On 10 April 2020, the CSSF published Circular 20/740 to provide guidance to all professionals who are subject to the CSSF’s anti-money laundering and counter-terrorism financing (“AML/CFT”) supervision in respect to money laundering and terrorism financing (“ML/TF”) risks and consequences amid the outbreak of COVID-19. Experience suggests that in many cases illicit financial flows will continue, and criminals and terrorists may seek to exploit temporary weaknesses in AML/CFT controls. The CSSF emphasises that Circular 20/740 be read jointly with existing related guidance provided by EU, international and national authorities, as well as related guidance on AML/CFT previously issued by the CSSF (e.g. CSSF Circular 19/732 and Circular 17/661).
Split in four sections, Circular 20/740 sets out new and emerging ML/TF threats resulting from COVID-19, several possible areas of particular vulnerability for the financial sector and mitigating actions that supervised professionals can implement going forward, and the CSSF’s approach to AML/CFT supervision during this period.
New threats, examples of which are set out in the Circular 20/740, have been emerging in the areas of cybercrime, fraud, counterfeit goods, robbery and theft and market abuse.
The Luxembourg financial sector could be exploited by these emerging threats and therefore all professionals should remain vigilant. The Circular 20/740 highlights several relevant vulnerabilities and outlines the nature of each.
The CSSF urges supervised professionals to continue to implement and maintain effective systems and controls to ensure that the financial system is not abused or misused for ML/TF purposes, for example:
- to ensure that effective and robust processes are in place to apply AML/CFT controls (emphasis given on cyber risk controls) whilst staff is working remotely, in a manner compliant with the obligations set out in the Luxembourg Law of 12th November 2004 (“AML Law”);
- to continue monitoring transactions (emphasis given on unusual or suspicious patterns in customers’ behaviour and financial flows) as well as the adequacy of third party outsourcing related to transaction monitoring, as there may be a large increase in false positives from transaction monitoring and fraud prevention systems that use machine learning techniques by reason of such softwares being trained and based on data from periods of normal economic activity;
- to continue to apply the customer due diligence (“CDD”) measures required under the AML Law and to consider how these can be strengthened to mitigate the impact of a lack of face-to-face contact with customers, suggesting the use of financial technology (Fintech) to manage some of the CDD issues presented by COVID-19 such as digital/contactless payments and digital on-boarding to reduce the risk of spreading the virus; and
- to promptly report suspicions of ML/TF to the Luxembourg Financial Crime Agency (Cellule de Renseignement Financier) as well as continuing to interact with the CSSF as part of its supervisory activities (e.g. responding in a timely manner to information requests, keeping regular communication in relation to deadlines).
On 4 May 2020, the Expert Working Group AML OPC (chaired by the CSSF and composed of representatives from a number of Luxembourg institutions e.g. ALFI, ALCO, ABBL and the Financial Intelligence Unit) published a PowerPoint presentation (“Presentation”) designed to provide sector specific details to Circular 20/740, which in turn can be used as part of the remote training process implemented by supervised professionals on tackling the implications of the Covid-19 situation in the fight against ML/TF.
The Presentation provides an overview of possible ML/TF risks (as further elaborated in Circular 20/740), suggests best practices for the appointed RR and RC ("responsable du respect des obligations" and "responsable du contrôle du respect des obligations" respectively), and encourages the re-evaluation of the risk-based approach in the context of a client’s ongoing-diligence, the continued performance of due diligence on service providers (including Digital ID providers) and re-examination of the relevant supervised entity’s cyber resilience vis-à-vis cyber threats. Prior to ending with a short quiz, the Presentation also points out certain red flags that supervised professionals should be aware of in order to avoid corruption and social engineering by fraudsters through their business activities.
It is further stressed that the CSSF will continue AML/CFT supervisory activities during this period. AML/CFT on-site inspections that have already commenced will be completed and the CSSF will also commence inspections on a remote basis. Off-site supervisory activities are also continuing.
Communications with the CSSF can be made in the following way:
- through the eDesk for those who have registered, or by e-mail rather than regular mail;
- outgoing communications from the CSSF will be done by e-mail bearing the domain name @cssf.lu, and carrying no handwritten signature from the CSSF;
- by telephone or videoconference.