SIMPLIFIED CUSTOMER DUE DILIGENCE OBLIGATIONS
Section 1: Money laundering risks lower than those covered by the Law
“Where professionals identify a lower risk of money laundering and terrorist financing, they may apply simplified customer due diligence measures.”
1.1 Situations involving less risk
When assessing the risks of money laundering or terrorist financing attaching to certain types of customer, geographical areas and products, services, transactions or particular distribution channels, professionals must take into account, as a minimum, the factors involved in potentially lower-risk situations as set out in Annex III (to the Law).
The application of simplified due diligence measures must be based on a risk assessment showing a low risk.
The risk factors set out in the Annex have already been mentioned above (customer/product/country), where the professional finds that the risk is low in the following respects:
– (i) geographical: if the situation/criteria involve more than one Member State, a customer originating from a Member State, and a third country posing a low risk of corruption/having effective AML/CFT systems;
– (ii) products/services/transactions/distribution channels. A non-exhaustive list comprising, for example: low-premium life insurance policies, retirement insurance contracts without an early redemption clause, pension schemes in favour of employees, financial products or services used for inclusion purposes, or products posing a low risk of money laundering or terrorist financing which are controlled in accordance with other factors such as limits or ownership transparency;
– (iii) customers: companies listed on a regulated market and subject to information obligations (including transparency as regards beneficial owners), public administrative bodies/undertakings, residence criteria.
Electronic money:
“By way of derogation (…) and based on an appropriate risk assessment which demonstrates a low risk, professionals are allowed not to apply certain customer due diligence measures with respect to electronic money, where all of the following risk-mitigating conditions are met:
(a) it is not possible to reload the payment instrument or the instrument has a maximum monthly limit of EUR 150 which can be used only in Luxembourg;
(b) the maximum amount stored electronically does not exceed EUR 150;
(c) the payment instrument is used exclusively to purchase goods or services;
(d) the payment instrument cannot be funded with anonymous electronic money;
(e) the issuer carries out sufficient monitoring of the transactions or business relationship to enable unusual or suspicious transactions to be detected.
The derogation provided for in the first subparagraph is not applicable in the case of redemption in cash or cash withdrawal of the monetary value of the electronic money where the amount redeemed exceeds EUR 50 or in the case of remote payment transactions within the meaning of Article 4(6) of Directive (EU) 2015/2366 (…) where the amount paid exceeds 50 euros per transaction.”
“Credit and financial institutions acting as acquirers shall only accept payments made with anonymous prepaid cards issued in third countries where such cards meet requirements equivalent to those set out in paragraphs 1 and 2.”
“In the presence of information suggesting that the degree of risk is not lower, or where there is a suspicion of money laundering or terrorist financing, or where there is doubt as to the veracity or relevance of previously obtained data, or in specific cases of higher risk, the application of this simplified due diligence regime shall not be possible to those particular customers, geographical areas, products, services, transactions or distribution channels.”
Thus, professionals must ensure that they do not apply simplified due diligence where they suspect money laundering/terrorist financing, even where they are confronted with factors which they assume to involve lower risks.
1.2 Due diligence measures
According to the FATF, financial institutions may be authorised to apply simplified due diligence measures, taking into account any lower level of risk.
The measures advocated by the FATF may thus consist in verifying the identity of the customer/beneficial owner following the establishment of the business relationship, reducing the frequency of customer identification updates and the intensity of ongoing due diligence, and inferring the purpose and intended nature of the business relationship from the type of transactions carried out.
“Where the professionals identify a lower risk of money laundering and terrorist financing, they may apply simplified customer due diligence measures.
(2) Before applying simplified customer due diligence measures, the professionals shall ascertain that the business relationship or the transaction presents a lower degree of risk.”
Section 2: Suggestions for simplified due diligence measures
According to CSSF Regulation n°12-02:
CSSF Regulation n°20-05 sets out the measures that the professional may apply in the context of a business relationship presenting a justified low risk:
- For clients subject to an authorization/licensing or mandatory registration regime for AML/CFT purposes, verify that the client is subject to this regime, for example by conducting a search on the regulator’s official website and documenting the result of the search;
- The presumption that a payment debited from an account held in the customer’s name, individually or jointly, with a credit institution or a regulated financial institution in a country of the European Economic Area or a third country imposing equivalent AML/CFT obligations, meets the requirements of Article 3 paragraph 2, subparagraph 1, point a) of the Law;
- The exceptional acceptance of other forms of identification that meet the criteria of reliable and independent sources, for example a letter addressed to the client by a government agency or other reliable public body, when the client is unable to provide the usual proof of identity, and provided that there is no reason for suspicion;
- Updating customer due diligence information only in the case of certain triggering events, for example if the customer requests a new or riskier product or service, or if there are changes in the customer’s behavior or transaction profile that suggest that the risk associated with the relationship is no longer low;
- For persons purporting to act on behalf of the client and for originators, promoters who are behind the launch of an investment fund, obtaining information on the country of residence of these persons instead of requesting the full mailing address;
- For persons claiming to act on behalf of a client where the client is a regulated credit or financial institution, instead of requesting the full identification of these persons, obtaining a letter confirming that the institution has applied due diligence measures to these persons and that it has carried out a regular check of these persons against the applicable lists of restrictive measures in financial matters.
Simplified due diligence measures according to the European supervisory authorities:
The final guidelines on risk factors published by the Joint Committee of the European Supervisory Authorities contain simplified due diligence measures which professionals may apply, generic or specific depending on the business sectors concerned.
2.1 “Generic” simplified due diligence measures
The measures advocated by the Joint Committee of the European Supervisory Authorities concerning simplified due diligence are based on adaptation – adaptation both of the moment chosen to apply the due diligence measures and of the quantity of information obtained for identification purposes or of its quality/source, or of the frequency of monitoring of transactions.
Professionals may use their discretion in deciding on the measures to be applied, depending on the circumstances of each particular case.
- Adaptation of the moment chosen to apply the due diligence measures:
(i) by verifying the identity of the customer or beneficial owner at the time of establishment of the business relationship; or
(ii) by verifying the identity of the customer or beneficial owner once the transactions exceed a fixed threshold or once a reasonable time has elapsed.
Professionals must make sure:
- that this does not entail a de facto exemption from customer due diligence measures;
- that the threshold or period of time is fixed at a reasonably low level/is reasonably short (that said, as regards the financing of terrorism, firms should note that a low threshold cannot on its own be sufficient to reduce the risk);
- that they have systems making it possible to detect when the threshold or deadline is reached; and
- that they do not defer the customer due diligence measures and do not delay the obtaining of relevant information concerning the customer where the applicable legislation, for example Regulation (EU) 2015/847, or provisions of national law require that information to be obtained from the outset.
- Adaptation of the quantity of information:
(i) by verifying the identity on the basis of information obtained from a single document or a single source of data which is reliable, credible and independent; or
(ii) by making assumptions regarding the nature and purpose of the business relationship on account of the fact that the product is designed exclusively for a very specific use, such as a company pension scheme or a gift card issued by a shopping centre.
- Adapting the frequency of updates of customer due diligence and reviews of the business relationship, for example by carrying them out only when trigger events occur, in particular where the customer wishes to subscribe for a new product or service or a given threshold for transactions is reached.
- Adapting the frequency and intensity of transaction monitoring, for example by monitoring transactions only beyond a certain threshold.
- Adapting the quality or source of information obtained for identification and verification of identity and ongoing due diligence:
  - Accepting information obtained from the customer rather than from an independent source when verifying the identity of the beneficial owner;
  - Relying on the origin of funds to meet certain due diligence requirements, such as where funds are derived from employee benefit payments or where funds have been transferred from an account in the customer’s name at an institution located in the EEA.
2.2 Simplified due diligence measures by sector of activity
As with risk assessment by sectors of activity, the guidelines published by the Joint Committee provide guidance regarding the simplified due diligence measures to be applied. Various examples are given below, but professionals are invited to consult the guidelines for further details.
- Retail banking:
  - For customers that are subject to a mandatory licensing or authorisation regime: verifying identity based on evidence showing that the customer is subject to that regime (through a search of the regulator’s public register);
  - Verifying the identity of the customer and, where applicable, the beneficial owner during the course of the establishment of the business relationship;
  - Accepting alternative forms of identity meeting the criterion of a “reliable and independent” source, e.g. a letter sent to the customer by a government agency or other reliable public body, where the customer is unable, on reasonable grounds, to provide standard evidence of his or her identity and provided there are no grounds for suspicion.
- Wealth management/private banking:
The Joint Committee of the European Supervisory Authorities considers that simplified due diligence measures are not appropriate in a wealth management context.
Nevertheless, all professionals will inevitably find themselves confronted with a series of risk factors linked to their customers which they must assess on a case-by-case basis in their activities as private bankers.
- Electronic money issuers and money remitters:
  - Deferring verification of the identity of the customer or beneficial owner to a later date after the establishment of the relationship or after a certain (low) monetary threshold is exceeded;
  - Verifying the customer’s identity on the basis of a payment drawn on an account in the sole or joint name of the customer, or in the joint names of the customer and another, or an account over which the customer can be shown to have control held with an EEA-regulated credit or financial institution;
  - Verifying identity on the basis of fewer sources or less reliable sources;
  - Assuming the nature and intended purpose of the business relationship where this is obvious, for example in the case of certain gift cards that do not fall under the closed loop/closed network exemption;
  - Reducing the intensity of monitoring as long as a certain monetary threshold is not reached.