ENHANCED CUSTOMER DUE DILIGENCE OBLIGATIONS
The Law lays down the specific cases in which professionals are required to apply enhanced customer due diligence measures.
The criteria governing cases in which professionals will find themselves faced with potentially higher-risk situations, thereby requiring them to apply enhanced due diligence, are set out in Annex IV to the Law.
Where professionals are confronted with factors indicating higher risks, they shall be required to “examine, as far as reasonably possible, the background and purpose of all transactions that meet at least one of the following conditions:
(a) it is a complex transaction;
(b) it is an unusually large transaction;
(c) it is conducted in an unusual pattern;
(d) it has no apparent economic purpose or apparent lawful purpose.
In particular, the professional shall reinforce the degree and nature of monitoring of the business relationship, in order to assess whether such transactions or activities appear unusual or suspicious.”
Alongside the non-exhaustive list of factors and types of elements indicative of a potentially higher risk, it should be noted that there are situations in which a professional will always be confronted with a high risk and will therefore invariably be required to apply enhanced due diligence measures:
- For business relationships or transactions involving high risk countries
Nevertheless, enhanced customer due diligence measures need not be automatically applied in majority-owned branches or subsidiaries that are located in high-risk countries, if such branches or subsidiaries fully comply with the group-wide policies and procedures in place pursuant to Article 4-1 or Article 45 of Directive (EU) 2015/849.
- In the case of cross-border correspondent and other similar relationships with client institutions
- In the context of business relationships with politically exposed persons.
The situations requiring enhanced due diligence measures are detailed one by one below.
Section 1. Politically exposed persons
1. The risk posed by a PEP
The special attention that professionals are required to pay to these persons arises, first, from the reputational risk linked to customers exercising political responsibilities, particularly in authoritarian regimes, and, second, the risk of the laundering of funds deriving from corruption.
Such persons may also use their families or associates to conceal funds or assets that have been misappropriated as a result of abuse of their official position or resulting from bribery and corruption. Moreover, they may seek to use their power and influence to gain representation and/or access to, or control of, legal entities for similar purposes.
2. Definition of a PEP
Politically exposed persons are defined as “(…) natural persons who are or have been entrusted with prominent public functions and (…) family members or persons known to be close associates of such persons”.
“‘Natural persons who are or have been entrusted with prominent public functions’ (…) means all natural persons, including:
- heads of State, heads of government, ministers and deputy or assistant ministers;
- members of parliament or of similar legislative bodies;
- members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances;
- members of courts of auditors or of the boards or directorates of central banks;
- ambassadors, chargés d’affaires and high-ranking officers in the armed forces;
- members of the administrative, management or supervisory bodies of State-owned enterprises;
- important officials and members of the governing bodies of political parties;
- directors, deputy directors and members of the board or equivalent function of an international organisation;
- natural persons performing the functions included in the list published by the European Commission on the basis of Article 20a(3) of Directive (EU) 2015/849 (…)”
“Each Member State shall issue and keep up to date a list indicating the exact functions which, according to national laws, regulations and administrative provisions, qualify as prominent public functions (…).”
These lists will help professionals to determine the public functions characterising PEPs in all Member States.
3. Definition of family members and associates of a PEP
The identification of a PEP must also include an examination of the members of his/her family and of his/her associates, within the framework of enhanced due diligence.
“Family members” means “all natural persons, including in particular:
- the spouse;
- any partner considered by national law as equivalent to the spouse;
- the children and their spouses or partners considered by domestic law as equivalent to a spouse;
- the parents;
- the brothers and sisters.”
The list is thus not exhaustive, according to the wording of the provision.
“Persons known to be close associates” (…) means “all natural persons, including in particular:
- any natural person who is known to have joint beneficial ownership of legal entities or legal arrangements, or any other close business relations, with a person referred to in paragraph 10;
- any natural person who has sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the benefit de facto of the person referred to in paragraph 10”.
4. Obligations incumbent on professionals dealing with a PEP
4.1 Identification of PEPs
“(…) Financial institutions should be required to take reasonable measures to determine whether a customer or beneficial owner is a domestic PEP or a person who is or has been entrusted with a prominent function by an international organisation (…).”
“Adequate risk management systems (including risk-based procedures) for determining whether the customer or person purporting to act on the customer’s behalf or the beneficial owner is a politically exposed person (…) include at least seeking relevant information from the customer, referring to publicly available information or having access to electronic databases of politically exposed persons. The detection of politically exposed persons among existing clients during the course of a business relationship must be carried out at least every six months.”
Politically exposed persons must be identified, because they represent a potentially high risk, and enhanced due diligence measures must be applied to them. The risk-based approach serves to determine whether the customer or beneficial owner is a PEP; if so, he or she becomes subject to enhanced due diligence. Professionals are therefore required to have adequate risk management systems, including risk-based procedures, to determine whether a prospective client, existing customer or beneficial owner is a politically exposed person.
Every politically exposed person is covered, whether domestic or foreign. The enhanced due diligence requirements for politically exposed persons also apply when the person in question holds an important public office in another Member State or in a third country or on behalf of one of these countries.
As soon as a person falls into the category of a PEP, the enhanced due diligence requirements apply to him.
WHAT TO DO?
– Subscribe to an IT service comprising databases relating to PEPs and integrate it into the existing systems;
– Carry out a legislative monitoring exercise at European level in respect of Member States that publish a national list of important public functions in accordance with the 5th Anti-Money Laundering Directive;
– Carry out regular checks of the customer database to detect customers who have since become PEPs (natural persons whose professional activity/function has changed).
4.2 The enhanced due diligence obligation
“With regard to transactions or business relationships with politically exposed persons (…), professionals are required to:
(a) have appropriate risk management systems, including risk-based procedures, to determine if the customer or beneficial owner is a politically exposed person;
(b) obtain senior management approval for establishing or, if an existing customer, to maintain a business relationship with such persons ;
(c) take reasonable measures to establish the source of wealth and source of funds that are involved in the business relationship or transaction with such persons. In addition, credit and financial institutions shall take all appropriate measures to establish the source of assets and funds of customers and beneficial owners identified as politically exposed persons;
(d) conduct enhanced ongoing monitoring of the business relationship.
The provisions of this paragraph also apply where a customer has already been accepted and the customer or the beneficial owner is subsequently found to be, or subsequently becomes, a politically exposed person.”
“When a client has been accepted and it subsequently appears that this client or the beneficial owner is or becomes a politically exposed person, professionals are required to obtain authorization from a high level of the hierarchy to continue the business relationship. The authorization procedure requiring approval from a high level of the hierarchy also involves the person responsible for monitoring compliance with professional obligations in terms of the fight against money laundering and terrorist financing.
Professionals are required to take all reasonable measures to identify the origin of the assets and funds of clients and beneficial owners identified as politically exposed persons”.
4.3 Particular case: life insurance contracts
The Law of 13 February 2018 adds new criteria to determine whether the beneficiary of a life insurance contract may be a politically exposed person:
“Professionals must take reasonable steps to determine whether the beneficiaries of a life insurance contract or other type of investment-linked insurance or, if applicable, the beneficiary’s beneficial owner are politically exposed persons. These measures shall be taken at the latest at the time of the payment of benefits or at the time of the assignment, in part or in full, of the insurance contract. When higher risks are identified, professionals, in addition to the customer due diligence measures provided for in Article 3, must:
a) inform a senior member of the hierarchy before payment of the proceeds of the contract ;
b) exercise enhanced scrutiny over the entire business relationship with the policyholder
c) make a suspicious transaction report to the FIU or, if the professional is a lawyer, to the President of the respective Bar Association, if the circumstances give rise to a suspicion of money laundering or terrorist financing.
5. PEPs who no longer hold office
“Where a natural person who is or has been entrusted with prominent public functions is no longer entrusted with a prominent public function by a Member State or a third country, or with a prominent public function by an international organisation, the professionals shall, for at least 12 months, take into account the continuing risk posed by that politically exposed person and apply appropriate and risk-sensitive measures until such time as that person no longer poses a particular risk.”
WHAT TO DO?
Depending on its risk assessment, the professional may, on a case-by-case basis, opt for periods going beyond 12 months after the PEP has left office in which to apply appropriate due diligence measures.
Section 2. Correspondent banks
“In the case of cross-border correspondent relationships and other similar relationships with client-correspondent institutions in third countries, credit institutions, financial institutions and other institutions involved in such relationships must, in addition to the customer due diligence measures provided for in Article 3, paragraph (2), when entering into a business relationship:
(a) gather sufficient information about a respondent institution to understand fully the nature of the respondent’s business and to determine from publicly available information the reputation of the institution and the quality of supervision, which implies, among other things, knowing whether the client institution has been the subject of an investigation or of measures taken by a supervisory authority with regard to the fight against money laundering and against the financing of terrorism;
(b) assess the client institution’s anti-money laundering and anti-terrorist financing controls;
(c) obtain approval from senior management before establishing new correspondent banking relationships;
(d) clearly understand and document the respective responsibilities of each institution;
(e) with respect to “payable through accounts”, ensure that the client institution has verified the identity of clients with direct access to the accounts of credit institutions, financial institutions and other institutions involved in such relationships and has implemented ongoing monitoring of them, and that it can provide relevant data and information concerning these due diligence measures at the request of the correspondent institution” (see also below the additional requirements introduced by the Grand-Ducal Regulation of 1 February 2010 for payable-through accounts).
“Professionals are prohibited from establishing or maintaining a correspondent relationship with a shell banking company or with a credit or financial institution known to allow a shell banking company to use their accounts. Professionals shall ensure that correspondents do not allow shell banking companies to use their accounts.”
“It is prohibited for professionals to enter into or continue a correspondent relationship with a shell bank or with a bank that is known to permit its accounts to be used by a shell bank.”
The Grand-Ducal Regulation of 1 February 2010 (GDR) as amended provides additional instructions in the event of a cross-border correspondent relationship in the context of the business relationship with the client institution. The professional must also:
- assess, on the basis of publicly available information, the reputation of the client institution and the quality of its supervision, including whether the institution concerned has been the subject of an investigation or intervention by the supervisory authority relating to money laundering or terrorist financing
- ensure the adequacy and effectiveness of the client institution’s anti-money laundering and anti-terrorist financing controls
- clearly understand and specify in writing the respective AML/CFT responsibilities of each institution
The GDR imposes additional obligations on the professional in the presence of payable-through accounts (transit accounts). The professional must ensure that:
- its client (the client institution) has applied all the due diligence measures provided for in Article 3 of the Law to those of its own clients who have direct access to the accounts of the correspondent institution; and
- the client institution is able to provide relevant identifying data and information about such clients upon request by the correspondent institution. The provision of such data and information by Luxembourg credit institutions in the context of a correspondent relationship is permitted.
Insofar as institutions other than credit institutions are involved in correspondent banking relationships, the rules on this matter also apply to these institutions.
WHAT TO DO?
A shell bank is a credit institution or an establishment carrying on activities equivalent to those of a credit institution, established in a country where it has no effective physical presence through which real control and management would be exercised and which is not attached to a regulated financial group.
In particular, the professional must “gather information on:
– the country of establishment of the respondent institution, as well as the legal and regulatory framework and the effectiveness of AML/CFT controls applicable in that country;
– the applicable supervisory authority and regime;
– the ownership and control structure of the respondent institution.”
Cross-border correspondent services and other similar relationships may present different levels of risk, which justifies, on the basis of the professional’s own analysis, the application of enhanced due diligence measures of varying intensity.
The due diligence measures advocated by the Joint Committee of the European Supervisory Authorities in its final guidelines on risk factors in the context of the activities of correspondent banks include the following:
– identifying/verifying the identity of the respondent institution (including information concerning the respondent’s management) and that of its beneficial owner;
– obtaining sufficient information about the activities and reputation of the respondent institution (the types of customers it attracts, qualitative analysis of the respondent’s AML/CFT control systems);
– establishing/documenting the nature and purpose of the service provided, as well as the responsibilities of each institution (the way in which the service is used and access thereto);
– monitoring the business relationship and identifying any changes occurring in the risk profile of the respondent institution, in order inter alia to detect any unusual or suspicious behaviour (for example, customers of the respondent institution being allowed direct access to accounts provided by the correspondent);
– ensuring that the respondent institution does not authorise the use of its accounts by shell banks and does not have any dealings with such banks.
Once that information has been gathered, the professional should analyse it and take a decision concerning the correspondent banking relationship. That decision must be documented and retained so that it can be made available to the competent authorities.
The professional must in addition undertake an examination of the information on which the decision to establish the relationship is based, and where necessary update that information. Where information is such as to undermine confidence in the legal system of the country in which the respondent is established, or in the effectiveness of its anti-money laundering/terrorist financing controls, the professional must reconsider the relationship.
Lastly, the professional must satisfy itself with regard to compliance by the respondent at all times with the commitments given by the latter, depending on the risk involved (in particular, communication without delay, upon request, of relevant data for the identification of those of its customers that have direct access to the payable-through accounts opened for it).
Section 3. High-risk countries
“A high-risk country is a country that is on the list of high-risk third countries identified pursuant to Article 9(2) of Directive (EU) 2015/849 (i.e., Delegated Regulation (EU) 2020/855) or designated as higher risk by the Financial Action Task Force (FATF), as well as any other country that supervisory authorities and professionals consider, in their assessment of money laundering and terrorist financing risks, to be a high-risk country based on the geographical risk factors set out in Annex IV (of the Law).”
There is no standardized method allowing the professional to assign a “country risk” “scoring”. If the professionals apply the procedure used by the parent company of the group, they will have to integrate the criteria of art. 1, para (30) of the Law.
As for the updating of the list of high risk countries, this is done at least following the publication of EU delegated acts listing high risk third countries or CSSF circulars on the FATF declarations concerning high risk jurisdictions against which enhanced due diligence measures are required.
With regard to business relationships or transactions involving high-risk countries, professionals shall apply the enhanced customer due diligence measures mentioned below:
a) obtain additional information on the client and on the beneficial owner(s) and update the identification data of the client and the beneficial owner(s) more regularly;
b) obtain additional information on the intended nature of the business relationship;
c) obtain information on the origin of the funds and the origin of the assets of the customer and the beneficial owner(s);
d) obtain information on the reasons for the transactions envisaged or carried out;
e) obtain authorisation from a senior member of their hierarchy to enter into or maintain the business relationship;
f) implement enhanced monitoring of the business relationship by increasing the number and frequency of checks carried out and by identifying transaction patterns that require further scrutiny.
The Law does not require the person responsible for compliance with professional obligations (“RR”), i.e. the person occupying the function corresponding to the “high level of the hierarchy” under art. 31, para. (2) of CSSF Regulation 12-02 as amended, to be involved in transactions with high-risk countries.
The RR therefore need not be involved ex ante in these transactions. The Compliance Officer (“CO”) may be involved ex post in the monitoring of such transactions if necessary.
“Professionals shall ensure that, where appropriate, the first payment is made through an account opened in the customer’s name with a credit institution that is subject to customer due diligence standards at least as high as those set out in Directive (EU) 2015/849.”
“Enhanced customer due diligence measures need not be automatically applied in the case of majority-owned branches or subsidiaries that are located in third countries (…), if such branches or subsidiaries fully comply with the group-wide policies and procedures in place pursuant to (…) Directive (EU) 2015/849. Professionals shall address these situations using a risk-based approach.”
“Enhanced customer due diligence measures need not be invoked automatically with respect to branches or majority-owned subsidiaries of the professionals established in the European Union which are located in high-risk third countries (…), where those branches or majority-owned subsidiaries fully comply with the group-wide policies and procedures in accordance with (…) Directive (EU) 2015/849. The professionals shall handle those cases by using a risk-based approach.”
“Financial institutions should be required to apply enhanced due diligence measures to business relationships and transactions with natural and legal persons, and financial institutions, from countries for which this is called for by the FATF. The type of enhanced due diligence measures applied should be effective and proportionate to the risks.”
Annexe III(A) below provides various links giving information about third countries posing risks of corruption/money laundering/terrorist financing.
WHAT TO DO … to mitigate the risks posed by high-risk countries?
– Increase the quantity of information obtained for customer due diligence purposes (e.g. concerning the identity of the customer or beneficial owner or the customer’s ownership and control structure, in order to be satisfied that the risk associated with the business relationship is well understood, and about the intended nature of the business relationship, to ascertain that the nature and purpose of the business relationship is legitimate and to help firms obtain a more complete customer risk profile);
– Increase the quality of information obtained for customer due diligence purposes, in order to confirm the identity of the customer or beneficial owner (the first payment should be carried out through an account verifiably in the customer’s name with a bank subject to customer due diligence rules which are the same as those laid down in, for example, the 4th Anti-Money Laundering Directive);
– Increase the frequency of reviews, in order to be satisfied that the firm continues to be able to manage the risk associated with the individual business relationship, or, where the relationship no longer corresponds to the firm’s risk appetite, to help it to identify any transactions that require further review.
Section 4. Examples of enhanced due diligence measures to be implemented, sector by sector, and in the case of transactions not involving the physical presence of the parties
The Joint Committee of the European Supervisory Authorities, in its final guidelines on risk factors, sets out numerous criteria to be applied by professionals in the specific situations provided for by the Law, and by sector of activity, it being understood that the measures appearing in the guidelines are not exhaustive and are thus given by way of illustration only.
- Retail banking:
– Verifying the identity of the customer and the beneficial owner(s) on the basis of more than one reliable and independent source;
– Obtaining more information about the customer and the nature or purpose of the business relationship, so as to build up a more complete customer profile;
– Increasing the frequency of transaction monitoring;
– Reviewing and updating the information held more frequently.
- Wealth management/private banking:
The measures prescribed in the guidelines echo, in a number of ways, those mentioned with respect to retail banking.
In addition, the professional must, in particular, establish the source of the assets and funds; where the risk is particularly high and/or the firm has doubts regarding the legitimacy of the origin of the funds, verifying the source of wealth and funds may be the only adequate risk mitigation tool. The source of funds or wealth may be verified by reference to, inter alia:
– a recent pay slip;
– a written confirmation of annual salary signed by the employer;
– a confirmation of sale signed by a lawyer/notary;
– the original or a certified copy of the will or grant of probate;
– written confirmation of inheritance signed by the testator’s notary/fiduciary/executor.
The professional should, moreover, monitor its customer’s transactions on an ongoing basis and/or where one of the elements of a transaction appears to be incompatible with the customer’s commercial risk profile.
- Electronic money issuers and money remitters:
The enhanced customer due diligence measures which firms should apply in a high-risk situation include the following:
– obtaining additional information about the customer during the identification process, such as the source of funds;
– applying additional verification measures from a wider variety of reliable and independent sources (e.g. checking against online databases) in order to verify the identity of the customer and the beneficial owner(s);
– obtaining additional information about the intended nature of the business relationship, for example by asking clients about their business or the jurisdictions to which they intend to transfer electronic money;
– obtaining information about the merchant/payee, in particular where the electronic money issuer has grounds to suspect that its products are being used to purchase illicit or age-restricted goods;
– applying identity fraud checks to ensure that the customer is who he or she claims to be;
– applying enhanced monitoring to the customer relationship and individual transactions;
– establishing the source and/or the destination of funds.
- Transactions not involving the physical presence of the parties, in the absence of electronic means of identification or secure identification process:
“In the case of transactions that do not involve the physical presence of the parties and where the professional has not set up electronic means of identification, relevant trust services within the meaning of Regulation (EU) No. 910/2014 or any other secure electronic or remote identification process regulated, recognized, approved or accepted by the relevant national authorities, professionals must have specific risk management systems related to business relationships or transactions.
These policies and procedures must be applied at the time of the establishment of the business relationship with the client and during the implementation of ongoing vigilance measures”.
Specific measures to be adopted by the professional to compensate for the potentially higher risk presented by this type of relationship may include:
“- measures ensuring that the identity of the client is established by means of additional documents, data or identifying information ;
– additional measures ensuring verification or certification by a public authority of the documents provided ;
– a confirmation certificate from a credit or financial institution subject to the Law or subject to equivalent professional obligations in the area of anti-money laundering and combating the financing of terrorism
– measures to ensure that the first payment of transactions is made through an account opened in the customer’s name with a credit or financial institution subject to the Act or subject to equivalent professional obligations in the area of anti-money laundering and combating the financing of terrorism.”
Section 5. Examples of enhanced due diligence measures to be implemented pursuant to CSSF Regulation No 12-02:
“Without prejudice to the cases where enhanced due diligence measures are specifically prescribed by the Law, the Grand-Ducal Regulation or this Regulation, examples of enhanced due diligence measures that could be applied depending on the risk assessment performed by the professional for higher-risk business relationships include:
- obtaining additional information on the customer and updating more regularly the identification data of the customer and the beneficial owner;
- obtaining additional information/documentation on the intended nature of the business relationship or on the origin of the funds involved and the assets;
- obtaining information and, where appropriate, evidence as to the reasons and economic background for the transactions contemplated or carried out and the plausibility of such transactions;
- obtaining the approval of the authorised management to commence or continue the business relationship;
- requiring the first payment to be carried out through an account in the customer’s name with a professional subject to similar customer due diligence standards;
- verifying the additional information obtained with independent and reliable sources;
- receiving a visit from the customer/company or contacting the customer/company via registered letter with acknowledgement of receipt;
- conducting enhanced monitoring of the business relationship, by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.”