From mere pennies to EUR 5 million. This is the spectrum of single administrative penalties issued by the CSSF in Luxembourg over the past five years. Each stems from onsite inspections which spotlighted serious shortcomings in compliance with legal and regulatory obligations under the AML/CFT Law, Grand-ducal Regulations of 1 February 2010, CSSF Regulation No 12-02 as amended and Circular CSSF 23/842 (complement of Circular CSSF 21/782). Such hefty fines are examples of the toll of non-compliance.
The Luxembourg Tax Authority – Administration de l’Enregistrement, des Domaines et de la TVA (AED) – plays a similar role in monitoring AML/CFT compliance. Through onsite inspections, the AED ensures that entities under its supervision, such as unregulated alternative investment funds, real estate promoters, accounting professionals, and tax advisors, meet their professional, ethical and AML/CFT obligations. These inspections follow a formal process and can lead to administrative measures or sanctions, including substantial fines.
While AED penalties are generally less severe than those imposed by the CSSF (for example, the total value of collective penalties for administrative sanctions was only just over EUR 480,000), they remain significant. Companies may face anything from a warning to public naming and shaming, administrative fines of up to EUR 1 million, or even a proposal to withdraw business authorization, subject to the Minister of the Economy’s final decision.
What are some of the most recurring issues?
Inspections frequently uncover recurring weaknesses, which can be grouped into five key areas:
1. Risk assessment gaps
Many firms fail to consider key risk factors when determining the ML/TF risk level of customers. Additionally, documentation and verification of the source of wealth and source of funds are often incomplete or missing, weakening the overall risk assessment process.
2. Screening and monitoring weaknesses
Automated tools for sanctions and politically exposed persons (PEPs) screening are not used regularly. Related parties such as ultimate beneficial owners (UBOs) and directors are frequently overlooked, creating significant gaps. Furthermore, alerts generated by screening tools are sometimes poorly managed, with delays, lack of second-level compliance checks, and inadequate documentation of alert rejection reasons.
3. Due diligence deficiencies
Client relationships lack clarity regarding their nature and purpose, and expected transactions are not properly recorded. Ongoing due diligence is weak, leading to incomplete analysis of transactions, even in cases linked to previously reported suspicions. Intermediaries acting for multiple clients pose additional risks, particularly when they operate in jurisdictions without equivalent regulatory supervision.
4. Governance and reporting failures
There is insufficient oversight of AML/CFT controls delegated to third parties. Firms frequently fail to report ML/TF suspicions promptly to the Financial Intelligence Unit (FIU). Moreover, compliance functions do not consistently ensure the quality and comprehensiveness of controls performed by the first line of defense.
5. Tax and structural risks
Tax risk indicators are poorly managed, with alerts left unaddressed and plausibility checks missing. The use of SCSp structures for tax optimization is not always properly framed, increasing the risk of misuse for tax fraud. Complex offshore structures often lack clear rationale, heightening exposure to tax-related money laundering.
How do onsite inspections work?
AED inspections follow a structured process:
- Notification: Companies receive an appointment letter two to three weeks before the visit.
- Preparation: Firms prepare key documents, including risk analyses, client files, and transaction records.
- Inspection: The AML/CFT Officer must be present during the review of compliance areas.
- Reporting: After the visit, documents are submitted electronically. An initial report is issued within four weeks, highlighting gaps. Firms then have approximately three weeks to respond before the final report and potential sanctions.
Proactive preparation and addressing known weaknesses are essential to minimize risk.
What are the key recommendations for entities when preparing for inspections?
Entities need to build confidence that their controls can withstand scrutiny. That means keeping documentation current, tightening internal checks, reporting suspicious activity promptly, and investing in smart tools and ongoing staff training. Many firms also lean on trusted professionals to guide them through the process. Why? Because these experts know what regulators look for and can spot weaknesses before they become costly mistakes.