A new EU-wide AML enforcement framework is on the way, creating a new AML authority, bringing new rules and enhanced enforcement that will affect areas ranging from detailed client due diligence measures to transfers of crypto-assets. Banks need to recognise the scope of change, keep up with supervisory thinking and use new technologies to stay ahead of the game.
Anti-money laundering (AML) and combating the financing of terrorism (CFT) have been rising up banks' agendas in recent months - and European authorities, building on 2020’s six-point action plan on AML/CFT safeguards, are now accelerating their push to create a rigorous new pan-European AML/CFT enforcement framework. In response, many banks are also stepping up their efforts to fight AML/CFT.
As part of this plan, the European Commission has published an ambitious AML legislative proposal package setting out its vision for a system that will combat money laundering with consistent rules, supervision and enforcement. At its centre the proposal is to create a new EU AML Authority (AMLA). This new authority will directly supervise the riskiest cross-border financial sector entities and bodies that demonstrate weaknesses in their approach to AML. The AMLA will also coordinate all national supervisors and have the power to levy fines of up to 10% of revenue or €10m – whichever is the higher. In addition to the new Authority, the Commission proposes to:
- Set out new AML/CFT regulations, including an EU-wide limit of €10k on large cash payments and more granular customer due diligence measures.
- Create a sixth AML Directive with a range of provisions to be transposed into national laws.
- Revise 2015’s regulation on transfers of funds, in order to include transfers of crypto-assets made by “Crypto-Asset Service Providers” (“CASPs”), within the current provisions on transfer of funds.
In this context, the European Banking Authority (EBA) recently published its annual work programme for 2022 describing its priorities for the coming year. One of these priorities include fighting AML/CFT and contributing to a new EU infrastructure. Furthermore, the summer of 2021 also saw the EBA launch two major AML/CFT consultations on:
- New guidelines for compliance officers. These specify management bodies’ responsibility to implement AML/CFT governance frameworks; clarify the AML/CFT responsibilities of compliance officers; and set out new requirements for parent group AML/CFT functions and their relationships with subsidiary compliance units.
- Incorporating AML/CFT into the Supervisory Review and Evaluation Process (SREP). The goal is to align the SREP with other developments including those introduced by the Capital Requirements Directive (CRD V) and the Capital Requirements Regulation (CRR II). This would affect all four elements of the SREP, putting AML/CFT into a new and more significant light for banks.
Additionally, there are several other key initiatives undertaken by the European authorities in their continuous efforts to tackle AML/CFT. These include the formation of a dedicated AML unit by both the EBA and the European Central Bank (ECB) to facilitate cooperation and the exchange of information related to AML/CFT between prudential supervisors and AML/CFT supervisors.
In short, European banks face a fast-changing regulatory and supervisory environment. In response many banks are investing to strengthen their AML/CFT programmes, and are reviewing the roles and responsibilities of first lines of defence (1LoD) and second lines of defence (2LoD) related to AML. Against this background, client conversations indicate that poor data quality is one of the main barriers to defining clear roles & responsibilities between 1LoD & 2LoD related to AML work.
So where should banks go from here? A recent ECB speech revealed that the European Commission’s review of AML incidents involving European banks indicated weaknesses in control and risk management frameworks, a lack of joined-up cross border oversight, and even the deliberate lowering of defences were typical contributors to recent failures. These findings, combined with KPMG’s own observations and the ongoing evolution of regulation and supervision, lead us to identify seven key areas of action for banks aiming to enhance their AML/CFT capabilities.
- Enhance data management capability: Establish a robust data management framework that eliminates ambiguity between functions and lines of defence, and enables the seamless collection, consolidation and governance of AML data.
- Strengthen data and tech infrastructure, harnessing emerging technologies: Implement integrated, automated systems using emerging tools such as artificial intelligence (AI), machine learning and cloud computing to screen transactions, detect suspicious activity, augment suspicious activity reports (SARs) and reduce false positives - while recognising that human judgement can never be removed entirely.
- Update policies and procedures: Align policies and procedures with global and local standards and changing regulatory and supervisory expectations. Develop an integrated framework to track regulatory and supervisory requirements, update policies and ensure regular review and approval by senior management.
- Review and rethink AML investment budgets: Ask whether investments in existing systems are yielding the desired results, and rethink AML investment strategies with a focus on minimizing costs, increasing efficiency and demonstrating progress towards sustainable AML/CFT models.
- Ensure adequacy of resources: Review resources periodically to ensure that teams are suitably resourced and have the right subject matter knowledge and experience, and that investment is prioritised effectively given the evolving AML/CFT landscape.
- Promote a positive AML culture: Maintain a positive AML/CFT culture within the firm and across all lines of defence by providing regular training for employees on potential or emerging risks stemming from developments in areas such as environmental, social and governance (ESG), digital finance, cryptocurrencies, emerging technologies and the pandemic.
- Augment AML risk assessment framework considering the changing AML landscape: Establish a framework to assess the firm-wide impact of AML risks resulting from changing customer behaviour, evolving products or services, system enhancements etc on a regular basis. For instance, the AML risk involved in offering a product to a customer through a traditional banking channel may differ when a similar product is offered through a digital platform.
Money laundering and financial crime are a danger to the stability of individual banks, and to the public’s trust in banking. European authorities take potential breaches very seriously and are working to strengthen regulation, co-ordination and enforcement. With risks and supervision evolving more rapidly than ever, now is the time for banks to reassess their readiness and apply new technology and techniques so they can achieve higher standards of compliance at a lower cost.