Following the entry into force of the Law of 25 March 2020 and publication of the CSSF Circular 20/747 of 23 July 2020, please find enclosed a summary of those changes with a special focus on the establishment of a central electronic data retrieval system concerning IBAN accounts and safe-deposit boxes by the CSSF.
Law of 25 March 2020
Although some provisions of the 5th EU Directive have already been transposed under the law of 13 January 2019 regarding the establishment of a register of beneficial owners, on 25 March 2020 the Luxembourg legislator adopted two separate laws to implement the remainder of the Directive’s provisions. Both laws, the first transposing certain provisions of the 5th AML Directive in Luxembourg, and the second establishing a central data retrieval system concerning IBAN accounts and safe-deposit boxes, introduced a series of amendments to the Law of 12 November 2004 in the fight against money laundering and terrorist financing (the “AML Law”). The main measures related to the 5th AML Directive include:
1. The addition of definitions and extension of scope to virtual currencies and virtual asset service -providers, who are required, as of 30 March 2020 to register with the CSSF in relation to AML/TF,
2. Clarification and extension of customer due diligence (CDD) and enhanced due diligence (EDD) measures to be applied, most notably, regarding high-risk countries), introduction in the law of a framework to provide flexibility in the electronic identification and verification of the customer/investor (EU Regulation 910/2014 on electronic identification and trust services for electronic transactions in the internal market),
3. Establishment of a central electronic data retrieval system concerning IBAN accounts and safe-deposit boxes based on data to be received from banks.
However, this second law did not address the technical and organizational issues brought by this new central electronic data retrieval system.
CSSF Circular 20/747: what’s new?
The CSSF Circular 20/747 provides some clarity to the professionals of the financial industry on the new requirements to actively participate in the establishment of a central electronic data retrieval system concerning IBAN accounts and safe-deposit boxes. It is addressed to all entities providing IBAN accounts and/or safe-deposit boxes to their clients in Luxembourg.
As a reminder, entities in scope should build an internal client database and transmit a daily extract to the CSSF identifying the account holders of their payment accounts and safe-deposit boxes. Then, the CSSF will consolidate the information into a “central electronic data retrieval system” that will be freely accessible for the Cellule du Renseignement Financier (“CRF”) and to only a certain number of national organizations upon request (e.g. state attorney, AED, Service de Renseignement, etc.).
The key requirement introduced by this circular is a new secure way of exchanging information with the CSSF using their own dedicated Application Programming Interfaces (“API”). The CSSF will publish two APIs (one for enrolling entities in scope and one for notification of documents available). On the other side, each professional will also have to expose its own API using a common programming standard: openAPI v3.0.
With this circular, entities in scope can finally start their implementation project and gather the required data to be transmitted to the regulator. More precisely, the circular clarifies the exact content of the report and the frequency of this exchange of information. Professional will have to disclose daily information including, but not limited to, the identity of entity or individual account holders, address, nationality, tax or VAT identification number, and birth details in case of individual account holder. Similar information should also be disclosed on agent or person having power of attorney on the account.
This Circular also provides more clarity on the technical aspect of this exchange of information. In addition to the use of APIs, the expected report should be encoded in a JSON format according to a specific structure provided by the CSSF. After each receipt of information, professionals will receive feedback through their API validating the transmission of information and the validity of its content.
On the security side, all communications with the CSSF will use a mutual TLS identification method and all files will be encrypted using a public PGP key provided by the regulator and signed by the professional using its own private PGP key.
Keen to support professionals with their implementation journey, the CSSF will provide a sandbox environment and entities in scope are highly encouraged to test their own API in this environment before any transmission of information.
Finally, the deadline for implementation of the APIs and transmission of the daily files has been set to be 10 September 2020.
