index

Preface

index

Preface
PART 2

Contact us

Tel: +352 46 36 60-1

Email: mail@abbl.lu

PART 1 - CHAPTER 2

PERSONAL SCOPE OF APPLICATION

Section 1. Financial sector professionals operating in Luxembourg

The Law applies in particular to “credit institutions and financial sector professionals (FSPs) approved or authorised to carry on their activities in Luxembourg pursuant to the Law of 5 April 1993 on the financial sector as amended (…)”, payment institutions, electronic money institutions as well as “tied agents as defined in article 1 of the amended law of 5 April 1993 relating to the financial sector and agents as defined in article 1 of the law of 10 November 2009 on payment services established in Luxembourg ”.

The circle of persons subject to professional obligations in the combatting of money laundering and terrorist financing has now been extended to include all persons acting as family offices, persons carrying on, in Luxembourg, the activity of a provider of services to companies and fiducies, providers of gambling services and bailiffs.

The law of 25 March 2020 transposing the 5th Directive (EU) 2018/843 widened the list of subject professionals, in particular to providers of virtual asset services as well as custody or administration providers.

Section 2. Application of professional obligations to foreign subsidiaries and branches of professionals operating in Luxembourg

1. General principle

“Financial institutions should be required to implement programmes against money laundering and terrorist financing. Financial groups should be required to implement group-wide programmes against money laundering and terrorist financing, including policies and procedures for sharing information within the group for AML/CFT purposes. Financial institutions should be required to ensure that their foreign branches and majority-owned subsidiaries apply AML/CFT measures consistent with the home country requirements implementing the FATF Recommendations through the financial groups’ programmes against money laundering and terrorist financing.”

Policies and procedures at group level:

Professionals forming part of a group are required to implement policies and procedures at group level, in particular data protection policies, as well as policies and procedures relating to the sharing of information within the group for the purposes of combatting money laundering and terrorist financing. Those policies and procedures must be implemented efficiently and in an appropriate manner, taking into account in particular the risks of money laundering and terrorist financing identified and the nature, particularities, size and activity of branches and subsidiaries, at the level of branches and subsidiaries in which a majority interest is held and which are established in Member States and third countries”.

“Group-wide policies and procedures include:

– the policies, controls and procedures provided for in Article 4, paragraphs (1) and (2);

the provision, under the conditions of Article 5, paragraphs (5) and (6), of information from branches and subsidiaries relating to customers, accounts and operations, when necessary, for the purposes from the fight against money laundering and the financing of terrorism, to the functions of compliance, audit and the fight against money laundering and the financing of terrorism at group level. This covers data and analyzes of transactions or activities that appear unusual, if such analyzes have been carried out, and information related to suspicious statements or the fact that such a statement has been transmitted to the FIU. Likewise, when relevant and appropriate for risk management, branches and subsidiaries also receive this information from the group’s compliance functions; and

– adequate guarantees in terms of confidentiality and use of the information exchanged, including guarantees to prevent the disclosure of information “.

Directive (EU) 2013/34 on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings defines the term “group” as : “a parent undertaking and all its subsidiary undertakings”.

As regards credit institutions and investment firms falling within the scope thereof, it will be noted that Regulation (EU) 575/2013 defines the terms “parent company”, “subsidiary” and “branch”.

Professionals will thus be required, in consultation with their subsidiaries/branches based abroad, to define a group policy to be implemented by those subsidiaries/branches, even where differences and/or specific national characteristics exist within the legal framework for combatting money laundering on the territories where those subsidiaries/branches are based.

In the implementation of that group policy, professionals must duly take account of the provisions concerning the “professional secrecy obligation” as referred to in Article 41 of the Law of 5 April 1993 on the financial sector.

Moreover, where an exchange of personal data involves a transfer of such data from a professional established in Luxembourg to an entity based in a third country which is not the subject of an adequacy decision of the European Commission, that data transfer may only be effected if it includes the “appropriate safeguards” referred to in Article 46 of the General Data Protection Regulation.

Thus, the professional must use, in particular, the legal instruments provided for to that end, such as binding corporate rules or the standard data protection clauses adopted by the European Commission, alternatively by a supervisory authority.

The law of March 25, 2020 introduced article 4-1, para I, point (b) in the Law allowing professionals of credit / financial institutions of Member States belonging to the same group to exchange information customers / accounts / transactions between group entities (including branches / subsidiaries majority owned and located in third countries), in this case only information necessary for AML purposes, especially those relating to transactions or activities unusual or the fact that a suspicious transaction report has been transmitted to the financial intelligence unit.

1.1  In a Member State

“Professionals operating establishments in another Member State shall ensure that those establishments respect the national provisions of that other Member State transposing Directive (EU) 2015/849.”

A branch/subsidiary established in another Member State must respect the national provisions of that host Member State transposing the Fourth Anti-Money Laundering Directive as amended.

1.2  “Abroad”: in a third State

“Professionals shall apply in their branches and majority-owned subsidiaries located abroad measures at least equivalent to those laid down in Directive (EU) 2015/849 or by the measures taken for their execution with regard to risk assessment, customer due diligence, keeping information and documents, adequate internal management and cooperation with the authorities.”

“Where the minimum standards on combatting money laundering and the financing of terrorism in a country where professionals have branches or majority-owned subsidiaries differ from those applicable in Luxembourg, those branches and subsidiaries shall apply the higher standard, to the extent that the laws and regulations of the host country so permit.”

“In this context, if the standards of the country in which these branches and subsidiaries are located are less strict than those provided for in Luxembourg, the data protection rules applicable in Luxembourg in the fight against money laundering and the financing of terrorism must be respected “, to the extent that the laws and regulations of the host country allow.

“Professionals shall pay particular to ensuring that this principle is complied with in respect of their branches and subsidiaries in high-risk countries.”

Thus, where the legal framework for combatting money laundering by a subsidiary or branch based in a third State features certain lacunae or is less strict than in Luxembourg, that subsidiary or branch based abroad must apply the Luxembourg rules in force.

The models and procedures concerning risk management, customer due diligence, cooperation with the authorities and with the FIU, retention of documents, internal controls, governance, the independent audit function and training must therefore be in compliance with the applicable Luxembourg rules in that regard, taking into account, moreover, the specific national characteristics peculiar to the State in which the branch or subsidiary is established.

2. Subsidiaries and branches established in third countries whose rules do not permit the application of equivalent measures

“Where a third country’s law does not permit the implementation of the policies and procedures required under paragraph 1, professionals shall ensure that their branches and majority-owned subsidiaries in that third country apply additional measures to effectively handle the risk of money laundering or terrorist financing, and inform the supervisory authorities and self-regulation bodies. If those additional measures are not sufficient, the supervisory authorities and self-regulation bodies shall implement additional supervisory measures, including requiring that the group does not establish, or that it terminates, business relationships, and does not undertake transactions and, where necessary, requesting the group to close down its operations in the third country concerned.”

This obligation is particularly relevant in respect of “higher-risk countries” as identified by the FATF.

“Institutions should ensure that their subsidiaries and branches take steps to ensure that their operations are compliant with local laws and regulations. If local laws and regulations hamper the application of stricter procedures and compliance systems implemented by the group, especially if they prevent the disclosure and exchange of necessary information between entities within the group, subsidiaries and branches should inform the compliance officer or the head of compliance of the consolidating institution.”

The fact that a third State does not authorise the subsidiary/branch of a Luxembourg professional to apply the Luxembourg anti-money laundering rules, even where additional measures to mitigate that prohibition are in place, may prompt that professional to regard itself as prohibited from carrying out transactions involving the subsidiary/branch established abroad

Commission Delegated Regulation (EU) 2019/758 (regulatory technical standards) allows professionals to refer to certain standards in the following contexts:

(1) individual risk assessments

(2) customer data sharing and processing

(3) disclosure of information related to suspicious transactions

(4) transfer and retention of data

2.1  Individual AML/CFT assessments

“Where the third country’s law prohibits or restricts the application of policies and procedures that are necessary to identify and assess adequately the money laundering and terrorist financing risk associated with a business relationship or occasional transaction due to restrictions on access to relevant customer and beneficial ownership information or restrictions on the use of such information for customer due diligence purposes”,

the professional must, at the very least:

  • inform the competent authority of the home Member State without undue delay and in any case no later than 28 calendar days after identifying the third country of the following:
    • name of the third country concerned; and
    • how the implementation of the third country’s law prohibits or restricts the application of policies and procedures that are necessary to identify and assess the money laundering and terrorist financing risk associated with a customer;
  • ensure that [its] branches or majority-owned subsidiaries that are established in the third country determine whether consent from their customers and, where applicable, their customers’ beneficial owners, can be used to legally overcome restrictions or prohibitions referred to [above];
  • ensure that [its] branches or majority-owned subsidiaries that are established in the third country require their customers and, where applicable, their customers’ beneficial owners, to give consent to overcome restrictions or prohibitions referred to [above] to the extent that this is compatible with the third country’s law.

Where the consent of the customer/beneficial owners is not feasible, credit institutions and financial institutions shall take additional measures as well as their standard anti-money laundering and countering the financing of terrorism measures, to manage risk.”

  • EXAMPLES OF ADDITIONAL MEASURES:

Article 3 of Delegated Regulation 2019/758 provides that at least two additional measures must be taken where necessary: the measure set out in point (c) of Article 8 and at least one of the measures set out in points (a), (b), (d), (e) and (f).

Accordingly, the following measure must be taken:

  • carrying out enhanced reviews, including, where this is commensurate with the money laundering and terrorist financing risk associated with the operation of the branch or majority-owned subsidiary established in the third country, onsite checks or independent audits, to be satisfied that the branch or majority-owned subsidiary effectively identifies, assesses and manages the money laundering and terrorist financing risks.

That measure must be combined with at least one other pertinent measure, such as, for example:

  • ensuring that its branches or majority-owned subsidiaries that are established in the third country seek the approval of the credit institution’s or financial institution’s senior management for the establishment and maintenance of higher-risk business relationships, or for carrying out a higher-risk occasional transaction;
  • ensuring that its branches or majority-owned subsidiaries that are established in the third country restrict the nature and type of financial products and services provided by the branch or majority-owned subsidiary in the third country to those that present a low money laundering and terrorist financing risk and have a low impact on the group’s AML/CFT risk exposure;
  • ensuring that its branches or majority-owned subsidiaries that are established in the third country carry out enhanced ongoing monitoring of the business relationship including enhanced transaction monitoring, until the branches or majority-owned subsidiaries are reasonably satisfied that they understand the money laundering and terrorist financing risk associated with the business relationship.

Where a credit institution or financial institution cannot effectively manage the money laundering and terrorist financing risk by applying the measures referred to above, it must:

  • “ensure that the branch or majority-owned subsidiary terminates the business relationship;
  • ensure that the branch or majority-owned subsidiary not carry out the occasional transaction;
  • close down some or all of the operations provided by their branch and majority-owned subsidiary established in the third country”.

2.2  Customer data sharing and processing

The reader is referred to the Delegated Regulation, having regard to the prohibition of/restriction on sharing customers’ data imposed by the third State, and the measures prescribed in relation thereto, to be carried out within the group, are similar to those mentioned above.

In short, the professional must;

  •    inform the competent authority of its home Member State;
  •    where necessary obtain the consent of its customer/the beneficial owner(s) to the transmission of information; and
  •    if need be, take the requisite additional measures to overcome the problem in cases where such consent(s) cannot be obtained. Those additional measures include the ones referred to in points (a) and (c) of Article 8.
  • where the risk of money laundering/terrorist financing is sufficiently high to necessitate other additional measures, credit institutions and financial institutions must apply one or more of the other additional measures mentioned in points (a) to (c) of Article 8.

2.3 Intra-group disclosure of information related to suspicious transactions

“The prohibition (of communication to the customer of the fact that information concerning him/her/it has been disclosed to the FIU) shall not apply to disclosure between credit institutions and financial institutions in Member States, provided they belong to the same group, or between those institutions and their branches and majority-owned subsidiaries located in third countries, on condition that those branches and majority-owned subsidiaries fully respect the policies and procedures defined at the level of the group, including procedures for sharing information within the group, in accordance with Article 4-1 or Article 45 of Directive (EU) 2015/849, and that the group-wide policies and procedures comply with the requirements laid down in this Law or in Directive (EU) 2015/849”.

This exception is to be strictly construed, in that it is applicable only in an intra-group context.

“For professionals who are part of a group, they are required to include in their group-wide policies and procedures, the policies, controls and procedures required (by the Act) and the provision (…) of information from branches and subsidiaries relating to customers, accounts and transactions, where necessary for AML/CFT purposes, to the compliance, audit and AML/CFT functions at group level.

This includes data and analyses of transactions or activities that appear unusual, if such analyses have been carried out, and information relating to suspicious reports or the fact that such a report has been forwarded to the FIU.

Similarly, where relevant and appropriate for risk management purposes, branches and subsidiaries also receive such information from the group compliance functions. Adequate safeguards for the confidentiality and use of the information exchanged, including safeguards to prevent disclosure of information, should be provided.”

“Information on suspicions that funds are the proceeds of money laundering or of an associated predicate offence, or are related to terrorist financing, reported to the Financial Intelligence Unit shall be shared within the group, unless otherwise instructed by the Financial Intelligence Unit.”

2.4 Transfer of customer data to the Member States in the context of AML/CFT supervision

“Where the third country’s law prohibits or restricts the transfer of data related to customers of a branch or majority-owned subsidiary established in a third country to a Member State for the purpose of supervision for anti-money laundering and countering the financing of terrorism, (…)”, the professional must at least inform the competent authority of the home country as indicated in point 2.1 above.

The professional must, in addition, at least:

  • carry out enhanced reviews, on-site checks or independent audits of the branch or majority-owned subsidiary established in the third country;
  • require the branch or majority-owned subsidiary established in the third country regularly to provide relevant information to the credit institution’s or financial institution’s senior management, including:
    • the number of high-risk customers;
    • the number of suspicious transactions identified and reported;
  • make the information available to the competent authority of the home Member State upon request.