board may need to be reviewed and updated, as well as data access for key figures.
5. Train staff
As always with changes, the staff needs to be informed and updated about new rules, routines and conditions.
Please contact Louise Brown and Johanna Bäck for further information.
To participate in the event with John McDermott and other international speakers on the 18th of November, please register here.
[1] Specifically: a) the reputation, honesty and integrity necessary to perform his/her function; b) the appropriate AML/CFT skills and expertise, including knowledge of the applicable legal and regulatory AML/CFT framework, and the implementation of AML/CFT policies, controls and procedures; c) sufficient knowledge and understanding of the ML/TF risks associated with the business model of the credit or financial institution to perform his/her function effectively; d) relevant experience regarding the identification, assessment and management of the ML/TF risks; and e) sufficient time and seniority to perform his/her functions effectively, independently and autonomously.