The Commissariat aux Assurances (the “CAA”) has just published a new regulation relating to the fight against money laundering and terrorist financing (“AML/CTF”): Regulation No. 20/03 of 30 July 2020 (the “New Regulation”).

The aim of the New Regulation is to replace and repeal the amended CAA Regulation No. 13/01 of 23 December 2013 on the fight against money laundering and terrorist financing (the “13/01 Regulation”) following the legislative changes resulting from the implementation of EU Directive 2015/849 and EU Directive 2018/843 (respectively the fourth and fifth anti-money laundering directives).

In line with the new Grand Ducal Regulation of 14 August 2020 (the “2020 Grand Ducal Regulation”) amending the Grand Ducal Regulation of 1 February 2010 and the new CSSF Regulation N°20-05 amending the CSSF Regulation N°12-02 of 14 December 2012 on the fight against money laundering and terrorist financing (more information on these two regulations can be found at the following link), the New Regulation details a number of provisions already contained in the repealed 13/01 Regulation, as well as certain provisions of the amended law of 12 November 2004 on the fight against money laundering and terrorist financing (the “2004 Law”), and introduces new requirements relating to AML/CTF that affect professionals in the insurance business.

The aim of this newsflash is to set out the main changes brought by the New Regulation, namely:

  • specifications relating to the scope of application of the AML/CTF obligations;
  • clarifications about the risk-based approach;
  • specifications relating to customer due diligence measures, including simplified and enhanced customer due diligence measures, ongoing monitoring and the timelines for carrying out such measures;
  • explanations on the content of group-wide policies;
  • explanations regarding the split of competence between the Responsible for Compliance and the Compliance Officer.

1.     Specifications relating to the scope of application of the AML/CTF obligations

As regards the general scope of application, the New Regulation specifies that insurance undertakings, reinsurance undertakings and intermediaries immediately fall within its scope when they are issued an authorisation to conduct the classes of life insurance referred to in Annex II to the amended law of 7 December 2015 on the insurance sector and/or classes 14 (credit) and 15 (surety) of non-life insurance referred to in Annex I to that same law. The New Regulation also reminds professionals that Luxembourg branches of foreign professionals, and professionals established under the laws of foreign countries providing services into Luxembourg on a cross-border basis, fall within the scope of the 2004 Law.

Accordingly, they must take the measures required by the AML/CTF legislation before beginning any activity in the branches of activity falling within the scope of the AML/CTF requirements.

The New Regulation also specifies that the provisions relating to financial sanctions apply to all natural and legal persons subject to the supervision of the CAA, irrespective of whether they are also subject to the 2004 Law.

2.     Clarifications about the risk-based approach

The requirements relating to the risk assessment to be carried out at the level of the professional previously contained in the 13/01 Regulation are now more detailed.

The New Regulation, for instance, clearly specifies that when carrying out the risk assessment relating to its own activity (risk assessment at entity level), a professional must refer to various sources, e.g.:

  • the supranational report from the European Commission on the assessment of the risk of money laundering and terrorist financing;
  • guidance issued by the European Supervisory Authorities; and
  • the relevant rules issued by the CAA.

Furthermore, in relation to the risk classification of its clients, in accordance with the 2004 Law, the New Regulation provides that professionals must also take into account the beneficiary of the life insurance contract as a relevant risk factor when assessing whether enhanced due diligence measures are required.

3.     Specifications relating to customer due diligence measures

3.1 General customer due diligence measures

The New Regulation specifies what is meant by the term “customers”. In relation to group life insurance contracts, the New Regulation clarifies that insured persons are to be viewed as customers where they have active powers over the contracts.

With regard to the performance of customer due diligence measures, the New Regulation provides that if the customer is materially unable to provide an identity card or a passport in the course of the identity verification process, the professional may alternatively obtain the residence card, the driving license or any other similar document. Furthermore, the New Regulation introduces the possibility for professionals to use electronic means of identification to comply with their customer due diligence obligations.

As regards the process of verifying the identity of customers which are legal persons, the New Regulation now specifies that if more than three months have elapsed between the entry into the business relationship and the conclusion of an insurance contract, the professional must ensure that all the documents requested are still up to date at the time the contract is concluded.

Furthermore, for each type of customer (low, standard or high risk), the professional's procedures must reflect which members of the anti-money laundering department can accept or review a file according to their level of seniority.

Finally, a new article relating to portfolio transfers has also been included in the New Regulation. Pursuant to this new provision, due diligence measures on i.a. the transferor’s AML/CTF policies and procedures must now also be carried out by the transferee in the event of a portfolio transfer, whether the transferor is located in Luxembourg, the European Economic Area or a third country.

3.2 Simplified customer due diligence measures

The New Regulation further specifies the requirements applicable to the customer acceptance procedure and, in particular, provides that in situations which have been identified as presenting a lower risk of money laundering, an automated process which does not involve human intervention may be used. In this case, the professional must ensure that this tool is configured in such a way that the names of the persons who validate the files, as well as the date and time of such validations, are traceable.

It should also be noted that a provision has been introduced to provide examples of simplified customer due diligence measures that may be applied in low-risk relationships. For instance, in the case of clients subject to an authorisation or approval regime, evidence of such authorisation or approval may be sufficient, under certain conditions, to satisfy customer due diligence requirements.

3.3 Enhanced due diligence measures

With respect to politically exposed persons (PEP), the New Regulation sets out measures in addition to those in the 2004 Law, e.g. the systematic involvement of the Compliance Officer in the customer acceptance procedure or the enhanced ongoing monitoring of the business relationship.

A non-exhaustive list of measures relating to the acceptance and monitoring of business relationships and operations involving high-risk countries has also been included in the New Regulation, in line with the 2004 Law. In particular, this list contains the obligation to obtain additional information on the customer and beneficial owner(s) and to regularly update customer and beneficial owner identification data.

3.4 Specifications relating to remote entry into a business relationship

The New Regulation highlights that, in the event of the remote entry into a business relationship (i.e. when no "face-to-face" identification is carried out), the professional needs to have put in place electronic means of communication, relevant trusted services within the meaning of Regulation (EU) No 910/2014, or any other secure electronic or remote identification process that is regulated, recognised, approved or accepted by the relevant national authorities in accordance with the 2004 Law.

If not, other specific measures must be taken, and must be clearly defined in the professional's procedures, in order to compensate for the risk involved in this type of relationship (which is listed as a factor for potentially higher risk in the 2004 Law).

3.5 Ongoing monitoring

The New Regulation also includes a series of specifications relating to ongoing due diligence measures:

  • with respect to the detection of complex and unusual operations and transactions, several examples of operations having no apparent economic or visible lawful purpose have been included;
  • a provision now gives detail on the professional’s obligation with respect to the use of filtering tools through which controls are performed to detect States, natural and legal persons, entities and groups subject to restrictive measures in financial matters;
  • in accordance with the 2004 Law, the New Regulation provides that insurance contracts having securities or instruments not listed on a regulated market as underlying assets shall require particular attention. This activity covers situations where a life insurance undertaking becomes a legal owner of companies held as assets underlying unit-linked insurance liabilities. In such case, the insurance undertaking must take measures to ensure that it is aware of the nature and extent of its participation in these companies. If it exerts a dominant influence or a control over these companies, the undertaking is required to implement adequate procedures to have an overview of the companies’ financial flows, to ensure that they are not used for purposes of money laundering or terrorist financing.

3.6 Timelines for carrying out customer due diligence measures

Professionals are required to take into account the level of risk assigned to the client or business relationship when reviewing documents, data or information gathered as part of compliance with customer due diligence requirements. The New Regulation specifies that the frequency of the update must be chosen based on the results of the relevant risk assessment. In this sense, professionals are required to put in place procedures that define what an appropriate frequency is, and must be able to prove to the competent authorities that the scope and frequency of the review are appropriate to the type of customer and risk identified.

In line with the 2020 Grand Ducal Regulation, the New Regulation specifies that professionals must be able to prove to the competent supervisory authorities that the extent and frequency of the due diligence measures are appropriate in view of the risks of money laundering or terrorist financing attached to the customer in question, and further provides that professionals must review and update the information on the customer, taking a risk-based approach, but in any case at least every seven years.

4.     Explanations on the content of group-wide policies

In order to comply with the new provisions of the 2004 Law on this topic, the New Regulation sets out explanations on the policies relating to the AML/CTF requirements that must be implemented at group level.

The professionals must notably coordinate these policies and their implementation at group level with their branches and subsidiaries in Luxembourg and abroad. Moreover, the New Regulation states that where the law of a country does not enable the implementation of these policies, professionals must take additional measures to effectively deal with the resulting risk of money laundering and terrorist financing.

5.     Explanations regarding the split of competence between the following two persons: the Responsible for Compliance and the Compliance Officer

In line with the amended version of the 2004 Law, professionals are required to appoint a “person responsible for compliance” at the level of their management. Pursuant to the New Regulation, depending on their activities, size and organisation, professionals must also appoint a compliance officer who is responsible for monitoring compliance with AML/CTF requirements.