OBLIGATION TO HAVE AN ADEQUATE INTERNAL ORGANISATION
Section 1. Obligation to put in place written internal control and communication procedures
“Professionals shall put in place policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified at international, European, national and sectoral level and at the level of the professionals themselves. Those policies, controls and procedures, which take into account the risks of money laundering and terrorist financing, shall be proportionate to the nature, specificities and size of the professionals.
The policies, controls and procedures referred to in the first subparagraph shall include:
a) the development of internal policies, controls and procedures, including models, relating to risk management practices, customer due diligence, cooperation, record-keeping, internal control, compliance management including the appointment of a compliance officer at appropriate hierarchical level, and employee screening;
b) where appropriate with regard to the size and nature of the business and the risks of money laundering and terrorist financing, an independent audit function to test the internal policies, controls and procedures referred to in point (a). (…)
The professionals shall appoint, where appropriate, among the members of their management body or effective direction, the person responsible for compliance with the professional obligations as regards the fight against money laundering and terrorist financing.”
“The internal control system … is adequately resourced to monitor compliance, including on a test basis, with procedures, policies and controls and has the independence necessary to perform its duties.
The Compliance Officer and other relevant personnel shall have timely access to client identification and other due diligence information, transaction records and other relevant information. The compliance officer must be able to act independently and report to management, without reporting to his or her immediate supervisor, or to the board of directors (…).”
The AML/CFT compliance officer reports in writing, on a regular basis and if necessary on an ad hoc basis to the authorized management and, if necessary, to the board of directors (or specialized committees).
.These reports cover the follow-up of recommendations, problems, deficiencies and irregularities identified in the past as well as new problems, deficiencies and irregularities identified. Each report specifies the related risks and their degree of seriousness (impact measurement) and proposes corrective measures (…). These reports shall assess the extent of the suspicions or reasonable grounds for suspicion of money laundering, associated predicate offenses or terrorist financing that have been detected, and make a judgment on the adequacy of the AML/CFT policies, procedures and systems and the AML/CFT cooperation of the professional’s departments.
Monitoring AML/CFT policies and procedures should be an integral part of the professional’s internal audit function. To this end, the internal audit activity must independently test and evaluate risk management and control, AML/CFT policies, and procedures.
The internal auditor must report annually to authorized management and the board of directors (or specialized committees) and submit a summary report on compliance with AML/CFT policies and procedures. The internal auditor must be diligent in ensuring that these recommendations or corrective actions are implemented.
CSSF Regulation No 12-02 sets out various examples of procedures relating to the professional’s AML/CFT policy.
“The professional’s AML/CFT policies and procedures shall cover all the professional obligations and, where appropriate, include, inter alia, the following:
– the customer acceptance policy (…);
– the detailed procedures as regards the identification, assessment, supervision, management and mitigation of money laundering or terrorist financing risks (…). Those procedures shall allow monitoring of the development of the identified risks, reassessing them on a regular basis and identifying any significant change affecting them or any new risk;
– the specific risk management mechanisms relating to business relationships or transactions not requiring the physical presence of the parties without other guarantees having been put in place (as referred to in Article 27 of CSSF Regulation 12-02);
– the measures designed to prevent the misuse of products or the execution of transactions that might favour anonymity (…), in particular, as regards new technologies;
– the procedures to be followed in the event of a request to enter into a business relationship or to execute an occasional transaction for a person whose normal activity involves the holding of third-party funds with a professional or the opening of a group account;
– the procedure for accepting and monitoring business relationships (…);
– the procedures to be followed when using a third-party introducer (…)
– the procedures to be followed when using delegated third parties intervening within the framework of an outsourcing or agency contract (…)
– the procedures to observe in order to monitor the development of business relationships as well as transactions executed for customers, notably to detect suspicious transactions;
– the procedures to be followed in the event of suspicion or reasonable grounds for suspicion of money laundering, associated predicate offences or terrorist financing
(…)
– the procedures to be followed in order to fulfil the obligations of Regulation (EU) 2015/847 (transfers of funds);
– the personnel selection policy guaranteeing the recruitment of employees according to demanding criteria, the personnel training and awareness-raising programme (…)
– the accurate definition of the respective responsibilities of the various functions within the staff with regard to AML/CFT, as well as the procedure for appointing the control officer and the compliance officer.”
– the procedure for internal reporting of violations of professional AML/CFT obligations through a specific, independent and anonymous channel
– procedures for financial restraint measures
– procedures for identifying the beneficiary of trusts or similar legal arrangements at the time of payment of benefits or at the time the beneficiary exercises his or her vested rights (…)
Information on the measures relating to mechanisms for the supervision of business relationships and transactions as included in CSSF Regulation No 12-02 will be found above.
Section 2. Obligation to provide training and awareness-raising for the personnel
“Professionals are required to take measures proportionate to their risks, their nature and their size, so that their employees, including members of the management bodies and the effective management, are aware of the professional obligations in the fight against money laundering and terrorist financing, as well as the applicable data protection requirements. These measures include the participation of their employees in special continuing education programs designed to keep them informed of new developments, including information on money laundering and terrorist financing techniques, methods and trends, to help them recognize transactions that may be related to money laundering or terrorist financing, and to instruct them on how to proceed in such cases. Special ongoing training programs provide employees with clear explanations of all aspects of AML/CFT laws and obligations, including customer due diligence and suspicious transaction reporting obligations. (…) “.
“Every professional shall have a training and awareness-raising programme for the whole personnel which observes highly qualitative criteria and whose content and calendar take into account the specific needs of the professional. That programme, as well as its realisation, shall be documented in writing. The programme shall take into account the development of money laundering and terrorist financing techniques and shall be adapted when relevant legal or regulatory requirements change.
The training and awareness-raising programme of the personnel shall include, inter alia:
- for all newly hired employees, participation in internal or external basic training as soon as they are hired, making them aware of the professional’s AML/CFT policy as well as of the relevant legal and regulatory requirements;
- for the employees, regular participation in internal or external continuing education which is addressed, in particular, to the members of the personnel in direct contact with customers in order to help them identify unusual transactions and recognise money laundering or terrorist financing attempts. That continuing education shall also concern the professional’s internal procedures to be followed by the employees in the event that they identify suspicion or have reasonable grounds for suspicion of money laundering, related predicate offences or terrorist financing;
- regular information meetings for employees in order to keep them up to date with developments as regards the techniques, methods and trends with respect to money laundering and terrorist financing as well as the preventive rules and procedures to be followed in the matter;
- the appointment of one or more contact person(s) for employees who is/are competent and available to answer any questions which relate to money laundering or terrorist financing and which may concern, notably, all aspects of the laws and obligations regarding AML/CFT, the internal procedures, the customer due diligence duties and the reporting of suspicious transactions;
- the periodic distribution of AML/CFT documentation which includes, in particular, examples of money laundering or terrorist financing transactions.”
Where a training programme is organised abroad and presented at, for example, the registered office or parent company of the professional, the latter is obliged to adapt the programme to the rules and standards applicable in Luxembourg.
The FIU 2017 Activity Report contains more than a dozen studies of specific cases which are not exhaustive but which “gave rise to suspicious transaction reports by the professionals concerned, illustrating different characteristics (techniques, mechanisms and instruments) frequently encountered by the FIU in carrying out its analyses(…)”.
Section 3. Internal reporting of breaches of professional obligations
“Professionals shall have in place appropriate procedures, proportionate to their nature and size, for their employees, or persons in a comparable position, to report internally, through a specific, independent and anonymous channel, breaches of professional obligations as regards the fight against money laundering and terrorist financing.”
The 5th Anti-Money Laundering Directive requires Member States to “ensure that individuals, including employees and representatives of the obliged entity who report suspicions of money laundering or terrorist financing internally or to the Financial Intelligence Unit, are legally protected from being exposed to threats, retaliatory or hostile action, and in particular from adverse or discriminatory employment actions”.
In addition, they must “ensure that individuals who are exposed to threats, retaliatory or hostile actions, or adverse or discriminatory employment actions for reporting suspicions of money laundering or terrorist financing internally or to the Financial Intelligence Unit are entitled to present a complaint in a safe manner to the respective competent authorities. (…)”
Section 4. Obligation to have systems making it possible to respond to the authorities
“Professionals shall have systems in place that enable them to respond fully and rapidly to enquiries from the Luxembourg authorities responsible for combatting money laundering and terrorist financing and self-regulatory bodies, as to whether they maintain or have maintained during the previous five years a business relationship with specified natural or legal persons and on the nature of that relationship, through secure channels and in a manner that ensures full confidentiality of the enquiries.”
“(…) professionals shall be able to answer quickly and comprehensively all information requests for information from the Luxembourg AML/CFT authorities, and, in particular, those which tend to determine whether they are or were in business relationships or whether they do or did carry out transactions in relation to specific persons (…).
This cooperation requirement does not end with the business relationship or transaction.”
Similarly, the FIU’s “Suspicious Operations Report” Guideline obliges professionals to respond, “without delay, to a request for information by the FIU by using the ‘feedback’ forms, available on goAML Web. (The professional) can fill them in online or download an XML file (…). If (the professional) has not yet done so, (it should) register in advance to be able to respond to the request for information.
Depending on the complexity and scope of research required, (the professional) should respond to any request for information by the FIU by using the ‘feedback’ forms, available on goAML Web. (The professional) can fill them in on FIU within a fortnight. However, if a request for information is described as ‘very urgent’, especially when dealing with terrorist financing, (the professional) should respond within 24 hours. A request for information described as ‘urgent’ should be processed within a week.”