PRACTICAL APPLICATION OF DUE DILIGENCE MEASURES
Section 1. Third-party introducers
“For the purposes of this Article, ‘third parties’ shall mean professionals (…), the member organisations or federations of those professionals, or other institutions or persons situated in a Member State or third country that:
a) apply customer due diligence requirements and record-keeping requirements that are consistent with those laid down in this Law and in Directive (EU) 2015/849; and
b) have their compliance with the requirements of this Law, Directive (EU) 2015/849 or equivalent rules applicable to them, supervised in a manner consistent with (…) Directive (EU) 2015/849.
It is prohibited for professionals to rely on third parties established in high-risk countries. Third parties that are branches and majority-owned subsidiaries of professionals established in the European Union are exempt from that prohibition, where those branches and majority-owned subsidiaries fully comply with the group-wide policies and procedures in accordance with (…) Directive (EU) 2015/849.
(2) Professionals may rely on third parties to meet the requirements (…), provided that the information (…) and documents (…) are obtained immediately from the third party to whom they have recourse. However, the final responsibility in the execution of these obligations remains with the professionals who use third parties”.
“Professionals using a third party must take appropriate measures to ensure that this third party provides without delay, upon request, in accordance with paragraph (3), the necessary documents concerning the customer due diligence requirements provided for in Article 3 (…), including, where appropriate, data obtained through the use of electronic means of identification, the relevant trust services provided for in Regulation (EU) No. 910/2014, or any other secure, electronic or remote identification process regulated, recognized, approved or accepted by the relevant national authorities.
Professionals using a third party must also ensure that the third party is regulated, supervised, and has taken measures to comply with customer due diligence and record keeping obligations that are consistent with those set out in Articles 3 to 3-2 of the (…) Law”.
(3) “When a third party intervenes for the purposes of paragraph 2 above, the latter shall be obliged to immediately make available to the professional to whom the client is addressing himself, notwithstanding any rules of confidentiality or professional secrecy applicable to him, the information requested in accordance with the obligations laid down in Article 3, paragraph 2, subparagraph 1, points a) to c) and subparagraph 2. In this case, an adequate copy of the identification and verification data, including, where appropriate, data obtained through the use of electronic means of identification, relevant trust services provided for in Regulation (EU) No. 910/2014, or any other secure electronic or remote identification process regulated, recognized, approved or accepted by the relevant national authorities, and any other relevant documents concerning the identity of the client or beneficial owner must be transmitted without delay, upon request, by the third party to the professional to whom the client is addressing.”
Moreover, the professional must ensure that the introducing third parties meet the requirements of the Law.
Any professional using a third party introducer must ensure, prior to the intervention of the latter, that he meets the requirements of the Act. The documentation used to verify the quality of the third party introducer must be kept in accordance with the Act.
The introducing third party shall give a prior written undertaking to fulfill the obligations specified in section 3-3, subsection (2) of the Act, notwithstanding the fact that the introducing third party is not a party to the Act. (2) of the Act, notwithstanding any rules of confidentiality or privilege applicable to the introducing party, if any.
The responsibility for compliance with the professional obligations provided for by the applicable legal provisions, including the present regulation, remains with the professional using the introducing third party.
[/left-bookmark]
If the professional uses a third party that is part of the group, the above requirements with respect to third parties will be considered met if:
“a) the professionals rely on information provided by a third party which is part of the same group ;
b) this group applies customer due diligence measures, rules relating to the conservation of documents and records and anti-money laundering and anti-terrorist financing programs in accordance with the Law, Directive (EU) 2015/849 or equivalent rules;
(c) the effective implementation of the obligations referred to in (b) is monitored at the group level by a supervisory authority, a self-regulatory organization or their foreign counterparts;
(d) any high-risk country risk is satisfactorily mitigated (…)”.
With regard to funds, the joint ALFI and ABBL guidelines on reducing money laundering and terrorist financing risks in the fund industry[1] refer to the respective obligations of the parties in the context of the use of the “third party introducer
– the UCI/IFM – investment fund manager (“the responsible entity” according to the guidelines) may rely on a third party meeting the requirements of the Law (art. 3-3) and of CSSF Regulation 12-02 (art. 36), which will have previously verified the identity of a prospect/client (his proxy if applicable)/BE of the UCI. The client thus introduced becomes a direct investor in the UCI. The UCI nevertheless remains responsible for the obligations of vigilance in relation to its clients.
[1] See “Practices and recommendations aimed at reducing the risk of money laundering and terrorist financing in the Luxembourg Fund Industry” (p. 21-22). This guide has been updated in May 2021 and contains new recommendations for fund players, in particular on the “Know your assets” (KYA) aspects.
Section 2. Outsourcing and agency relationship
“The contract between the professional and the delegated third party in the context of outsourcing or agency relationships (…) shall at least include:
- a detailed description of the due diligence measures and procedures to be implemented in accordance with the Law and this Regulation and, in particular, of the information and documents to be requested and verified by the third-party representative (service provider in case of outsourcing or agent in case of an agency relationship);
- the conditions regarding the transmission of information to the professional, including, notably, to make available immediately, regardless of confidentiality or professional secrecy rules or any other obstacle, the information gathered while fulfilling the customer due diligence obligations and the transmission, upon request and without delay, of a copy of the original supporting evidence received in this respect.”
“(2) The outsourcing and agency relationship policies and internal procedures of the trader wishing to use outsourced third parties shall, in particular, contain detailed provisions on the process of selection and evaluation of outsourced third parties, including subcontractors at different levels, in case of cascading outsourcing. In particular, the practitioner must ensure that the service provider has the necessary resources to perform all outsourced functions (process, service or activity outsourced).
Professionals must regularly monitor the delegated third party’s compliance with its commitments under the contract. According to the risk-based approach, regular control refers to the fact that the professional has the means to test (e.g. by sampling) and to control on a regular and punctual basis (e.g. by carrying out on-site visits) the respect of the obligations incumbent on the delegated third party. With regard to the data of its clients, the professional and the CSSF must have access rights to the systems/databases of the delegated third party.
“(2bis) A risk assessment of the outsourced functions and, if applicable, of the outsourcing chain must be carried out before the outsourcing contract is concluded (…)”
“(3) Responsibility for compliance with the provisions of the Act, the Grand-Ducal Regulation and this Regulation shall remain entirely with the professional using the delegated third party and the sub-delegated third party, where applicable.”
“(4) In the context of the outsourcing of AML/CFT functions, the rights and obligations of the professional and the service provider as well as their roles, responsibilities and tasks must be clearly listed, allocated and defined in the outsourcing contract. (…)”