On 14 August 2020, Luxembourg’s financial regulator CSSF published Regulation 20-05 (“the Regulation”), amending CSSF Regulation 12-02 of 14 December 2012 regarding the fight against money laundering (ML) and terrorist financing (TF). The Regulation, which entered into force on 24 August 2020, aims to provide further clarifications to professionals regarding the changes brought by the Law of 21 March 2020 (“the Law”) transposing the Fifth Anti-Money Laundering Directive. It also clarifies certain provisions of the Law that apply to the collective investment sector.
This article summarizes the main changes and clarifications of the Regulation. You can find further key changes and amendments to Grand-Ducal Regulation of 14 August 2020 in this related blog.
1. Risk-based approach
Overall risk related to professionals’ activities
- When assessing their activities’ anti-money laundering (AML) and/or combating the financing of terrorism (CFT) risk, professionals must integrate different sources including but not limited to:
  - The European Commission’s supranational report on ML and TF risks (Supra National Risk Assessment)
  - The “National Risk Assessment” on ML and TF risks
  - The “sub-sector Risk Assessment” of AML/CFT risks
  - The “Risk Factor Joint Guidelines” from the European supervisory authorities, namely the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA) and the European Insurance and Occupational Pensions Authority (EIOPA), as well as any related CSSF publications.
- Furthermore, professionals must determine their risk-based approach using a defined ML/TF risk appetite approved by the board of directors and transposed by the authorized management. They must also make sure the strategy is consistent with this approach and communicated to all staff involved.
- The Regulation also foresees that, regarding investment business, professionals should carry out an analysis of the investment’s ML/TF risk. Appropriate due diligence measures adapted to the risk assessed should be taken. This analysis must be formalized and reviewed on at least an annual basis, as well as on a trigger event basis.
Customers’ risk classification
- When professionals assess a business relationship’s individual risk and whether a situation may represent a lower risk, professional judgment is required to justify and explain the application of simplified due diligence (SDD) regimes besides the use of the minimum requirements included in Appendix III of the Law. Other lower risk factors that professionals deem relevant may be considered as well. Similarly, professionals should also include additional relevant high-risk factors beyond the minimum requirements defined under Appendix IV of the Law when assessing the risk of their business relationships.
- Assessing the risk level of a business relationship should involve an understanding of the nature and activity of that relationship.
- Where the units or shares of an undertaking for collective investment or an investment company in risk capital are subscribed through an intermediary acting on behalf of others, professionals must apply a two-tiered due diligence approach. First, the intermediary, the persons acting on its behalf and its beneficial owners must be identified, and their identity verified, where appropriate, on a risk-based approach. Second, professionals must implement enhanced due diligence (EDD) measures on the business relationship similar to that of a correspondent with the intermediary that invests on behalf of others. This should enable professionals to accurately assess the robustness of the intermediary’s AML/CFT framework.
2. Customer due diligence measures
- Professionals may accept clients with a lower AML/CFT risk using an automated acceptance process that doesn’t require the intervention of a natural person. This process must be tested beforehand, regularly reviewed to assess its reliability over time, and be in line with the CSSF’s instructions.
- Also, for all high-risk clients — such as clients or transactions involving a politically exposed person (PEP) or high-risk countries — the systematic involvement and approval of the compliance officer is expected. The acceptance procedure for these customers must also be described and included in the AML/CFT policy.
- Opening a safe deposit box requires the same level of due diligence as any other type of business relationship. It is prohibited to open an account, passbook or safe deposit box with an anonymous or fictitious name.
Identification and verification of customers
- As part of the standard due diligence measures for identifying customers and collecting information, professionals must also gather and register this information regarding initiators and promoters of an investment fund supervised by the CSSF and who will be the professional’s customer.
- Verifying the identity of a natural person must involve a valid and authentic official identification document issued by a public authority. Driving licenses are once again considered an acceptable document. To fulfill their due diligence requirements, professionals may use electronic identification means described by Regulation (EU) 910/2014 as well as any electronic or remote secure, approved and regulated identification process.
- To verify the beneficial owner’s identification data, professionals can rely on information obtained from customers, central registers, or any other independent and reliable sources. However, please note that the information from central registers cannot be considered as a sole reliable source.
- When it comes to trusts, fiduciaries or any other similar legal structure, and in case the professional is not able to identify the beneficiary of a trust/fiducie/similar legal arrangement given that such beneficiary is designated by a characteristic, identification and verification might be performed at the time benefit payments are made or when the beneficial owner exercises its vested rights.