Version date: 2 July 2021 - onwards

19 Internal control functions (paras. 169-178)

169. The internal control functions should include a risk management function (see Section 20), a compliance function (see Section 21) and an internal audit function (see Section 22). The risk management and compliance functions should be subject to review by the internal audit function. The responsibilities of control functions also include ensuring compliance with AML/CTF requirements.

170. The operational tasks of the internal control functions may be outsourced, taking into account the proportionality criteria listed in Title I, to the consolidating institution or another entity within or outside of the group with the consent of the management bodies of the institutions concerned. Even when internal control operational tasks are partially or fully outsourced, the head of the internal control function concerned and the management body are still responsible for these activities and for maintaining an internal control function within the institution.

171. Without prejudice to national law implementing Directive 2015/849/EU, institutions should assign the responsibility for ensuring the institution’s compliance with the requirements of that directive and the institution’s policies and procedures to a staff member (e.g. head of compliance). Institutions may establish a separate AML/TF compliance function as an independent control function [Please refer also to the EBA Guidelines on the AML/CTF compliance function (currently under development)]. The person responsible for AML/CTF should, where necessary, be able to directly report to the management body in its management and its supervisory function.