Outsourcing is dead, long live outsourcing!
The mantra „Outsourcing is dead, long live outsourcing!“ encapsulates the future proposed by the final draft of the Anti-Money Laundering Regulation (AMLR).
The AMLR delineates a clear boundary around „Non-outsourceable tasks,“ essentially carving out the core responsibilities of an AML/CTF Compliance Officer. These include high-stakes decisions like customer risk profiling, approving business relationships, and suspicious activity reporting — tasks that demand nuanced judgment and intimate knowledge of the obliged entity’s operations.
Yet, the reality of business operations often clashes with regulatory ideals. Scenarios such as the resignation of an AML/CTF Compliance Officer, unforeseen leaves due to health or personal reasons, or the financial constraints especially of smaller obliged entities can precipitate a compliance vacuum. In these moments, outsourcing not only becomes a lifeline but a strategic imperative to maintain uninterrupted compliance and safeguard the obliged entity’s integrity.
Recitals of the final draft AMLR
Outsourcing of AML/CFT Tasks
Obliged entities, which are subject to AML/CFT regulations, can outsource tasks related to these requirements to service providers. However, if these service providers are not themselves covered by AML/CFT regulations, their obligations only arise from their contractual relationship with the obliged entity, not from the AMLR directly.
Responsibility Remains with Obliged Entity
Despite outsourcing certain tasks, the ultimate responsibility for AML/CFT compliance rests with the obliged entity. This includes ensuring that any outsourced activities, especially those involving customer identification, adhere to the risk-based approach mandated by the regulation.
Outsourcing Does Not Diminish Obligations
The ability to outsource does not absolve obliged entities of their duty to understand and mitigate money laundering and terrorist financing risks. They must retain final decision-making authority over measures that impact the implementation of their AML/CFT policies and procedures.
Notification to Supervisors
Informing supervisors about outsourcing arrangements does not equate to regulatory approval. However, such notifications are important for supervisory assessments of the obliged entity’s risk management systems and controls, especially when critical functions are outsourced or there is systematic outsourcing.
Guidelines on Outsourcing
The Anti-Money Laundering Authority (AMLA) is tasked with developing guidelines to provide clarity on outsourcing practices. These guidelines will cover the conditions, roles, and responsibilities involved in outsourcing and will help ensure consistent supervisory oversight across the EU.
Restrictions on Outsourcing to High-Risk Third Countries
Obliged entities are prohibited from outsourcing AML/CFT tasks to service providers in third countries that are considered high-risk, have compliance issues, or pose a threat to the EU’s financial system.
Article 14a of the final draft AMLR
Notification and Liability
Obliged entities must inform the supervisory authority before starting outsourcing activities with a service provider. Despite outsourcing, the obliged entity retains full liability for the actions related to the outsourced tasks, whether they are acts of commission or omission.
Non-Outsourceable Tasks
Certain critical tasks cannot be outsourced any more in the future, such as the
- proposal and approval of the business-wide risk assessment,
- approval of policies, controls and procedures,
- decisions on customer risk profiles,
- entering into business relationships, and
- suspicious activity reporting,
- among others.
Qualification and Compliance
Before outsourcing, obliged entities must ensure that the service provider is qualified for the tasks and that they will adhere to the obliged entity’s AML/CFT policies and procedures. This compliance must be outlined in a written agreement and subject to regular controls by the obliged entity.
Supervisory Oversight
Outsourcing must not hinder the supervisory authorities‘ ability to monitor the obliged entity’s compliance with AML/CFT requirements.
Restrictions on Outsourcing to High-Risk Third Countries
Outsourcing to service providers in high-risk third countries is prohibited unless the service provider is part of the same group, and the group complies with AML/CFT policies equivalent to those of the EU. This compliance must be supervised at the group level by the home Member State’s supervisory authority.
Guidelines by AMLA
The proposed new Anti-Money Laundering Authority (AMLA) is tasked with issuing guidelines on establishing outsourcing relationships, including governance, monitoring, roles, responsibilities, and supervisory expectations, especially for critical functions, within three years after the regulation’s entry into force.
Sources:
- Final Draft AMLR
- EBA-Guidelines on the role and responsibilities of the AML/CFT compliance officer https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/anti-money-laundering-and-countering-financing-1
- BaFin-Interpretation and Application Guidance on the German Money Laundering Act (October 2021) https://www.bafin.de/SharedDocs/Downloads/EN/Auslegungsentscheidung/dl_ae_auas_gw2021_en.html