Regulations amending CSSF Regulation 12-02 of 14 December 2012 and Grand Ducal Regulation of 1 February 2010 on the fight against money laundering and terrorist financing
CSSF Regulation 20-05 of 14 August 2020 (“CSSF Regulation”) amending CSSF Regulation No 12-02 of 14 December 2012 on the fight against money laundering and terrorist financing and Grand Ducal Regulation of 14 August 2020 (“GD Regulation”) amending Grand Ducal Regulation of 1 February 2010 providing details on certain provisions of the Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended (“AML Law”) entered into force on 24 August 2020.
Both the CSSF and GD Regulations follow the entry into force of the Luxembourg laws of (i) 25 March 2020 transposing into national law certain provisions of the Directive (EU) 2018/843 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (5th AML Directive) and (ii) 10 July 2020 setting up a register of fiduciaries and trusts.
Professionals who fall in scope of the AML Law are impacted by the following key changes/clarifications brought by both the CSSF and GD Regulations:
Clarifications about the implementation of the risk-based approach
- Determination of the risk-based approach to be taken by a professional must, at all times, be based on its money laundering ("ML")/terrorist financing ("TF") risk appetite, which must be duly approved by the professional’s board of directors and put into place by its authorised management. When implementing risk management procedures, the professional shall take into consideration various sources, e.g. the Supranational Risk Assessment, the National Risk Assessment and sub-sector Risk Assessments.
- Professionals must ensure that they annually complete the CSSF questionnaire about the collection of information on ML/TF, and submit this questionnaire to the CSSF within the required deadlines.
- Where a business relationship presents a low risk of ML/TF and the professional applies simplified customer due diligence ("CDD") measures accordingly, the professional must be able to justify and demonstrate this business relationship’s low risk of ML/TF to the competent Luxembourg authorities for AML/CTF.
- The risk assessment carried out by a professional does not, under any circumstances, entitle the professional to waive enhanced CDD measures where such measures are expressly prescribed under the AML Law.
Clarifications on CDD measures
- “Customer” is now defined as a natural or legal person with whom a business relationship exists or for whom an occasional transaction is carried out, including persons purporting to act on behalf of the customer (or investors, in the case of investment funds).
- Professionals must review and update the information on the customer at least every seven years, without prejudice to a higher frequency depending on the risk assessment. The GD Regulation sets out examples of situations where updated information may be required.
- Virtual asset service providers must apply CDD measures when carrying out occasional transactions exceeding a threshold of EUR 1,000 (instead of the usual EUR 15,000 threshold).
- Regarding CDD measures applicable to an intermediary acting on behalf of its customers, these CDD measures must be applied to the intermediary on a two-level basis: (a) the intermediary, the persons purporting to act on behalf of this intermediary and the beneficial owners of the intermediary must be identified, and their identities verified, on a risk-based basis; and (b) enhanced CDD measures must be implemented for business relationships viewed as similar to a correspondent relationship with the intermediary.
- Professionals are required to perform an analysis of the ML/TF risk related to a given investment and implement CDD measures in accordance with the risk-based approach. Such risk analysis carried out on investments must be reviewed both annually and each time that a particular event requires a review.
- Professionals may now accept a customer presenting a low risk of ML/TF on the basis of an automated acceptance process which does not involve the intervention of a natural person at the level of the professional, provided that such process has previously been duly configured and tested and is reviewed on a regular basis by the professional.
- The use of electronic identification means (e.g. relevant trust services as set out in Regulation (EU) No 910/2014), or any other secure, remote or electronic identification process that is regulated, recognised, approved or accepted by the relevant national authorities is permitted for the verification of a customer’s identity.
- The use of central registers as the sole means of verifying the identities of a customer’s beneficial owners is not sufficient to constitute due compliance with the obligation to take reasonable measures to verify the identities of such beneficial owners; a standard ML/TF risk-based approach still needs to be followed.
- The CSSF Regulation introduces a list of examples of simplified CDD measures which may be applied by professionals with respect to low risk business relationships. It is further specified that, regardless of the frequency of review of the business relationship, professionals must verify at least once a year that the conditions justifying the application of simplified CDD measures are still present.
- The CSSF Regulation provides examples of enhanced CDD measures to be applied by professionals with respect to high-risk business relationships (e.g. obtaining additional information or documentation on the source of the funds involved and on the source of wealth); it is further specified that CDD measures applied to politically exposed persons (PEPs) must be carried out at least every six months.
Inclusion of the rules on the transfer of funds
Professionals shall take note of the rules under Regulation (EU) 2015/847 on the transfers of funds which were added to the text of CSSF Regulation No 12-02 of 14 December 2012 on the fight against money laundering and terrorist financing.
Specifications relating to the use of outsourcing arrangements
For funds specifically, the board of directors (or equivalent body) of a fund and/or the investment fund manager will be required to ensure that outsourcing arrangements contain the relevant detailed clauses specifying the roles and responsibilities of each party, and that such arrangements permit them to access any information deemed necessary for the performance of their function. They will also be required to perform ongoing, formalised monitoring of the delegated third party.
Specifications relating to systems for the supervision of business relationships and transactions
- Formalising what is CSSF practice, the CSSF Regulation now specifically provides that professionals are required to appoint both (i) a person responsible for compliance with the AML-CTF professional obligations at the level of the authorised management or board of directors and (ii) a compliance officer in charge of the control of compliance with the AML-CTF professional obligations, and further defines such functions.
- The AML-CTF governance and internal organisation must follow the “three lines of defence” model:
- a first line of defence based on operational units, i.e. the persons in charge of business execution who are in direct contact with customers and who require a good understanding of the ML-TF risks;
- a second line of defence based on the person in charge of control, including other support, monitoring and compliance functions involved in AML-CTF matters, consisting of providing support, verifying the controls carried out by the first line of defence, and contributing to an independent control of the risks. The level of involvement of the second line of defence must increase with the customer’s risk level;
- a third line of defence based on the internal audit function which independently assesses the first two lines of defence and also verifies the effectiveness of the professional’s AML-CTF policies, procedures and programmes.