The EU AML4 Directive (Directive)1 – an EU directive aimed at combatting money laundering and terrorist financing – has finally been transposed into Luxembourg law through the adoption of bill 71282. This occurred several months after the 26 June 2017 deadline for the implementation of the Directive, through the entry into force of a law amending the Luxembourg AML Law3 (AML Amending Law4) on 18 February 2018.

The AML Law sets out new requirements relating to, inter alia, the due diligence obligations for all professionals subject to the AML Law (Professionals), as well as the supervision by control authorities and self-regulatory bodies with respect to Professionals’ compliance with such obligations. The legal framework is generally more rigorous, as Professionals must comply with new requirements and update their internal procedures accordingly. Further, Professionals are subject to increased sanctions in the case of non-compliance.

Although most provisions of the Directive have now been implemented through the entry into force of the AML Amending Law, neither the implementation of a register of beneficial owners5 nor a register of trusts6 has yet been completed.

The Luxembourg financial supervisory authority (Commission de Surveillance du Secteur Financier, CSSF) published CSSF Circular 18/684 on 13 March 2018, to draw attention of the Professionals under its supervision to the entry into force of the AML Amending Law and the key changes made to the AML Law.

Below is a non-exhaustive summary of such key changes effected by the AML Amending Law.

Risk-Based Customer Due Diligence

Through the implementation of the Directive, all Professionals have the obligation to take appropriate measures (proportionate to their nature and size) to identify and evaluate the risks of money laundering and terrorist financing to which they are exposed. Professionals are required to adapt their customer due diligence in accordance with the risks identified through this assessment. The risk assessments must be documented, kept up-to-date and made available to the relevant control authorities and self-regulatory bodies.

The AML Law now contains non-exhaustive lists7 of: (i) risk variables to be considered by Professionals when determining appropriate customer due diligence measures (e.g., purpose of the relationship, size of the transactions undertaken, regulatory or duration of the business relationship); and (ii) risk factors (relating to clients, countries or geographical areas, products, services, transactions or distribution channels) that may be indicative of the level of risk of money laundering and terrorist financing. For example, a potentially lower risk might be posed by a company listed on a stock exchange and subject to transparency obligations, whereas a higher risk might be posed through the use of nominee shareholders or bearer shares.

Beneficial Ownership

The identification by Professionals of their clients’ beneficial owners constitutes one of the main customer due diligence duties under the AML Law. The AML Amending Law, by providing clarification as to the concept of beneficial ownership for companies and fiduciary arrangements (fiducie) and trusts, has increased Professionals’ duties regarding the identification of beneficial owners.

Prior to the adoption of the AML Amending Law, ownership of at least 25% of a company was sufficient to create the presumption of being a beneficial owner of the company. A different approach is now taken by the AML Law, which construes an ownership of at least 25% as merely an indication of direct or indirect ownership in a company. By reducing the importance of the ownership threshold in the determination of beneficial ownership, the AML Law opens the door for other persons (including those holding less than 25% ownership in a company) to be considered as beneficial owners.

The AML Law also now provides that, if no beneficial owner can be identified, or where it is not clear that an identified person is the beneficial owner, the principal senior managing official(s) of a company shall be considered as the beneficial owner(s) of the company.

Further, the AML Law clarifies the concept of beneficial ownership in relation to fiduciary arrangements and trusts, by providing that the following participants in a fiduciary or trust arrangement must all be considered as beneficial owners: settlor; trustee; protector, beneficiaries and any natural persons exercising control over the arrangement or entity, in each case notwithstanding any ownership percentage.

Politically Exposed Persons

Professionals are also obliged under the AML Law to put in place appropriate risk management systems (including risk-based procedures) to determine whether their customers or the customers’ beneficial owners are persons entrusted with an important public function (“politically exposed persons” or PEPs)8 or are related to such persons. If so, Professionals must apply enhanced due diligence measures with respect to such PEPs, including, inter alia, the obligation to: (i) obtain senior management approval for establishing business relationships with the PEPs; (ii) take adequate measures to establish the source of wealth and source of funds involved in the business relationship or transaction; and (iii) conduct enhanced ongoing monitoring of the business relationship with the PEPs.

Prior to the adoption of the AML Amending Law, the enhanced due diligence measures applied only to foreign PEPs. The AML Law no longer provides for a distinction between domestic and foreign PEPs. Furthermore, the definition of PEPs has been expanded to include, inter alia: directors and members of the board of an international organisation; and brothers and sisters as family members of PEPs. Therefore, there is now a broader category of PEPs for purposes of application of the AML Law’s enhanced due diligence measures.

Enhanced Adequate Internal Organisation

Professionals are required to establish appropriate policies, controls and procedures9 (proportionate to their nature and size) to mitigate and effectively manage the risks of money laundering and terrorist financing that they identify, at the international, European, national and sectoral levels, as well as with respect to the Professionals themselves. In connection with this obligation, Professionals must take measures to make their employees aware of applicable professional obligations and data protection requirements10, including through participation in ongoing training programs to recognise operations that may be related to money laundering and terrorist financing, and how to respond in such cases. In this regard, Professionals must have in place appropriate procedures for their employees to report breaches of professional obligations internally through a specific, independent and anonymous channel.

Professionals that are part of a group are required to implement group-wide data protection and information sharing policies and procedures, and those policies and procedures must be implemented effectively at the level of the Professional’s branches and majority-owned subsidiaries.

Further, prior to developing, launching or utilising new products, business practices (including distribution channels) or technologies, Professionals must consider and evaluate the potential risks of money laundering and terrorist financing that may be involved and take appropriate measures to manage and mitigate those risks.

Supervision and Sanctions

The AML Law now specifically lists the Control Authorities11 and Self-Regulatory Bodies12 that are the entities charged with monitoring Professionals’ compliance with their obligations under the AML Law (and, if required, with the cooperation of the competent authorities in the Member State where a Professional operating in Luxembourg has its head office). The Control Authorities and Self-Regulatory Bodies perform this monitoring based on the risks of money laundering and terrorist financing to which the Professionals are exposed13, and periodically (or upon the occurrence of a major change in a Professional’s management or activities) evaluate Professionals’ risk profiles in relation to such risks14. The Control Authorities are entrusted with all powers of supervision and investigation necessary to the exercise of their functions, within the limits of the AML Law15 – this includes the right to (among other matters): request documents or information; temporarily prohibit persons under their prudential supervision (as well as employees of the Professional or members of the Professional’s managing body) from exercising professional activities; request that the Luxembourg public prosecutor freeze or sequester assets; and impose administrative sanctions and measures (e.g., warnings, reprimands, public statements, suspension or withdrawal of the Professional’s authorisation), as well as administrative fines.

The maximum amount of administrative fines that the Control Authorities may impose is double the amount of any determinable benefit gained by the Professional, or EUR 1,000,000 if such amount cannot be determined. In the case of a credit institution or financial institution, the maximum amount of administrative fines is EUR 5,000,000 or 10% of the company’s total annual turnover.

The maximum amount of criminal fines provided by the AML Law has been increased to EUR 5,000,000.