OBLIGATIONS VIS-À-VIS CUSTOMERS
“Financial institutions should be prohibited from keeping anonymous accounts or accounts in obviously fictitious names”. Thus, professionals are obliged to take due diligence measures vis-à-vis their customers in certain clearly defined situations, in particular:
(i) when establishing business relations;
(ii) when carrying out occasional transactions (subject to conditions);
(iii) where there is a suspicion of money laundering or terrorist financing;
(iv) where there is any doubt about the veracity or adequacy of previously obtained customer identification data.
The professional must identify and verify, in particular, the identity of its customer and that of the beneficial owner, including legal persons and legal arrangements, obtain information on the purpose and intended nature of the business relationship and conduct ongoing due diligence with regard to that relationship.
The identification operation consists in possessing the name and identity of the customer. Thus, the identification can be done by the fact of completing a form requesting entry into a business relationship and indicating on that form the number of an identity document.
“The verification operation, for its part, consists in making the link between the information provided and the reality of the situation by making sure that the identity stated does indeed relate to the person with whom one is dealing, that that person really exists and that the documents, data and information are respectively reliable and probative.” ref. T. POULIQUEN, La lutte contre le blanchiment d’argent, Promoculture-Larcier 2014, p. 250.
WHAT DOES THE DUE DILIGENCE OBLIGATION CONSIST OF?
“Customer due diligence measures shall comprise:
- identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source including, where applicable, electronic identification means and trust services provided for in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions within the internal market (…), or any other secure, electronic or remote identification process, regulated, recognized, approved or accepted by the national authorities concerned;
- identifying (…) the beneficial owner and taking reasonable measures to verify his identity, using information or data obtained from a reliable and independent source, so that the professionals are satisfied that they know who the beneficial owner is, including, as regards legal persons, fiducies, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer; (…)
- assessing and understanding the purpose and intended nature of the business relationship and, as appropriate, obtaining information on the purpose and intended nature of the business relationship;
- conducting ongoing due diligence with regard to the business relationship, including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the professional’s knowledge of the customer, the business and risk profile, and by ensuring that documents, data or information used in the exercise of customer due diligence remain up-to-date and relevant. To this end, the professionals examine the existing elements, and this in particular for the categories of customers presenting the higher risks”.
Section 1. Customer due diligence measures
WHEN IS DUE DILIGENCE TO BE EXERCISED?
Professionals shall apply customer due diligence measures in the following cases:
a) when establishing a business relationship;
b) when carrying out an occasional transaction that:
- amounts to EUR 15 000 or more, whether this transaction is carried out in a single operation or in several operations which appear to be linked; or
- constitutes a transfer of funds, as defined in Article 3, point (9) of Regulation (EU) 2015/847 (…), exceeding EUR 1 000.
“The threshold of EUR 1,000 (…) is also applicable to occasional transactions by virtual asset service providers.”
There exists no definition in Luxembourg law of the terms “occasional transaction” or “occasional customer”.
WHAT TO DO?
The ABBL recommends that professionals should refer to the following definitions:
“An occasional customer is a passing customer who requests the intervention of a financial organisation for the carrying-out of an isolated operation or a series of linked operations (…).”
“(…) where a person hands over cash to a financial organisation with a view to its being paid into an account of one of the latter’s customers, and that person has not been mandated by that customer to act on his or her account, the person in question shall be regarded as an occasional customer. The organisation shall identify that person and verify his or her identity, save where it is already in a business relationship with that person.”
“(…) a person shall be deemed to be an occasional customer where he or she approaches (a professional subject to supervision) exclusively with a view to preparing or carrying out a one-off operation or obtaining assistance in the preparation or carrying-out of such an operation, whether the same is carried out in a single transaction or in a series of apparently linked operations.”
The professional must carry out the due diligence measures prescribed in relation to “occasional customers” or customers carrying out an occasional transaction, in accordance with the risk(s) identified.
(…)
c) when there is a suspicion of money laundering or terrorist financing, regardless of any derogation, exemption or threshold;
d) when there are doubts about the veracity or adequacy of previously obtained customer identification data.”
Professionals are required to apply the customer due diligence procedures not only to all new customers but also, “at appropriate times”, to existing customers based on their risk assessment, taking into account the existence and timing of previous customer due diligence procedures, or when the relevant elements of a client’s situation change or when the professional, during the calendar year under review, is required, due to a legal obligation, to contact the client in order to review any relevant information in relation to the beneficial owner(s) or if this obligation fell to the professional pursuant to the amended law of 18 December 2015 on the Common Reporting Standard (CRS)”.
The definition of “appropriate times based on risk assessment” is given in the Grand Ducal Regulation of 1 February 2010 as amended.
“This includes one of the following situations:
- a significant transaction occurs;
- the standards relating to customer identification documents change substantially;
- in the field of banking, a significant change occurs in the way a client’s account operates;
- the professional becomes aware of a change in the way a client’s account is managed;
- the trader becomes aware that he does not have adequate information about a client.
Professionals must be able to demonstrate to the supervisory authorities or self-regulatory bodies that the extent and frequency of customer due diligence measures are appropriate in view of the risks of money laundering and terrorist financing”.
Subsection 1. The acceptance process
1. Policy for accepting new customers
The notion of entering into contact with a customer covers all possible forms of contact, including conversations taking place within the bank’s premises, correspondence by post, telephone calls and exchanges by electronic means (for example the internet).
Mere requests for information which are not followed up by the prospective customer are not to be regarded as an entry into contact.
By contrast, the pre-contractual phase, which begins with an exchange of information and is characterised by the commencement of negotiations concerning the conditions for entering into a business relationship, is to be defined as an “entry into contact”.
1.1 Implementation of the appropriate procedures
“Professionals shall decide on and put in place a customer acceptance policy which is adapted to the activities they carry out, so that the entry into business relationship with customers may be submitted to a prior identification, assessment and understanding of risks (…)”.
The customer acceptance procedure must, in concrete terms, take the form of an analysis of the risk factors carried out in advance by the professional concerned, since the risks concerning the business relationship or the transaction will determine whether or not the proposed business relationship/transaction is concluded.
1.2 Anticipatory nature of the identification and of verification of identity process
Professionals are required to formalise the procedure for identifying prospective customers/customers (natural/legal persons) in their “KYC: Know your customer” documents.
The identification of the customer/beneficial owner forms only a part of the “KYC” procedure, which contains a plethora of crucial supplementary information for assessing the attendant risks and proceeding, where appropriate, with the entry into a business relationship.
“The customer acceptance policy shall require the documentation of all contact, no matter in which form, and shall notably envisage a customer questionnaire adapted to the nature of the contact and the business relationship. When entering into a new business relationship with a company or other legal entity, a trust or a legal arrangement with a structure or functions similar to those of a trust, for which information on beneficial owners should be registered under Article 30 or 31 of Directive (EU) 2015/849, professionals collect proof of registration or an extract from the register”.
“The verification of the identity of the customer and of the beneficial owner shall take place before the establishment of a business relationship or the carrying-out of the transaction.”
“However, the verification of the identity of the customer and the beneficial owner may be completed during the establishment of a business relationship if this is necessary in order not to interrupt the normal conduct of business and where there is little risk of money laundering or terrorist financing occurring. In such situations these procedures shall be completed as soon as practicable after the initial contact and professionals take measures to effectively manage the risk of money laundering and terrorist financing”.
“(…) Professionals can enter into a business relationship, open a customer account or carry out a transaction for an occasional customer before or while the identity of the customer and the beneficial owner is verified (…) provided that the following conditions are met:
- the risk of money laundering and terrorist financing is low and managed effectively;
- it is necessary not to interrupt the normal course of business;
- identity verification is carried out as soon as possible after the first contact with the customer. The impossibility of verifying the identity of the client and the beneficiary within the time limit prescribed by internal rules must be the subject of an internal report which will be sent to the control manager for the required purposes;
- sufficient measures are in place so that no outflow of assets from the account can be made before the completion of the verification check;
(…)”
It may be “permissible for verification to be completed after the establishment of the business relationship, because it would be essential not to interrupt the normal conduct of business”, for example in the case of:
- “non face-to-face business”;
- “securities transactions. In the securities industry, companies and intermediaries may be required to perform transactions very rapidly, according to the market conditions at the time the customer is contacting them, and the performance of the transaction may be required before verification of identity is completed.”
1.3 The Acceptance Committee or “written authorisation from a specifically appointed superior or body”
“(…) The acceptance of a new customer shall be submitted to a superior or to a specifically appointed professional body for written authorisation by providing for an adequate hierarchical decision-making level, and for customers with a higher level of risk, at least the systematic intervention of the compliance officer”.
“The acceptance of a new client with a low ML/FT risk, following the risk-based approach as implemented by the professional, can be carried out on the basis of an automated acceptance process not involving the intervention of a natural person on the professional’s side, so as to constitute an effective and reliable alternative to validation by a natural person of the professional.
This process must have been configured and professionally tested beforehand and regularly through the analysis of its robustness. This process must be in line with the professional’s AML/CFT policies and procedures and the instructions to be issued by the CSSF”.
In accordance with current practice, an examination by a so-called new business relationships committee (or “acceptance committee”) is recommended, particularly in certain cases requiring the authorisation of an executive, but also depending on the nature of the relationships or persons concerned. Not all account openings need to be referred to the new business relationships committee, but it must be called upon to examine at least those which meet certain criteria, particularly those involving a degree of risk. The determination of the risk level must take into account, in particular, the risk factors set out above in Chapter 1 of Part II (“Identification and assessment of risks”) of this Vade Mecum.
It is recommended that responsibility for the entry into a business relationship should not lie with a single person and that the new business relationships committee should be composed of persons from different departments within the professional’s organisation (for example the executive management, the sales and marketing department, the legal department, the compliance officer, etc.).
As regards risky customers, the requirements relating to documentary evidence, particularly documents proving the origin of funds, are more stringent. The quantity and quality of the information (supporting documents) required in relation to the customer and the beneficial owner must likewise meet a high standard.
For clients who present a low risk in terms of money laundering, CSSF Regulation No. 20-05 of 14 August 2020 introduces the possibility of using an automated acceptance system that does not require human intervention. This formalises a market practice, or at least encourages the use of such a system where the risk of money laundering is low, in view of the increasing digitalisation of services.
1.4 Questionnaire concerning entry into a business relationship
“The customer acceptance policy shall require the documentation of all contact, no matter in which form, and shall notably envisage a customer questionnaire adapted to the nature of the contact and the business relationship.”
“The customer acceptance policy shall also provide for procedures to be followed when there is a suspicion or reasonable grounds for suspicion of money laundering, an associated predicate offense or terrorist financing in case contact with a possible customer fails. The reasons for a customer or professional to refuse to enter into a business relationship or to execute a transaction shall be documented and kept (in accordance with the terms of CSSF Regulation No 12-02), even if the professional’s refusal does not ensue from the observation of a money laundering or terrorist financing indication.”
2. Identification of customers and verification of their identity
The customer must be identified, and his/her identity verified, on the basis of documents, data or information emanating from a reliable and independent source, including, where applicable, electronic identification means and relevant trust services provided for in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and services of trust for electronic transactions within the internal market (…)” or any other secure, electronic or remote identification process, regulated, recognized, approved or accepted by the national authorities concerned”.
2.1 Customers who are natural persons
2.1.1 The account-holder
“For the purposes of the identification of customers pursuant to Article 3 paragraph 2, subparagraph 1, point a) and subparagraph 2 of the Law, the professionals shall gather and register at least the following information:
- surname(s) and first name(s);
- place and date of birth;
- nationality (-ies);
- full address of the customer’s main residence;
- where appropriate, the official national identification number.”
“The information listed in point 1 above is to be collected and recorded also for the initiators, the promoters who are at the basis of the launch of an investment fund under the supervision of the CSSF who will be the professional’s client”.
Verification of the identity of a customer who is a natural person
(1) “The verification of the identity, within the meaning of Article 3(2)(1)(a) of the Law, of customers who are natural persons shall be made at least with one valid authentic identification document issued by a public authority and which bears the customer’s signature and picture such as, for instance, the customer’s passport, his ID, (…) his residence permit, his driving license or any other similar document.”
“Electronic identification means, including the relevant trust services provided for by Regulation (EU) No. 910/2014 or any other secure, electronic or remote identification process, regulated, recognized, approved or accepted by the national authorities concerned may be used by the trader to fulfill his obligation of vigilance referred to in Article 3 (2), subparagraph 1, point a) of the Law”.
(2) “According to the risk assessment, and without prejudice to other enhanced due diligence obligations, the professionals shall take additional verification measures such as, for example, the verification of the address indicated by the customer through the proof of address or by contacting the customer, among others, per registered letter with acknowledgement of receipt.”
See the tables contained in Annex V “Documents” relating to the due diligence obligations with regard to customers who are natural persons.
The practice regarding documentary requirements may vary from one establishment to the next, and may sometimes be more restrictive than the regulatory requirements. The legislative and regulatory framework in Luxembourg allows professionals, in appropriate circumstances, a certain discretion as regards the choice of the documentation to be used for the purposes of identifying a customer who is a natural person.
Thus, the professional may usefully refer to the recommendations/good practices concerning the identification of customers published by professional associations (e.g. ALCO, IRE) or by the supervisory authorities for the banking/financial sector or others (AED).
Exceptional situations:
Some customers may also hold specific documents (e.g. a “carte de forain” (travelling showman’s card), “carte de séjour” (residence permit), “livret de famille” (family record book), etc.), assessment of the relevance of which is left to the discretion of the professional, but which do not in themselves provide complete identification. In such situations, it is appropriate, as indicated above, to obtain other documents emanating from a reliable and independent source which supplement the documents of a specific nature provided by the customer.
Where an official identity document does not contain a signature, the professional must demand an additional supporting document. A clear link must be established between the identity of the customer and his/her signature. The additional supporting document must, in such cases or in an exceptional situation, contain the requisite confirmatory information with regard to the identification of the customer.
A few examples of possible supplementary documentation requirements regarding customers who are natural persons:
– Document of title proving ownership of the principal residence, rent receipt less than three months old, home insurance certificate, documents evidencing liability to pay housing tax, property tax, municipal taxes, official document showing entitlement to subsidies from the State;
– Certificate of nationality, naturalisation certificate, veteran’s card, movement card issued by the military authorities, invalidity card;
– Internet/mobile telephone invoices less than three months old (on paper or in dematerialised form);
– Most recent notice of assessment/non-assessment to tax, pay slips indicating the principal residence, official pension document indicating the principal residence, official grant of a tax credit, various State allowances (family allowances, invalidity allowances, etc.);
– Administrative summons, formal notice to pay or perform, process served by a bailiff/process server, etc.
A driving licence may also constitute an official document proving the customer’s identity or supplementing other documents in the customer’s file, especially for customers residing in third countries.
A few examples of various situations:
- In order to be able to deal with the documentary evidence efficiently, it is current practice systematically to take copies of ID documents.
- Professionals must pay special attention to unusual situations, such as the absence or temporary nature of the place of residence of a customer (for example, a suite in a hotel, a post office box, etc.). Professionals must check to ensure consistency between all the items of information received by them regarding the identification details. Where there is any inconsistency (for example as to the address) or insufficient information, the provision of additional supporting documents must be requested.
Entry into a business relationship may only be agreed to by a professional if the latter is in possession of all the documents which it has asked its customer to provide.
2.1.2 The authorised agent/attorney of a customer who is a natural person lacking legal capacity or a minor
The powers of representation of the legal representatives of customers who are natural persons lacking legal capacity, i.e. who are the subject of guardianship/supervision measures (or analogous measures), or minors, must be verified by means of documents evidencing the situation.
The identification and verification of the identity of the customer’s authorised agent/attorney must, in addition, be done in the manner described in point 2.1.1. The professional must take copies of the documents provided.
A “livret de famille” (family record book) is sometimes used in the case of the opening of an account in the name of a minor by a person of full age. In such cases, the identity of the latter must be verified, together with the link between that person and the minor.
It is recommended that a copy of the minor’s identity document be obtained, if he/she possesses one, and by no later than the time when he/she reaches full age. Generally, it is recommended that professionals ask the customer to inform them of any change occurring in the customer’s legal status.
2.1.3 The particular case of the status of a refugee or an AIP (applicant for international protection)
Although attestation of the lodging of an application for international protection constitutes only part of the verification of the identity of a customer within the meaning of the Law, it will be noted that this bears the stamp of the Ministry of Foreign Affairs as well as the signature of an official within that Ministry, together with the ID photograph of the applicant for protection, his/her signature and ID indications as required by Article 16 of CSSF Regulation No 12-02.
Subject to its being valid, such an attestation may be regarded as acceptable for the purposes of opening a bank account in Luxembourg offering basic financial services, on condition that the risks resulting therefrom are mitigated by the terms and conditions of use of that account and the application of enhanced due diligence measures in the particular cases concerned.
Banks should also monitor the behaviour of the applicant for asylum in terms of the nature, amount, origin/purpose of the transaction concerned, etc. so as to be able to spot potentially suspicious transactions and to intervene in an adequate manner, where necessary in accordance with Article 5(1)(a) of the Law.
Banks should regularly review the risk profile of the applicant for asylum in question, with a view to checking that his/her profile is still appropriate, in particular after several months have elapsed, in order to verify any development in the status of the person concerned.
Banks should also reject a request for the opening of a bank account offering basic services where the opening of such an account would entail a breach of the provisions applicable in relation to the prevention of money laundering and the combatting of terrorist financing.
It is suggested that any request for the opening of an account by or for an applicant for international protection, or any identity check carried out in the context of a banking transaction, should be dealt with on the basis of a document fulfilling the following characteristics:
1 – Statement of the main ID information details prescribed by Article 16 of CSSF Regulation No 12-02 (bearing in mind that it is not mandatory to state the address), AND
2 – Presence of an ID photograph of the applicant for protection, AND
3 – Presence on the document of a stamp of the Ministry of Foreign Affairs or of the OLAI (Luxembourg Reception and Integration Agency), OR
4 – Presence on the document of a signature of a representative of the Ministry of Foreign Affairs or of the OLAI.
Any documentation not including all of the characteristics set out above will be accepted by the professional at its own risk, it being understood that an exception may be made as regards any attestation of the lodging of an application for international protection which bears a stamp or the words “Rejected” or “Annulled”, but only provided the following conditions are fulfilled:
– the acceptance of such an attestation (bearing the stamp or the words “Rejected” or “Annulled”) is permissible only for the identification of the applicant for international protection in the context of transactions carried out on or from an account (and not for the opening of that account);
– as long as the account of the applicant for international protection records the crediting of sums coming from the Ministry of Foreign Affairs and/or the OLAI.
The absence of payments coming from those authorities may mean that the application has been rejected and warrant further research/checks on the part of the establishment concerned.
2.1.4 The validity of a French identity card which expired less than 5 years ago
Under the French rules, since 1 January 2014, the duration of the validity of the national identity card has been extended from 10 to 15 years for persons of full age (aged over 18). The five-year extension for identity cards concerns:
- new secure identity cards (plastic cards) issued as from 1 January 2014 to persons of full age;
- secure identity cards (plastic cards) issued between 2 January 2004 and 31 December 2013 to persons of full age.
If the identity card was issued between 2 January 2004 and 31 December 2013, the five-year extension of the validity of the card is automatic. The validity date appearing on the document will not be changed. For cards that appear on their face to have expired but the validity of which has been extended for 5 years, the Luxembourg State has officially confirmed that these will be accepted by it as travel documents.
A French national may validly use the above-mentioned French identity card, appearing on its face to have expired but still valid in consequence of its having been extended for a further 5 years following an initial issue/validity period of 10 years, in the context of entering into a business relationship with a credit institution.
The professional must determine, in its discretion and applying a risk-based approach, whether to accept a French identity card that has expired, and must, where necessary, request other documentary evidence relating to the identification of its customer.
2.1.5 Electronic means of identification and of verifying the customer’s identity
A. The due diligence measures in relation to customers include the following:
“identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from reliable and independent sources, including, where available, electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services (…), or any other secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities”.
Professionals may have recourse to video conferencing by using software developed by themselves or by an external supplier, or may delegate that “on-boarding” video function to a third party. Only a natural person trained for that purpose may use the video conferencing system and deal directly with the prospective customer, thereby de facto excluding the sole intervention of a robot without any additional safeguards.
Only natural persons (the customer, the customer’s statutory representative or authorised agent/attorney, a co-holder of the account or a beneficial owner) may use the function and be identified by the professional.
The video conferencing tool may only be used if the professional has no suspicion of any money laundering/terrorist financing and there can be no dispute as to the veracity and relevance of the documents submitted in advance by the customer.
During the identification of the customer, the data appearing on the identity documents must be clearly legible and clearly identifiable (good lighting conditions, the customer must not be disguised or wearing any headgear that covers part of his or her face, etc.). Only official identity documents emanating from the issuing country and containing optical security devices (holograms, special printing features, etc.) are authorised for the verification procedure. Annex V of the Vademecum contains a convenient link to the online public register of authentic identity and travel documents for citizens worldwide, as established by the Council of the European Union.
The professional must guarantee the efficacy and reliability of the system and remains at all times answerable for compliance with the due diligence obligations incumbent on it in relation to its customers.
WHAT TO DO?
Professionals wishing to make use of video facilities/systems for the purposes of onboarding customers remotely shall get in touch with the CSSF to describe the systems they intend to operate. The CSSF may provide useful comments, which should be duly taken into consideration before making use of the system.
The opinion of the Joint Committee explores, in particular, the ways in which the innovative solutions currently used by financial sector professionals can help them to better fulfil their AML/CFT obligations. For example, the solutions involving non-face-to-face verification of the identity of customers may contain special functionalities making it possible to determine whether the identity document produced really belongs to the person producing it, by combining a number of parameters such as, in particular, biometric facial recognition, document security features and optical character recognition.
Those innovations can also considerably improve the transaction monitoring processes of credit and financial institutions by automating them and making it possible instantaneously to extract relevant data from a number of different databases.
At the national level, as regards the interoperability/cross-border use of trust services supplied by “trust services providers” as defined in Regulation (EU) No 910/2014 and consisting notably in the creation, verification and validation of electronic signatures, electronic seals (…), electronic registered delivery services and certificates related to those services, the Luxembourg portal “qualité.lu” of ILNAS (the national control body) produces the Luxembourg list of such trust service providers (that is to say, in practice, LuxTrust).
At the European level, the European Commission likewise publishes a list of trust service providers.
The customer’s identity must be verified by the professional by means of real-time audio-visual communication, making sure that appropriate technical media are used. The professional must take care to check the authenticity of the customer’s ID documents, in particular via the reading and decryption of the optical security devices contained in the documents supplied by the customer and other elements chosen by the professional.
Under Regulation (EU) No 910/2014, since 1 July 2016:
“1. An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.
2. A qualified electronic signature shall have the equivalent legal effect of a handwritten signature.
3. A qualified electronic signature based on a qualified certificate issued in one Member State shall be recognised as a qualified electronic signature in all other Member States.”
In addition, the legal value attaching to an electronic signature is stated in the Civil Code:
“The signature required for the perfection of a private document shall identify the person appending it and shall manifest his/her willingness to adhere to the content of the document. It may be in manuscript or electronic form.”
B. Specific measures to be adopted by the trader in the case of a non-face-to-face business relationship
“Where the client is not physically present or has not been met by or on behalf of the trader for the purpose of identification, a so-called “non-face-to-face” relationship, and the trader has not taken the necessary guarantees as set out in Annex IV, point 2) c) of the Law (i.e. not accompanied by guarantees such as electronic means of identification within the meaning of Regulation (EU) No 910/2014 or any other secure electronic or remote identification process regulated, recognised, approved or accepted by the relevant national authorities) specific measures must be applied by the trader to compensate for the potentially higher risk presented by this type of relationship”.
The specific measures to be taken in this case may include:
- “measures to ensure that the identity of the client is established by means of additional documents, data or identifying information;
- additional measures ensuring verification or certification by a public authority of the documents provided;
- a confirmation statement from a credit or financial institution subject to the Act or subject to equivalent professional obligations in relation to AML/CFT;
- measures to ensure that the first payment of transactions is made through an account opened in the customer’s name with a credit or financial institution subject to the Act or subject to equivalent professional anti-money laundering and anti-terrorist financing requirements.”
This list of additional measures to be adopted in case of entering into a business relationship at a distance and in the absence of the necessary guarantees as referred to in particular in Regulation (EU) n°910/2014 was introduced by CSSF Regulation n°20-05 and is not exhaustive. The professional is free to adopt other measures that he deems useful.
2.1.6 FATF Guidance on digital identity
Digital ID simply refers to the use of technology in asserting and proving identity.
Section III of the Guidance is the most relevant, as it pertains to customer due diligence standards. Overall, the guidance should help professionals understand whether a digital ID is fit for customer due diligence purposes, having first understood the attributes of a digital ID system.
A. Briefly summarising the digital ID process (appendix A of the FATF guidance)
As shown above, the digital ID process mostly entails two components:
- Identity proofing and enrolment
The first step consists in answering the simple question “who are you?”, by collecting attribute evidence relating to the customer, here an individual (documentary or digital, bearing in mind that biophysical, biomechanical and behavioral biometrics do exist).
Validation then ensures that the evidence collected is genuine, followed by verification, which confirms that the validated identity does indeed relate to the customer undergoing the process.
- Authentication and identity lifecycle management
This part of the ID process could be briefly summarised as “Are you the one you say you are?”.
As stated by the FATF, “the more factors an authentication process employs, the more robust and trustworthy the authentication system is likely to be”. Once the customer has been successfully proofed and enrolled in a digital ID system, the authentication process guarantees to the professional that the person presenting the credential is really the person to whom it belongs.
The common authentication factors can be best summarised as follows:
Lifecycle management merely refers to the steps professionals will have to take in response to events affecting credentials (loss, theft, etc.).
B. Making sure that a Digital ID system is suitable for customer due diligence purposes
Apart from the CSSF guidance on video chat and the fact that the CSSF will eventually be consulted on any digital ID onboarding system used or set-up by a professional, there is no specific Luxembourg guidance on the suitability of a digital ID system which will be used to onboard customers.
Therefore, the FATF illustration below, combined with a risk-based approach, will come in handy for professionals in selecting the right system and making sure that it comes with the right assurance level:
WHAT TO DO?
- Use antifraud and cybersecurity systems/processes to support digital identity proofing and/or authentication as part of AML/CFT efforts.
- Make sure that the CSSF can obtain the underlying identity information and evidence or digital information needed to identify and verify the identity of your customer/prospect.
2.2 Customers that are legal persons
2.2.1 Identification of customers that are legal persons
“For the purposes of the identification of customers [that are legal persons or legal arrangements], professionals shall gather and register at least the following information:
- name;
- legal form;
- address of the registered office and, if different, a principal place of business;
- where appropriate, an official national identification number;
- the name of the directors (dirigeants) (for legal persons) and directors (administrateurs) or persons holding/occupying similar positions (for legal arrangements) and involved in the business relationship with the professional;
- provisions governing the power to bind the legal person or arrangement;
- authorisation to enter into a relationship.”
“The information listed in point 1 above must also be collected and recorded for the initiators, promoters who are behind the launch of an investment fund under the supervision of the CSSF which will be the client of the professional.”
Opening an account for a company in the process of incorporation before completion of the identity verification measures
A professional may open an account for a company in the process of incorporation, insofar as the following conditions are met:
“- the professionals shall identify and verify the identity of the company’s founders pursuant to (…) the Law. They shall receive a declaration from the founders stating that they act, either for their own account or for the account of beneficial owners which they name, and where appropriate, the professionals shall take measures to identify and verify the identity of the beneficial owners pursuant to (…) the Law;
– at the earliest opportunity after the incorporation of the company, the professionals shall complete the measures for the identification and verification of the company’s identity (…) as well as, where applicable, of the beneficial owners (…). The impossibility to verify the identity of the founders, the company and the beneficial owners within the timeframe set by the internal rules shall be subject to an internal report which will be transmitted to the AML/CFT compliance officer for the required purposes;
– sufficient measures shall be put in place so that no exit of assets from the account can be carried out before completing this verification.”
A professional may be held liable if it allows a customer which is a legal person to make use of funds before the identification of that customer has been completed.
It is recommended that professionals refrain, at least until they have received the documents or information required, from activating the accounts of legal persons that have not yet been satisfactorily identified. In such cases, the professional concerned must take the requisite measures, inter alia by blocking the account so as to prevent any outflow of funds.
2.2.2 Measures for the identification and verification of the identity of the proxy/proxies (“mandataire(s)”) of a customer which is a legal person
The proxy (“mandataire”) holds an authority from the legal person empowering the former to act in the latter’s name; the professional must proceed to identify, and to verify the identity of, the proxy or proxies in question, including where the proxy is itself a company (that is to say, a legal person), applying a risk-based approach. Where the proxy is a company, its statutory representative must also be identified and that representative’s identity verified.
Only the powers of representation of the person(s) acting on behalf of the client “in the context of the business relationship with the professional” will be subject to verification. Professionals will thus not have to systematically identify and verify the identity of all persons holding a power of attorney on behalf of the legal person client.
The proxy or proxies (“mandataire(s)”) must not be confused with the person or persons appearing on a list of authorised signatories provided by a customer that is a legal person. In practice, professionals are given the names of numerous authorised signatories (either in a printed list or in computerised form). Those persons are neither statutory representatives of the legal person nor its beneficial owners. Thus, they are not subject to the same identification obligations as the proxies (“mandataires”) of a customer that is a legal person.
Accordingly, there is no need to verify the identity of the persons appearing on a list of signatories, but professionals are recommended to register their names, not least for the purposes of “name screening”.
“Professionals shall also take note of the powers of representation of the person(s) acting on behalf of the client within the framework of the business relationship with the professional and shall verify them by means of documents likely to be used as evidence, of which they shall take a copy, if necessary in electronic (digital) form.”
“This includes (…) :
- “(…) natural or legal persons authorised to act on behalf of customers pursuant to a mandate;
- persons authorised to represent customers which are legal persons or legal arrangements in the relations with the professional.”
- For companies:
The complete documentation relating to a legal person must be such as to make it possible to trace the logical sequence of appointments and delegations of powers, by reference to the articles of association and the designation of the members of the board and thence to the delegation of power(s) to the persons who bind the company vis-à-vis the professional.
As regards the gathering of information concerning the identity of the executives and directors of companies, professionals must, as a minimum, identify and verify the identity of those executives and directors (even those without signing powers) who are in contact with the credit institution.
Duly adapted procedures should be applied to accounts opened in the name of financial institutions, subject to the obligations in respect of correspondent banks.
- For other legal persons:
The identification procedure should be applied, on a case-by-case basis, in exceptional situations, such as the opening of an account in the name of an association, foundation or trade union.
As regards the delegation of powers, the ABBL recommends that professionals should verify the powers of any person who acts on behalf of the customer, and that they should obtain a document evidencing the capacity of the representative in question.
By way of example:
- for the representative of a company or association: the articles of association of the company or association or a delegation of power(s) in due and proper form;
- for the representative of an undertaking for collective investment: the fund prospectus or equivalent documents enabling the management company to be identified;
- for the statutory representative of a municipality/territorial authority: the instrument of appointment (as the case may be), or the delegation of power(s) to named persons.
Depending on its risk analysis, the professional may provide for a reduction in the identification and verification measures to be taken with regard to the proxy (“mandataire”) in the context of simplified due diligence obligations.
2.2.3 Verification of the identity of a customer that is a legal person
“Identifying the customer and verifying the customer’s identity [must be done] on the basis of documents, data or information obtained from a reliable and independent source, including, where appropriate, the relevant means of electronic identification and trust services provided for in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (…) or any other secure electronic or remote identification process regulated, recognised, approved or accepted by the relevant national authorities”.
Bank for International Settlements “Sound management of risks related to money laundering”, point 37
“(…) the verification of the identity of customers who are legal persons or other legal arrangements shall be made at least with the following documents of which a copy shall be kept, where appropriate, in electronic (digital) form:
- the last coordinated or up-to-date articles of incorporation (or an equivalent incorporation document);
- a recent and up-to-date extract from the companies register (registre des sociétés) (or equivalent supporting evidence).”
The professional may use a certificate of incorporation, a certificate of conformity, a company contract, (…) or any other document emanating from an independent and reliable source indicating the name, form and existence of the customer.
“According to the risk assessment, the professionals shall take additional verification measures, such as, for example:
- an examination of the last management report and the last accounts, where appropriate certified by a réviseur d’entreprises agréé (approved statutory auditor);
- verification, after consulting the companies register or any other source of professional data, that the company was not or is not subject to any dissolution, deregistration, bankruptcy or liquidation;
- verification of the information collected from independent and reliable sources such as, among others, public and private databases;
- a visit to the company, if possible, or contact with the company through, among others, registered letter with acknowledgement of receipt.”
The professional may supplement the above-mentioned documents in accordance with its assessment of the attendant risks. It may also, where necessary or appropriate, apply simplified customer due diligence measures where its customer is a legal person (see above, Chapter 5 of Part 2 of this Handbook).
It is possible, in certain circumstances, for legal persons originating from certain countries to obtain extracts from the commercial register by internet (for example in Switzerland, Belgium and the Netherlands). Care should be taken to ensure the reliability of the source providing such documents. Luxembourg Business Registers, an economic interest grouping, makes it possible to get hold of numerous extracts from European business registers, by virtue of its participation in the “European Business Register”.
It is current practice for the identification of a legal person to be based on a recent extract from a business register, that is to say, an extract which is preferably less than 12 months old at the time of the opening of the account.
It is recommended that, when identifying legal persons, a distinction be drawn between companies which are clearly actively engaged in a commercial activity (large commercial groups, listed companies, SMEs) and small-scale companies, in particular those set up to hold assets and/or those which may function as shell companies. The fact that a legal person is well known as such a company may be noted in the file.
Where multiple accounts are opened by one and the same legal person, the professional may rely on the verification of its identity carried out at the time of the first opening of an account, unless essential elements of the identification are likely to have changed (change of company name) or the professional has doubts about the accuracy of the information provided. Where a business relationship has been definitively terminated and a new business relationship is subsequently entered into, the professional must proceed afresh with the identification of the customer and verification of the latter’s identity.
Subsection 2. Identification and verification of the identity of the beneficial owners
1. Definition of the concept of beneficial owner
1.1. Definition of the term “beneficial owner”
The obligation to identify the beneficial owners encompasses the identification of:
(a) the beneficial owners of companies;
(b) the beneficial owners of fiducies and trusts;
(c) the beneficial owners of legal entities such as foundations and legal arrangements similar to fiducies or trusts.
Professionals are obliged to take reasonable measures to discover the identity of the natural person who owns or controls the customer or for whose benefit a transaction is carried out.
“‘Beneficial owner’ (…) shall, in accordance with this Law, mean any natural person(s) who ultimately owns or controls the customer or any natural person(s) on whose behalf a transaction or activity is being conducted. The concept of beneficial owner shall include at least:
a) in the case of corporate entities:
(i) any natural person who ultimately owns or controls a legal entity through direct or indirect ownership of a sufficient percentage of the shares or voting rights or ownership interest in that entity, including through bearer shareholdings, or through control via other means, other than a company listed on a regulated market that is subject to disclosure requirements consistent with European Union law or subject to equivalent international standards which ensure adequate transparency of ownership information.
A shareholding of 25% plus one share or an ownership interest of more than 25% in the customer held by a natural person shall be an indication of direct ownership. A shareholding of 25% plus one share or an ownership interest of more than 25% in the customer held by a corporate entity, which is under the control of a natural person(s), or by multiple corporate entities, which are under the control of the same natural person(s), shall be an indication of indirect ownership;
(ii) if, after having exhausted all possible means and provided there are no grounds for suspicion, no person under point (i) is identified, or if there is any doubt that the person(s) identified are the beneficial owner(s), any natural person who holds the position of senior dirigeant (manager)/ senior managing official;
aa) a direct or indirect right to exercise a dominant influence over the customer by virtue of a contract with the customer or by virtue of a clause in the customer’s articles of association, where the law governing the customer permits it to be subject to such contracts or clauses in the articles of association
bb) the fact that the majority of the members of the administrative, management or supervisory bodies of the client in office during the financial year and the preceding financial year and up to the preparation of the consolidated financial statements were appointed solely as a result of the exercise of voting rights by a natural person;
cc) a direct or indirect power to exercise, or a direct or indirect effective exercise of, dominant influence or control over the customer, including the fact that the customer is under single management with another undertaking
dd) a requirement under the national law of the parent undertaking of the customer to prepare consolidated financial statements and a consolidated annual report;”
b) in the case of fiducies and trusts:
(i) the settlor or settlors;
(ii) the trustee or trustees;
(iii) the protector(s), if any;
(iv) the beneficiaries, or where the individuals benefiting from the legal arrangement or entity have yet to be determined, the class of persons in whose main interest the legal arrangement or entity is set up or operates;
(v) any other natural person exercising ultimate control over the fiducie or trust by means of direct or indirect ownership or by other means;
c) in the case of legal entities such as foundations, and legal arrangements similar to fiducies or trusts, any natural person holding equivalent or similar positions to those referred to in point (b)”,
“identifying the beneficial owner and taking reasonable measures to verify his identity so that the obliged entity is satisfied that it knows who the beneficial owner is, including, as regards legal persons, fiducies, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer.”
“The beneficial owner within the meaning of Article 1 (7) of the Act means any natural person who ultimately owns or controls the customer or any natural person for whom a transaction is executed or an activity is performed. This may be the case even if the threshold of ownership or control as set out in Article 1 (7) (a) (i) of the Act is not met.”
In providing for the possibility of an obligation to identify as a beneficial owner a natural person holding less than 25% of the shares, the CSSF Regulation draws attention to the fact that the professional’s approach must not involve merely relying on that 25% participation threshold, since that threshold does not automatically enable the real beneficial owner to be identified in every case. Thus it is possible that a person holding less than 25% may be the beneficial owner where that person exercises in some other way control over the management of a legal entity.
It must also be borne in mind that it may be possible for a professional to adopt differentiated approaches to, on the one hand, the identification of beneficial owners pursuant to the Law and, on the other hand, the obligations to be complied with by companies in accordance with the Law of 13 January 2019 on the register of beneficial owners of companies.
1.2 Definition of “controlling persons” in the context of the automatic exchange of information relating to financial accounts in tax matters
It is important to note that different approaches may be adopted as regards the identification of beneficial owners, depending on whether what is involved are customer due diligence measures pursuant to the Law or similar obligations in tax matters.
Also, the information appearing below cannot be equated with the beneficial owner identification obligations under the Law, and is given only by way of comparison. Moreover, the term “controlling persons” within the meaning of the Law of 18 December 2015 cannot be equated with the term “control” in the case of companies or “ultimate control” in the case of fiducies/trusts within the meaning of the Law.
“The term ‘controlling persons’ means natural persons who exercise control over an entity. In the case of a trust, that term means the settlor(s), the trustee(s), the person(s) charged with supervising the trustee(s), as the case may be, the beneficiary or beneficiaries or the classes of beneficiary, and any other natural person ultimately exercising actual control over the trust; and, in the case of a legal arrangement which is not a trust, the term means persons in an equivalent or analogous situation. The term ‘persons having control’ must be construed in accordance with the Recommendations of the FATF.”
The term “passive non-financial entity” (“NFE”) means, in essence, (1) an NFE, that is to say, any entity which is not a financial institution, (2) which is not an active NFE. An active NFE is any NFE which fulfils the eight relevant criteria laid down by Directive (EU) 2014/107. Amongst those criteria, the most representative one appears necessarily to be that requiring less than 50% of the gross income of the entity concerned to be passive income (dividends, interest, rents, capital gains).
In order to determine the residence of “controlling persons” of a passive NFE for new accounts of entities, “(…) the reporting financial institution may rely on information collected and maintained pursuant to AML/KYC procedures, on the understanding that, for the accounts of pre-existing accounts of entities, the rule is as follows:
“For the purposes of determining the controlling persons of an account holder, a reporting financial institution may rely on information collected and maintained pursuant to AML/KYC procedures” [persons controlling a passive NFE].
“For the purposes of determining whether a controlling person of a passive NFE is a reportable person, a reporting financial institution may rely on:
(i) information collected and maintained pursuant to AML/KYC procedures in the case of a pre-existing entity account held by one or more NFEs with an aggregate account balance or value that does not exceed an amount denominated in euros corresponding to USD 1 000 000 (…)” [Determining the residence of a controlling person of a passive NFE].
As regards the identification of the “controlling person” of a passive NFE account holder, the Law of 18 December 2015 on the automatic exchange of information related to financial accounts in tax matters refers to the identification procedures/information collected in the AML context.
In addition, the “CRS-E” form states, in the annex thereto, that the definition of “controlling person” “(…) corresponds to the term ‘beneficial owner’ described in Recommendation 10 and the Interpretative Note on Recommendation 10 of the FATF”.
The ABBL Guidance regarding the implementation of the OECD Common Reporting Standard also states: “Any individual identified as beneficial owner of the Entity under review under applicable anti-money laundering regulations should therefore qualify as Controlling Person of the said entity for the purpose of the CRS” [see Section VII: Controlling Persons of Passive NFEs].
2. Identification of the beneficial owner(s) in certain specific cases
2.1 Identification of the beneficial owner(s) controlling the company by virtue of thresholds (shares/voting rights/capital)
The beneficial owner(s) of a customer that is a legal entity may simply control that entity by virtue of a direct participation comprising over 25% of its capital:
Direct capital holding:
Ms A and Mr B directly hold over 25% of the capital of company Z (units/shares).
They are the beneficial owners of company Z.
As stated by CSSF Regulation No 12-02, a professional may identify the beneficial owner of a legal person, even where the thresholds of participation or control are less than 25%, especially in the context of private banking activities. Thus, the professional must carry out an analysis of the beneficial owner on a case-by-case basis, which may result in it identifying and verifying the identity of Mr Y, even though the latter holds only 20% of the company’s capital.
- Control of a legal entity may also result from an indirect holding (or chain of holding) of the capital of that entity:
Direct and indirect holding of the capital:
– Mr A directly holds 30% of the capital of Alpha
– Ms B holds 37% of the capital of Alpha: 27% indirectly via her participation in Beta (45% of 60%) and 10% directly.
– Ms C indirectly holds 29.7% of the capital of Alpha: 90% of C x 55% of Beta x 60% of Alpha = 29.7%.
In this example, the 25% threshold is exceeded for each beneficial owner.
The methods for calculating the control held by the beneficial owner must invariably take account of the chain of indirect holding.
- The beneficial owner may indirectly hold voting rights in the customer:
Indirect holding of voting rights:
Ms A holds over 25% of the voting rights in Company Alpha:
40% x 90% = 36%
(* no other member individually holds more than 25% of the capital or voting rights; there exist no agreements between members)
- The beneficial owner holds a majority interest in an entity holding over 25% of the customer company:
Mr A does not hold a weighted interest in LuxCo of more than 25% (75% x 30% = 22.5%), but he holds a majority interest of 75% in FrenchCo, which holds over 25% of the shares/voting rights in LuxCo.
Mr B holds a substantial direct interest in LuxCo. Both of them are the beneficial owners of the customer LuxCo.
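The two tests illustrated in section 2.1 (weighted interest along the chain of holdings, and a holding of more than 25% by an entity that a natural person controls) can be computed over an ownership graph. The following Python sketch is an added example, not part of the Vademecum or of any CSSF/ABBL tooling; the function names, the data layout and the reading of "control" of an intermediate entity as a stake above 50% are assumptions, and Mr B's direct interest in LuxCo is omitted because the page gives no figure for it.

```python
from fractions import Fraction

THRESHOLD = Fraction(25, 100)  # "more than 25%" indication quoted on this page
MAJORITY = Fraction(50, 100)   # assumption: control of an intermediate entity = stake above 50%


def pct(n):
    """Exact percentage, so that 90% x 55% x 60% is exactly 29.7%."""
    return Fraction(n, 100)


def weighted_interest(holdings, holder, target, _chain=()):
    """Sum, over every chain holder -> ... -> target, of the product of the stakes."""
    if holder in _chain:
        # Circular holdings cannot be resolved by multiplication: escalate for manual review.
        raise ValueError(f"circular holding through {holder!r}")
    total = Fraction(0)
    for owned, stake in holdings.get(holder, {}).items():
        if owned == target:
            total += stake
        else:
            total += stake * weighted_interest(holdings, owned, target, _chain + (holder,))
    return total


def controlled_entities(holdings, person):
    """Entities in which the person, alone or via entities already controlled, holds a majority."""
    controlled = set()
    while True:
        stakes = {}
        for holder in {person} | controlled:
            for owned, stake in holdings.get(holder, {}).items():
                stakes[owned] = stakes.get(owned, Fraction(0)) + stake
        newly = {entity for entity, s in stakes.items() if s > MAJORITY} - controlled
        if not newly:
            return controlled
        controlled |= newly


def stake_under_control(holdings, person, target):
    """Stake in target held directly by the person plus by the entities the person controls."""
    holders = ({person} | controlled_entities(holdings, person)) - {target}
    return sum((holdings.get(h, {}).get(target, Fraction(0)) for h in holders), Fraction(0))


def assess(holdings, person, target):
    """Apply both tests; either one is an indication, not a final determination."""
    weighted = weighted_interest(holdings, person, target)
    under_control = stake_under_control(holdings, person, target)
    return {
        "weighted": weighted,
        "under_control": under_control,
        "by_weighted_interest": weighted > THRESHOLD,
        "by_controlled_holding": under_control > THRESHOLD,
        "beneficial_owner_indication": weighted > THRESHOLD or under_control > THRESHOLD,
    }


# Holdings taken from the Alpha example on this page: {holder: {entity held: stake}}.
ALPHA = {
    "Mr A": {"Alpha": pct(30)},
    "Ms B": {"Alpha": pct(10), "Beta": pct(45)},
    "Ms C": {"C": pct(90)},
    "C": {"Beta": pct(55)},
    "Beta": {"Alpha": pct(60)},
}

# LuxCo example: Mr A's chain only, with the 75% and 30% used in the page's calculation.
LUXCO = {
    "Mr A": {"FrenchCo": pct(75)},
    "FrenchCo": {"LuxCo": pct(30)},
}

if __name__ == "__main__":
    for graph, target in ((ALPHA, "Alpha"), (LUXCO, "LuxCo")):
        for person in (p for p in graph if p.startswith(("Mr ", "Ms "))):
            r = assess(graph, person, target)
            print(f"{person} -> {target}: weighted {float(r['weighted']):.2%}, "
                  f"held under control {float(r['under_control']):.2%}, "
                  f"indication={r['beneficial_owner_indication']}")
```

A person below the threshold on both tests is not thereby excluded: as the page notes, the 25% threshold is only an indication and control may exist through other means.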
2.2 Identification of the beneficial owner(s) controlling the company “through other means”
“Control by other means may be established in accordance with Articles 1711-1 to 1711-3 of the amended law of 10 August 1915 on commercial companies and in accordance with the following criteria:
[Art. 1, para. (7) of the Act, Points a), ii), 2nd3rd paragraph: https://www.cssf.lu/en/Document/law-of-12-november-2004/]
aa) a direct or indirect right to exercise a dominant influence over the client by virtue of a contract concluded with the client or by virtue of a clause in the client’s articles of association, where the law governing the client allows it to be subject to such contracts or statutory clauses
bb) the fact that the majority of the members of the administrative, management or supervisory bodies of the client in office during the financial year and the preceding financial year and up to the preparation of the consolidated financial statements were appointed solely as a result of the exercise of voting rights by a natural person;
cc) a direct or indirect power to exercise, or a direct or indirect effective exercise of, dominant influence or control over the customer, including the fact that the customer is under single management with another undertaking
dd) a requirement under the national law of the parent undertaking of the customer to prepare consolidated financial statements and a consolidated annual report;”
The definition of “control by other means” was introduced into Luxembourg law by the law of 25 March 2020.
It may also be useful for the professional to refer to the legal framework of neighbouring Member States to better understand this notion and the situations referred to.
In France, for example, a natural person is regarded as controlling a company:
– when he or she de facto determines, by exercising the voting rights that he/she holds, the decisions adopted in general meetings of that company; OR
– when he or she is a member or shareholder of that company and has the power to appoint or remove a majority of the members of the administrative, management or supervisory body of the company in question.
In other words, “control of a company” means the de jure or de facto power to exercise a decisive influence on the appointment of a majority of the directors or managers of the company OR on the way in which it is managed.
BRIEFLY:
The right to appoint or remove a majority of the members of the administrative, management or supervisory body of a company OR the right to exercise a dominant/decisive influence over the undertaking pursuant to a contract entered into with that undertaking or to a provision in its memorandum and articles of association, or an agreement entered into with other shareholders or members with a view to controlling the undertaking, constitute “control through other means”.
This example shows a chain of shareholders on 3 levels, the assumption being that the reference to “other shareholders” is to disparate groups of shareholders (holding capital amounting to less than 5%).
Shareholder A is the beneficial owner of LuxCo, in that he holds a significant part of the capital of that company, enabling him to exercise a “power of control through other means” over the administrative, management or supervisory bodies or over its general meeting:
– indirect holding of 13.26% of the capital of LuxCo (51% x 51% x 51%), which appears to be significant compared with the holdings of the groups of “other shareholders”, who hold less than 5% of the capital;
– A is the majority holder of the shares in Shareholder 2, which is itself the majority holder of the shares in Shareholder 1, the majority shareholder of LuxCo.
2.2.1 Family group having control of a company
A civil partnership (PACS) is entered into between Ms B and Mr C.
No person within the family group individually holds more than 25% of the capital or voting rights in Company Alpha (the same applies in the case of the “other shareholders or members”, who have not entered into an agreement with each other). But they are acting “in concert”, and are thus able together to determine the decisions adopted in general meetings within the framework of their family relationships.
Mr A, Ms B, Mr C and Mr D are the beneficial owners of the customer Alpha Company: they have control of the customer company “through other means”, since they are members of a family group.
2.2.2 Concerted action between different persons
Concerted action may be defined as follows:
“Persons shall be deemed to be acting in concert where they have entered into an agreement with a view to acquiring, transferring or exercising voting rights in order to pursue a joint policy vis-à-vis a company or to obtain control of that company.”
None of the “other shareholders or members” individually holds more than 25% of the capital or voting rights; they have not entered into an agreement whereby they hold more than 47% of the voting rights.
Ms D, Ms A, Mr B and Mr C are not related to each other. But if they act in concert, they can determine the decisions taken in general meetings. They are the beneficial owners of the customer Alpha Company since they control it “through other means”, being bound by a shareholders’/members’ agreement.
2.2.3 Separation of the attributes of ownership
80% of the shares in the Société Civile Immobilière Alpha (an SCI = a property-holding company) are held by the family of Ms A; the attributes of ownership of the shares have previously been separated: Ms A has a usufructuary interest (life interest) in them and the statutory heirs have an undivided bare ownership (remainder) interest.
Under Article 1852 bis of the Civil Code, the voting rights belong to the holder of the bare ownership (remainder) interest, save as regards decisions concerning the allocation of profits, which are reserved to the holder of the usufructuary interest (unless otherwise provided for by the articles of association of the SCI).
Unless otherwise provided for by the articles of association of the SCI, Ms A, who is not a member of that company, nevertheless determines the allocation of its profits up to 80%. Thus, Ms A is a beneficial owner of the SCI Alpha.
Her statutory heirs, as bare owners (remaindermen), hold 80% of the capital and voting rights in the SCI; they are therefore beneficial owners (assuming that the articles of association of the SCI do not otherwise provide).
2.3 Identification of the ultimate beneficial owner of a legal person: the “senior dirigeant (manager)/ senior managing official”
Where a professional has no grounds for suspicion regarding its customer (a company) and has not been able to determine the beneficial owner(s) of the entity having direct control over the company or indirect control via a chain of holdings, or controlling it “through other means”, or where the professional is uncertain whether the person(s) identified is/are the beneficial owner(s), the professional must treat as being the beneficial owner any natural person who holds the position of senior dirigeant (manager)/ senior managing official.
2.3.1 In the case of companies:
The notion of “senior dirigeant (manager)/ senior managing official” must be understood as referring to those managers of the company who exercise, in practice, the most decisive influence on the management of the company. As a general rule, this will be the Chief Executive Officer (CEO) or the chair of the board of directors (of the company).
In the absence of any statutory definition in Luxembourg law of the notion of “senior dirigeant (manager)/ senior managing official”, professionals may determine as being the beneficial owner(s), on a case-by-case basis, depending on the circumstances and according to the specific characteristics of foreign systems of company law:
(a) the manager(s) of sociétés en nom collectif (commercial partnerships), sociétés en commandite simple (limited partnerships), sociétés à responsabilité limitée (private limited companies), sociétés en commandite par actions (limited partnerships with shares) and sociétés civiles (civil-law partnerships);
(b) the general manager/CEO of sociétés anonymes à conseil d’administration (public limited companies having a board of directors) (one-tier system);
(c) the member of the management board to which the day-to-day management of the company has been delegated, in the case of sociétés anonymes (public limited companies) having a management board and a supervisory council (two-tier system);
(d) the chair or managing director of a société par actions simplifiées (simplified joint-stock company) where the latter has powers of representation analogous to those of the chair which are conferred on him/her by the articles of association.
Where the statutory representatives referred to in points (a) or (d) are legal persons, the beneficial owner(s) will be the natural person(s) who represent those legal persons in law.
CSSF Circular 20/742 specifies that reporting entities will be required to take reasonable steps to verify the identity of the natural person who occupies the position of key manager and to keep records of the steps taken and of any difficulties encountered during the verification process.
Sources:
“(…) the concept of senior managing official/senior dirigeant (manager) is generally to be understood as the management body legally provided for and not just for instance, the chairman of a board of directors. Can also be considered as senior managing official, the person to whom the daily management of the company has been delegated or any other equivalent body according to legal or statutory provisions, in which case only the latter must be registered”.
Illustration of a situation where the legal representatives are, by default, the beneficial owners:
It has not been possible to identify any beneficial owner of Alpha SAS, either in terms of the holding of capital/voting rights, or in terms of control through other means.
Accordingly, the legal representatives of Alpha SAS should be identified as its beneficial owners:
- Mr A (Managing Director of the company Belle S.A., which holds the position of Chair of Alpha SAS), since, in French sociétés par actions simplifiées (simplified joint-stock companies), power is exercised by a single person, namely the chair, who may be a natural or a legal person (the sole mandatory management organ);
- possibly, Mr B, if the articles of association of Alpha SAS confer on him executive powers and a power of representation which are the same as those of Belle S.A.
The designation of the “senior dirigeant (manager)/ senior managing official” as the beneficial owner should remain an exceptional measure, and should only be resorted to after all other possible means under the Law have been exhausted (thresholds in respect of direct/indirect holdings; control through other means) to determine the beneficial owner(s) of the customer company.
Depending on the legal form of the customer company, the function/designation of the senior dirigeant (manager)/ senior managing official identified as the beneficial owner may well vary.
For the purposes of identifying the “senior dirigeant (manager)/ senior managing official” as the beneficial owner, it is necessary to look first and foremost at the organ responsible for managing the company, charged with the day-to-day management of the entity. Professionals should none the less base their analysis, on a case-by-case basis, on the aspects of the specific business relationship with which they are confronted in each given instance.
- The concept of “legal representative” as applied in the case of a Luxembourg customer company (non-exhaustive example):
Indicative table concerning the “legal representative”
Legal representative (executive power of the management body) Beneficial owner of “last resort” (senior managing official/ senior dirigeant [manager]) | Administrative organ
| In the case of a société en commandite spéciale having the structure of an investment fund: the members of the board, unless specific legal arrangements are set
(civil-law partnership) | the manager(s) |
(« système moniste ») |
(otherwise, where the managing director is a legal person, the permanent representative charged with execution) | Where the SA is a UCITS (“SICAV”): the members of the board, unless specific legal arrangements are set
(otherwise, in the case of a legal person, its permanent representative) | Where the SA is a UCITS (“SICAV”): the members of the supervisory council unless specific legal arrangements are set
| the manager(s) (where appropriate, the managing partner) (“actionnaire commandité”) | In the case of an SA that is a UCITS (“SICAV”): the members of the board, unless specific legal arrangements are set
As regards “fonds communs de placement” (mutual funds): the legal representatives of the fund’s management company: the members of the Board of Directors, unless specifically agreed otherwise in law, should be considered as the “chief executive officer” (i.e. EC of last resort).
2.3.2 In the case of associations
Not-for-profit associations may be involved in the raising and/or disbursing of funds for charitable, religious, cultural, educational, social or fraternal purposes, or for the carrying-out of other types of good works. Nevertheless, they may possibly be used for less virtuous purposes, and risk being exploited for the purposes of, in particular, terrorist financing rather than pursuing a not-for-profit or laudable aim.
The Ministry of Justice has illustrated some cases where associations/foundations are used for TF purposes in guidelines (“Raising awareness of the voluntary sector of the risks of terrorist financing”).
WHAT TO DO?
The professional’s customer may be an association (whether or not promoting the public interest). In such cases, the professional must adopt a prudent approach and must identify the “beneficial owner of last resort”.
Apart from identifying the beneficial owner of last resort, the professional must without fail ascertain whether the association is being used within a set-up pursuing genuinely philanthropic goals or with a view to the optimisation of property assets. It is recommended that information be obtained concerning: the name and address of the organisation and its charitable object, as well as an extract from the business register.
The FATF considers that the natural person exercising control over a legal person is the person who supervises that legal person’s day-to-day or regular affairs through a senior management position, such as a chief executive officer (CEO), chief financial officer (CFO) or chair.
Thus, it is only the senior dirigeant (manager)/legal representative of the ASBL (not-for-profit association), to whom the daily management of the association has been delegated according to legal or statutory provisions (delegated administrator or CEO), who may be designated as the beneficial owner in the register (as the case may be, members of the management body); otherwise, in the absence of a delegation of management powers, the members of the Board of Directors will be registered in the registry.
In the event that the professional has any doubts regarding the identification of the beneficial owner (of last resort) in respect of its ASBL customer, it may refer to Circular 19/02 of the Luxembourg Business Registers:
“Where, despite the enquiries carried out, it has not been possible to identify any beneficial owner within the meaning of the Law of 13 January 2019, the senior dirigeant(s) (manager(s)) / senior managing official(s) must be regarded as the beneficial owner(s) and be registered as such in the Register of Beneficial Owners.
In this context, the notion of a senior dirigeant (manager)/ senior managing official is to be generally understood as being the board of directors and, consequently, the entirety of the members of the management organ legally provided for must be communicated to the Register of Beneficial Owners, rather than merely the chair of the board of directors or the members of an executive committee. Can also be considered as senior managing official the person to whom the daily management of the association has been entrusted or any other equivalent organ/body according to legal or statutory provisions.”
2.3.3 In the case of undertakings for collective investment (UCIs):
WHAT TO DO?
One should here refer to the joint guidelines of the ALFI, the ALCO, LPEA and LUX REAL entitled “who is the beneficial owner of the investment fund” published on August 8, 2019 (Illustrations of examples to identify the beneficial owners).
Reference can also be made to the former ALFI Guidance on “Practices and Recommendations aimed at reducing the risk of money laundering and terrorist financing in the Luxembourg Fund Industry” as regards custodian banks (Part IV, point D).
In the case of investment funds of the SICAV or FCP (mutual fund) type, or involving a legal form such as a société en commandite spéciale (special limited partnership) or limited liability partnership, the professional should refer where necessary to the indicative table concerning the legal representative/ senior managing official, which includes the identification of the beneficial owner(s) of companies whose legal form is used for the creation/management of investment funds.
In the United Kingdom, for example, funds are typically formed as limited partnerships registered at Companies House. Those funds have a general partner who exercises discretion over the assets of the fund.
In the case of a compartmentalised investment fund (of the SICAV type) involving a single legal personality, the professional must investigate the beneficial owner(s) of the fund at the level of the legal entity and not on a compartment-by-compartment basis, since the compartments do not possess their own legal personality.
The FATF guidelines (“Guidance for a risk-based approach for the securities sector”) state that it is for the intermediary (the customer of the custodian bank) to perform the customer due diligence obligations, but that an understanding of the intermediary’s customer base may none the less be a useful element in determining the risk associated with the intermediary itself. The level of understanding and the details obtained concerning the documentation must be tailored to the risk level of the intermediary.
In this context, it should also be noted that the custodian bank of a UCI (in so far as the relevant legislation requires the appointment of a custodian for the UCI) is required to take cognisance of the property and financial assets deposited with the custodian bank and, where necessary, to verify the origin and existence of that property/those assets.
Such due diligence checks, commonly known as the “Know Your Assets” process, may obligate custodian banks, over and above the requirement that they comply with all express legislative provisions prescribing a general duty of due diligence on the part of the custodian bank, to pursue a duly applied risk-based approach in the absence of any express agreement/delegation arrangement entered into with the investment manager(s) concerned.
The custodian bank may nevertheless rely on certain legitimate assumptions concerning the property and assets deposited, in so far as that property/those assets come to it from certain types of UCI, in accordance with the risk-based approach.
Preference should be given to a “comply or explain” approach, that is to say, one where the bank is required to explain to the regulator the assumptions applied by it in cases where it has not carried out due diligence checks on the property and assets deposited with it.
2.3.4 In the case of legal persons incorporated under public law and companies whose securities are admitted to trading on a regulated market:
A. Legal persons incorporated under public law
WHAT TO DO?
Public administrative bodies or undertakings of countries or territories with a low level of corruption should be regarded by professionals as posing a potentially lower risk within the meaning of the Law.
A financial organisation having as its customer a legal person incorporated under public law must identify the latter’s beneficial owner; this involves, having regard to the guarantees of transparency, identifying the beneficial owner of last resort, that is to say, its legal representative.
Accordingly, the person to whom the daily management of the public entity has been delegated according to legal or statutory provisions may be designated as beneficial owner in the register. As the case may be, members of the management body/ Board of Directors will be registered in the registry.
If representatives of the State are members of the executive committee or the Board of Directors, the registration of the latter in the registry is replaced by that of their responsible Minister (“Ministre de tutelle”).
The Luxembourg State Treasury keeps a list of public institutions, foundations and economic interest groupings indicating their legal representatives.
B. Companies whose securities are admitted to trading on a regulated market
“Companies whose securities are admitted to trading on a regulated market in the Grand Duchy of Luxembourg or in another State party to the Agreement on the European Economic Area, or in another third country imposing obligations recognised as being equivalent by the European Commission within the meaning of Directive 2004/109/EC of the European Parliament and of the Council of 15 December 2004 on the harmonisation of transparency requirements in relation to information about issuers whose securities are admitted to trading on a regulated market and amending Directive 2001/34/EC, shall register only the name of the regulated market on which their securities are admitted to trading.”
Since companies whose securities are admitted to trading on a regulated market in Luxembourg or in the EEA are required to indicate only the name of the regulated market in the Register of Beneficial Owners of Companies, the professional must identify the name of the regulated market on which the securities of the customer company are admitted to trading as the beneficial owner.
In the case of a customer company a majority of the capital of which is held by a company whose securities are admitted to trading on a regulated market, the professional is thus required to identify as its beneficial owner the “senior dirigeant (manager)/ senior managing official” of the company which is the account-holder; it should indicate in the margin of the documentation of the beneficial owner in question the name of the regulated market on which the listed company holding the customer company is admitted to trading.
2.3.5 Case of the syndicates of co-ownership (NEW)
In accordance with the provisions of the law of 16 May 1975 on the status of co-ownership of built-up properties, the co-owners are obliged to be grouped together in a syndicate (syndic de copropriété), acting as the legal representative of the community of co-owners.
In most cases, the syndicates have legal personality and are registered in the Luxembourg Trade Register, thus being subject to the law of 13 January 2019 establishing a register of beneficial owners.
WHAT TO DO?
When seeking the beneficial owners of syndicates, professionals sometimes find that syndicates tend to argue that the co-owners of the building should be designated as their beneficial owners, on the ground that the role of the syndicate is only to execute decisions on behalf of the co-owners.
Even if the decisions of the syndicate are taken by the general assembly of the co-owners, and despite the fact that a syndicate council hypothetically supervises the syndicate, it is the syndicate alone that operates and controls the bank account, the co-owners having no say in the management of the syndicate’s bank account.
According to the definition of beneficial owner as it appears in article 1, paragraph (7), point a), (ii) of the law of 12 November 2004, in the case of companies, the syndicate being a legal person, “the natural person who occupies the position of principal manager” must be designated as the beneficial owner of the syndic.
2.3.6 In the case of NGOs:
According to the national money laundering risk assessment, NGOs pose an inherently high risk, since they may be used to finance terrorist acts.
Professionals must adopt a prudent approach in identifying the beneficial owner of an NGO, taking due account of its legal structure, of the nature of its activities and of the business relationship which it proposes to maintain with the professional.
2.4 The beneficial owner(s) of fiducies and trusts and other similar legal arrangements
2.4.1 Fiducies and trusts
The professional must identify the beneficial owner and take “reasonable measures to verify his/her identity”, so as to be satisfied that it knows “who the beneficial owner is”, and must also, in the case of “legal persons, fiducies, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer”.
The information which a Luxembourg fiduciary is additionally required to gather regarding the beneficial owner of a fiducie or trust subject to the Luxembourg Law of 27 July 2003 on trusts and fiduciary contracts in order to feed this in to a register created for that purpose, is set out in the Law of 10 August 2018 on the information to be collected and maintained by professionals acting as fiduciaries.
Where the trustee/fiduciary is a legal person, the professional should refer to the guidance given in the “ABBL CRS-related FAQs” concerning the senior managing official test.
In the context of the automatic exchange of information concerning financial accounts in tax matters, the guidelines state, by reference to the Law, that the application of the senior managing official principle applies in the case of a corporate trustee holding a controlling/majority interest in a passive non-financial entity.
By analogy, the professional must accordingly identify the senior managing official of a trustee that is a legal person, seeking to obtain sufficient information concerning the entire chain of holdings in cases where a series of corporate structures are interposed in order to carry out the requisite “common knowledge” analyses.
“Countries should take measures to prevent the misuse of legal arrangements for money laundering or terrorist financing. In particular, countries should ensure that there is adequate, accurate and timely information on express trusts, including information on the settlor, trustee and beneficiaries, that can be obtained or accessed in a timely fashion by competent authorities (…) ”
As regards the obligation to identify the “beneficial owners” of trusts/fiducies, especially those governed by foreign law, it will be noted that the elements enabling the fiduciary/trustee, the settlor, the protector (as the case may be) and the beneficiary or beneficiaries to be identified will be found in the instrument setting up the trust/fiduciary contract.
Trusts and fiducies may cover extremely diverse situations, and the documentary requirements will differ depending on the variety of situations.
Professionals must be conscious of the fact that customer accounts set up in the name of a trust/fiducie could be used to circumvent the procedures for the identification of customers. For that reason, it is essential to understand the true nature of the business relationship. It is necessary to ascertain whether the customer is passing him/herself off as another person, if he/she is “covering” for another person, or if he/she is acting as an intermediary on behalf of a third party. To that end, supporting documents should be requested evidencing the identity of any intermediaries or persons in whose name he/she is acting as well as details regarding the nature of the fiducie/trust. Trusts/fiducies are normally, but not systematically, set up by a written document in the form of a fiduciary instrument / trust deed.
The professional should strive to obtain a list of the contributors of funds and of the beneficial owners by means of the deed setting up the trust/fiducie or through any other means giving reasonable credence to the information communicated to it. The difficulty lies, in essence, in identifying the beneficial owners, since the “letter of wishes” is not normally communicated to the professional. The “letter of wishes” is the document by which the settlor or the fiduciary structure indicates his wishes regarding the ultimate beneficiaries and the ways in which he would like the trust property to be distributed.
The simplest situation is that in which the account is opened in the name of the trustee, a natural person, but the account is frequently opened in the name of a legal structure, typically a legal person located in an offshore country.
It may happen that, in certain fiduciary structures, the beneficiaries cannot be designated by name because they have yet to come into being (children yet to be born) or on account of the fact that the realisation of a profit or benefit is subject to the occurrence of certain events. In such cases, it is sufficient to determine the “group of persons”/class of beneficiaries thus designated. This requirement need not involve the identification of the individuals forming that group of persons.
2.4.2 The beneficial owners of foundations/legal arrangements similar to fiducies/trusts
“In the case of legal entities such as foundations, and legal arrangements similar to fiducies or trusts, (the trader shall identify) any natural person who performs functions equivalent or similar to those of (settlor, fiduciary/trustee, beneficiaries or any other natural person exercising ultimate control over the fiducie/trust by direct or indirect ownership or by other means).”
2.5 The natural person “for whom a transaction is carried out”
According to the Law, the notion of “beneficial owner” also includes “any natural person(s) on whose behalf a transaction or activity is being conducted”.
This situation concerns cases involving a “man of straw”, called upon to lend his name to cover operations carried out for the account of a third person who wishes to remain anonymous, often with a view to achieving an unlawful aim.
This may also concern, for example, the situation in which the custodian of a property, belonging to a foreign non-resident natural person, opens an account in his own name with a credit institution with a view to domiciling in that account exclusively operations concerning the expenses of maintaining the property in question. The account is fed by transfers of funds coming from the owner. In such a case, the customer is the custodian of the property and the beneficial owner is its owner.
Where special purpose vehicles, for example SOPARFIs (financial holding companies), securitisation companies, or specialised investment funds, are set up on the initiative of a person holding not more than 25% of the capital of the structure in question, but that person nevertheless takes out most of the profits, the professional must try to identify/verify the identity of that person as beneficial owner (“bottom-up” approach).
In the case of, for example, a non-approved securitisation fund (“securitisation SPV”), managed by a management company, the investors will be the holders of co-ownership units in the fund (characterised as “transferable securities” even though the fund does not have legal personality). Those investors will receive, on a recurring basis, the interest due to them. Thus, those investors should be regarded as beneficial owners of the securitisation structure set up.
3. Measures to identify and verify the identity of the beneficial owners
The 4th Anti-Money Laundering Directive, as amended, requires certain information concerning the beneficial owners of companies and fiducies/trusts to be made available in registers to which professionals have access. The professional may, in addition to the information received by its customer, consult the registers established in Member States with a view to backing up the information supplied to it by its customer.
1. Identification measures
“Without prejudice to enhanced due diligence requirements or the application of simplified due diligence measures, where applicable, the identification of beneficial owners (…) shall include the surname(s), first name(s), nationality(ies), date and place of birth and their address as well as the full postal address of the principal residence. At the discretion of the trader, it will also include the official national identity number”.
2. Verification measures
“The verification of these data (concerning the beneficial owners) shall be made, notably, using information obtained from customers, central registers within the meaning of Articles 30(3) and 31(3a) of Directive (EU) 2015/849 or any other independent and reliable source available.
The sole recourse to central registers as mentioned above does not constitute a sufficient means of fulfilling the obligations of vigilance; the professional shall therefore take all reasonable measures in order to ensure that the real identity of the beneficial owner is known. The reasonable nature of these measures shall be defined, notably, according to the level of money laundering or terrorist financing risk that the professional considers to be linked to the customer profile or the nature of the business relationship or of the transaction contemplated by the customer”.
The ability of professionals to access the Register of Beneficial Owners, as provided for by the Law of 13 January 2019, will enable them to obtain information concerning certain entities registered in the Luxembourg Commercial and Companies Registry as from 1 September 2019, it being understood, however, that the Law states that professionals must not rely exclusively on central registers in order to fulfil their customer due diligence obligations.
For the purposes of verifying the identity of the beneficial owners, the professional is referred to the examples given below of documents for the identification of customers who are natural persons.
In the absence of any more detailed statutory or regulatory requirements, the professional has a relatively wide discretion as to the choice of documentation used for the purpose of verifying the identity of the beneficial owner.
The obligation to obtain a beneficial ownership declaration signed by the beneficial owner(s) or his/her/their representatives stems from CSSF Regulation No 12-02; professionals would be well advised to make this practice a permanent and established part of their procedures (see Art. 17 of the CSSF Regulation).
For information, with regard to “controlling persons” in the context of the automatic exchange of information concerning financial accounts in tax matters, the persons “having control” of an entity, who must be the subject of a declaration within the meaning of the Law of 18 December 2015, must provide information as to their “name, address, jurisdiction(s) of residence, TIN(s) and date and place of birth (…)”.
“Countries should ensure that there is adequate, accurate and timely information on the beneficial ownership and control of legal persons that can be obtained or accessed in a timely fashion by competent authorities. In particular, countries that have legal persons that are able to issue bearer shares or bearer share warrants, or which allow nominee shareholders or nominee directors, should take effective measures to ensure that they are not misused for money laundering or terrorist financing. Countries should consider measures to facilitate access to beneficial ownership and control information by financial institutions (…).”
3. Bearer shares
In the context of business relationships involving nominees, the professional should request the latter to obtain the information needed in order to identify the beneficial owner(s) of the securities (that is to say, the natural person who is the owner of the securities held by the representative/nominee).
Subsection 3. Obtaining information on the purpose and intended nature of the business relationship, including the origin of funds
The customer due diligence measures to be taken by the professional include “assessing and understanding the purpose and intended nature of the business relationship and, as appropriate, obtaining information on the purpose and intended nature of the business relationship”.
1. Assessing the business relationship
This obligation is additional to the obligation to identify customers/beneficial owners, and is just as important, in that it enables the professional to go beyond a mere process of identification/verification based on documents; the professional can thereby assess the nature of the risks inherent in its relationship with the customer(s).
WHAT TO DO?
The relationship between a financial professional and its customer is of an intuitu personae (personal) nature. The scope of the documentation requested from the customer will necessarily depend on the way in which, and the circumstances in which, the relationship is entered into and the risk factors linked to the customer.
A so-called “profile sheet”, listing a number of items of information to be obtained from the customer, should be used by the professional. That sheet must be such as to make it possible to acquire a store of knowledge of the customer that is as exhaustive as possible, and, for that reason, need not necessarily be approved by the latter. It is recommended that profile sheets of this kind be applied both to new and to existing customers. The sheet must also be updated as the relationship develops.
2. The origin of funds
The professional must obtain all necessary information regarding the origin of the customer’s funds:
“The professionals’ obligation to know their customer includes the obligation to gather (…), register, analyse and understand, at the time of the customer identification, information about the origin of the customer’s funds and the types of transaction for which the customer requests a business relationship, as well as any adequate information allowing the determination of the customer’s purpose of the business relationship (…). This information shall allow the professional to carry out an efficient ongoing customer due diligence (…). Depending on the risk assessment, this obligation may include the obligation to obtain evidence”.
In order to enhance the plausibility of the origin of the funds, the professional must verify the consistency between their operational origin and the economic origin indicated by the customer.
All relevant documents corroborating what the customer says, especially as regards the provenance of the funds, must be kept together with the documentation concerning the entry into the business relationship.
The professional must verify and log:
(a) the operational origin of the funds (cards, giro payments, other means of transfer);
(b) the geographical origin of the funds (third countries, EEA countries, countries demonstrating shortcomings in the fight against money laundering);
(c) the economic origin of the funds (salaries, income from investments, inheritances).
The professional is obliged to use its best endeavours to determine the economic origin of its customer’s funds. The following information may be useful, or even necessary, and must therefore be documented by the person carrying out the entry into the business relationship:
– family situation;
– wealth situation;
– associates and/or contact persons;
– description of professional activity;
– other sources of income;
– purpose of the business relationship;
– origin of funds;
– general assessment;
– entry into the relationship for his/her own account or for the account of someone else;
– any other relevant information, in specific cases, needed for knowledge of the customer (…).
All the information and documents thus obtained, when combined with common sense, must be such as to enable the account executive to arrive at an informed judgement in deciding whether or not it is advisable to establish a relationship with a customer. To the extent that there are any unusual factors, inconsistencies or specific risks attaching to the customer, the professional must obtain additional documents or relevant information in order to mitigate the attendant risks.
In order to ensure compliance with the obligations arising from other statutory or regulatory provisions (market abuse, handling of conflicts of interest), the professional must make sure to obtain a number of additional items of information concerning the customer and, in particular, the latter’s professional activity.
Subsection 4. Exercise of ongoing due diligence in respect of the business relationship and the updating of the documents, data and information held
1. General considerations
The exercise of ongoing due diligence as required by the Law is centred around three axes, comprising, for the professional, the obligation to carry out:
– checks on transactions;
– a permanent (“event-driven”) review of the business relationship;
– a periodic review of the business relationship.
The monitoring of customers in terms of the risk involved must be founded either on a process of permanent ongoing checks based on the level of risk attaching to each customer and showing up all instances of unusual behaviour, or on a periodic review which will likewise depend on the level of risk attaching to the customer. Such monitoring must be based on a comparison between the profile sheet and the operations carried out by the customer (checks on transactions).
A customer’s profile may well change over the course of time. For that reason, in order to ensure that their customer data are up-to-date, professionals are recommended to carry out a re-assessment of the data collected by them at the time of the entry into the business relationship. In particular, where a customer has been accepted and it subsequently becomes apparent that that customer or the beneficial owner is or is becoming a politically exposed person, the question whether to maintain the business relationship should, where appropriate, be referred for authorisation to a more senior level.
Such a review may, in particular, take place on the occasion of a significant transaction, a substantial modification of the customer documentation standards or a significant change in the way in which accounts are managed, or whenever a professional realises that it is lacking information regarding an existing customer.
Certain circumstances (changes of shareholders, a change of proxy, unusual operation of the account, for example in the case of professionals normally engaged in the safekeeping of funds of third parties with a financial establishment, etc.) may signify that the beneficial owner has changed or that the customer is not acting, or is no longer acting, for his/her own account. Professionals are recommended to clarify the situation in each case, and thus to undertake where necessary a fresh identification of the beneficial owner.
Professionals should also put in place control mechanisms enabling them, upon accepting new customers and in monitoring business relationships, to identify persons such as PEPs/countries lacking adequate AML/CFT systems/persons who are the subject of restrictive measures in financial matters (see below – point 2, b).
- Special cases: dormant accounts and cheques
Dormant accounts present certain particular characteristics making it problematic to update them. Professionals are recommended to put in place specific procedures for the monitoring of dormant accounts and the updating of the data relating to the customers concerned.
The fact of a dormant account suddenly becoming active should alert the professional.
The processing of cheques, notably those bearing multiple endorsements, and of bank drafts, likewise calls for particular attention.
2. Assessment of transactions and the detection of complex operations and unusual transactions
a) General assessment:
This comprises “conducting ongoing due diligence of the business relationship including constant scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the professional’s knowledge of the customer (and) the business and risk profile, and ensuring that the documents, data or information held obtained in the exercise of customer due diligence remain up to date and relevant. To this end, professionals shall examine existing elements, in particular for higher risk categories of clients.”
Ongoing due diligence in respect of the business relationship necessitates examination of the transactions carried out by the customer in the course of that business relationship. Such ongoing examination of the transactions carried out by the customer will require the professional, where necessary, to gather information concerning the origin of the funds.
b) Complex operations, unusual transactions and restrictive measures
“Ongoing due diligence (…) includes at a minimum the obligation to identify without delay:
- (…) States, persons, entities or groups involved in a transaction or business relationship subject to restrictive measures in financial matters in the context of the fight against terrorist financing, including, notably, those implemented in Luxembourg via EU regulations directly applicable in national law or through the adoption of notably ministerial regulations; and
- the States, persons, entities or groups involved in a transaction or business relationship subject to restrictive measures in financial matters, including, notably, those implemented in Luxembourg via EU regulations directly applicable in national law or, where appropriate, through the adoption of national regulations for their implementation.”
The professional is also obliged to detect States, persons, entities and groups subject to financial restrictive measures in relation to the assets under his management and to ensure that the funds will not be made available to such States, persons, entities or groups.
Where persons, entities or groups referred to in this article are identified, (…), the professional shall without delay apply the required restrictive measures and inform the competent authorities regarding financial sanctions. A copy of this communication must be sent at the same time to the CSSF.”
A list of links to the lists of persons, entities and groups concerned can be found in Annex III, Part B.
“(…) the trader must ensure that the internal system used for this control or made available by an external service provider to which he has recourse for the purposes of this control, is adapted without delay in order to be able to meet his obligations (…)”.
The obligation to exercise constant vigilance over the business relationship requires that “particular attention be paid to transactions that exceed certain amounts, to very large movements on an account that are incompatible with the amount of the balance or to transactions that are outside the normal pattern of account movements”.
“Professionals are required to examine as far as possible the context and purpose of these transactions, to record the results of these examinations in writing and to keep these documents in accordance with (…) the Law and to keep them at the disposal of the Luxembourg authorities responsible for combating money laundering and the financing of terrorism and of the auditors for at least five years, without prejudice to the longer retention periods prescribed by other laws”.
“With respect to the professionals’ ongoing due diligence (…), the professionals shall identify complex or unusual transactions (…) by taking into account, notably:
- the importance of the incoming and outgoing assets and the volume of the amounts. The transactions which involve small amounts but which are unusually frequent are also concerned;
- the differences compared to the nature, volume or frequency of the transactions usually carried out by the customer in the framework of the business relationship concerned or the existence of differences compared to the nature, volume or frequency of the transactions normally carried out in the framework of similar business relationships;
- the differences compared to the declarations made by the customer during the acceptance procedure and which concern the purpose and nature of the business relationship, in particular as regards the origin and destination of the funds involved.”
(1) “Professionals shall have procedures and implement control mechanisms that allow them, when accepting customers or monitoring the business relationships, to identify, among others:
(…)
– persons as referred to in articles 30, 31 and 33 (of CSSF Regulation 12-02) (i.e. PEPs, clients from high-risk countries and persons subject to financial restrictive measures).
– the funds coming from or going to States, persons, entities or groups (…) involved in a transaction or business relationship subject to prohibitions or restrictive measures in financial matters in the context of the fight against money laundering and terrorist financing or countries or territories whose AML/CFT framework is considered as insufficient;
– the complex operations or unusual transactions (taking into account in particular the importance of the incoming and outgoing assets, the existence of differences compared to the nature, volume or frequency of the transactions normally carried out by the customer and inconsistencies with the declarations made by the customer during the acceptance procedure);
– a transfer of funds with missing or incomplete information within the meaning of EU Regulation 2015/847”.
(2) “The establishment of a complete and up-to-date customer database is an integral part of this monitoring system. In the case of encoding by a natural person of the professional, this work should be checked according to the “4-eyes principle”. This monitoring system must cover all client accounts and transactions and must cover clients, persons claiming to act on behalf of the client, originators and beneficial owners and, in the context of monitoring fund transfers, the originator of an incoming fund transfer and the recipient of a fund transfer leaving a client’s account. It should take into account the risks identified by the professional in relation to his or her business and client base. It must be automated, unless the professional can demonstrate that the volume and nature of the clients and transactions to be monitored do not require such automation.”
(3) “The identification researches carried out using this supervisory system shall be duly documented, including in cases where there are no positive results.”
(4) “The identified transactions or persons, as well as the criteria which led to the identification, shall be the subject of written reports. These reports shall be transmitted to the compliance officer for the required purposes, in particular, for compliance with Article 5 of the Law. Professionals shall specify in writing the procedure relating to the transmission of written reports to the compliance officer and the required transmission deadlines.”
(5) “The supervisory system shall allow the professional to take rapidly and, where appropriate automatically, the required measures where a suspicious activity or transaction was identified. The compliance officer shall be solely competent to decide on the application and scope of these measures and their termination, where appropriate, in consultation with the management and the compliance officer.”
(6) “The supervisory system shall be subject to initial validation at least by the compliance officer and regular control by the compliance officer in order to adapt this system, where necessary, to the development of the activities, the customers and the AML/CFT standards and measures.”
Professionals must ensure that their employees report unusual and/or suspicious transactions and that, in accordance with the internal procedures applied by each professional, such transactions are logged in writing by the persons in charge of compliance (including the person responsible for monitoring compliance with professional obligations – “RC”), even where it is not considered opportune to report the matter to the authorities.
3. Activities requiring particular attention
“In the framework of ongoing due diligence, the following activities, among others, require particular attention: (…)
- activities of customers whose acceptance was subject to a specific examination (…) (acceptance of customers potentially presenting high levels of risk), as well as
- transfers of funds within the meaning of Regulation (EU) 2015/847 and the respective requirements specified in the latter Regulation (…)”.
4. Keeping documents and information up to date
“Ongoing due diligence includes the obligation to verify and, where appropriate, to update, in accordance with the maximum period provided for by, and taking into account the appropriate times specified in, Article 1 paragraph 4 of the Grand-Ducal Regulation (i.e. at least every seven years, without prejudice to a greater frequency depending on the risk assessment), within an appropriate timeframe to be set by the professional according to its risk assessment, the documents, data or information gathered while fulfilling the customer due diligence obligations (…).”
“For high-risk business relationships, the review frequency should be at least annual.”
“The professionals shall document, keep up to date and make the risk assessments referred to in paragraph 1 available to the supervisory authorities and self-regulatory bodies. The supervisory authorities and self-regulatory bodies may decide that individual documented risk assessments are not required where the specific risks inherent in the sector are clear and understood.”
As regards the obligation to keep the documents, data and information held up to date, professionals must carry out a review of their customers and documents (…), especially those which form an essential element of the business relationship and of knowing the customer, at such intervals as they may determine reflecting the risk associated with each customer and the risk involved in the business relationship. CSSF Regulation 20-05 and the Grand-Ducal Regulation of 14 August 2020 provide further details on the updating of the data collected by the professional. This update must be carried out:
– At least every 7 years
– More frequently if the situation requires it in view of the risk-based approach
– At least annually for high risk business relationships
“Following that review, the said documents must be updated if the professional finds any changes compared to the previous verification (for example, modification of the articles of association, identity card expired).
“When reviewing and updating client documents, data and information, the professional may take into account various sources of information, including
– relevant data and information in the public domain
– the client’s national ML/TF risk assessment report,
– the client country’s AML/CFT mutual evaluation reports
– other information obtained from a reliable and independent source.
Internal follow-up measures should be established for cases where the trader cannot meet the deadlines for updating the documentation.”
5. Retention of documents and protection of personal data
1 – Retention of documents
“Professionals shall retain and quickly make available the following documents, data and information for the purposes of preventing, detecting and investigating, by the Luxembourg authorities responsible for the fight against money laundering and terrorist financing, possible money laundering or terrorist financing or by self-regulatory bodies:
a) in the case of customer due diligence, a copy of or references to the documents, data and information which are necessary to comply with the customer due diligence requirements laid down in Articles 3 to 3-3, including, where appropriate, data obtained through the use of electronic means of identification, the relevant trust services provided for in Regulation (EU) No 910/2014, or any other secure electronic or remote identification process regulated, recognised, approved or accepted by the competent national authorities, books of account, commercial correspondence, and the results of any analysis carried out, for a period of five years after the end of the business relationship with their customer or after the date of an occasional transaction;
b) the supporting evidence and records of transactions which are necessary to identify or reconstruct individual transactions, to provide, if necessary, evidence in a criminal investigation or enquiry, for a period of five years after the end of a business relationship with their customer or after the date of an occasional transaction.
“The retention period referred to in this paragraph, including the extended retention period not exceeding a further five years, shall also apply in respect of data accessible through the centralised mechanisms referred to in Article 32a of Directive (EU) 2015/849.”
Professionals shall also retain the information concerning the measures taken in order to identify the beneficial owners (…).
Without prejudice to longer retention periods prescribed by other laws, professionals shall delete the personal data at the end of the retention period referred to in the first subparagraph. (…).
By way of derogation from the 4th subparagraph, professionals retain the personal data for a further period of five years where this retention is necessary to effectively implement internal measures for the prevention or detection of money laundering or terrorist financing.”
2 – Compliance with data protection rules
As regards the compatibility with the European General Data Protection Regulation (EU) 2016/679 (“the GDPR”) of the rule requiring documents connected with financial transactions to be retained for five years after the end of the business relationship with the customer, it should be borne in mind that the lawfulness of the processing of personal data lies in “compliance with a legal obligation to which the (data) controller is subject”.
(A) Information on the persons concerned and general notice
- The customer:
“Professionals shall provide new clients with the information required under Articles 13 and 14 of the GDPR before establishing a business relationship or carrying out an occasional transaction.
That information shall, in particular, include a general notice concerning the legal obligations of the professionals under this Law to process personal data for the purposes of the prevention of money laundering and terrorist financing.”
The general notice:
The general notice must contain, in particular, the pre-contractual information to be provided to customers/persons concerned, as indicated in the relevant ABBL guidelines “Steps forward in implementing the GDPR”. In addition, it must refer to the professional obligations as contained in the Law, to which the professional is subject, the lawfulness of the processing of the customer’s data being based on compliance with a legal obligation to which the professional (as “data controller”) is subject.
- The beneficial owner:
Since the professional gathers information about the beneficial owner only indirectly through its customer, it is not, by virtue of the exception appearing in the GDPR, obliged to inform the beneficial owner.
– Information concerning beneficial owners:
As regards the prior information to be provided to the beneficial owner(s), since the primary consideration is that the customer due diligence measures prescribed by the Law require the professional to identify and verify the identity of the beneficial owner(s), and since that information will not have been gathered by the professional from the beneficial owner(s) themselves, the professional need not provide him/her/them with the information in question.
The prior information need not be provided where the personal data have not been gathered from the person concerned “in so far as (…) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests”.
In addition, the data protection policies of certain financial establishments indicate that it is for their customers, where necessary or appropriate, to inform their beneficial owners about any processing using the latter’s personal data.
It may also be noted that the Act considers the processing of personal data as a matter of public interest under the GDPR.
(B) Restriction on the right of access
“(…) The person who is responsible for the processing shall restrict or defer the right of access of the person concerned to his personal data where such measure is necessary and proportionate in order to:
(a) enable the professionals, the Financial Intelligence Unit, a supervisory authority or a self-regulatory body to fulfil their tasks properly (…); or
(b) avoid obstructing official or legal inquiries, analyses, investigations or procedures for the purposes of this Law (…) and to ensure that the prevention, investigation and detection of money laundering and terrorist financing is not jeopardised.”
It will be recalled that the GDPR allows Member States to limit the rights of the “persons concerned” in certain specific cases, for example “in the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.