- The AMLR contains various internal governance requirements that must be adhered to by all obliged entities as of 10 July 2027.
- The AMLR partially codifies the governance requirements as included in – for example – the EBA AML/CFT Compliance Officer Guidelines and (upcoming) EBA Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures.
- These guidelines include regulatory expectations regarding the role of senior management, internal governance and roles and responsibilities for banks and other financial institutions.
- Both financial and non-financial obliged entities are advised to consult the existing EBA Guidelines as part of their preparatory work in becoming compliant with the AMLR, while taking into consideration that the AMLR may slightly differ from these Guidelines.
In July 2024, the Anti-Money Laundering Regulation (AMLR) entered into force. The AMLR details the material AML/CFT obligations for obliged entities, such as those on outsourcing, customer due diligence, the reporting of suspicious transactions, record keeping, and training and awareness. Slightly lesser known are the obligations related to obliged entities’ internal governance arrangements. By comparing the AMLR provisions with the fifth Anti-Money Laundering Directive (AMLD5) and the relevant Guidelines issued by the European Banking Authority (EBA), this KPMG Insight addresses the internal governance requirements under the AMLR and how these should be considered in light of existing legislation and regulatory expectations.
Internal governance in the AMLR
Internal governance requirements can be found in various AMLR provisions. A summary of the most prominent provisions follows:
- Article 9 is about the scope of internal policies, procedures and controls. The AMLR requires that the internal policies be approved by the management body in its management function (Management Board), whereas internal procedures and controls must be approved at least at the level of the Compliance Manager, who is the member of the Management Board responsible for ensuring AML/CFT/TFS compliance. The ultimate responsibility for compliance with AML/CFT/TFS requirements, however, rests with the Management Board.
- Article 10 concerns the business-wide risk assessment. This assessment must be ‘drawn up’ by the Compliance Officer and approved by the management body in its management function (Management Board) and, where such body exists, communicated to the management body in its supervisory function (Supervisory Board).
- Article 11 contains requirements on the compliance function. It requires obliged entities to appoint one member of the management body in its management function (the Compliance Manager), who is responsible for ensuring compliance with the obligations in the area of anti-money laundering (AML), combatting terrorism financing (CFT) and targeted financial sanctions (TFS). The Compliance Manager is responsible for ensuring that the entity’s internal policies, procedures and controls are consistent with the entity’s risk exposure and that these are implemented in practice. The Compliance Manager must regularly report on the implementation of the obliged entity’s internal policies, procedures and controls to the management body and keep it informed of the outcome of any reviews, such as supervisory inspections.
Obliged entities are, in principle, also required to have a Compliance Officer, who must be appointed by the Management Board and have a sufficiently high hierarchical standing. This Compliance Officer is responsible for the day-to-day operations of the obliged entity’s AML/CFT/TFS obligations and is the contact point for competent authorities. The Compliance Officer must be able to report directly and independently to the Management Board and, where such body exists, the Supervisory Board.
- Article 16 concerns group-wide requirements. It requires parent undertakings to ensure that the requirements on internal procedures, risk assessment and staff apply in all branches and subsidiaries of the group in the European Union (EU) and, for groups whose head office is located in the EU, also in third countries. Compliance functions are to be established at the level of the group.
- Article 69 details that reports of suspicious transactions must be submitted by the Compliance Officer.
The AMLD5 and EBA Guidelines
Compared to its predecessor AMLD5, the AMLR is more detailed on internal governance arrangements in the area of AML and CFT. It pays more attention to the required skills, competences and tasks of the Compliance Manager and the Compliance Officer. The AMLR also expands the scope from AML/CFT to include compliance with TFS, which also impacts the internal governance.
Under the AMLD5, the EBA was mandated to draft guidelines. In June 2022, the EBA issued its Guidelines on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CFT Compliance Officer (AML/CFT Compliance Officer Guidelines). The Guidelines set expectations on the role, tasks and responsibilities of the AML/CFT Compliance Officer and the Management and Supervisory Boards. The Guidelines are directed towards credit and financial institutions, which must make every effort to comply with the guidelines.
In November 2024, the EBA issued its final Guidelines on internal policies, procedures and controls to ensure the implementation of Union and national restrictive measures (Restrictive Measures Guidelines), following amendments to the Wire Transfer Regulation (Transfer of Funds Regulation) as part of the adoption of the EU AML package. These guidelines include requirements for financial institutions’ governance and risk management systems to ensure these are sound and sufficient to address the risk that they might breach or evade restrictive measures. These guidelines will apply as of December 2025.
Strictly legally speaking, the EBA Guidelines are non-binding, as they operate under a ‘comply or explain’ mechanism. In practice, however, EBA Guidelines are generally complied with and used as the supervisory benchmark. The EBA Guidelines thus give more shape to the (limited) requirements stemming from the AMLD.
It is also important to point out that the above two Guidelines should not be read in isolation, as they relate to other relevant Guidelines as well, such as the EBA Guidelines on internal governance under the Capital Requirements Directive. Also, the draft guide on governance and risk culture issued by the European Central Bank (ECB) in July 2024 makes reference to AML internal governance, as it integrates AML/CFT-related matters in its prudential assessment of governance and risk culture. For readability, these are not further considered in this KPMG Insight.
Key players and their roles and responsibilities
Where do the AMLR on the one hand, and AMLD5 and the AML/CFT Compliance Officer Guidelines and Restrictive Measures Guidelines (hereinafter jointly referred to as ‘the EBA Guidelines’) on the other, align? Where do they diverge? The illustrations below highlight the most salient governance requirements by focusing on the key players: the Supervisory Board, the Management Board, the Compliance Manager and the Compliance Officer.
Supervisory Board
For the management body in its supervisory function (Supervisory Board), the AMLR includes only a few provisions. It must be informed of the outcomes of the business-wide risk assessment. The Compliance Officer and Head of Internal Audit must be able to report independently to the Supervisory Board or raise concerns and warn it where specific developments affect or may affect the obliged entity.
The EBA Guidelines provide more regulatory expectations on this body’s roles and responsibilities within the AML/CFT framework, for example in relation to the Compliance Manager as well as periodic assessments of the effective functioning of the compliance function. The EBA Guidelines also note that the Supervisory Board must have access to and take into account data and information of sufficient detail and quality to enable it to fulfil its oversight and monitoring role effectively.
Management Board
For the management body in its management function (Management Board), the AMLR stipulates that it is responsible for approval of the internal policies. Internal procedures and controls may be approved at least at the level of the Compliance Manager. The AMLR – unlike AMLD5 and the EBA Guidelines – explicitly requires the Management Board to approve the business-wide risk assessment. The Management Board is responsible for appointing the Compliance Manager and Compliance Officer. The Compliance Officer and Head of Internal Audit must be able to report directly to the Management Board or raise concerns and warn it where specific developments affect or may affect the obliged entity.
As under the AMLD5, the Management Board may be involved in the approval of the acceptance of new and continuation of certain business relationships. However, as the AMLD5 and AMLR in this context refer to ‘senior management’, it is also permissible to allocate this role to other officers and employees with sufficient knowledge of the entity’s ML/TF risk exposure and sufficient seniority to take decisions affecting its risk exposure.
The EBA Guidelines provide more regulatory expectations on this body’s roles and responsibilities within the AML/CFT framework.
Compliance Manager
The Compliance Manager is the member of the Management Board responsible for ensuring AML/CFT compliance and, with the AMLR’s expansion to this domain, TFS compliance. Under the AMLR the Compliance Manager is responsible for:
- Ensuring that the entity’s internal policies, procedures and controls are consistent with the obliged entity’s risk exposure and that these policies, procedures and controls are implemented.
- Ensuring sufficient human and material resources to that end.
- Receiving information on significant or material weaknesses in the internal policies, procedures and controls.
- Assisting, advising on and preparing decision-making by the Management Board.
- Regular reporting to the Management Board, keeping the board updated on the outcomes of any reviews, and the (at least) annual submission of the report on the implementation of the entity’s internal policies, procedures and controls drawn up by the Compliance Officer.
- Taking actions to remedy identified deficiencies in a timely manner.
From the formulations used, it appears that tasks imposed on the Compliance Manager have become somewhat more prescriptive under the AMLR. On the matter of reporting, for example, the AMLR requires the Compliance Manager to ‘regularly report’, instead of ‘ensuring’ that there is periodic reporting to the Board. And instead of ‘recommending actions’ to the Board to remedy serious or significant AML/CFT issues and breaches, the Compliance Manager is required to take the necessary actions for remediation of any deficiencies.
It is also noteworthy that the AMLR predominantly focuses on the relationship of the Compliance Manager with the Management Board (upwards), while the EBA Guidelines also pay attention to the responsibilities of the Compliance Manager vis-à-vis the Compliance Officer (downwards). The EBA Guidelines stipulate, for example, that the Compliance Manager is the main contact point for the Compliance Officer and require the Compliance Manager to ensure that the Compliance Officer has access to all information, as well as sufficient human and technical resources and tools, to perform his/her tasks.
Compliance Officer
The Compliance Officer is the person appointed by the Management Board with responsibility for the policies, procedures and controls related to AML/CFT and TFS in the entity’s day-to-day operations.
Different from AMLD5, the AMLR does not necessarily require the Compliance Officer to be at management level but leaves more flexibility by referring to a ‘sufficiently high hierarchical standing’. The Compliance Officer’s responsibility for TFS also differs from the EBA Restrictive Measures Guidelines, which allow any ‘senior staff member’ with adequate knowledge and understanding of restrictive measures to be appointed. This means that until 10 July 2027, institutions may appoint a person other than the Compliance Officer as the officer responsible for the implementation of TFS, but that after this date this must be the same person.
Unlike the EBA Guidelines, the AMLR is silent on the Compliance Officer’s skills and competences, position and embedding within the organisation. The EBA Guidelines stipulate, for example, that the Compliance Officer is part of the 2nd Line and must be independent. The EBA Guidelines also include expectations on the Compliance Officer’s contracting and geographic location, and circumstances under which the Compliance Officer can assign and delegate tasks to other officers or employees acting under his/her direction and oversight.
Under the AMLR, the Compliance Officer is the entity’s contact point for competent authorities and responsible for:
- Reporting suspicious transactions to the Financial Intelligence Unit (FIU).
- Drawing up the business-wide risk assessment.
- Drawing up an (at least) annual report on the implementation of the obliged entity’s internal policies, procedures and controls.
The formulation used in the AMLR suggests that the role of the Compliance Officer in the business-wide risk assessment changes from setting the risk management framework to actually facilitating and/or carrying out the assessment.
Compared to the AMLR, the EBA Guidelines include various additional expectations on the responsibilities of the Compliance Officer, for example in the areas of client acceptance (mandatory consultation on high-risk customers), internal monitoring and oversight, and training and awareness.
What does this mean for obliged entities?
The AMLR partially codifies the AMLD5 and EBA Guidelines, yet with some different accents and nuances as described above. The EBA Guidelines provide more detailed regulatory expectations related to the internal governance of financial and credit institutions, the content of the business-wide risk assessment and reporting.
As the Anti-Money Laundering Authority (AMLA) is tasked to issue guidelines on the (extent of) internal policies, procedures and controls and the allocation of staff to the compliance function, we expect the current EBA Guidelines to continue to be relevant under the future AMLR regime. These guidelines will also become relevant for non-financial sector parties, because the AMLA guidelines will apply to the full range of obliged entities under the AMLR. Under article 54(5) of the AMLA Regulation, the EBA Guidelines and recommendations remain applicable until new guidelines and recommendations issued by AMLA on the same subject apply.
Therefore, both financial and non-financial obliged entities are advised to consult the existing EBA Guidelines as part of their preparatory work for AMLR compliance, while taking into consideration that the AMLR’s formulations could lead to a deviation or nuance compared to the existing EBA Guidelines.
KPMG can help you become AMLA ready!
KPMG Malta is on top of the regulatory developments in the AML/CFT and sanction domains. With our regulatory expertise and rich experience in the market, we can offer you a wide array of services, including but not limited to performing AMLR readiness assessments, carrying out or validating AMLR gap and impact assessments, updating or validating updates to your internal risk management and policy frameworks, training, advising you on the translation of legal obligations into internal requirements as well as the use of screening and monitoring tooling, and the provision of managed services.
If you would like to learn more about the developments in the AML/CFT and sanction domains, their potential impact on your organisation, or what you can do to prepare and start now, we would be pleased to assist you!
At KPMG, we also have a dedicated AMLA office, headquartered in Frankfurt, Germany. KPMG’s AMLA Office serves as the leading centre of expertise on AMLA supervisory policy and practice.