From June to December 2022, there have been a number of updates to the EU’s anti-money laundering framework which aims to strengthen the ongoing fight against financial crime.
There have been a handful of changes to European anti-money laundering (AML) and counter-terrorist financing (CTF) regulation in the latter half of 2022. These amendments are unsurprising given the mounting pressure from regulators to comply with AML/CTF rules in light of financial scandals in recent months receiving intense public scrutiny. Locally, in Luxembourg, the topic of financial crime has received its fair share of airtime. Some of this has been influenced by the announced on-site visit of the Financial Action Task Force (FATF) in November 2022. The previous inspection of the FATF in 2009 exposed some red flags, with the country being partially or non-compliant with some of the 40 FATF standards. Much effort has been put into improving compliance since this last visit.
Some of the most important regulatory updates include guidelines on remote customer onboarding, sanctions screening, temporary suspension of Luxembourg’s beneficial owner register, compliance management and some reminders with respect to tax offences. Each of these is briefly summarized below in order of date.
Prevention of tax offences in the context of AML/CTF
The Commission de Surveillance du Secteur Financier (CSSF)’s “UCI On-site inspection” department performed a thematic review in relation to the AML/CFT controls applied in terms of preventing tax offences, targeting five Luxembourgish investment fund managers (IFMs) of different sizes and types in November and December 2021. This inspection sits in the context of the criminal provisions within the Law of 23 December 2016, wherein the ML offence was extended to cover aggravated tax fraud and tax evasion.
Overall, while the outcome of the review was that the measures put in place by entities, and their general understanding of the risks associated with ML/TF, were satisfactory, the review did uncover some potential areas for improvement, prompting the CSSF to remind IFMs, via a communication on 8 November 2022, of the following important considerations:
- Weakness in regard to risk assessment: Not all the relevant indicators of CSSF Circular 20/744 have been covered and IFMs must ensure that their risk assessment includes all relevant tax-specific indicators
- Shortcoming in the control functions environment: Weaknesses regarding verifications performed by the control functions were identified, such as at the level of the compliance monitoring plan and internal audit plan. IFMs are reminded to ensure tax matters are included in such plans on a risk-based approach and that risk mitigation measures include tax-specific indicators (identifying in a proportionate manner those being relevant for the specific activities performed)
- Tax calculation, filing and reporting: Weaknesses were noted with respect to delegated tax calculations, filings and investor tax reporting, among others. IFMs are reminded to sufficiently mention their tax compliance obligations in their procedures and to perform adequate monitoring where these activities are delegated
Important reminder about sanctions
The Grand-Ducal Regulation of 14 November 2022 provides more insight on the Law of 19 December 2020. It covers the implementation of restrictive financial measures, namely, sanctions screening. While the message of this Regulation is not altogether new, it reiterates that application of sanctions measures must be actioned without delay. Specifically:
- Restrictive financial measures should be applied without delay or prior notification
- Those measures, when applied, should be communicated to the finance minister without any delay
- Luxembourgish credit and financial institutions should follow (at minimum) the sanctions list delivered by the UN and EU
For the last point, it must be made clear that the UN and EU lists are an absolute minimum and that other sanctions lists could be used or may even be needed, depending on the specific circumstances of the client. For example, residents of the USA are subject to Office of Foreign Assets Control (OFAC) sanctions.
Temporary suspension of the Luxembourg register of beneficial owners
Access to Luxembourg’s web register of beneficial owners (RBO) on the Luxembourg Business Register (LBR) was temporarily suspended following the judgement of the Court of Justice of the European Union (CJEU) on 22 November 2022. This suspension came as a result of the preliminary ruling from the Luxembourg District Court, whereby the “quality of users” accessing the register was called into question in a dispute between the underlying beneficial owners (UBOs) of a Luxembourg-registered entity and the LBR. The argument in this case is that this unclarified access goes against the Charter of Fundamental Rights of the European Union (Articles 7 and 8).
Access to the RBO has in the meantime been restored for a certain number of professionals who already had prior access to the LBR/RBO. For professionals as defined in the AML/CFT Act of 2004, access will be restored in the coming days; others with a legitimate interest in the register (e.g., press representatives, other actors with a link to the fight against ML/TF) will have their access restored in due course, although no date for the lifting of the suspension has been announced yet. Note that National Competent Authorities (NCAs) can access this information via a dedicated intranet portal, allowing them to continue their AML/CTF tasks.
Changes impacting remote customer onboarding solutions
The European Banking Authority (EBA) published its final Guidelines on the use of remote customer onboarding solutions on 22 November 2022. These Guidelines are off the back of the European Commission’s “Digital Finance Strategy” for the European Union, wherein a key priority is to address the fragmentation of the Digital Single Market for financial services. The Commission had previously found that the customer due diligence rules held within Directive (EU) 2015/849 were not adequate in their coverage of the digital/remote environment, which is underlined by the substantial rise in demand for digital onboarding activities from clients and firms in the wake of the health crisis. As such, the Commission requested the EBA to issue guidelines on the application of AML/CTF for remote onboarding of customers.
These Guidelines set out the steps credit and financial institutions, which are within the scope of the Anti-money Laundering Directive (AMLD), should take to ensure safe and effective remote customer onboarding practices. Next steps are for the Guidelines to be translated into all official EU languages and published on the EBA website, after which they will enter into force six months later. It is to be noted, however, that the deadline for the NCAs to report whether they comply with the Guidelines, or not, is two months after the publication of these translations.
As per Article 16(3) of Regulation (EU) 1093/2010, competent authorities and financial institutions are obligated to make every effort to comply with these Guidelines, for example, by amending their legal framework or their supervisory processes. A summary of the changes follows.
Policies and procedures relating to remote customer onboarding
Risk sensitive policies and procedures must be set up and include at least the following if opting for remote customer onboarding, which is in scope for most Alternative Investment Fund Managers (AIFMs):
- Description of the solution used (collection, verification and recording of information) and explanation of features and functioning of the solution
- Situations where remote customer onboarding can be used (category of customers, products, and services eligible)
- Definition of the automated steps and the non-automated ones
- Controls to ensure that first transaction occurs after the due diligence is performed
- Description of the induction and regular training programs about remote onboarding
Governance
The AML/CTF Compliance Officer ("responsable du contrôle du respect des obligations" or RC) should ensure that remote onboarding policies and procedures are properly implemented, reviewed and amended. The management body ("responsable du respect des obligations" or RR) should approve these and oversee the correct implementation.
Pre-implementation assessment of the remote customer onboarding solution
Credit and financial institutions should set out the scope, steps and record-keeping requirements of the pre-implementation assessment, which should include at least:
- Assessment of the adequacy and reliability of the solution regarding the completeness, accuracy and source of the data and documents to be collected
- Assessment of the impact of the remote onboarding on business-wide risks (ML/TF, operational, reputational and legal risks) and mitigating measures/remedial actions
- Tests to assess fraud risks (impersonation and communication/security risks)
- End-to-end testing of the solution
Ongoing monitoring of the remote customer onboarding solution
The following actions must be taken:
- Complete the policies with ongoing monitoring on remotely onboarded customers (scope, frequency of the reviews, circumstances of ad hoc reviews)
- Set up of remedial measures when a risk has materialized (whether the client should be subject to enhanced due diligence measures, limitations, termination, reporting to the FIUs or reclassified)
- Set-up of the most effective way to monitor the ongoing adequacy and reliability of the remote customer onboarding solutions (e.g., quality assurance testing)
Acquisition of information
When it comes to client information, the following should be reported:
- Identification of the customer: ensure that the information is up to date, in a readable format, time stamped and properly stored; define what information is gathered from documentation, client or external sources. For legal entities, same as above including noting the persons to act on behalf of the customer and beneficial owners
- Nature and purpose of the business relationship
Oversight
- Document authenticity and document reproduction integrity should be verified and double-checked with reliable third-party sources when possible
- In situations where there is ambiguity or uncertainty that impacts the performance of remote checks, the individual remote customer onboarding process should be interrupted and restarted or redirected to a face-to-face verification
- In case of outsourcing of the customer due diligence to a third party, the credit and financial institutions are responsible for ensuring that all the remotely onboarded customers fulfill the relevant requirements. Verification of the procedures of the third party for this matter is therefore a necessity
Compliance management policies and procedures – entered into force on 1 December 2022
A refresher on the context
The AML/CTF compliance function is a critical element to the functioning of financial institutions. Directive (EU) 2015/849 of the European Parliament and of the Council sets out that financial institutions must appoint a compliance officer at the management level, and that financial institutions with a management body identify which member is ultimately responsible for the implementation of the law.
Following this, in 2017, the European Commission asked the European Supervisory Authorities (ESAs) to develop guidance on the role of the compliance officer and management body. In response, the ESAs found the existing guidelines to be sufficient, but analyses by other EU institutions in the years that followed found deficiencies in the application. The EBA Guidelines on policies and procedures in relation to compliance management and the role and responsibilities of the AML/CTF Compliance Officer, issued on 14 June 2022, and coming into force on 1 December 2022, aim to achieve a common understanding on the role of the AML/CTF compliance officer and management body, among the NCAs. A reminder on the Regulation key points follows below.
Management body (RR)
The role of the management body in its supervisory function in the AML/CTF framework:
- Supervise, oversee and monitor the implementation of internal governance and control framework
- Should be informed of the ML/TF risk assessment and identify potential conflicts of interests
- Oversee and monitor AML/CTF policies to cover the ML/TF risks the entity is exposed to and ensure remedial actions if necessary
- At least once a year, review the activity report of the compliance officer and obtain regular updates on activities exposed to higher ML/TF risks
- At least once a year, assess the effective functioning of the AML/CTF compliance function, and ongoing assurance that the compliance officer has sufficient access to information, human resources and AML/CTF incidents and shortcomings
- Ensure that the management body has the knowledge, skills and experience necessary to identify and assess the ML/TF risks, has a good understanding of the business model and the sector the entity is operating in, and is informed without delay of any decisions that could affect the risk of the entity. As such, the management body should have access to the required data and reports
- Members of the management body should have sufficient time and resources to perform AML/CTF duties. If no management body is appointed, a senior manager should be appointed
- Appointment of a senior manager responsible for AML/CTF duties
The role of the management body in its management function in the AML/CTF framework:
- Implement the organizational and operational structure in line with AML/CTF strategy
- Ensure implementation of AML/CTF strategies
- Review the compliance activity report
- Ensure AML/CTF reporting to the competent authorities
Compliance Officer (RC)
With respect to the appointment of the AML/CTF compliance officer:
- Taking into account the AML/CTF risk of the entity, the management body should identify if this role will be carried out on a full-time basis or not; appointing someone with the required skills and knowledge of the ML/TF risk the entity is exposed to
- The RC should be available to competent authorities and financial intelligence units
- In case the compliance officer is contracted to work in another jurisdiction, adequate and effective measures should be in place
- The RC should be able to delegate tasks but is ultimately responsible for the effective fulfillment of those tasks
- The RC should be part of the second line of defense to ensure independence and direct access to the RR and can operate for two different entities if they belong to the same group
- When no RC is appointed (e.g., sole trader), the reason should be justified and documented, and the AML/CTF duties should be performed by a senior manager or outsourced
Tasks and role of the AML/CTF compliance officer:
- Develop a risk assessment framework for business-wide and individual ML/TF risk; report this to the management body, and if necessary, propose mitigation actions
- Develop policies and procedures making sure they are up to date and implemented effectively
- Consult in case of onboarding or maintaining of a business relationship with a high-risk customer
- Monitor compliance and recommend management corrective measures
- Report to the management body on ML/TF risk assessment, resources, policies and procedures
- Ensure adequate training and awareness on ML/TF methods, trends, typologies, risk-based approach and mitigation measures
Organization of the AML/CTF compliance function at group level:
- The parent of the group should ensure that each branch/entity has the required knowledge and data to perform their duties
- Have a cartography of the ML/TF risks of the entities and perform a group ML/TF risk assessment
- Ensure remediation actions are in place in case of ML/TF risks in the branches
- Set up of a specific body dedicated to AML/CTF duties, coordination structure, group policies and procedures, AML/CTF controls
- The AML/CTF group compliance officer should coordinate ML/TF risk assessments, draft a group-wide risk assessment, define group AML/CTF standards, coordinate the local compliance officers, ensure entities have adequate suspicious transaction report procedures and produce an annual activity report
New proposal for a directive on criminal offences and penalties
On 2 December 2022, the European Parliament and the Council put forward a proposal for a new Directive on the definition of criminal offences and penalties for the violation of Union restrictive measures. The aim of the Directive would be to ensure that EU sanctions/restrictive measures are properly enforced across the EU in a standardized fashion and that attempts to evade or go against the sanctions are discouraged.
The below-mentioned activities should be considered as a violation of the EU restrictive measures:
- Providing financial activities which are prohibited or restricted by EU restrictive measures, e.g., financing and financial assistance, providing investment and investment services, issuing transferrable securities and money market instruments, accepting deposits, providing specialized financial messaging services, dealing in banknotes, providing credit rating services, providing crypto assets and wallets
- Providing other services which are prohibited or restricted by EU restrictive measures, including legal advisory services, trust services, public relations services, accounting, auditing, bookkeeping and tax consulting services, business and management consulting, IT consulting, broadcasting, architectural and engineering services
Other important topics proposed to be covered by the Directive include, inter alia:
- A list of definitions of offences broadened to cover the circumvention of EU sanctions, for example instances where there is concealment that a person who is subject to restrictive measures is the owner or beneficiary of certain funds
- Penalties for natural persons
- A maximum penalty of at least five years of imprisonment that judges in Member States should impose on natural persons (for serious offences)
- Common basic standards for penalties for legal persons across Member States, including, inter alia: criminal or non-criminal fines of up to 5% of annual worldwide turnover
Footnotes
- Communication on AML/CFT controls applied in terms of preventing tax offences, 8 November 2022
- Grand-Ducal Regulation of 14 November 2022 clarifying the Law of 19 December 2020 on the implementation of restrictive measures in financial matters
- Judgment of the Court (Grand Chamber) of 22 November 2022
- Guidelines on the use of Remote Customer Onboarding Solutions under Article 13(1) of Directive (EU) 2015/849, Final Report
- Guidelines on AML/CTF compliance officers