Bill 7128 (the "Bill") implementing some of the provisions of Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (the "4th AML Directive") has been brought before the Luxembourg Parliament. The Bill will amend a number of Acts, in particular the AML Act of 12 November 2004, as amended (the "AML Act").

The Bill is mainly intended to implement the provisions of the 4th AML Directive with regard to the application of "a holistic, risk-based approach" by all professionals subject to the AML legislation.

Two-step implementation

The Bill transposes the provisions of the 4th AML Directive relating to obligations applicable to professionals in the framework of the fight against money laundering.

The provisions of the 4th AML Directive regarding the obligation of all corporate and other legal entities incorporated in Luxembourg to obtain and hold adequate, accurate and current information on their beneficial ownership, including the details of the beneficial interests held as well as the storage of such information in a central register, are not part of this Bill.

A holistic, risk-based approach

Professionals will be obliged to evaluate risks on a case-by-case basis. As a result, there will no longer be situations or transactions in relation to which they can automatically conduct simplified customer due diligence. On the other hand, the Bill contains a description of situations deemed to be higher risk and in relation to which professionals must ensure enhanced customer due diligence in order to manage and mitigate the risks appropriately.

Additional compliance obligations

In order for professionals to be able to efficiently mitigate and manage risks, the Bill requires them to have or put in place appropriate internal organizational and procedural rules, policies and controls which must be proportionate to the nature, particularities and size of the professional. These include internal AML rules and procedures, management policies, document preservation measures, the regular training of personnel, etc., as well as a compliance officer and possibly an independent audit, depending on the size and nature of the professional's activities. The Bill also provides for specific rules to be applied at group level.

Data protection obligations

The Bill requires professionals to provide new clients with the information required by Article 26(1) of the Data Protection Act of 2 August 2002, as amended (the "Data Protection Act"). This information must be provided prior to the start of the business relationship or execution of the transaction and should include a general disclaimer regarding the professional's obligations under the AML Act as regards the processing of personal data in the framework of the prevention of money laundering and the fight against terrorism. The Bill contains a number of additional data protection-related provisions and clarifies that the processing of personal data under the AML Act is deemed a matter of public policy for purposes of the Data Protection Act.


The Bill provides for enhanced oversight of various professional supervisory bodies and introduces additional sanctions which can be imposed on professionals that fail to comply with their AML obligations and which, in principle, can be made public.