The 2020 CSSF revamp of the 12-02 Regulation, a small revolution for the AML landscape in Luxembourg

After being under discussion for several months, and following the transposition of the AML5D into the Luxembourgish law in March 2020, the Regulation was eventually finalised in order to provide clarity to professionals on certain key aspects of the new law.

This amended Regulation will apply pressure on the Luxembourgish market with a set of new requirements, covering mainly the risk-based approach, the client-acceptance process, the expected documentation at client file level, the identification of the beneficial owner and the ongoing due diligence.

Scope

• To be aligned with the Law, professionals supervised, authorised or registered by the CSSF, including branches of foreign professionals notified to the CSSF and professionals established under the laws of foreign countries notified to the CSSF, who supply services in Luxembourg without establishing any branch in Luxembourg are now under the scope of the present regulation (art. 2 (1)).

Risk based approach

• As part of the analysis of the strength of the ML/FT environment of intermediaries, two levels of due diligence measures are now expected (art. 3 (2)):
  • Identification and verification of the identity of the intermediary, persons acting on its behalf and its beneficial owner(s) are to be performed using a risk-based approach;
  • Enhanced due-diligence (“EDD”) measures must be applied by the professional on the relationship, which is similar to a correspondent banking relationship.

• The concept of identification, assessment and understanding of the risks by the professional is much more comprehensive compared to the former risk evaluation concept (art.4). This concept includes now the determination of the risk materiality to adapt the due diligence measures:
  • As part of its risk assessment, each professional must refer in their policies at a minimum to the following sources of information (art 4 (1)):
    • National Risk Assessment;
    • Supra National Risk Assessment;
    • Joint Guidelines from ESMA, EBA and EIOPA;
    • Sub-sector Risk Assessments; and
    • CSSF publications.
  • Professionals must be able to share with the CSSF information about their risk assessment upon request. Information shared must be accurate and complete (art. 4 (2 & 3));
  • As part of their risk-based approach, professionals must define and set up their own risk appetite. This must be approved by the Board of Directors and made available to all employees. Policies and procedures will also have to be in line with the risk appetite framework. (art 4. (4)).
• Although minimal EDD criteria have been defined in article 3-2 and Appendix IV of the Law, professionals should include additional relevant factors when conducting their risk assessment of a business relationship (art 5 (2));
• Similarly, for Simplified Due Diligence ("SDD"), although minimal criteria have been defined in Appendix III of the Law, if properly evidenced, professionals can include additional relevant factors when conducting their risk assessment of a business relationship (art 5 (2));
• The classification by the level of risk must be based on an understanding of the nature and the activity of the client relationship (art. 5 (1)).

Customer due diligence – client acceptance

• Now all high-risk clients need to obtain an approval from the AML/CFT compliance officer (art.9);
• In case of low- risk clients, the acceptance process can be simplified. The CSSF allows professionals to use an automated process if they can demonstrate this process is reliable and efficient (art. 9).
• The acceptance of customers who seek to open a numbered account is subject to a formal written authorisation from management (art. 10 (2)).
• Anonymous accounts and anonymous safes are not allowed. This ban also covers the use of a fictitious name. In addition, in the case of opening a safe, professionals have to apply due-diligence measures in the same way as for any other client relationship i.e. subject to all risk assessment procedures (art. 10 (2 & 3)). 

Due diligence on transfers of funds

• The accuracy of the information on the payer must be verified by the payment service provider of the payer before a transfer of above 1000 EUR within the EU is made. Moreover, for any transfer above 1000 EUR within the EU, and before crediting the funds, the payment service provider of the payee is now required to verify that no information is missing for the payee. In the case of missing or incomplete information, and based on its risk assessment, the payment service provider of the payee can either reject the payment or request the missing information. To do so, the payment service provider of the payer must make available this information upon request of the payment service provider of the payee within a period of 3 working days (art 15 (2)).
• In the case of a transfer to a payment service provider outside the EU below 1000 EUR, it is not mandatory for the payment service provider of the payer to verify the information of the payer (art 15 (2)).
• In the case of a transfer based on cash or anonymous e-money, or in the case of suspicion of money laundering or terrorism financing, identification and verification measures must be put in place for both the payer and payee, regardless of the amount (art 15 (3)).
• Professionals providing Money or Value Transfer Service(s) must respect the local obligations applicable in the countries in which they provide their services (art. 15 (5)).

Customer due diligence – identification and verification of the identity for standard due diligence

• Individuals are required to provide professionals with the full address of their main place of residence (art. 16 1.) (except where simplified due diligence can be applied).

• For legal entities, the business address is required when different to the registered address. In addition, for managers and directors only the name of the persons acting as part of the business relationship needs to be obtained (art. 16 2.).
• For funds under the supervision of the CSSF, requirements from article 16 1. must be obtained for the initiator and promoter of the fund (art. 16 3.).
• The beneficial owner declaration obtained needs to be challenged by the professional (art. 17).
• As part of accepted documents to validate proof of identity, driving licenses have been added. It can also include any other documents issued by a public authority. Other secured or electronic identification documents are acceptable if they are approved or accepted by the national authorities in the country in which the client operates (art 18 (1)).

Customer due diligence – identification and verification of the identity for individuals or legal persons acting on the behalf of the client

• The applicable criteria for an individual or legal entity acting on behalf of the client are the same as those described in article 16. However, where simplified due diligence can be applied, the risk based approach has been refined.

Customer due diligence – identification and verification of the identity for beneficial owner

• Clarification has been provided regarding the expectations in terms of data needed to identify the beneficial owner. The full address of the main place of residence is now required and also, if the professional considers it as necessary, the ID card number (art. 21).
• The national beneficial owner register, even though it can be consulted by the professional, is not considered as the sole relevant source in itself. Additional information needs to be obtained in order to verify the identity of the beneficial owner (art. 22 (1)).
• For fiduciary entities and trusts, the identity of the beneficial owner can be verified when a payment occurs or when the beneficial owner exercises his rights. The same applies when the beneficiaries cannot be clearly defined as they are designed by a category of individuals as long as the professional has collected enough information on the beneficial owners to be able to identify them when a payment occurs or when they exercise their rights (art. 22(3)).

Evaluation, understanding and obtaining information about the purpose and nature of the business relationship

• The professional now needs to collect, record, analyse, understand and record information on the source of funds of the clients. In the case of high-risk business relationships, the professional may ask for corroborative documents (art. 24).

Enhanced, Simplified Due Diligence and non face-to-face business relationships

• The professional may obtain corroborative documents regarding the economic background of the transaction and assess its plausibility in case of enhanced due-diligence (“EDD”) measures (art. 26).
• Requirements for relevant documentation to obtain in the case of SDD (including periodic review) have been included in the new article 26, and includes amongst others the following:
  • Regarding the identification and verification of the identity of the client and beneficial owner, the possibility to only check that the first payment is coming from an account held in the name of the client with a bank or financial institution regulated in an EEA country or an equivalent country.
  • In certain circumstances,  identification documents other than purely passports or identity cards can be accepted. They must be reliable and from an independent source.
  • The periodic review can be performed on a trigger event basis only, such as a change in the behaviour of the client transactional profile, subscription to more risky products etc.
  • In case of a person acting on behalf of the client, just the country of residence will be needed for the place of residence (and not all details required by art. 16).
  • For regulated financial institutions, not all criteria of art. 16 must be collected for the proxies, a letter from the financial institution confirming that the latter applied due diligence measures to these persons and that it carried out regular controls of these persons will be acceptable.

• The Regulation also provides examples of due diligence that can be applied by professionals in the case of non face-to-face business relationships (art. 27).

Cross border correspondent relationships and other similar relationships

• The professional must obtain comfort over the effectiveness of the AML/ Counter Terrorist Financing ("CTF") control framework in place at the foreign entity level (art. 28 (1)).
• The enhanced due diligence performed by the professional must be adapted on a case by case basis depending on the overall environment in which the foreign intermediary is acting (art. 28(3)).

Politically Exposed Person (“PEP”)

• The Regulation details the minimum set of measures to take to detect PEP. In addition, the screening to detect PEP has to be done every 6 months at least (art. 30).

High-risk country

• As soon as a business relationship involves an individual located in high-risk countries (as defined in article 1 paragraph 30 of the Law) the professional must apply EDD (art. 31(1)).
• Transaction IN and OUT with a high-risk country must to be monitored through EDD measures which can include corroborative supporting documents (art. 31 (2)).

Ongoing monitoring of transactions

• The economical background of abnormal, complex or unusual transactions must be analysed by the professional in connection with the client risk profile in order to get reasonable comfort over them. This can include requests for relevant corroborative supporting documentation (art. 32 (2)).

Blacklist and sanction list screening

• The Regulation clarifies article 3, paragraph 2, point d) of the Law. As part of the constant vigilance, professionals must at least honour the obligation to perform real-time screening (art. 33(1)).
• Controls and measures are expected to be in place to ensure that updates to the screening system are immediately and automatically made following any amendments to the official sanction list. This is also applicable when the professional is using an external provider (art. 33(3)).

Activities requiring particular attention

• As part of the investment activities monitoring process, professionals must perform an assessment of the risks linked to the investments and adapt their due diligence in line with the conclusion of the assessment. It is required to document the analysis. The assessment of the risk of the investment must be reviewed at least annually (art. 34 (2)).

Periodic update of client files

• In the case of a high-risk client, a periodic review must be performed at least annually.
• For clients that are subject to SDD measures, professionals will have to review the application of the SDD methodology annually to ensure that the conditions leading to the application of the SDD are still valid. In the case of no operation for a period of one year, this review will have to take place upon reactivation of the client relationship (art. 35 (2)).
• In the case of a backlog in the periodic review of files, follow ups and action plans are expected to be presented and approved (art. 35 (4)).

Execution of due diligence measures by third parties 

• The Regulation stresses that the ultimate responsibility remains at the level of the professional in the case of a third-party introducer (art. 36 (2)) or outsourcing (art. 37 (3)). The expectations in terms of outsourcing have been completed as follows:
  •  The outsourcing policy needs to include the process of selection and assessment of the delegated third party and related risks also in case of sub-outsourcing (art. 37 (2) and (2bis)); the assessment needs to be done before signature of the outsourcing agreement (art. 37 (2));
  •  The professional shall ensure that the delegated third party has adequate resources to perform the delegated tasks (art. 37(2));
  • The Regulation gives examples on how the professionals shall regularly monitor that the delegated third party is observing their commitments deriving from the contract. Regarding client data, the professionals and the CSSF must have access rights to the system and database of the delegated third party (art. 37(2));
  • This applies as well to management companies and Board of Directors of funds that delegate tasks to transfer agents and portfolio managers (art. 37(2bis) and (4));
  • The Regulation clearly states that even in the case of delegation to the transfer agent this latter is also responsible with regard to the AML/CTF tasks it executes on behalf of the investment fund (art. 37(4));
  • Professionals are responsible to ensure that the delegated third parties are GDPR compliant (art. 37 (5)).

Monitoring system for business relationship and transactions

• Professionals shall perform screening on the assets they manage (art. 39 (1bis)).
• Client databases need to be complete and up to date and the four eyes principle needs to be applied to validate the accuracy of the KYC data (art. 39 (2)).

Internal organisation

• Policies need to be more detailed on topics such as the procedure for the appointment of the key AML responsible persons (i.e. the person responsible for compliance with AML/CTF professional obligations and the person responsible for its control), the risk appetite framework, the selection and recruitment of employees, the sharing of information between Group entities, at Group level and with the foreign branches and subsidiaries proper coordination and implementation of AML/CTF policies and procedures … (art. 38).
• The Regulation describes the expectation in terms of the lines of defence model and sets out the roles and responsibilities of the person responsible for compliance with AML/CTF professional obligations and the person responsible for its control (art. 39 (7) and art. 40-43).
• The person in charge of the control of compliance with AML/CTF professional obligations needs to prepare a report (at least on an annual basis), which is to be communicated to the person responsible for compliance with AML/CTF professional obligations, the Board of Directors and the authorised management (art. 42 (6)). This report must be sent to the CSSF within 5 months following year-end. This is not applicable to a Luxembourgish investment fund having a Luxembourgish management company (art. 42 (7)).
• The internal audit function must test and assess the controls in place. The internal audit function shall cover also the subsidiaries and branches (art. 44 (2 & 3)).
• An ongoing compliance training plan must be in place, which includes all employees, including the members of management bodies. Training sessions need to be adapted in line with the competencies of the employees (art. 46 (1)).

Cooperation with authorities

• Declarations to the FIU needs to be done without any delay as set in article 5 paragraph 1, point a) of the Law (art. 48 (1)).
• All professionals need to register to the communication tool put in place by the FIU (art. 48 (2)).
• All communication sent to the FIU when they are linked to a professional under CSSF supervision, needs to be shared also with the CSSF (art. 48 (4)).

Controls done by an external function

• The CSSF could replace the AML section of the current Long Form Report by a new dedicated report (art. 49 (4)).
• Professionals not subject to the obligation to have a Réviseur d’entreprise agréé must ask an independent external party with the relevant AML/ CFT skills to perform a dedicated assessment of its compliance with the AML rules applicable in Luxembourg. More details regarding this point are expected in an upcoming CSSF Circular (art. 49 (5)). 

1. PwC Luxembourg (www.pwc.lu) is the largest professional services firm in Luxembourg with 3,000 people employed from 75 different countries. PwC Luxembourg provides audit, tax and advisory services including management consulting, transaction, financing and regulatory advice. The firm provides advice to a wide variety of clients from local and middle market entrepreneurs to large multinational companies operating from Luxembourg and the Greater Region. The firm helps its clients create the value they are looking for by contributing to the smooth operation of the capital markets and providing advice through an industry-focused approach.

2. The PwC global network is the largest provider of professional services in the audit, tax and management consultancy sectors. We are a network of independent firms based in 157 countries and employing over 276,000 people. Talk to us about your concerns and find out more by visiting us at www.pwc.com and www.pwc.lu.