
New Duties for the Management Body under AMLR
AML/CFT responsibility rests with the Management Body
The Management Body is the highest authority responsible for AML/CFT compliance.
Management Body responsibility:
- Is collective and applies to the management body as a whole
- Cannot be transferred to compliance, risk, or external advisors
- Remains intact even if a specific member is appointed as compliance manager
Appointing a responsible member does not limit or shield the Management Body from liability.
Supervisors will assess your collective conduct, not internal role descriptions.
Internal Policy approval is non-delegable
The Management Body in its "management function" must:
- Approve all AML/CFT internal policies
- Ensure policies reflect:
  - The actual business model
  - The institution’s risk exposure
  - Strategic risk appetite
What this means in practice:
- Approval by compliance → insufficient
- Approval by committees → insufficient
- Approval by supervisory board only → insufficient
Only executive management approval meets the AMLR standard.
Business-wide Risk Assessment (BWRA) equals risk acceptance
The Business-wide Risk Assessment (BWRA) is:
- Drafted by the compliance officer(s)
- Approved by the management body in its management function
By approving the BWRA, the Management Body explicitly accepts:
- The identified AML/CFT risks
- The risk classification of the institution
- The consequences for controls, resources and escalation
Approval is not procedural – it is a substantive acceptance of risk.
Compliance Manager: Accountability inside Management Body
Appointment and Role
One member of the Management Body must be appointed as Compliance Manager.
Compliance Manager means:
- You are the executive owner of AML/CFT compliance
- You ensure that:
  - Policies, procedures and controls match the risk exposure
  - They are actually implemented
  - Adequate staff and systems are provided
- You receive and act on material AML weaknesses
This is not an honorary title. It is a personal management duty.
Collective Management Bodies
Where the management body acts collectively:
- The Compliance Manager must:
  - Assist and advise the body
  - Prepare AML-relevant management decisions
- Collective responsibility remains fully intact.
Oversight of the Compliance Officer(s)
The Management Body must ensure that the compliance officer:
- Has sufficient hierarchical standing
- Can report directly and independently to:
  - The management body (management function)
  - The supervisory function (where it exists)
- Is protected against:
  - Retaliation
  - Commercial pressure
  - Undue influence
Removal of the compliance officer(s):
- Requires prior notification to the management body
- Must be notified to the supervisor
Important: Undermining compliance independence is a management failure, not an HR issue.
The 3 R’s: Reporting, Review and Remediation
The Compliance Manager must:
- Regularly report to the Management Body
- Submit, at least annually, an AML implementation report (prepared by the compliance officer)
The Management Body must ensure:
- Deficiencies are remedied in a timely manner
- Findings are not merely acknowledged, but acted upon
Group-wide Responsibility: Parents are responsible for their Subsidiaries
At Group-level, the Management Body of the parent undertaking must:
- Receive regular reports on group-wide AML implementation
- Receive at least one annual consolidated AML report
- Take decisions necessary to remedy group-level deficiencies
Parental Advisory: AML governance is centralised accountability, not decentralised comfort.
Management Summary
Recital (38) of the AMLR explains the core logic:
| Function | Who is responsible? |
|---|---|
| Ultimate AML/CFT compliance | Management Body (collective) |
| Executive accountability | Appointed Compliance Manager |
| Day-to-day implementation | Compliance Officer(s) |