New Amended AML/CTF Requirements – But Companies Are Advised To Gear Up for Long-Term Changes
On March 26, the Swedish Financial Supervisory Authority's proposed amended AML/CTF Requirements (Föreskrifter (FFFS 2017:11) om åtgärder mot penningtvätt och finansiering av terrorism) come into force.
According to critics and seasoned AML-professionals, the news are basically no news. What is important at this point it in time, is rather to take a longer-term view and focus not only on the updated requirements by the Swedish FSA but also on the forthcoming EU AML Regulations and the AMLD6. For businesses that are not taking a longer-term view to work strategically and effectively to adapt, a bigger challenge awaits when the European regulation come into force, according to Advisense AML experts.
From the viewpoint of financial institutions in Sweden, it should not really be a question whether roles and responsibilities should adjusted and accommodated now or later. The question is rather how iterative the process will turn out to be, and if organisations will have to review and redo again shortly.
Getting your AML organisation ready for the future
Before we go into what the amended AML/CTF requirements implicate in essential parts, let’s set our sights on the longer perspective.
In the near future, the EU AMLR is expected to require AML functions to undergo significant changes. The role of specially appointed executive in the first line, (särskilt utsedd befattningshavare SUB) is not uniform. Within Europe, Great Britain and the United States, large parts of transaction monitoring and other controls are often handled by the second line AML compliance officer function, corresponding to what is referred to as the Central Funktionsansvarig, CFA, in a Swedish context.
The future requirements according to the AMLR for the “AML Compliance Officer” involve responsibilities similar to the SAE role, but with a crucial difference – the AML Compliance Officer must be independent and part of the management team. Originally, the Compliance Officer was required to be an appointed board member.
However, this requirement has now been changed, which poses a challenge for Swedish companies. This is partly because SAE is often a first line function, and a Compliance function is not usually expected to report to the first line. In part, the view of what is acceptable and what is not for Compliance and CFA to perform is also being challenged.
Hence, organizations are advised to adopt in preparation for the regulation, given that more of the regulatory compliance management and the framework for the general risk assessment will take place in the second line.
Practical implications
A new requirement in the regulations is that the company’s routines and guidelines must clearly define which functions the company has established and who holds what function. According to the European Banking Authority (EBA) Guidelines, an equivalent CFA should be appointed at company management level, although this requirement is not specified in the regulations.
A central aspect is also an increased emphasis on proportionality. The size of the company will determine whether a CFA needs to be appointed, as can the the established level of risk exposure that the company has. The expected result is that it will become easier, especially for small businesses and sole traders, to comply with the requirements.
The financial industry can expect a rapid change in AML compliance practices, which might involve inherent challenges for various institutions. It is therefore recommended to clarify how frameworks and structures are suited the new requirements on reporting according to the new EU regulations already now. In general, this means that management and the board must take greater responsibility than before and govern more on policy level.
For smaller Swedish financial institutions, the ability to recruit and maintain appropriate competence is often a challenge. It poses a risk per se if generalist resources within an organization are expected to address and work with specific subject matter issues for which they are not equipped.
For larger companies with an international presence, it is necessary to carefully review the guidelines given what the EBA may present until the regulation has come into force and the new European supervisory authority AMLA has started its work. It is not unthinkable that some financial institutes with operations in different jurisdictions may face conflicting issues in relation to different authorities when it comes to, for example, compliance with AML governance and control.
Immediate changes – CFA and AML compliance
There is some critique that the new guidelines are at odds with the way Swedish financial institutions organize their AML/CTF work, specifically with regards to certain operational roles being assigned to the CFA. The goal of the current regulation is for the regulations to better comply with the money laundering directive and the upcoming regulation.
Under the new regulations, financial institutes that do not appoint a CFA must have a compliance function. If a CFA is not appointed, the institute should organize itself so that its obligations under the money laundering regulations are implemented and enforced in the business, for example through SUB or the person in the company responsible for the implementation of the money laundering regulations. However, the regulations do not refer to the SUB but to a compliance function that must “ensure” that the company’s obligations are enforced in the business.
According to the referral memorandum, companies without a central functional manager must have a regulatory compliance function that is responsible for ensuring that the company implements and enforces its AML/CTF obligations in the business.
There is a need in many organizations to understand that the term ‘compliance function’ is not necessarily the same as compliance function under other legislations. Therefore, the term “function for regulatory compliance” should be avoided and one should instead speak of an AML Compliance function. For companies that according to other regulations must have a function for regulatory compliance, this function should have the responsibility.
With regard to the duties of the CFA, it is clear that a financial institute can outsource some of these, with the exception of the obligation to report (uppgiftsskyldigheten), which is a consideration explained by the duty of confidentiality. According to the Financial Supervisory Authority, the duty of confidentiality is only covered by business operators and persons who are or have been engaged by the company as board members or employees. Therefore, it is important that those who have the task of reporting to the FIU are employees of the company in order that they are covered by the duty of confidentiality.
However, it is not clear how the duty of confidentiality should be handled when controls are outsourced to an external party, as this would reasonably give access to such information within the scope of assessments. This is an area that requires further clarity and guidance from the authorities.
Striking a balance between the first and second line
If the role of CFA is outsourced or co-sourced, it is appropriate that responsibility for this lies with the compliance function. If the Compliance function itself is outsourced, the responsibility for procurement and overall responsibility should be placed with the risk control in the second line function to ensure independence. If the task of performing the CFA role is assigned to risk control, it is required that the person has appropriate knowledge and experience in accordance with the requirements of the guidelines.
If risk control is also outsourced, the CFO or credit manager can for example take responsibility for the CFA role or equivalent function by appropriately managing the outsourcing and ensuring internal rules for the remaining tasks provided they are sufficiently independent from the business.
Conclusively, it is important to ensure that the person holding the role has sufficient knowledge and competence to fulfill the tasks adequately and that there are clear rules and procedures for managing the role, especially if it is outsourced to an external party. By placing the responsibility with a function that is sufficiently independent and has the appropriate competence, it can be ensured that the CFA role is performed in a reliable and efficient manner, in accordance with the requirements of the Financial Supervisory Authority’s regulations and the EBA’s guidelines.
Please contact us to discuss current and future changes, how your organization can create assurance around necessary adaptations, adequate and skilled resources and outsourcing.
