The European Banking Authority (EBA) has released its findings from a review of competent authorities’ risk-based approaches and governance systems to combat money laundering and terrorist financing (ML/TF) risks in the supervised entities of the banking sector. In their approach to supervision of financial services, the report indicates that progress has been made by the supervisors, with some authorities implementing significant changes in their Anti-Money Laundering and Counter Terrorism Financing (AML/CFT) risk management systems within banks. Through its promotion of a holistic approach to supervision, the EBA’s efforts have resulted in tangible progress by many authorities in addressing ML/TF risks through prudential supervision and improving their systems and controls. To effectively tackle ML/TF risks and ensure compliance, most supervisors in the financial services sector must strengthen their supervisory processes, and adopt a risk-based approach in their respective banking sectors.

The 2023 report, summarising findings from the third round of AML/CFT implementation reviews, focuses on combating the financing of terrorism, and includes a thorough examination of the risk management systems put in place to achieve this. AML/CFT implementation reviews are carried out in line with Article 1, Article 8(1), Article 9a and Article 29(1) and (2) of Regulation (EU) No 1093/2010 (EBA Regulation) and within the financial system framework.

During this round of on-site inspections, EBA staff reviewed twelve competent authorities from nine EU/EEA Member States, including central banks, that are responsible for the AML/CFT supervision of banks. In total, staff spent 45 working days on-site, assessed more than 1,000 documents related to the financial system and met with 40 local private sector representatives and nine Financial Intelligence Units. Some interviews assessing the compliance landscape and policies and procedures were carried out remotely.

Each review focussed on how competent authorities assess the ML/TF risks associated with banks under their supervision, and on how competent authorities are using these risk assessments to inform their supervisory practices. It also examined the central role of prudential and AML/CFT competent authorities in mitigating ML/TF risks, managing compliance issues, and safeguarding the integrity of the financial markets in their jurisdiction. Review teams provided targeted feedback to each competent authority at the end of each review, supporting them in enhancing their AML/CFT work, including the improvement of risk management systems, policies and procedures. This feedback, which includes aspects relating to sanctions, policies and procedures, and the actions review teams recommended competent authorities to take to address inefficiencies, are summarised in this report.

All competent authorities in this round had undertaken work to implement a risk-based approach to AML/CFT but significant differences existed in the way they identified and addressed ML/TF risks in banks. While some competent authorities had redefined their approach to AML/CFT supervision following high-profile ML/TF cases involving banks in their jurisdiction and were now largely effective, most competent authorities had not taken advantage of such opportunities or drawn on the lessons learnt by others, and therefore continued to face the same challenges as competent authorities that were part of the first two rounds of implementation reviews. In particular, the EBA staff observed potential shortcomings in the existing risk management framework that handles the financing of terrorism, which could give rise to increased vulnerabilities:

• more than half of all competent authorities’ approaches to assessing risks within the banking supervision framework were not conducive to the development of a comprehensive understanding of ML/TF risks in the banking sector;

• more than half of all prudential supervisors in this round were aware of their role in tackling ML/TF risks, but a lack of formalised processes and limited targeted training on ML/TF risks and warning signals meant that opportunities for engagement between AML/CFT and prudential supervisors were sometimes missed;

• most competent authorities had adequate enforcement powers, however processes were not sufficiently detailed or documented in more than half of all cases, which created a risk that measures were not applied consistently; it also exposed competent authorities, including the central bank, to a risk of legal challenges by banks, which could undermine their supervisory processes and their ability to impose sanctions;

• all competent authorities recognised the importance of cooperation and exchange of information at the domestic and international level with competent authorities, FIUs, tax authorities and law enforcement, but few of them took advantage of the opportunities afforded by this to enhance their risk-based approach.

The findings and recommended actions in this report will be relevant to all competent authorities responsible for tackling ML/TF risks in credit and financial institutions across the single market, as well as countering the financing of terrorism. Based on these findings pertaining to the financial sector, competent authorities should consider adjusting their approach to supervision and risk management systems where necessary. In its fourth and last round of implementation reviews, the EBA expanded its supervisory processes to include competent authorities like the central bank. After this round of on-site inspections, the EBA will publish a final report, detailing an assessment of progress made since 2019, with regards to AML compliance, supervision of financial institutions, and measures taken in countering the financing of terrorism.

Report on competent authorities’ approaches to the AML/CFT supervision of banks