Purpose and Scope
In January 2020, the CSSF published its first Sub-Sector Risk Assessment (“SSRA”) on money laundering/terrorist financing (“ML/TF”) risks faced by the collective investment sector. The conclusions drawn in this first assessment were based on quantitative data collected through different initiatives, in particular the annual AML/CFT survey, and qualitative assessments by the CSSF as part of its onsite and offsite AML/CFT supervision (for more information, check our previous newsletter).
The CSSF now updated the report noting that the update does not repeat general messages which were detailed in the 2020 SSRA but rather focuses on the evolutions to highlight several ML/TF threats and vulnerabilities that are increasingly important for the fund industry in Luxembourg.
Updates and methodology
The report contains some evolutionary facts (inter alia the number of existing securitisation vehicles, the aggregate total net assets of Luxembourg funds regulated for AML/CFT purposes, number of Luxembourg investment funds managers) and also a methodology that explains the approach used to update the SSRA.
Threat Assessment Evolution
The report notes that COVID-19, the lockdown and the latest geopolitical crisis made it difficult in terms of AML communication and controls and that this can lead to an increase in the threat of cybercrimes.
The year 2021 was also marked by a very sharp increase in total market capitalisation of cryptocurrencies and trading volumes of virtual assets such as non-fungible tokens. The underlying technology used by virtual assets can provide a level of anonymity which can be abused by criminals. In addition, the volatility of these assets may be perceived as an opportunity of a higher return of investments by money launderers and terrorist financiers.
Vulnerability Assessment Evolution
The report notes that the Luxembourg collective investments’ largest inherent vulnerabilities arise from UCITS management companies. Similar to the 2020 SSRA, within the UCITS management companies category, the Luxembourg chapter 15 management companies present the highest inherent risk, primarily because of the volume of managed assets and because of the cross-border distribution of UCITS.
For Luxembourg authorised and registered AIFMs, the inherent risk scoring remains the same (medium high risk); for UCITS management companies (high risk).
Evolution of mitigating factors and residual risk assessment
For Luxembourg Chapter 15 management companies, the CSSF noted an improvement in terms of the implementation of a risk based approach both on the UCI’s liability and asset side; in particular when it comes to the oversight of third parties performing AML/CFT controls on behalf of the investment fund managers (“IFM”). The due diligence processes have been more precise and better documented but, in some cases, were still lacking an in-depth analysis and remediation of identified shortcomings.
The content and frequency of AML trainings have improved, which contributed to the overall improvement of the quality of mitigation measures.
For Luxembourg authorised AIFMs, the CSSF did not identify any significant change regarding the implementation of a risk based approach, however it noted a moderate modification of the results of the work performed by the external and internal control functions which identified more shortcomings in the AML/CFT framework of these entities. A change of compliance rating from “Compliant” to “Largely Compliant” by these control functions was observed in this cluster, which is in line with the CSSF’s own observations. Nevertheless, the CSSF noted significant improvements in the due diligence performed on assets, screening of Targeted Financial Sanctions and oversight on distributors (when applicable). Content and frequency of AML trainings have also improved.
Luxembourg registered AIFMs had been identified as a class needing significant improvements in the 2020 SSRA. The CSSF notes some improvements in terms of their AML/CFT framework, notably through the set-up of tailor-made AML/CFT procedures and policies and the registration with the GoAML platform used by the Financial Intelligence Unit, but also, and more importantly, through a major review of their understanding of their exposure to the risks of ML/TF both on the UCI’s liability and assets side. The CSSF noted an improvement in terms of ongoing monitoring of third parties performing AML/CFT controls on their behalf, in particular investment advisors, distributors and registrar and transfer agents. The CSSF also noted an improvement in the quality of their mitigation measures notably through a better understanding of their exposure to the risks of ML/TF.
Outcome of the report
Despite the fact that the CSSF noted an overall improvement of the quality of the mitigation measures implemented by the entities in scope, it also noted some areas requiring further improvement as it still identifies cases where erroneous data has a significant impact on the scoring of the entity and the related risk measures implemented by the entity.
Areas for further improvement
The CSSF addressed, inter alia, recommendations for cross-border intermediaries to consider, with respect to the outsourcing of the screening of the Targeted Financial Sanctions to non-European entities, IT components of AML/CFT systems, improvement in the quality of RC reports.