THE CONTENT OF PROFESSIONAL OBLIGATIONS
PART 2 - CHAPTER 1RISK BASED APPROACH
1There exist three levels of risk assessment:
- a supranational risk assessment at European level, the results of which were published by the European Commission on 26 June 2017, updated on 24 July 2019.
- a national risk assessment to be carried out by each Member State with a view to evaluating the level of risk attaching to activities carried out in its territory.
Luxembourg updated its national risk assessment concerning money laundering and terrorist financing on 15 December 2020. A concise summary of the national risk assessment is made available to professionals.
“Each Member State shall make appropriate information available promptly to obliged entities to facilitate the carrying-out of their own money laundering and terrorist financing risk assessments”:
- Identification, assessment and proper understanding by the professional itself of the risks it faces, which must enable the latter to determine which due diligence measures will be applied to the business relationship on the basis of the materiality of the risk.
“To this end, the professional must integrate different sources into his risk management procedures, including:
- The supranational report of the European Commission on the risks of money laundering and terrorist financing (“Supra National Risk Assessment”);
- The national risk assessment for money laundering and terrorist financing (“National Risk Assessment”);
- Sub-sector ML / FT risk assessments (“sub-sector Risk Assessments”);
- The Joint Guidelines issued by the 3 European supervisory authorities (ESMA, EBA and EIOPA) on money laundering and terrorist financing risk factors (“Risk factor Joint Guidelines”);
- Relevant CSSF publications ”.
(see below, “The obligation to carry out a risk assessment”).
The risk-based approach cannot be dissociated from the notion of “risk appetite” in the combatting of money laundering.
Risk appetite should at least take into consideration factors such as the business carried on, the target clientele and undesirable customers, the geographical countries/areas concerned, and prohibited structures (…).
“The professional’s determination of his risk-based approach is necessarily based on the definition of ML / FT risk appetite, as approved by the board of directors and transposed by authorized management.
The strategy must be consistent with this approach. The AML / CFT policies, procedures and controls put in place within the professional must be consistent with the appetite for the previously defined risk. This definition and strategy must be communicated in a precise, clear and understandable manner to all the personnel concerned “.
Section 1. Identification and assessment of risks
“(…) Countries should identify, assess, and understand the money laundering and terrorist financing risks for the country, and should take action (…) and apply resources, aimed at ensuring the risks are mitigated effectively. Based on that assessment, countries should apply a risk-based approach (RBA) to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified.” This recommendation was updated by the FATF in November 2020 for professionals to identify, assess and mitigate the risks of potential breaches of non-application or bypassing of financial sanctions relating to proliferation financing.
Both the Law and CSSF Regulation n ° 12-02 require professionals to identify and assess the money laundering and terrorist financing risks to which they are exposed.
In addition to the professional’s obligation to assess the overall risk in relation to his activity, he also classifies individual risks concerning his business relationships.
The professional classifies all of his clientele according to a coherent combination of risk factors.
“Besides those cases where the risk level is to be considered as high pursuant to the Law or the Grand-Ducal Regulation, that level shall be assessed according to a consistent combination of risk factors defined by each professional according to the activity exercised and inherent to the following risk categories:
– type of customers (including client, agent, beneficial owner);
– countries and geographic areas;
– products, services, transactions or;
– distribution channels.”
“Professionals determine the scope of due diligence measures (with regard to customers) according to their assessment of the risks associated with the types of customers, countries or geographical areas and with particular products, services, transactions or distribution channels”.
The Law draws a clear distinction between, on the one hand, the obligation to carry out an assessment of the risks of money laundering and terrorist financing which the institution concerned faces by virtue of the business areas in which it engages and, on the other hand, the obligation to apply due diligence measures in relation to its customers, the extent of which will depend on the assessment of the risks regarding each customer or prospective customer.
See Part 2, Chapter 1 : “Obligations vis à vis customers”
“(1) Professionals shall take appropriate steps to identify, assess and understand the risks of money laundering and terrorist financing that they face, taking into account risk factors including those relating to their customers, countries or geographic areas, products, services, transactions or distribution channels. Those steps shall be proportionate to the nature and size of the professionals.”
That article is accompanied by three annexes (II to IV) in the Law, setting out, first, a non-exhaustive list of the risk variables which professionals should automatically take into consideration, followed by two lists of factors/elements indicative of a potentially lower risk and a potentially higher one.
“(2) Professionals consider all relevant risk factors before determining the overall risk level and the level and type of appropriate measures to apply to manage and mitigate those risks. Professionals also ensure that the risk information contained in the national and supranational risk assessment or communicated by supervisory authorities, self-regulatory bodies or European supervisory authorities is included in their risk assessment.
Professionals shall document, keep up-to-date and make the risk assessments referred to in paragraph 1 available to the supervisory authorities and self-regulation bodies. The supervisory authorities and self-regulation bodies may decide that individual documented risk assessments are not required where the specific risks inherent in the sector are clear and understood.
(3) Professionals shall identify and assess the risks of money laundering and terrorist financing which may result from the development of new products and business practices, including new
distribution mechanisms, and the use of new or developing technologies related to new or pre-existing products.
Professionals shall: (a) assess the risks before the launch or use of these products, practices and technologies; and (b) take appropriate measures to manage and mitigate those risks.
THE OBLIGATION TO CARRY OUT A RISK ASSESSMENT
Subsection 1. Factors and elements indicative of a potentially higher risk as referred to in Article 3-2 (I), second subparagraph of the Law:
The specific risks listed here are discussed in greater detail later on in this Handbook, in dedicated sections dealing with the different sectors of activity.
Professionals will take note, in particular, of a potentially higher risk in the cases referred to below:
1.1 Risk factors inherent in customers
- business relationships occurring in unusual circumstances;
- customers residing in high-risk geographical areas (…);
- legal persons or legal arrangements which are structures for holding personal assets;
- companies whose capital is held by nominee shareholders or represented by bearer shares;
- activities necessitating large amounts of cash;
- companies whose ownership structure appears unusual or inordinately complex, having regard to the nature of their business;
- the customer is a third country national who applies for residence rights or citizenship in the Member State in exchange for capital transfers, purchase of property or government bonds, or investment in corporate entities in that Member State.
On 17 October 2018 , the OECD published Recommendations concerning lists of programmes of residence and citizenship that can be obtained by investment (“Citizenship by Investment” and “Residence by Investment”) which may pose a high risk to the integrity of the Common Reporting Standard (CRS).
According to the OECD, financial institutions are required to take that list duly into account when performing their due diligence obligations in relation to fiscal transparency.
Those programmes may also be misused to conceal offshore assets by circumventing the reporting obligation under the OECD’s Common Reporting Standard.
In addition to the higher-risk factors inherent in certain customers, professionals must invariably take full account of the risk variables mentioned below in relation to their customers:
“Professionals take into consideration, in their assessment of the risks of money laundering and terrorist financing, linked to the types of customers, to the countries and geographical areas and to the specific products, services, operations or distribution channels, the risk variables linked to these risk categories. These variables, taken into account individually or in combination, can increase or decrease the potential risk and, consequently, have an impact on the appropriate level of due diligence measures to be implemented ”.
In short, the risk factors are linked to the customer himself, in light of his behaviour and of any unusual circumstances characterising the business relationship.
In some cases, the professional will be unable to agree to enter into a business relationship with a customer, either because this is prohibited by law or because the risks inherent in the customer are too high, in particular:
– where the customer appears on an official list or lists of persons/entities/groups subject to restrictive measures in financial matters in the context of combating terrorist financing;
– where the nature of the activities carried on by the customer represents an excessively high risk which cannot be mitigated or which does not correspond to the risk policy previously defined by the professional;
– where the professional is unable to offer the product/service requested by the prospective customer (e.g. acting as the custodian bank for virtual currencies, or providing a money remittance service);
– where the professional finds that the prospective customer is unable to provide the requisite guarantees, as determined by the professional concerned, evidencing fiscal transparency/conformity;
– where the professional finds that the documentation enabling it to comprehend the structure of a company/chain of companies or the economic justification for a financial arrangement is insufficient;
– any other circumstance rendering it impossible to dispel any doubts existing in the mind of the professional.
1.2 Risk factors linked to products/services/transactions/distribution channels
(a) private banking
Private banking, or more precisely the management of assets “consisting in the provision of banking services and other financial services to high-net-worth individuals”, is cited as a high-risk factor. According to the European Banking Authority (EBA), the presence of this activity amongst the risk factors is due to the risk of tax evasion. The EBA states that “wealth management firms’ services may be particularly vulnerable to abuse on the part of customers who wish to conceal the origin of their funds or, for example, evade tax in their home jurisdiction.”
In the opinion of the Joint Committee of the European Supervisory Authorities, private banking/wealth management gives rise to “a potentially higher risk”. Professionals must assess in each case the risks relating to the customer, taking into consideration a series of risk criteria or circumstances peculiar to the business relationship.
Summary (in French) of the national money laundering risk assessment [/ left-bookmark]Thus, different risk factors exist, depending on the profile of the customer wishing to enter into a business relationship.
The National Money Laundering and Terrorist Financing Risk Assessment 2020 notes that private banking is particularly exposed to money laundering risks, in particular for the complexity of certain products such as asset structuring activities.
(b) products or transactions that might favour anonymity;
(c) non-face-to-face business relationships or transactions, without certain safeguards, such as electronic identification means, relevant trust services within the meaning of Regulation (EU) No 910/2014 or any other secure, electronic or remote identification process, regulated, recognized, approved or accepted by the authorities national concerned;
(d) payments received from unknown or unassociated third parties;
(e) new products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products;
(f) transactions related to oil, arms, precious metals, tobacco products, cultural artefacts and other items of archaeological, historical, cultural and religious importance, or of rare scientific value, as well as ivory and protected species”.
1.3 Geographical risk factors
The factors/elements indicative of a potentially higher risk are as follows:
“(a) (…) countries identified by credible sources, such as mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective anti-money laundering and counter-terrorist financing systems;
(see for example the mutual evaluations or assessment reports of the FATF)
(b) countries identified by credible sources as presenting significant levels of corruption or other criminal activity (see for example the list of countries (corruption) published by Transparency International);
(c) countries the subject of sanctions, embargoes or other similar measures imposed by, for example, the European Union or the United Nations (see the list of sanctions of the Security Council of the United Nations);
(d) countries financing or supporting terrorist activities or that have designated terrorist organisations operating within their territory”.
“The supervisory authorities and self-regulatory bodies provide professionals with information on countries which do not apply or insufficiently apply measures to combat money laundering and the financing of terrorism and in particular on the concerns raised by the failures of anti-money laundering and anti-terrorist financing systems in the countries concerned.
The supervisory authorities may require credit and financial institutions to adopt one or more enhanced due diligence measures proportionate to the risks (…), in the context of business relationships and transactions with natural persons or legal entities involving such countries ”.
In addition to the above, professionals should draw up a list of countries posing a high risk of money laundering or terrorist financing.
In practice, professionals usually draw up lists classifying countries in different categories: low risk, medium risk high risk. Certain countries may present risks regarded as unacceptable by certain institutions.
Annex III provides professionals with relevant links relating inter alia to lists of countries subject to prohibitions and restrictive measures in financial matters and third countries presenting a low risk of corruption/terrorist financing.
The professional will ensure that the instructions published by the CSSF are complied with, if applicable.
1.4 International financial sanctions
A) Essentials on International Financial Sanctions
Financial sanctions are restrictive measures in financial matters, taken against certain States, natural or legal persons, entities and groups about a change of policy (domestic or foreign) or activity on the part of the States or persons designated.
The Ministry of Finance is competent to deal with all questions relating to the implementation of financial sanctions raised both by those at whom those measures are targeted and those who are called upon to apply them. Accordingly, professionals shall inform the Ministry of Finance of the enforcement of each restrictive measure (including attempted transactions) taken in respect of a State, natural or legal person, entity or group designated according to the Law of 19 December 2020 on the implementation of restrictive measures in financial matters.
In the same vein, professionals who have reported a case of sanction to the Ministry of Finance shall simultaneously address to the CSSF a copy of this report.
The CSSF remains the competent supervisory authority, which will verify professionals’ compliance with the Law on financial restrictive measures. Consequently, the CSSF will be able to apply administrative sanctions to professionals, which would fail implementing appropriate procedures/processes in this regard.
Any notification to the Ministry of Finance and associated with restrictive measures shall be made without prejudice for professionals to make, as the case may be, suspicious activity/transaction reports to the Financial Intelligence Unit.
WHAT TO DO?
In order to avoid the eventuality that a customer or prospective customer may be subject to international sanctions, professionals must have in place stringent procedures for identifying persons and monitoring transactions involving, in particular, technical resources/filtering systems based on lists of international sanctions (filtering of names, transactions and the SWIFT messaging system).
In the specific context of combatting terrorist financing and proliferation financing, banks must take into consideration, in particular:
– the Law of 19 December 2020 relating to the implementation of restrictive measures in financial matters.
The Law of 19 December 2020 repealed the law of 27 October 2010 and implements in Luxembourg the restrictive measures in financial matters adopted against certain States, natural and legal persons, entities and groups by the provisions of the resolutions adopted by the Security Council of Nations and certain acts of the European Union.
– the list of sanctions of the Office of Foreign Assets Control (United States of America) in so far as these have extra-territorial scope;
The aforementioned procedures shall cover the customer due diligence measures set out in the Law, encompassing the identification of the customers/beneficial owners but also the scrutiny/monitoring of transactions throughout the course of the customers’ relationships, ”without delay”, to ensure that funds will not be made available to States, persons, entities and groups subject to restrictive measures in financial matters.
As soon as a case of sanction is spotted, professionals should not hesitate to escalate it without delay to the Ministry of Finance and provide it with all necessary information linked to the case at hand.
The reporting of cases of sanctions to the Ministry goes hand in hand with the hard blocking of the account (cash & financial instruments) without delay, the latter being an obligation of result. Indeed, professionals shall apply without delay the required restrictive measures, hence proceed to the freezing of funds owned by the listed person.
The reporting made to the Ministry of Finance shall yet not be confused with a suspicious transaction/activity reporting made to the Financial Intelligence Unit.
Indeed, the “no-tipping off” rule obligates professionals not to inform their customers/prospects on the fact that their accounts are blocked, whereas such rule would not apply to restrictive measures in the event that no STRs/SARs were made. The list of sanctions being publicly available, customers under financial restrictive measures could eventually be informed on the fact that their accounts are frozen.
The consequences of failure to take into consideration persons/groups/entities/countries featuring in particular on those lists may considerably impact the activities carried on, and the services provided, abroad by the professional (criminal prosecutions, administrative penalties, reputation risks, substantial fines, and/or suspension/withdrawal of an authorisation or licence).
The ABBL recommends that professionals should regularly check the list of resolutions of the Security Council of the United Nations and to sign up free of charge to the Financial Sanctions Newsletter published by the Ministry of Finance. Professionals may also consult and sign up for the consolidated list of sanctions imposed by the European Union. The Ministry of Finance also provide useful tools to help professionals keep up with processing international financial sanctions. So does the CSSF with its website dedicated to international financial sanctions.
The ABBL also recommends that professionals opt to put in place an internal system possibly resembling the one illustrated below:
The European Commission stated in an opinion of 7 June 2019 that all funds and economic resources belonging to the entities listed in Annex VI of Regulation 2016/44 include interest, dividends or other incomes from assets or capital gains stemming from frozen assets.
WHAT TO DO … when the professional conducts its research?
As regards measures to freeze assets, any indications relating to pseudonyms which feature in the ID information may be taken into account, depending on their reliability. The professional must conduct its research working on the basis of reliable pseudonyms, that is to say, high-value pseudonyms considered to be of great significance for identification purposes
Unreliable pseudonyms, that is to say, low-value pseudonyms considered to be of minor importance for identification purposes, help economic operators and other actors to confirm the ID of persons at whom sanctions are targeted.
A professional may be confronted with a homonymy situation, where the surname and first name of a prospective customer are the same as those of a person listed, including where the surname is not distinguishable from the first name.
In cases of homonymy, the accounts must be closely watched and movements must be suspended. The Ministry of Finance must be alerted so that it can decide on the situation.
The fact that the surname and first name of the person concerned are the same as those of a listed person is not enough to justify concluding that the case involves one and the same person. On the contrary, there may be other information showing very clearly that it involves quite different persons. For example, such information may reveal a different geographical location, different posts and occupations, different dates of birth and/or different passport numbers.
Professionals confronted with possible cases of homonymy must seek further information before taking any decision, and must keep a written record of the results of their research. If that information, taken as a whole, manifestly shows that another person is involved, it will not be necessary or appropriate to contact the Ministry of Finance.
Where there is any doubt or if the homonymy research proves unconclusive,, the professional should contact the Ministry of Finance and suspend movements on the account(s) concerned (cash and financial instruments) pending final clarification. The availability of a limited number of pieces of information will not by itself justify the pursuit of an operation.
B) Specific clarifications related to national/international financial sanctions regime
SCREENING SCOPE of CSSF Regulation 12-02:
Professionals should implement control mechanisms that allow them, when accepting customers or monitoring the business relationships, to identify, among others:
- the persons as referred to in Articles 30, 31 and 33 of the regulation;
- the funds coming from or going to States, persons, entities or groups as referred to in Article 33 of this regulation (…)”
The name screening has to include all the accounts of customers and their transactions and shall apply to customers, proxies, initiators and beneficial owners as well as, as regards the supervision of transfers of funds, to the payer of an incoming transfer of funds and the recipient of a transfer of funds going out of the customer’s account.
Remember:
The screening scope is not subject to the risk-based approach enshrined in the Law and cannot be invoked/used by professionals when applying sanctions screening.
The identification researches carried out shall be duly documented, including in cases where there are no positive results.
Professionals also have the obligation to identify the States, persons, entities and groups subject to restrictive measures in financial matters also with respect to the assets they manage and to ensure that the funds will not be made available to these States, persons, entities or groups.
SCREENING TIMING & SCREENING FREQUENCE
Professionals have to carry out a name screening :
- before establishing a new business relationship
- before carrying out wire transfers by debit of customer account or before crediting incoming funds to customer accounts;
- on longstanding business relationships.
In its annual activity report of 2014, the CSSF stated that « Controls such as “name matching”, i.e. controls on the client database performed in relation to:
- acts directly applicable in Luxembourg, as adopted by the EU (in particular, EU regulations) and including prohibitions and restrictive financial measures against certain persons, entities or groups respectively i. in the context of the fight against terrorist financing or ii. in the context of other financial embargoes; and
- national regulatory texts concerning financial sanctions relating to the fight against terrorist financing based (on the law of 27 October 2010) implementing the United Nations Security Council resolutions (and Grand-ducal Regulation of 29 October 2010) enforcing the aforementioned law
« must be performed without delay after the publication of each new amendment ».
Such controls are independent from any other frequency of controls, of whatever type (for example, in relation to the detection of PEPs), which may have been put in place by the professional ».
“Without delay” means, in the context of the implementation of the financial sanctions, including the freeze of assets or other economic resources or other restrictive measures taken in application of the above-mentioned texts :
« a delay of, ideally, a few hours following the publication of the measures by the CSSF and/or the Ministry of Finance ». In any case, it should be interpreted in relation to the need to prevent the outflow or the dispersion of funds or other goods linked to the designated persons, entities and groups.
WHAT TO DO?
Professionals must ensure that their screening tools are updated without any delay with the names of newly designated or de-listed persons or entities after the publication of the measures by the CSSF and/or the Ministry of Finance.
Professionals must also carry out a name screening on longstanding business relationships without any delay after the publication of the measures by the CSSF and/or the Ministry of Finance and to take into account the amendments also when entering new business relationships or executing in/out wire transfers.
1.5 Risks surrounding Virtual Assets (a.k.a. crypto assets) and Virtual Asset Service Providers
Overview
In the current ecosystem of growing cross-border/digital transactions and the rapid rise of trades involving crypto assets, there is a need to understand and mitigate the ML/TF risks associated with crypto asset providers/activities. The 2018 and 2020 Luxembourg national risk assessments highlighted virtual assets (“VAs”) as one of the key emerging and evolving risks of ML/TF.
Banks are exposed to risks stemming from VAs as they are the point of contact of centralised exchange users with the traditional finance sector. Criminals using VAs for ML/TF activities need to convert VAs to fiat, or vice-versa. For these purposes, criminals use exchanges, the deposits and withdrawals from which are usually done to and from bank accounts.
Credit institutions are exposed to the risks arising from virtual currencies (“VAs”) mainly in circumstances where customers of regulated credit and financial institutions deal in VAs or where they are VASPs. The main factors contributing to the increased exposure to the ML/TF risks is the limited transparency of VAs transactions and the identities of the individuals involved in these transactions.
The FATF indeed draws attention to the top two threats related to the VAs risk landscape:
- The continued use of of tools and methods to increase the anonymity of VAs transactions putting at risk the “travel rule” (i.e., identification of the originators and beneficiaries of VA transactions), hence potentially the KYC procedures set-up by VASPs;
- VASPs registered or operating in jurisdictions that lack effective AML/CFT regulation, possibly revealing weak AML/CFT systems and procedures.
Definitions
Professionals may be involved in VAs activities or even act as Virtual Asset Service Providers (VASPs).
A virtual asset is “a digital representation of value, including a virtual currency, that can be digitally traded, or transferred, and can be used for payment or investment purposes, except for virtual assets that fulfil the conditions of electronic money and the virtual assets that fulfil the conditions of financial instruments”.
A VASP is any person providing, on behalf of or for its customer, one or more of the following services:
(a) the exchange between virtual assets and fiat currencies, including the service of exchange between virtual currencies and fiat currencies;
(b) the exchange between one or more forms of virtual assets;
(c) the transfer of virtual assets;
(d) the safekeeping or administration of virtual assets or instruments enabling control over virtual assets, including the custodian wallet service;
(e) the participation in and provision of financial services related to an issuer’s offer or sale of a virtual asset
Understanding VAs and VASPs
For financial institutions to better apprehend the ML/TF risks of their VASPs customers, it is necessary to briefly understand the ML/TF risks the latter must deal with. VASPs’ exposure to ML/TF threats is due to multiple factors, to the extent that those financial institutions are exposed to:
- Non-face-to-face business relationships
- International nature of business
- High volume of transactions
- Technological complexities of VAs/VASPs
- Anonymous properties of VAs
- High volatility and complex valuation of VAs
Potential exposure of VASPs at each ML/TF step:
Mitigation of risks (overall)
WHAT TO DO
Even though the activities of some VASPs may present a higher level of risk, professionals can adapt their risk-based approach accordingly, with a view of avoiding the kind of de-risking that may restrict digital innovation and hinder the growth of distributed ledger technology in Luxembourg. Overall, the risk appetite of professionals needs to take into consideration the various aspects of VAs and VASPs’ activities.
Professionals can mitigate the risks at hand notably by:
- Making sure that the VASPs have strong AML/CFT processes and procedures, esp. regarding compliance with the travel rule in the presence of crypto exchange platforms (“CEP”), the percentage of transactions linked to unhosted/private wallets, and the mechanisms used for sanctions screening;
- Bearing in mind that the ML/TF core red flags indicators for VASPs do not substantially differ from those encountered by financial institutions. Red flags indeed relate to transactions (size/frequency/patterns), customers’ anonymity, irregularities observed during the CDD process, source of funds or geographical risks;
- Getting acquainted with the VASPs’ business models, e.g., the counterparties they are dealing with, whether they are registered/licensed in a jurisdiction adequately supervised for AML/CFT purposes;
- Asking VASPs for a charter of compliance with AML/CFT requirements, especially for VASPs not established in Luxembourg. Luxembourg VASPs have to abide to the Law of 12 November 2004 like other local professionals; this might yet not be the case for VASPs located in other EU Member States or in third countries.
- Assessing, based on the VASPs’ location and business model, if they have adequate regulatory oversight.
You may find some additional resources related to VASPs in Annex IV (“useful links” – Virtual Assets)
Mitigation of risks for customers dealing with virtual/crypto currencies
Professionals should consider the business model of each VASP and whether or not they are:
- Operating as a VA trading platform that effects exchanges between fiat currency and virtual currency;
- Operating as a VA trading platform that effects exchanges between virtual currencies;
- Operating as a VA trading platform that allows peer-to-peer transactions;
- Providing custodian wallet services;
- Arranging, advising or benefiting from ‘initial coin offerings’ (ICOs).
WHAT TO DO
To ensure that the level of ML/TF risk associated with such customers is mitigated, professionals should not apply simplified due diligence measures.
At a minimum as part of their CDD measures, firms should:
Enter into dialogue with the customer to understand the nature of the business and the ML/TF risks it poses.
In addition to verifying the identity of the customer’s beneficial owners, carry out due diligence on senior management, including the consideration of any adverse information.
Understand the extent to which these customers apply their own customer due diligence measures to their clients either under a legal obligation or on a voluntary basis.
Establish whether the customer is registered or licensed in an EEA Member State, or in a third country, and take a view on the adequacy of that third country’s AML/CFT regime.
Find out whether businesses using ICOs in the form of VA to raise money are legitimate and, where applicable, regulated.
Should the professional associate its VASP customer/prospect with higher ML/TF risks, further mitigating measures should be considered.
Credit institutions wishing to provide Virtual assets’ services
1.6 COVID 19 Threats
The COVID-19 sanitary crisis, which is constantly evolving around time, is an opportunity for criminals to exploit the fears and threats pertaining thereto, adapting their modus operandi and engaging into new criminal activities.
Professionals should put their best efforts to maintain effective systems and controls to ensure that they are not being abused by such criminals redesigning pre-existing frauds.
- Rising ML/TF threats stemming from COVID-19:
Three core threats have been identified by the public authorities, the latter recalling that the technical means and the expertise used by criminals to fraud customers/banking employees were sky rockecting.
- Specific areas of particular vulnerability:
Six areas in the financial sector may especially be exploited by emerging threats, as follows:
-
- Online payment services
The surge in online purchases is increasing both the volume and value of online payments services, including the use of internet banking. This may create more opportunity for criminals to conceal illicit funds within a greater amount of legitimate payments made online.
-
- Clients in financial distress
Customers (individuals and legal entities) may be put in a financial distress due to the economic outcome/waves of the current sanitary crisis and therefore more inclined to to be exploited by criminals seeking to launder illicit proceeds.
-
- Mortgages and other forms of collateralised lending implying a regular repayment schedule leading to customers’ financial distress
-
- Credit backed by government guarantees whereby funds could be obtained without the intention to ever pay back the government.
-
- Distressed investment product (loss of significant value) whereby investors could be looking to minimise the losses and give criminals the opportunity to purchase/refinance the distressed assets.
-
- Delivery of aid through non-profit organisations:
Where there are increased financial flows through NPOs to higher risk countries, there may be an increased risk of illicit activity and special attention should be paid to the risks of TF
WHAT TO DO (mitigating actions)
Professionals should maintain effective systems and controls to ensure that the financial system is not abused or misused for ML/TF purposes.
The areas that professionals should pay a particular attention to are as follows:
- Transaction monitoring
Pay particular attention to any unusual or suspicious patterns in customers’ behaviour and financial flows. Professionals should take risk-sensitive measures to establish the legitimate origin of unexpected financial flows, in particular where these flows stem from customers in sectors that are known to have been impacted by the economic downturn and COVID-19 mitigation measures.
- Customer due diligence measures (CDD)
Consider how CDD measures could be strengthened, having due regard to the risk-based approach, to mitigate the impact of a lack of face-to-face contact with prospects/customers (e.g., more frequent checks against PEPs lists, performing overall additional checks for EDD purposes etc.…).
In its COVID circular, the CSSF refers to its FAQs on AML/CFT and IT requirements for specific customer on-boarding/KYC methods for the identification/verification through video chat. It is there being stated that “the verification of customer identity via live video-chat, or the use of electronic identification means, could be considered an appropriate safeguard in view of the above-mentioned requirements (i.e., lack of face-to-face contact)”.
Professionals having recourse to remote video onboarding should nonetheless still use other mitigations measures and collect additional documents for clients/BOs due diligence purposes.
- ML/TF risk assessment
Take a dynamic approach to ML/TF risk assessments and incorporate the risks associated with COVID-19 within your risks’ matrixes.
- Cooperation with authorities
Cooperation with the national authorities is key to deter ML/FT. Professionals shall regularly consult any guidance provided by either the CRF or the CSSF and try to be involved in any public private partnerships (or similar) involving national public representatives.
The FATF, in both of its COVID 19 guidance, sets out a range of actions that States and financial stakeholders could consider taking in response to the COVID 19 challenges, notably in dealing with new COVID 19 threats.
Section 2. Management and mitigation of risks
The final guidelines on risk factors published by the Joint Committee of the European Supervisory Authorities on 26 June 2017 contain specific recommendations regarding certain particular sectors of activity, whereby the risks encountered can in the right circumstances be mitigated. They are set out in CSSF circular 21/782 of 24 September 2021.
In addition, the risk management principles set out in CSSF Regulation No 12-02 must first of all be borne in mind before sectoral suggestions, as encouraged by the European Supervisory Authorities, are submitted.
2.1 Reminder of the statutory and regulatory provisions of Article 4 of the Law and of CSSF Regulation No 12-02
“Professionals shall put in place policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified at international, European, national and sectoral level and at the level of the professionals themselves.”
(…) These policies must be approved by the professional’s board of directors. The related procedures must be approved by the authorized management or by the board of directors for funds under the supervision of the CSSF “.
“Controls” covers all controls, in the broad sense of the term, put in place within the professional’s institution for the purpose of effectively managing and mitigating the ML/FT risks to which the professional is exposed, including the implementation of all procedures and monitoring of compliance by the professional with all its professional obligations in the matter
“(2) Professionals shall set the extent of the due diligence measures laid down in Article 3(2) of the Law according to the risk level assigned to each customer (…). Where enhanced due diligence measures are required pursuant to the Law or the Grand-Ducal Regulation (of 1st February 2010) or of this Regulation (CSSF n ° 12-02), all such measures shall be applied although the extent of such measures may vary according to the specific level of risk set by the professional.”
“(3) The adaptation of the extent of due diligence measures to the risk level shall take place during the identification and identity verification period (…)”
As regards Member States of the EU, there is a presumption of equivalence, accompanied by a proviso: that presumption is displaced where relevant information indicates that that presumption cannot be maintained.
The assumption that a country is to be regarded as equivalent cannot be maintained over time without regular analysis. The conclusion that obligations are equivalent must be regularly reviewed, in particular where fresh relevant information is available regarding the country concerned.
Lastly, even where a country is considered by a professional to be equivalent, this does not absolve that professional from the obligation to carry out a risk assessment upon agreeing to accept a new customer, and does not relieve it of the obligation to apply enhanced due diligence measures in high-risk cases.
2.2 Summary table of the key elements of risk mitigation
(according to the guidelines on risk factors published by the European Banking Authority on 1 March 2021)
(See also Annex III of the Law: “Indicators of a potentially lower risk”.)
Product/services risk |
|
Transaction risks |
|
Distribution channel risks |
|
Customer risks |
|
Country risks |
Moreover, Article 7(1) of CSSF Regulation No 12-02 provides: “it is for each professional to assess if a Member State or a third country imposes obligations which are equivalent to those laid down in the Law or in Directive (EU) 2015/849, according to the particular circumstances of the case. The reasons for concluding that a Member State or a third country imposes equivalent obligations shall be documented when the decision is taken and shall be based on relevant and up-to-date information (…)”. |
2.3 Mitigation of specific risk factors according to the business sectors concerned
Title II of the final guidelines on risk factors published by the Joint Committee of the European Supervisory Authorities lays down sector-specific guidelines.
It features, for example, the activities of correspondent banks, retail banks, wealth management (private banking) and electronic money issuers.
Generally, the guidelines define, first of all, the enhanced risk factors in the various sectors, going on to mention the criteria which may reduce the attendant risks.
The risk factors set out below are not exhaustive. They may be useful in supplementing those determined by the professional, who will carry out an analysis on a case-by-case:
Retail banking:
Factors increasing risk | Factors helping to reduce risk | |
Products, services, transactions |
(The Law incorporates Recommendation 15 of the) |
“Professionals must identify and assess the ML or TF risks that may result from the development of new products and new business practices, including new distribution mechanisms as well as the use of new or developing technologies in connection with new or pre-existing products ”. “Professionals must: a) assess the risks before the launch or use of these products, practices and technologies; b) take appropriate measures to manage and mitigate these risks ”. |
Customers (natural/legal persons) |
|
|
Countries |
|
|
Distribution channels |
|
|
Wealth management/private banking
Factors increasing risk | Factors helping to reduce risk | |
Products, services, transactions |
|
|
Customers |
|
|
Countries |
|
|
Distribution channels |
|
|
In the context of private banking activities in particular, professionals are referred to Annex I and to CSSF Circular No 17/650 as recently amended by Circular 20/744 of 3 July 2020 containing indicators likely to reveal possible laundering of a predicate tax offence.
Criminal tax offences and CSSF Circular No 17/650 are discussed in section 3 of Chapter 1 above.
WHAT TO DO … to detect possible laundering of aggravated tax fraud or tax evasion?
Professionals must take into account a series of indicators (listed in CSSF Circular No 17/650 and also containing indicators specific to collective investment activities) which may give rise to doubt and prompt them to submit a suspicious operation report to the FIU, in particular where:
– the customer is a legal person or legal arrangement established in a jurisdiction which is not subject to AEOI/CRS/FATCA reporting and that “entity” has no real economic or property-related existence;
– the customer is a legal person which has been the subject of numerous changes to its legal status over a short period of time;
– there exists a multiplicity of companies which have been set up in a State other than the State of the beneficial owner;
– the documentation provided by the customer shows anomalies or the customer refuses to produce documents evidencing his compliance with tax rules, or the documentation raises doubts as it has been issued by someone close to the customer;
– the professional notes a substantial increase in the movements on the account(s) occurring over a short period of time or an inconsistency between the volume of business and the movements on the bank accounts;
– the customer has recourse to a complex arrangement without any economic or property-related justification, or requests a form of assistance the aim of which could be to circumvent his tax obligations;
– the customer transfers his funds from a country regarded by the professional as risky from the point of view of fiscal transparency or resides for tax purposes in a country not subject to AEOI/CRS/FATCA reporting
(…).
It must be stressed that the presence of an indicator does not, of and in itself, justify concluding that a predicate tax offence has been committed.
Correspondent banks:
Factors increasing risk | Factors helping to reduce risk | |
Products, services, transactions |
|
|
Customers |
|
|
Countries |
|
|
Distribution channels |
|
|
Issue of electronic money:
It will be recalled that electronic money is defined as monetary value as represented by a claim on the issuer which is (i) stored on an electronic device, including a magnetic medium, (ii) issued on receipt of funds for the purposes of payment operations, and (iii) accepted by a natural or legal person other than the electronic money issuer.
It must not be confused with virtual currencies, also called “cryptocurrencies” or “virtual money”.
Factors increasing risk | Factors helping to reduce risk | |
Products, services, transactions |
|
|
Customers |
|
|
Countries |
| |
Distribution channels |
|
|
Custodian banks
The sectoral guidelines for providers of investment funds are directed primarily at investment fund managers and investment funds marketing their own shares or units, pursuant to Article 3(2), points (a) and (d) of the 4th AML Directive. They are none the less relevant for custodian bankers of investment funds:
Factors increasing risk | Factors helping to reduce risk | |
Products, services, transactions |
|
|
Customers |
|
|
Countries |
| |
Distribution channels |
|
|
In brief:
Depending on the activity carried on/the services provided, the professional must identify all the attendant risks, preparing a summary thereof in order to determine the overall risk attaching to the business relationship or the transaction envisaged.
It is that risk assessment, carried out in accordance with the criteria laid down by, in particular, the Law, the regulations and circulars of the CSSF, the joint guidelines published by the European Supervisory Authorities, the European Commission, and the recommendations of the FATF or other European and international sources, which will enable the professional to assess, in its own discretion, the level of risk that it is facing.
As soon as the acceptable risk level is exceeded, the professional must strive to “take appropriate due diligence measures to manage and mitigate those risks” (see Article 2‑2(3) of the Law).
ASSESSMENT OF ML/FT RISKS BY THE CSSF
Since 2017, the CSSF has each year been carrying out an inquiry by gathering standardised key information concerning money laundering and terrorist financing risks to which the professionals under its supervision are exposed, as well as the measures to mitigate the risks taken on by those professionals.
The CSSF refers, in particular, to FATF Recommendation 1 with regard to the risk-based country approach, and to the 4th AML Directive.
The answers provided by the professionals to the CSSF’s “risk questionnaires” allow the latter to assess whether the prevention/mitigation measures put in place by the professional concerned are appropriate to counter the risks actually facing that professional. The CSSF gives each institution an account of the results of that analysis.
RISKS AND DUE DILIGENCE MEASURES
The due diligence measures are set out in Chapter 2 below, under the heading “Obligations vis-à-vis customers”. However, it is useful already at this point to briefly cite the three levels of risk of money laundering set out in the Law:
(1) “Low” risk (lower risk of money laundering): Article 3-1 of the Law describes, in a non-exhaustive manner, the conditions in which simplified due diligence measures are sufficient. The application of simplified due diligence measures must be based on a risk assessment demonstrating the low level of the risk.
(2) “Real” risk (due diligence obligation de vigilance as prescribed by Article 3 of the Law)
Apart from in high-risk situations as defined by the authorities, it is for each professional to determine its own risk-management policy, reflecting its type of business relationships, its customer base, the services and products offered by it and the countries with which it has dealings.
That approach must take into consideration both the elements increasing risk and those reducing it.
The classification of customers in a “risky customer” category will not necessarily arise from a single criterion but may result from a bundle of risk factors. An accumulation of risk factors should prompt the professional to investigate in greater detail the reasons for the business relationship, to obtain additional documentation, to examine attentively the operations carried out, to pursue follow-up measures and to carry out periodic reviews.
(3) “High” risk (enhanced due diligence measures): Article 3-2 of the Law determines those situations in which professionals are required to apply enhanced due diligence measures in relation to their customers.
In addition to those levels of due diligence, an absolute prohibition may be imposed, forbidding all contact concerning persons or entities subject to an embargo (measures to freeze funds or other terrorist assets – see in particular the European Union’s consolidated list of sanctions).
Annex IV provides various additional references and tools relating to the risk-based approach