Regulations amending CSSF Regulation N°12-02 and Grand Ducal Regulation of 1 February on the fight against money laundering and terrorist financing, which impact all professionals subject to professional obligations and regulated, registered or supervised by the CSSF, have been published on 20 and 21 August 2020.
Regulations amending CSSF Regulation N°12-02 of 14 December 2012 on the fight against money laundering and terrorist financing (the “CSSF Regulation N°12-02”) and the Grand Ducal Regulation of 1 February 2010 (the “2010 Grand Ducal Regulation”) providing details on certain provisions of the amended law of 12 November 2004 on the fight against money laundering and terrorist financing (the “2004 Law”), were published on 20 and 21 August 2020, and entered into force on 24 August 2020.
The aim of the new CSSF Regulation N°20-05 (the “CSSF Regulation N°20-05”) and of the Grand-Ducal Regulation of 14 August 2020 (the “2020 Grand-Ducal Regulation”) is to make the necessary adaptations in order for these texts to become compliant with the Luxembourg anti-money laundering and counter terrorist financing (“AML-CTF”) regulatory framework in light of the recent implementations of the 4th and 5th AML directives into Luxembourg law.
In this respect, the publication of CSSF Regulation N°20-05 and of the 2020 Grand Ducal Regulation follows the entry into force of (i) the law of 25 March 2020 implementing the fifth AML directive and amending the 2004 Law on 30 March 2020 (more information on the 2020 Law can be found at the following link) and (ii) the law of 10 July 2020 setting up a register of fiducies and trusts (more information on the RFT Law can be found at the following link). CSSF Regulation N°20-05 and the 2020 Grand Ducal Regulation are also intended to further clarify certain aspects of CSSF Regulation N°12-02, the 2010 Grand Ducal Regulation and the 2004 Law.
This newsflash sets out the main changes brought by these regulations, which will impact professionals that are subject to AML-CTF obligations and are regulated, registered or supervised by the CSSF (e.g. credit institutions, investment firms and other professionals of the financial sector, investment funds and their management companies, etc.). These changes are, in essence, the following:
- clarifications about the implementation of the risk-based approach, in particular in the investment fund industry;
- specifications relating to the carrying out of customer due diligence (“CDD”) measures;
- implementation of the rules set by Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on information accompanying transfers of funds;
- specifications relating to the use of outsourcing arrangements;
- specifications relating to internal systems for the supervision of business relationships and transactions; and
- a specification relating to the cooperation requirement between the Commission de Surveillance du Secteur Financier (the “CSSF”) and the Cellule de Renseignement Financier (the “CRF”).
1. Clarifications about the implementation of the risk-based approach
1.1 Clarifications of the measures to be adopted at the level of the professional
In accordance with Article 2-2 of the 2004 Law, professionals are required to take appropriate steps to assess the overall risks of money laundering and terrorist financing (“ML-TF”) that they face, taking into account risk factors relating to e.g. their customers, countries or geographic areas, or the products and services they provide. On this basis, professionals must determine their “risk-based approach”. CSSF Regulation N°20-05 specifies that a professional’s assessment of the risk-based approach must, at all times, be based on its ML-TF risk appetite, which must be duly approved by its board of directors and put into place by its authorised management. CSSF Regulation N°20-05 also reminds professionals of the sources of information which must be taken into account in the assessment (e.g. the Supranational Risk Assessment, the National Risk Assessment and sub-sector Risk Assessments).
Furthermore, CSSF Regulation N°20-05 provides that professionals must ensure that they are organised in a way enabling them to annually complete the CSSF questionnaire about the collection of information on ML-TF risks in an accurate and exhaustive manner, and to submit this questionnaire to the CSSF within the required deadlines and via the channels determined by the CSSF.
1.2. Reminder of the measures to be adopted with respect to business relationships
Under Article 3 (2bis) of the 2004 Law, professionals are required, on the basis of their understanding of the nature and type of business relationship, to identify and evaluate the ML-TF risk presented by each of their customers and to classify all customers accordingly (i.e. low, standard or high-risk) in order to determine the intensity of CDD measures to be applied to each customer.
In line with the 2004 Law, CSSF Regulation N°20-05 reinforces the fact that, in order to determine whether a given business relationship presents a lower or higher risk of ML-TF, professionals are required to refer to the risk factors as provided for under Annexes III and IV of the 2004 Law, in addition to those referred to in CSSF circulars. In addition, CSSF Regulation N°20-05 provides that professionals must also take into account all other risk factors that they deem relevant in order to determine whether a business relationship requires simplified or enhanced CDD measures.
It should be noted that CSSF Regulation N°20-05 also provides that where a professional believes a business relationship to present a low risk of ML-TF and applies simplified CDD measures accordingly, the professional must be able to justify and demonstrate this business relationship’s low risk of ML-TF to the competent Luxembourg authorities for AML-CTF. However, CSSF Regulation N°20-05 additionally specifies that the risk assessment carried out by a professional does not, under any circumstances, entitle the professional to waive enhanced CDD measures where such measures are expressly prescribed under i.a. the 2004 Law or the 2010 Grand Ducal Regulation.
2. Specifications relating to the carrying out of CDD measures
2.1. Timelines for carrying out CDD measures
The 2020 Grand Ducal Regulation specifies that professionals must be able to prove to the competent supervisory authorities or self-regulatory bodies that the extent and frequency of CDD measures are appropriate in view of the risks of ML-TF of the customer. Furthermore, it provides that professionals must review and update the information on the customer at a frequency consistent with a risk-based approach, i.e. at least annually for high-risk business relationships, but in any case at least every seven years.
As regards virtual asset service providers, the 2020 Grand Ducal Regulation now states that such providers must apply CDD measures when carrying out occasional transactions exceeding a threshold of EUR 1,000 (and not the usual EUR 15,000 threshold).
2.2. Introduction of a definition of “customer”
The new CSSF Regulation N°20-05 defines a “customer” as a natural or legal person with whom a business relationship exists or for whom an occasional transaction is carried out, including persons purporting to act on behalf of the customer. In this respect, as regards investment funds, the concept of customer encompasses investors registered in the fund register.
2.3. CDD measures applicable to an intermediary acting on behalf of its customers
As a reminder, CSSF Regulation N°12-02 already stated that with respect to the subscription of units or shares of an undertaking for collective investment or an investment company in risk capital through an intermediary acting on behalf of his customers, enhanced CDD measures must be applied to the intermediary by the undertaking for collective investment, its management company, the investment company in risk capital or, where applicable, the respective proxy of the relevant professional. Building on this, CSSF Regulation N°20-05 further specifies that these enhanced CDD measures must be applied to the intermediary on a two-level basis, i.e.:
- the intermediary, the persons purporting to act on behalf of this intermediary and the beneficial owners of the intermediary must be identified, and their identities verified, on a risk-based basis; and
- enhanced CDD measures must be implemented for business relationships viewed as similar to correspondent banking with the intermediary.
2.4. CDD measures applicable to investments
The new CSSF Regulation N°20-05 introduces “know-your investment” measures, and now provides that within the context of the investment business, professionals are required to perform an analysis of the ML-TF risk related to a given investment and implement CDD measures in accordance with the risk-based approach. It also provides that such analyses must be duly formalised. The regulation further specifies that the risk analysis carried out on investments must be reviewed both annually and each time that a particular event requires a review.
In addition to the above, CSSF Regulation 20-05 states that professionals are required to identify the countries, persons, entities and groups subject to financial restrictive measures in relation to the assets managed by such professionals and must ensure that no funds will be made available to them.
2.5. CDD measures relating to the acceptance of a new low-risk customer
CSSF Regulation N°20-05 provides that professionals may now accept a customer presenting a low risk of ML-TF on the basis of an automated acceptance process which does not involve the intervention of a natural person at the level of the professional, provided that such process has previously been duly configured and tested and is reviewed on a regular basis by the professional.
It should also be noted that this process must also be in line with the professional’s own AML-CFT policies and procedures, as well with any further instructions to be issued by the CSSF.
2.6. Verification of the customer’s identity through electronic identification means
In line with Article 3 (2) (a) of the 2004 Law, CSSF Regulation N°20-05 expressly provides that, in order to comply with their obligation to verify the identity of the customer, professionals may use electronic identification means, including relevant trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council, or any other secure, remote or electronic identification process that is regulated, recognised, approved or accepted by the relevant national authorities.
2.7. Identification and verification of the identities of “persons purporting to act on behalf of the customer”
CSSF Regulation N°20-05 specifies that only the persons purporting to act on behalf of the customer, and not all proxyholders of the customer, must be identified and their identities verified. Therefore, professionals should only be required to identify and verify the identity of the persons acting on behalf of the customer with which such professionals are in contact.
2.8. Verification of the identity of the customer’s beneficial owner(s) using information available in central registers
In accordance with Article 3 (2) (b) of the 2004 Law, professionals are required both to identify their customer’s beneficial owners and to take reasonable measures to verify the beneficial owners’ identities, using i.a. the information available in public central registers of beneficial owners, such as the Luxembourg register of beneficial owners.
However, in line with the 2004 Law, CSSF Regulation N°20-05 also reiterates that the use of such central registers as the sole means of verifying the identities of a customer’s beneficial owners is not sufficient to constitute due compliance with the obligation to take reasonable measures to verify the identities of such beneficial owners. Therefore, a professional must take additional measures when identifying the identity of its customer’s beneficial owners in accordance with the customer’s ML-TF risk.
2.9. Simplified CDD measures
CSSF Regulation N°20-05 introduces a list of concrete examples of simplified CDD measures which may be applied by professionals with respect to low risk business relationships (such as e.g. updating information collected as part of the CDD measures only where certain triggering events occur). Such measures may include the simplification of the identification measures (and not only the verification measures).
In addition to the above, CSSF Regulation N°20-05 further specifies that, regardless of the frequency of review of the business relationship, professionals must verify at least once a year that the conditions justifying the application of simplified CDD measures are still present.
For the purpose of reviewing and updating the collected documents, data and information, CSSF Regulation N°20-05 provides that professionals may take into account various sources of information, e.g.:
- relevant publicly available data and information;
- the ML-TF national risk assessment report of the customer's country;
- mutual evaluation reports from the customer's country on AML-CTF;
- any other information obtained from a reliable and independent source.
2.10. Enhanced CDD measures
The new CSSF Regulation N°20-05 also provides concrete examples of enhanced CDD measures to be applied by professionals with respect to high-risk business relationships (e.g. obtaining additional information or documentation on the source of the funds involved and of wealth).
In addition to the above, the regulation further specifies that the CDD measures to be applied to politically exposed persons (PEP) must be carried out at least every six months.
2.11. Remotely entering into a business relationship without adequate guarantees
Under the 2004 Law, the on-boarding of new customers by professionals can be carried out either in person, or remotely without physically meeting the new customers. However, in accordance with Annex IV, point 2., c) of the 2004 Law, non-face-to-face business relationships constitute a factor of potentially higher risk of ML-TF where no “adequate safeguards” are taken by the professional in order to mitigate the risks stemming from the fact that the professional will not be meeting the customer in person. Here, CSSF Regulation N°20-05 gives examples of mitigation measures that professionals may implement (e.g. complementary measures ensuring the verification or certification of documents by a public authority, or an attestation from a credit institution subject to equivalent obligations).
2.12. Clarifications relating to obtaining supporting evidence
In the context of the CDD measures to be applied to customers’ funds, CSSF Regulation N°20-05 specifies that the obligation to obtain information about the origin of the customer’s funds, allowing the professional to carry out efficient CDD measures, may include, but not necessarily an obligation for such professional to obtain supporting evidence depending on the risk assessment of the customer.
In addition to the above, CSSF Regulation N°20-05 provides that supporting evidence may be required in relation i.a. to transactions requiring enhanced CDD measures.
3. Inclusion of the rules on the transfer of funds
CSSF Regulation N°20-05 sets out the rules under Regulation (EU) 2015/847 of the European Parliament and of the Council of 20 May 2015 on the transfers of funds, adding them to the text of CSSF Regulation N°12-02.
4. Specifications relating to the use of outsourcing arrangements
CSSF Regulation N°20-05 brings further specifications with respect to the use by professionals of outsourcing arrangements in order to have CDD measures performed by third parties (notably in relation to the content of such outsourcing arrangements, and to the obligation to perform due diligence on delegates and sub-delegates).
For funds specifically, the board of directors (or equivalent body) of a fund and/or the investment fund manager will be required to ensure that outsourcing arrangements contain the relevant detailed clauses specifying the roles and responsibilities of each party, and that such arrangements permit them to access any information deemed necessary for the performance of their function. They will also be required to perform ongoing, formalised monitoring of the delegated third party. It should also be noted that the fact that a registrar and transfer agent is considered as part of the fund or investment fund manager under the outsourcing arrangement does not exempt it from complying with its own AML-CTF obligations.
5. Specifications relating to systems for the supervision of business relationships and transactions
CSSF Regulation N°20-05 now provides that all professionals are required to appoint both (i) a person responsible for compliance with the AML-CTF professional obligations at the level of the authorised management or board of directors and (ii) a compliance officer in charge of the control of compliance with the AML-CTF professional obligations and further defines such functions.
CSSF Regulation N°20-05 also specifies the manner in which professionals must implement adequate and effective supervisory systems, in line with their obligation to have a good AML- CTF governance and internal organisation under Article 4 of the 2004 Law.
CSSF Regulation N°20-05 provides that the AML-CTF governance and internal organisation must follow the “three-line defence” model, i.e.:
- a first line of defence based on operational units, i.e. the persons in charge of business execution which are in direct contact with customers and which require a good understanding of the ML-TF risks;
- a second line of defence based on the person in charge of control, including other support, monitoring and compliance functions involved in AML-CTF matters, consisting of providing support, verifying the controls carried out by the first line of defence, and contributing to an independent control of the risks. The level of involvement of the second line of defence must increase with the customer’s risk level;
- a third line of defence based on the internal audit function which independently assesses the first two lines of defence and also verifies the effectiveness of the professional’s AML-CTF policies, procedures and programmes.
6. Cooperation between the CSSF and the CRF
In line with CSSF Circular 11/528, CSSF Regulation N°20-05 provides that, where a professional notifies the CRF under Article 5 of the 2004 Law of a suspicion relating to another CSSF-supervised professional, a member of the staff or management bodies of such professional, or where such information is likely to have a wider impact on the financial