Anti-money laundering and banking supervision

Speech by Elizabeth McCaul, Member of the Supervisory Board of the ECB, at Leaders in Finance AML Europe 2023 event

Brussels, 29 June 2023

Introduction

Thank you very much for inviting me to speak at this conference.

Money laundering and terrorist financing can pose a grave threat to the sound management of banks and, by extension, the stability of the financial system. They can tarnish a bank’s reputation, hamper its funding, affect its customer relationships and even threaten its very survival. That is why anti-money laundering and countering the financing of terrorism (AML/CFT) matter to ECB Banking Supervision, even though ensuring banks comply with AML/CFT rules is not part of our mandate.

For me, the fight against terrorist financing is personal. I remember well when I held office as Banking Superintendent on 9/11. In the days, weeks and months that followed the planes hitting the twin towers, we mourned the enormous loss of life and picked up the pieces to get the markets in New York functioning again. We worked collaboratively to understand how the attacks were financed with a team of supervisors, industry representatives, law enforcement agencies and legislators. And we helped to draft the USA PATRIOT Act and design the regulatory framework required to protect citizens and prevent the financial system from being used by terrorists. Today, this framework and similar ones globally fostering critical information sharing are as relevant in the context of Russia’s unjust war against Ukraine as they are in preventing human traffickers – such as those who recently smuggled migrants to their horrifying deaths in the Aegean Sea – and drug traffickers from using the financial system. Protecting human life through doing our part to safeguard the integrity of the financial system is paramount.

Today I would like to touch upon three factors.

First, I will highlight the importance of finalising the legislative discussions on the AML package and establishing an AML authority.

Second, I would like to say a few words about how we look at sanctions compliance from a prudential supervision perspective. As with AML/CFT, although we are not responsible for ensuring banks comply with sanctions, the latter may still have significant implications for banking supervision.

Third, I will conclude by making a few remarks about the use of artificial intelligence (AI) for AML/CFT, which I believe is also the topic of a breakout session today.

AML package

European banking supervision was created following the realisation that rules and supervision fragmented along national lines could threaten the integrity of the financial system and the Single Market within the EU. A similar realisation underpins the AML/CFT legislative package designed to implement a strong, harmonised and effective AML regime at EU-level.

What we need to do now is help finalise this crucial project. We strongly encourage the EU co-legislators to reach a political agreement on an effective European Anti-Money Laundering Authority (AMLA) as soon as possible. The new authority and the new single rulebook will increase the harmonisation and consistency of AML/CFT supervision and will represent an important step towards a more integrated EU internal market. They will also help prudential supervisors present a clearer picture of the impact of AML/CFT-related supervisory findings on an entity’s prudential risk profile.

In this respect, two factors are of particular importance. The first is cooperation between prudential supervisors and AML/CFT supervisors. Although the ECB’s supervisory tasks explicitly exclude AML/CFT supervision of banks, we are required to take AML/CFT-related findings into account in our prudential supervision.

This cooperation is essential at every stage of a bank's life cycle, from granting a licence to assessing the suitability of managers, to reviewing business strategy risks and lastly, to deciding whether and when to withdraw a licence.

But why is this cooperation so important? Because money laundering and terrorist financing are not isolated issues but are in fact intricately linked to a bank’s overall governance and management. A bank that struggles with AML/CFT issues often suffers from structural weaknesses in their internal controls and governance. These weaknesses can lead to an array of problems ranging from inadequate risk assessment to poor customer due diligence. If they work together, supervisors from the AML/CFT side and the prudential side can address these issues more effectively and ensure the overall soundness of our banking sector. The new European Banking Authority Guidelines^[1] set out clear expectations for the role, tasks and responsibilities of a bank’s AML/CFT compliance officer and management body. AML/CFT compliance officers should be part of the second line of defence and independent of the business lines they oversee.

However, cooperation alone is not enough. We also need a robust framework that promotes effective supervision and information sharing. This is where the new AMLA comes into play. The creation of this new authority will be a significant step towards ensuring that AML/CFT rules are applied more effectively and consistently across countries.

AMLA has a central role to play in simplifying the current tools for cooperation between AML/CFT authorities and prudential authorities through the creation of a data hub to encourage the exchange of information. The ECB would be a key beneficiary of, and contributor to, this data hub. We therefore fully support the implementation of a memorandum of understanding between the ECB and AMLA to encourage information sharing. With broad access to high quality data, AMLA can be a powerful data hub that will enhance the efficiency and effectiveness of cooperation and information sharing between authorities. It may also promote effective public-private partnerships for information sharing as a complement to legally permissible private-private partnerships, all of which form part of the AML ecosystem.

Let me now turn to my second point on the AML package.

From the outset, AMLA must be a strong and independent authority responsible for the direct supervision of a sufficiently large number of entities. In our experience, based on the ECB Banking Supervision set-up, it makes sense to directly supervise a broad range of entities at EU level and to select these entities on the basis of objective and transparent criteria.

To help harmonise supervisory practices, the pool of entities directly supervised by AMLA could include at least one entity, ideally a group, from each Member State. We welcome the Council and the Parliament’s proposal to significantly increase the number of supervised entities to 40, with scope to expand this number in the future.

Our own experience shows how important it is for AMLA, as an EU-level supervisor, to have sufficient resources, notably budget, to fulfil its tasks. This is true for off-site supervision, for which AMLA’s staff will work alongside staff from national supervisors in joint supervisory teams. However, it is even more important to ensure that AMLA has enough staff to carry out on-site inspections, which are the most intrusive supervisory tool and essential in giving us a sense of what is going on within supervised entities. In line with our approach to prudential banking supervision, responsibilities for on-site inspections and off-site supervision should ideally be allocated to different teams, whereby the scope to deploy cross-border teams is invaluable. This structure enables us to take a more comprehensive and effective approach to supervision, ensuring that we can promptly identify and address potential issues.

The creation of AMLA is an opportunity for the EU to further harmonise its AML/CFT framework and promote supervisory collaboration, thereby strengthening the prevention of money laundering and terrorist financing risks. The ECB has significantly enhanced its toolkit to support the European response to these risks. But many prudential supervisory tasks rely on support and input from AML/CFT authorities. That is why the AML/CFT legislative package is a great opportunity for enhancing cooperation – even fostering effective collaboration – between AML/CFT and non-AML/CFT authorities.

Sanctions

Let me now turn to the topic of sanctions, such as those adopted in response to Russia’s war in Ukraine.

The ECB neither imposes sanctions or restrictive measures nor monitors banks’ compliance with them. Banks are responsible for implementing and monitoring compliance with the different sanctions regimes.

However, sanctions and potential AML second-order effects stemming from sanctions and the risk of circumvention can have consequences for banking supervision. For instance, a fine for a breach could reduce a bank’s capital, potentially affecting its ability to handle losses. Similarly, if a bank disregards sanctions, it risks harming its reputation, which could ultimately affect its business. Moreover, weaknesses in a bank’s internal governance, such as insufficient board oversight or weak internal controls, could affect its ability to comply with sanctions. That's why the ECB, as prudential banking supervisor, monitors the impact of sanctions on banks’ internal governance and controls.

In practice, this means assessing if a bank is well-prepared to comply with sanctions. Does the bank’s board and senior management exercise strong oversight of the impact of sanctions on the entire banking group? Does the bank have robust internal control functions, such as a proactive compliance department that monitors developments under different sanctions and assesses their impact on the bank? Does it have adequate risk management arrangements in place for transaction approvals and client engagement? It is imperative for banks to ensure that their processes can effectively and proactively mitigate legal and reputational risks.

Use of AI for AML/CFT

Let me now turn to my final topic: the use of AI for AML/CFT.

We live in a time of rapid technological progress, as evidenced by the hype around generative AI and its potential to revolutionise the way we work. Indeed, AI has already been used for AML/CFT for a long time.

AI is exceptionally good at analysing vast amounts of financial data and identifying patterns, making it much easier to identify suspicious transactions or money laundering activities which can be flagged for further investigation. Besides reducing the amount of manual work required, this improves the effectiveness and accuracy of transaction monitoring systems. Similarly, natural language processing can help to analyse and review unstructured text data to identify potential risks and connections between individuals or organisations. AI can help to identify hidden links and connections, uncovering complex networks and relationships between individuals and entities potentially involved in money laundering and terrorist financing.

However, let’s be clear: AI is not a panacea. It has to be handled with care. For example, AI algorithms and datasets may sometimes not only reflect, but even reinforce, unfair biases. Using AI for decision-making can lead to inaccurate or unfair outcomes such as missing suspicious activity. If not properly addressed, these issues could pose additional operational and reputational risks to a bank. Properly harnessing the potential of AI means using it in a way that reduces, rather than exacerbates, risk.

The mature use of AI requires sound governance frameworks including data and model governance, quality assurance and controls to ensure the transparency and explainability of AI systems. AI can only augment human judgement, not replace it.

Conclusion

Let me conclude.

We all stand to gain from strong and effective AML supervision in Europe. It is therefore vital that co-legislators quickly agree on establishing a strong, robust and effective AML authority and framework, which effectively serves to protect everyone in the EU from the outset.

Thank you for your attention.