5 Nov 2020

CSSF Regulation 20-05: A deeper insight into the key aspects of the Luxembourg Anti Money Laundering (“AML”) provisions.

Authors
Christophe Wintgens

EY Luxembourg Assurance Partner, Wealth and Asset Management Leader

Pragmatism is my essence. Results are key. Internal audit and Anti-Money Laundering are my playing fields. Storing exclusive cars is my passion.

Christine Frentz

EY Luxembourg Partner, Extended Assurance

AML / KYC expert with over 16 years within audit and financial services including more than 10 years within regulatory and compliance engagements. Market focused. Ability to manage large engagements.


Background

This new Regulation (the “New Regulation”), of 14 August 2020, amends Commission de Surveillance du Secteur Financier (“CSSF”) Regulation 12‑02 of 14 December 2012 (“12-02”) on the fight against money laundering and terrorism financing. This is the first amendment of 12-02. It provides further details on certain provisions of the amended Law of 12 November 2004 (the “AML Law”) which implemented European Directive 2018/843 (the “Fifth EU Directive”) on 25 March 2020. The changes set out in the New Regulation are effective immediately.

Primary Change

While a number of amendments only reflect the update of references to the AML Law (see our article on the AML Laws of 25 March 2020), other changes are more substantial and include, inter alia:

·        the introduction of Simplified Customer Due Diligence (“SDD”);

·        reinforced internal management requirements, based on the frequently asked questions (“FAQ”) of 25 November 2019 on Persons involved in Anti Money Laundering and Counter Financing of Terrorism (“AML/CFT”) for a Luxembourg Investment Fund or Investment Fund Manager supervised by the CSSF for AML/CFT purposes;

·        guidance on the risk-based approach to be taken in relation to investment business operations;

·        further details on the use of AML systems (internal or via a third party provider);

·        clarifications on the acceptance process;

·        the definition of ‘customer’, encompassing the notion of investor registered in the investment fund register;

·        further guidance on the outsourcing process.

 

Key points for Investment Fund Managers (“IFMs”) and Undertakings for Collective Investment (“UCIs”)

1.     Customer due diligence measures

·        Customer acceptance process:

In case of new clients with a low ML/TF risk profile, the acceptance process can be simplified. The CSSF allows professionals to use an automated process which does not require human intervention if it can be demonstrated that this process is a reliable and efficient alternative to manual approval by the professional. The process should be tested and regularly reviewed to ensure its robustness.

·        SDD:

The New Regulation introduces SDD measures that professionals may apply to the business relationship in case of a justified low risk assessment (the professional should monitor the risk at all times to ensure that the conditions for the application of low risk still apply), for example:

  • the exceptional acceptance of other types of ID documents which meet the criteria of reliable and independent sources (e.g. a letter addressed to the customer by a governmental body or other reliable public body). This is only possible where the customer cannot provide the usual identification documents and insofar as there are no grounds for suspicion
  • due diligence can be updated only upon certain trigger events (e.g. a riskier product, relocation to a different country, changes in the transaction behaviour or profile, or any other trigger event which seems to indicate that the risk is no longer low), instead of being updated on a regular basis
  • for persons purporting to act on behalf of a customer, initiator, promoter who launched an investment fund, obtaining information on the country of residence of these persons instead of asking for the full postal address
  • for persons purporting to act on behalf of a customer where a customer is a regulated credit or financial institution, instead of requesting the complete identification of these persons, obtaining a letter confirming that the institution applied due diligence measures to these persons and that it carried out regular controls of these persons with respect to the applicable lists of restrictive measures in financial matters
  • for customers subject to a compulsory authorisation or registration regime for AML/CFT purposes, the verification that the customer is subject to this regime by performing, for example, a search on the official website of the regulator and documenting the results of the search.
 

2.     Risk-based approach

The New Regulation added a paragraph on Know Your Assets (“KYA”) in the context of investment businesses. The paragraph obliges professionals to analyze, based on a risk-based approach, the Money Laundering/Terrorism Financing (“ML/TF”) risk posed by the investment. Further due diligence measures should be taken commensurate with the outcome of the risk-based approach. The regulation stipulates that such risk-based approaches should be formalised and reviewed at least annually or based on a trigger event which would require a re-evaluation of the risk.

The professional also has the obligation to identify the States, persons, entities and groups subject to restrictive measures in financial matters with respect to the assets it manages and to ensure that funds will not be made available to these groups.

 

3.     AML Systems

The professional must ensure that the internal system or system made available by an external service provider, used for the detection of persons, entities or groups involved in a transaction or business relationship subject to restrictive measures in financial matters is adapted without delay to the latest lists.

The identification of politically exposed persons during the business relationship should be carried out at least every six months.

 

4.     Outsourcing arrangements and agency relationships

It is reiterated that the responsibility with regard to compliance with the provisions of the AML Law, the Grand-Ducal Regulation of 1 February 2010 as amended by Grand-Ducal Regulation of 14 August 2020 and the New Regulation remains with the board of directors of the UCI and/or the IFM. Hence, further clarification is provided regarding the minimum content to be included in the contract for outsourcing arrangements to be used by the board of directors of the UCI and/or the IFM. The board of directors of the UCI and the IFM should ensure that the relevant contracts include (i) detailed clauses specifying the roles and responsibilities of each party as well as (ii) the conditions relating to the transmission of information to the professional, notably to make available immediately, regardless of confidentiality or professional secrecy rules or any other obstacle, the information gathered while fulfilling the customer due diligence obligations. In addition, a process should be put in place to transmit, upon request and without delay, a copy of the original supporting evidence received.

The New Regulation mentions that the policies and internal procedures relating to outsourcing and agency relationships should include detailed provisions (Due Diligence requirements) on the process for the selection and evaluation of third-party delegates and sub-delegates.

The Regulation also specifies the monitoring obligations for third party delegates (most notably transfer agents, portfolio managers to which it outsources the management and investment advisors) which should occur on a regular and ad hoc basis (for example through on-site visits), in accordance with the risk-based approach, where the professional should verify (for example, through sampling) the compliance obligations incumbent upon the third-party delegate.

 

5.     Non-face-to-face business relationships

Even though the AML Law does not foresee that non-face-to-face relationships automatically result in high risk, additional measures have to be taken where certain safeguards are not in place, such as electronic identification means, relevant trust services as defined in Regulation (EU) No 910/2014 or any other secure, remote or electronic identification process which is regulated, recognised, approved or accepted by the relevant national authorities. If such safeguards are not available, the additional measures to be taken are, most notably:

·        measures ensuring that the customer's identity is established by additional identification documents, data or information;

·        additional measures ensuring the verification or certification by a public authority of the provided documents;

·        confirmatory certification by a credit institution or a financial institution subject to the AML Law or subject to equivalent professional obligations as regards the fight against money laundering and terrorist financing;

·        measures ensuring that the first payment of the transactions is carried out via an account opened in the customer’s name with a credit institution or a financial institution subject to the AML Law or subject to equivalent professional obligations as regards the fight against money laundering and terrorism financing.

 

6.     Internal Management

In its FAQ from 25 November 2019, the CSSF provided an introduction to the functions of ‘person responsible for compliance’ (the “RR”[1]) and those of the ‘compliance officer’ (the “RC”[2]).

The RR should be a member of the board of directors or the board of directors as a collective body (or, where applicable, the authorised management responsible for the fight against ML/TF).

The RC is the person who must implement AML/CFT procedures, for example, the compliance officer, where applicable. The RC may delegate the exercise of his function to one or more employees connected to the professional provided that they have sufficient experience and knowledge of the Luxembourg legal and regulatory framework relating to AML/CFT and are of a sufficient level and authority within the entity.

The table below provides information on the RR’s and RC’s respective responsibilities:

 

RR = Person responsible for compliance
RC = Compliance officer

Eligibility criteria

  • RR (UCI): Board member; Board collectively
  • RR (IFM): Board member; Board collectively
  • RC (UCI): Board member; Person mandated intuitu personae by the UCI Board (may be chosen among the staff of the designated IFM for externally managed UCIs)
  • RC (IFM): Compliance officer

Additional requirements

RR:

  • Demonstrable AML/CFT knowledge with regard to applicable Luxembourg legislation
  • Available (at least one member if the RR is a collegial body) without delay upon contact by Luxembourg competent authorities
  • UCI: Knowledge about investment and distribution strategies of the UCI
  • IFM: Knowledge about the services offered by the IFM

RC:

  • Demonstrable AML/CFT knowledge, expertise and experience with regard to applicable Luxembourg legislation
  • Available without delay upon contact by Luxembourg competent authorities
  • Has access to all internal documents and systems required for performing its tasks
  • UCI: Knowledge about investment and distribution strategies of the UCI
  • IFM: Knowledge about the services offered by the IFM

Duties

RR:

  • validates the supervisory system
  • approves business relationships with PEPs (establishing/continuing)
  • approves business relationships involving high-risk countries
  • in case of branches/subsidiaries established in third countries where the law does not permit the implementation of group-wide AML policies, the RR must:
    • approve the AML/CFT risk assessment and the group AML/CFT policies and procedures
    • be provided at least with information on the number of suspicious transaction reports filed within a set period and aggregated data providing an overview of the circumstances that gave rise to suspicion
    • be provided with at least the number of high-risk customers and aggregated statistical data providing an overview of the reasons why customers have been classified as high risk, such as politically exposed person status
    • approve the establishment and maintenance of higher-risk business relationships, or a higher-risk occasional transaction
  • receives regular and ad hoc reports from the compliance officer on the follow-up of the recommendations, problems, shortcomings and irregularities identified during the course of regular controls and verifications of compliance with the AML/CFT policy. Reports should specify the related risks and their seriousness, propose corrective measures and state the position of persons concerned. These reports must allow:
    • assessing the scale of the suspicions or reasonable grounds for suspicion of (i) money laundering, (ii) an associated predicate offence or (iii) terrorism financing which were identified and
    • expressing a judgement on (i) the adequacy of the AML/CFT policy, procedures and systems and (ii) the collaboration between the professional's departments as regards AML/CFT
  • where a suspicious activity/transaction is identified, the compliance officer should consult the RR where appropriate
  • submits a summary report to the CSSF within 6 months of the year end.

RC:

  • applies the AML/CFT policy and procedure and has the power to propose to the authorized management on his own initiative any measure necessary or useful to this end, including the release of required means
  • reviews the AML/CFT policy on a regular basis
  • performs regular control of the supervisory system
  • ensures the quality of the AML/CFT controls carried out by the first line of defence and, as the second line of defence, must verify compliance by the professional with all the AML/CFT professional obligations
  • must provide written authorization for the acceptance of new customers, where appropriate and for customers with a high-risk profile
  • must be provided with an internal report when it is impossible to verify at the earliest opportunity the identity of a customer and beneficial owner (in case where an account is opened before or during the verification of the identity)
  • must be provided with an internal report when it is impossible to verify at the earliest opportunity the identity of the founders, of a company and of the beneficial owner (in case where an account is opened for a company in the process of incorporation)
  • must be involved systematically in the acceptance of customers involving high-risk countries
  • must be provided with reports on suspicious transactions/persons identified and is solely competent to decide on the application and scope of measures required where a suspicious activity or transaction is identified and their termination. The RC is consulted where appropriate
  • must provide the RR, the authorized management and, where appropriate, the Board with regular and ad hoc reports on the follow-up of the recommendations, problems, shortcomings and irregularities identified during the course of regular controls and verifications of compliance with the AML/CFT policy. Reports should specify the related risks and their severity, propose corrective measures and state the position of persons concerned. These reports must allow:
    • assessing the scale of the suspicions or reasonable grounds for suspicion of (i) money laundering, (ii) an associated predicate offence or (iii) terrorism financing which were identified and
    • expressing a judgement on (i) the adequacy of the AML/CFT policy, procedures and systems and (ii) the collaboration between the professional's departments as regards AML/CFT
  • must prepare, at least once a year, a summary report on his activities and his operation and submit it to the person responsible for compliance, the authorized management and the Board and, where appropriate, the specialized committees.
  • is the privileged contact person for the Luxembourg authorities as regards AML/CFT issues and for the competent authorities with respect to the application of restrictive measures in financial matters. He is also in charge of the transmission of any information or statement to these authorities.

Link to the CSSF Regulation 20-05

Link to the CSSF Regulation 12-02, as amended

 

[1] Responsable du respect des obligations

[2] Responsable du contrôle du respect des obligations

Summary

The CSSF regulation introduces, inter alia, Simplified Customer Due Diligence, reinforced internal management requirements, further guidance on the risk-based approach, guidance on the use of AML systems, clarifications on the acceptance process and the outsourcing processes as well as the definition of customer.
