Most people will say that these two functions are one and the same thing. The reality is that in some smaller organisations these two functions are merged, due to size and the resources available.
Whilst this is acceptable for smaller organisations, one needs to appreciate the actual responsibilities of these functions and therefore, even where one person may be fulfilling both, the importance of keeping these functions separate.
Money Laundering Reporting Officer (MLRO)
As defined in the Implementing Procedures Part 1, Section 5.1, the MLRO is an officer of sufficient command within an organisation which is a subject person, whose main functions are:
- To receive reports from employees regarding knowledge or suspicion of ML/FT, consider these reports, and report externally to the FIAU when they deem that ML/FT or the suspicion of ML/FT subsists
- To be the main point of contact for the FIAU
Further to MFSA guidance issued in July 2020, in practice the MLRO should also have oversight over all AML/CFT related activities within the organisation. The MLRO would therefore be responsible for ensuring that:
- AML/CFT policies, controls, processes and procedures are appropriately designed, implemented, and effectively utilised to reduce the risk of the organisation being used for ML/FT
- Sufficient training is provided to all employees in terms of general AML/CFT obligations and organisation-specific policy and procedure
- Proper and sufficient due diligence is performed on customers
- They assess any client activities which score as high risk of ML/FT, either at onboarding stage or throughout the client relationship, in order to provide recommendations in relation to the mitigation of the risks identified
The MLRO may also be tasked with the monitoring function of day-to-day application of the measures, policies, controls and procedures adopted by the subject person to ensure compliance with its AML/CFT obligations.
In fulfilling these functions, the MLRO may delegate to and/or be assisted by other employees falling under his/her supervision; however, the MLRO shall remain responsible for the carrying out of the core functions outlined above and thus shall ensure that he/she is carrying out appropriate supervision. Certain subject persons therefore also appoint a designated employee or employees to temporarily replace the MLRO when absent. The main purpose of a designated employee is therefore to deputise for the MLRO.
Compliance Officer (CO)
On the other hand, the CO is an officer of a regulated person (entity) whose role is to ensure that the organisation complies with all laws under which it operates, and rules issued by the Regulator. The CO must therefore ensure that the licence holder is abiding by all licence requirements and regulations such as GDPR, ICT regulation, CRS, FATCA, Governance requirements, MBR firm specific filings and any other applicable regulations.
Contrary to common belief, the CO is not expected to draft and implement all the required policies and procedures and ensure that they are up to date with every issued regulation, but rather to ensure that these are established and implemented by the relevant departments within the organisation and followed by all employees (as necessary).
The CO’s responsibilities therefore include:
- Monitoring and assessing on a regular basis the adequacy and effectiveness of the measures and procedures put in place by the licence holder to comply with all its obligations in accordance with regulatory requirements and licence conditions, and recording and reporting any breaches of such requirements and outlining the actions taken to address any deficiencies;
- Advising and assisting a licence holder to comply with its legal and regulatory obligations.
Whereas the MLRO function may not be outsourced, except in very specific circumstances and subject to approval by the MFSA, the CO function may be outsourced by the subject person to third parties.
The CO function is an oversight function, responsible for ensuring that the subject person is abiding by all relevant regulatory and licence requirements, which is entirely distinguishable from the MLRO function, which is responsible for unusual activity reports, communication with the supervisory authority and ensuring that AML/CFT policies and procedures are in place, effective and implemented.
In terms of AML/CFT, the CO should therefore be overseeing the AML function, ensuring that the MLRO is fulfilling his/her function and that there are appropriate policies and procedures in place, which are being implemented and adhered to by the MLRO and all other employees within the subject person, as required by current regulation.
When the CO is burdened with MLRO duties, the CO would have a clear conflict of interest in this regard, since it becomes impossible for the CO to exercise effective oversight over, and assessment of, the AML/CFT function of the organisation.