This document forms part of the ABBL’s action plan to fight money laundering, and is designed to bring its members up to the mark in meeting the requirements involved in combatting money laundering and terrorist financing, whilst at the same time helping to enhance Luxembourg’s image as a financial market-place.

For the purposes of this document, the expression “combatting money laundering” is used to cover not only the fight against money laundering in the strict sense of the term but also the fight against terrorist financing and the unlawful proliferation of weapons of mass destruction, known for short as AML/CFT.

Effective participation by credit institutions and other financial sector professionals in the fight against money laundering presupposes, and is dependent on, a thorough knowledge of the applicable legislation and regulations.

This document is intended to assist them in the effective performance of their obligations, in accordance with the statutory and regulatory provisions applicable in the matter, and to provide various details regarding the practical implementation of the legislation. ABBL is not hereby seeking to impose new professional obligations on credit institutions and other financial sector professionals, or to interpret the legal rules.

Preventing financial channels from being used for money laundering is a top priority, and the players in the financial market-place are cooperating with a view to the application of measures adopted at both national and international levels. In so doing, and in the application of the relevant rules, it is important to ensure that the steps taken strike the right balance between, on the one hand, extreme vigilance with regard to banking and financial operations which could prove to be suspect and, on the other hand, respect for privacy. Whilst the risk of the system being used for money laundering purposes should not be underestimated, it should not be overestimated either. A targeted approach to the real risk needs to be adopted by each and every financial sector professional. That approach must be based on a good knowledge of the level of risk involved and suitable adaptation of the professional’s internal procedures.

The Law of 5 April 1993 on the financial sector, as amended, and the Law of 12 November 2004 on the fight against money laundering and terrorist financing, as amended, (“the Law”) impose stringent requirements as regards combatting money laundering on, inter alia, credit institutions and the other financial sector professionals (FSPs). For the purposes of this document, the term “professional” is used without distinction to signify credit institutions and other financial sector professionals.

Under Article 39 of the Law of 5 April 1993 on the financial sector, as amended in particular by the Law of 13 February 2018, such institutions and other professionals are in essence subject, in the fight against money laundering, to three professional obligations, namely the obligation to know one’s customers, the obligation to have an adequate internal organisation and the obligation to cooperate with the authorities.

The first part of this document is devoted to an examination of certain particular aspects relating to the predicate offences on which money laundering is based and the material and personal scope of application of the relevant professional obligations. The second part deals with the content of those professional obligations, and the best practices identified to provide professionals with guidance in the implementation of the rules.

Since the Recommendations of the Financial Action Task Force (“FATF”) constitute the international standard on combatting money laundering and the financing of terrorism, a correlation table showing the equivalences between those recommendations and the structure of this AML Handbook appears in Annex I.

This AML Handbook is not intended to provide legal advice and has no normative value. Its aim is, in particular, to make it easier to follow the legal framework of AML/CFT on the basis of the interpretations, understanding and hypotheses accepted by financial actors.

Whilst every effort has been made to ensure that the information contained in this AML Handbook is pertinent and up-to-date as at the time of its publication, that information is not exhaustive.

Thus, the content of this document may change in line with the laws and regulations enacted and adopted and, as the case may be, any updates and clarifications issued by the CSSF, in the light of which this AML Handbook may be updated and supplemented in the future.

Using the interactive handbook

 

In order to determine whether a professional is required to lodge a suspected money laundering report, it is necessary to know in advance the offences the object or proceeds of which may give rise to a money laundering offence, but without necessarily circumscribing the offence (Section 1: Predicate offences).

The transposition into Luxembourg law of Directive (EU) 2018/1673 aimed at combating money laundering by means of criminal law will see the offence of money laundering extended to all crimes and offences.

Over and above the scope of application of Luxembourg law to certain categories of offences, professionals must in addition take account, in the context of cross-border activities, of the criminal law of the host country (Section 2: Risks connected with the cross-border transaction of banking and financial business).

Section 1. Money laundering and terrorist financing offences

1.Predicate offences

Article 506-1 of the Penal Code contains a list of predicate offences, made up of two parts: first, offences expressly designated as predicate offences, and second, an “open-ended” list defined according to a penalty threshold and including all offences punishable by a minimum term of imprisonment of more than six months.

This approach corresponds to Recommendation 3 (money laundering offence) and 5 (terrorist financing offence) of the FATF:

“Predicate offences may be described by reference to … a threshold linked either to a category of serious offences; or to the penalty of imprisonment applicable to the predicate offence (threshold approach); or to a list of predicate offences; or a combination of these approaches.”

“The concept of primary offence refers to all offences covered by Article 506-1 of the Penal Code. This list includes most of the serious offences contained in the Penal Code (for example bankruptcy, corruption, kidnapping, sexual exploitation, forgery, fraud, murder, human trafficking, theft, etc.) or contained in special acts of legislation (for example counterfeiting, criminal tax offences, environmental offences, trafficking of illicit narcotics and psychotropic substances, etc.)”.

Money laundering offences are also punishable where the predicate offence has been committed abroad. However, that offence must be punishable in the State where it has been committed.

2. The elements constituting the offence of money laundering

The offence of money laundering as laid down in Article 506-1 of the Penal Code, being a statutory offence, can only be found by a criminal court to have been committed if it is co-existent both with a material (substantive) element and an element of intent.

2.1  The material element

The material element corresponds to the materialisation of an act or behaviour which will ultimately result in the act of money laundering. The Guideline of the Financial Intelligence Unit (FIU) entitled “Suspicious operations report” sets out the three types of behaviour characterising money laundering offences:

“The offence of money laundering and associated predicate offences, defined in Article 506-1 of the Penal Code and Article 8 (1) (a) and (b) of the Law of 19 February 1973, as amended, on the sale of medicinal substances and measures to combat drug addiction, covers three different types of behaviour:

1. those who knowingly facilitated, by any means, the misleading justification of the nature, origin, location, availability, movement or ownership of property, which are referred to in section 31, paragraph 2 (1) and which constitute the direct or indirect purpose or product of one or more primary offences or which constitute any kind of patrimonial benefit, resulting from one or more of those offences,
2. those who knowingly assisted in the placement, concealment, disguise, transfer or conversion of property, which are referred to in section 31, paragraph 2 (1) and which constitute the direct or indirect purpose or product of one or more primary offences or which constitute any kind of patrimonial benefit, resulting from one or more of those offences,
3. those who have acquired, held or used property, which are referred to in section 31, paragraph 2 (1) and which constitute the direct or indirect purpose or product of one or more primary offences or which constitute any kind of patrimonial benefit, resulting from one or more of those offences.”

“Money laundering consists of any act relating to the proceeds or the object i.e. to any economic benefit drawn from the predicate offence. The legal definition of money laundering is very broad and encompasses a whole set of devices which all serve the purpose to provide a false justification of the origin of the property forming the object or proceeds of the predicate offences.”

2.2  The element of intent

The element of intent is a decisive factor for the commission of the offence of money laundering. Thus, any person who has “knowingly” committed a criminal act referred to in Article 506‑1 of the Penal Code, combined with the material element, will bring about the commission of the offence of money laundering. The person committing the act therefore knows that the funds used derive from an unlawful activity.

Judgment No 14/1 of the Cour d’Appel (Court of Appeal), Criminal Chamber, of 29 March 2017: proof of knowledge of the fraudulent origin of funds is derived from a body of evidence from which it may be concluded that the accused could not have been unaware of the existence of fraud, or must necessarily have known of the fraudulent origin thereof.

3. Elements specific to certain predicate offences

3.1  The offence of terrorist financing

“The offence of terrorist financing, defined in Article 135-5 of the Penal Code, is ‘the act of providing or collecting, by any means, directly or indirectly, unlawfully and intentionally, funds, assets, or properties of any nature, with a view to utilising them or knowing that they will be utilised, partly or in whole, for the purpose of committing or attempting to commit one or more of the offences referred to in paragraph (2) of the present Article (see Annex II), even if they have not actually been used to commit or attempt to commit any of these offences or if they are not related to one or more specific terrorist acts’.”

“The term ‘funds’ includes assets of any kind, whether tangible or intangible, comprising moveable or immoveable property, acquired by whatever means, and documents or legal instruments in whatever form, including electronic or digital form, showing a right of ownership of, or an interest in, such assets or in any bank credits, traveller’s cheques, bank cheques, money orders, shares, securities, bonds, drafts and letters of credit, without this list being exhaustive”.

Recommendation 5 of the FATF thus states that terrorist financing includes financing the travel of individuals who travel to a State other than their States of residence or nationality for the purpose of the perpetration, planning, or preparation of, or participation in, terrorist acts or the providing or receiving of terrorist training.

3.2  Tax crimes

The Fourth Anti-Money Laundering Directive includes, in the definition of “criminal activity” which may give rise to money laundering, the following:

“All offences, including tax crimes relating to direct taxes and indirect taxes, (…) which are punishable by deprivation of liberty or a detention order for a maximum of more than one year or, as regards Member States that have a minimum threshold for offences in their legal system, all offences punishable by deprivation of liberty or a detention order for a minimum of more than six months”.

That provision was transposed into Luxembourg law by the Law of 23 December 2016, which introduces two new offences in the list of predicate offences relating to money laundering:

• aggravated tax fraud, which is defined according to the tax thresholds evaded or the level of reimbursement obtained;
• tax evasion, the increased gravity of which is due not only to the amounts involved but also to the fact that means have been employed with a view to deceiving the tax authorities.

The offences of aggravated tax fraud and tax evasion relate both to direct taxes (income taxes, registration fees, inheritance taxes, etc.) and to indirect taxes (VAT).

The offence of money laundering is punishable in respect of the predicate offences of aggravated tax fraud and tax evasion committed as from 1 January 2017.

CSSF Circular 17/650 contains in particular, in Annex I, a list of indicators likely to reveal potential laundering of a predicate tax offence, to which professionals may usefully refer. It should be noted that the presence of an indicator does not in itself justify any conclusion that a predicate tax offence has been committed. A new list of indicators specific to collective investment activities was introduced on July 3, 2020 in CSSF Circular 20/744 (see appendix 2).

Although professionals are not required to specify the predicate offence when lodging a suspicious operations report with the FIU (see Article 5 (1) (a) of the Law), they should be aware of the applicable thresholds needing to be exceeded for the purposes of commission of the predicate tax offences in question.

In the case of a customer resident in Luxembourg for tax purposes, the thresholds applicable to the offences in question are as follows:

“Any person who fraudulently evades or attempts to evade payment of all or any taxes, duties and levies the collection of which is the responsibility of the Administration de l’enregistrement et des domaines apart from value added tax shall, where the fraud thus committed or attempted relates, per reporting period or triggering event, to an amount exceeding one quarter of the duties due, being not less than 10 000 euros or an amount exceeding 200 000 euros, be liable to punishment, for aggravated tax fraud, in the form of imprisonment for a term of between one month and three years and a fine of between 25 000 euros and an amount equal to six times the amount of the duties evaded.

If the person concerned has systematically used fraudulent acts with a view to concealing pertinent facts from the tax authorities or persuading them that inaccurate information is correct, and if such committed or attempted fraud relates, per reporting period or triggering event, to a significant amount, either in absolute terms or in relation to the duties due, the perpetrator shall be liable to punishment, for tax evasion, in the form of imprisonment for a term of between one month and five years and a fine of between 25 000 euros and an amount equal to ten times the amount of the duties evaded.”

4. From the original suspicion to the reporting of a suspicious operation

The obligation to cooperate with the authorities (Chapter 7) requires professionals to “inform the Financial Intelligence Unit (FIU) promptly, on their own initiative, (…) when they know, suspect or have reasonable grounds to suspect that money laundering, an associated predicate offence or terrorist financing is being committed or has been committed or attempted (…)”.

That obligation is such that the idea of a suspicion must exist as a precondition for proceeding, as the case may be, to submit a report to the FIU.

4.1  The notion of suspicion

The FIU defines suspicion as “(…) a negative opinion of someone or of his/her behaviour, based on hints, impressions, intuitions, but without any specific evidence. This means that, when reporting a suspicion, no evidence of money laundering, an associated predicate offence or terrorist financing is required. All that is needed are circumstances which would make such a hypothesis likely”.

“The terms ‘suspect’ or ‘have reasonable grounds for suspecting’ mean that the financial institution must treat the funds involved, the operation concerned or the act in question as suspect where, in accordance with its vigilance obligations and in light of its analysis of the information gathered by it, it is prompted to harbour a suspicion (‘suspect’), or where the circumstances include elements which do not allow it reasonably to dismiss all doubt (‘have reasonable grounds for suspecting’), regarding the lawfulness of the origin of the funds or of the operation, or regarding their economic, legal or fiscal justification”.

“The determination of the suspicion must be the fruit of a process of intellectual reasoning and duly substantiated analysis. It cannot be carried out by means of automated systems alone, but instead requires human intervention founded on an analysis of the atypical facts and operations and the circumstances thereof, in order to decide whether those atypical facts or operations are likely to be linked to money laundering/terrorist financing and must therefore be the subject of a report to the FIU or conversely to conclude, on the basis of that analysis, that such suspicions can be dismissed and that the matter is to be closed without any further action being taken.”

4.2  The origins of the suspicion

The professional may suspect, or have reasonable grounds for suspecting, that money laundering is going on, “(…) in particular in consideration of the person concerned, its development, the origin of the funds, or the purpose, nature and procedure of the operation”.

“(…) Reporting a suspicious transaction has no minimum monetary threshold. Several factors should be taken into account, which individually may seem irrelevant, but can generate doubts on the veracity of the operation when combined. In general, when a transaction or financial operation, whether only attempted or already executed, raises questions (from the professional) or raises a feeling of discomfort, worry or suspicion, it could potentially be linked to money laundering, an associated predicate offence or terrorism financing.”

4.3  Examples of suspected money laundering

The FIU has drawn up examples of indicators linked to the customer as a person, to an operation/transaction and to the customer’s behaviour/profile, relating to particular situations.

The indicators linked to the customer correspond, for example, to:

– criminal records or possession of the status of a PEP;

– suspicious or atypical behaviour;

–  reluctance to hand over supporting documents;

– barely credible evidence of the origin of the customer’s assets;

– insistence on the speedy opening of an account.

The indicators linked to an operation or transaction are multi-faceted.

“The suspicion can arise from the fact that the operation or transaction in question is the consequence of fraudulent behaviour, from the frequency of the transaction or operation, from the amount in question, from the unusual use of certain means of payment, from the interference of certain persons, natural or legal, from an act executed by a non-regulated financial intermediary, from the identity of the recipient of the funds or from the price used. The combination of several of these indicators increases the likelihood that money laundering, an associated predicate offence or terrorist financing is being committed.”

4.4  Summary of the reporting process

The process of submitting a report to the FIU may be summarised as follows:

 

Section 2. Risks linked with the cross-border transaction of banking and financial business

In the context of cross-border business, the legal classification of facts and acts as categorised under foreign laws, which may differ from that under Luxembourg law, may involve enhanced legal risks, notably of a criminal and regulatory nature.

“Member States should ensure that there are no obstacles to carrying out activities receiving mutual recognition in the same manner as in the home Member State, provided that the latter do not conflict with legal provisions protecting the general good in the host Member State.”

“(…) professionals, their dirigeants (executives) and employees are required, on their own initiative, promptly to provide information to the FIU (…)”

The obligation to report suspicious operations incumbent on an institution incorporated under foreign law operating pursuant to its freedom to provide services (FPS) in Luxembourg or via a Luxembourg branch is determined in accordance with Luxembourg law, which means that reports concerning suspected money laundering are to be submitted to the Financial Intelligence Unit (FIU).

“(…) the notion of a professional also covers branches in Luxembourg of foreign professionals as well as professionals incorporated under foreign law providing services in Luxembourg without setting up a branch in Luxembourg.”

Section 1. Financial sector professionals operating in Luxembourg

The Law applies in particular to “credit institutions and financial sector professionals (FSPs) approved or authorised to carry on their activities in Luxembourg pursuant to the Law of 5 April 1993 on the financial sector as amended (…)”, payment institutions, electronic money institutions as well as “tied agents as defined in article 1 of the amended law of 5 April 1993 relating to the financial sector and agents as defined in article 1 of the law of 10 November 2009 on payment services established in Luxembourg ”.

The circle of persons subject to professional obligations in the combatting of money laundering and terrorist financing has now been extended to include all persons acting as family offices, persons carrying on, in Luxembourg, the activity of a provider of services to companies and fiducies, providers of gambling services and bailiffs.

Section 2. Application of professional obligations to foreign subsidiaries and branches of professionals operating in Luxembourg

1. General principle

“Financial institutions should be required to implement programmes against money laundering and terrorist financing. Financial groups should be required to implement group-wide programmes against money laundering and terrorist financing, including policies and procedures for sharing information within the group for AML/CFT purposes. Financial institutions should be required to ensure that their foreign branches and majority-owned subsidiaries apply AML/CFT measures consistent with the home country requirements implementing the FATF Recommendations through the financial groups’ programmes against money laundering and terrorist financing.”

“Policies and procedures at group level:

Professionals forming part of a group are required to implement policies and procedures at group level, in particular data protection policies, as well as policies and procedures relating to the sharing of information within the group for the purposes of combatting money laundering and terrorist financing. Those policies and procedures must be implemented efficiently and in an appropriate manner, taking into account in particular the risks of money laundering and terrorist financing identified and the nature, particularities, size and activity of branches and subsidiaries, at the level of branches and subsidiaries in which a majority interest is held and which are established in Member States and third countries”.

“Group-wide policies and procedures include:

– the policies, controls and procedures provided for in Article 4, paragraphs (1) and (2);

– the provision, under the conditions of Article 5, paragraphs (5) and (6), of information from branches and subsidiaries relating to customers, accounts and operations, when necessary, for the purposes from the fight against money laundering and the financing of terrorism, to the functions of compliance, audit and the fight against money laundering and the financing of terrorism at group level. This covers data and analyzes of transactions or activities that appear unusual, if such analyzes have been carried out, and information related to suspicious statements or the fact that such a statement has been transmitted to the FIU. Likewise, when relevant and appropriate for risk management, branches and subsidiaries also receive this information from the group’s compliance functions; and

– adequate guarantees in terms of confidentiality and use of the information exchanged, including guarantees to prevent the disclosure of information “.

Directive (EU) 2013/34 on the annual financial statements, consolidated financial statements and related reports of certain types of undertakings defines the term “group” as : “a parent undertaking and all its subsidiary undertakings”.

As regards credit institutions and investment firms falling within the scope thereof, it will be noted that Regulation (EU) 575/2013 defines the terms “parent company”, “subsidiary” and “branch”.

1.1  In a Member State

“Professionals operating establishments in another Member State shall ensure that those establishments respect the national provisions of that other Member State transposing Directive (EU) 2015/849.”

1.2  “Abroad”: in a third State

“Professionals shall apply in their branches and majority-owned subsidiaries located abroad measures at least equivalent to those laid down in Directive (EU) 2015/849 or by the measures taken for their execution with regard to risk assessment, customer due diligence, keeping information and documents, adequate internal management and cooperation with the authorities.”

“Where the minimum standards on combatting money laundering and the financing of terrorism in a country where professionals have branches or majority-owned subsidiaries differ from those applicable in Luxembourg, those branches and subsidiaries shall apply the higher standard, to the extent that the laws and regulations of the host country so permit.”

“In this context, if the standards of the country in which these branches and subsidiaries are located are less strict than those provided for in Luxembourg, the data protection rules applicable in Luxembourg in the fight against money laundering and the financing of terrorism must be respected “, to the extent that the laws and regulations of the host country allow.

“Professionals shall pay particular to ensuring that this principle is complied with in respect of their branches and subsidiaries in high-risk countries.”

2. Subsidiaries and branches established in third countries whose rules do not permit the application of equivalent measures

“Where a third country’s law does not permit the implementation of the policies and procedures required under paragraph 1, professionals shall ensure that their branches and majority-owned subsidiaries in that third country apply additional measures to effectively handle the risk of money laundering or terrorist financing, and inform the supervisory authorities and self-regulation bodies. If those additional measures are not sufficient, the supervisory authorities and self-regulation bodies shall implement additional supervisory measures, including requiring that the group does not establish, or that it terminates, business relationships, and does not undertake transactions and, where necessary, requesting the group to close down its operations in the third country concerned.”

This obligation is particularly relevant in respect of “higher-risk countries” as identified by the FATF.

“Institutions should ensure that their subsidiaries and branches take steps to ensure that their operations are compliant with local laws and regulations. If local laws and regulations hamper the application of stricter procedures and compliance systems implemented by the group, especially if they prevent the disclosure and exchange of necessary information between entities within the group, subsidiaries and branches should inform the compliance officer or the head of compliance of the consolidating institution.”

Commission Delegated Regulation (EU) 2019/758 (regulatory technical standards) allows professionals to refer to certain standards in the following contexts:

(1) individual risk assessments

(2) customer data sharing and processing

(3) disclosure of information related to suspicious transactions

(4) transfer and retention of data

2.1  Individual AML/CFT assessments

“Where the third country’s law prohibits or restricts the application of policies and procedures that are necessary to identify and assess adequately the money laundering and terrorist financing risk associated with a business relationship or occasional transaction due to restrictions on access to relevant customer and beneficial ownership information or restrictions on the use of such information for customer due diligence purposes”,

the professional must, at the very least:

• “inform the competent authority of the home Member State without undue delay and in any case no later than 28 calendar days after identifying the third country of the following:
  • name of the third country concerned; and
  • how the implementation of the third country’s law prohibits or restricts the application of policies and procedures that are necessary to identify and assess the money laundering and terrorist financing risk associated with a customer;
• ensure that [its] branches or majority-owned subsidiaries that are established in the third country determine whether consent from their customers and, where applicable, their customers’ beneficial owners, can be used to legally overcome restrictions or prohibitions referred to [above];
• ensure that [its] branches or majority-owned subsidiaries that are established in the third country require their customers and, where applicable, their customers’ beneficial owners, to give consent to overcome restrictions or prohibitions referred to [above] to the extent that this is compatible with the third country’s law.

Where the consent of the customer/beneficial owners is not feasible, credit institutions and financial institutions shall take additional measures as well as their standard anti-money laundering and countering the financing of terrorism measures, to manage risk.”

• EXAMPLES OF ADDITIONAL MEASURES:

Article 3 of Delegated Regulation 2019/758 provides that at least two additional measures must be taken where necessary: the measure set out in point (c) of Article 8 and at least one of the measures set out in points (a), (b), (d), (e) and (f).

Accordingly, the following measure must be taken:

• carrying out enhanced reviews, including, where this is commensurate with the money laundering and terrorist financing risk associated with the operation of the branch or majority-owned subsidiary established in the third country, onsite checks or independent audits, to be satisfied that the branch or majority-owned subsidiary effectively identifies, assesses and manages the money laundering and terrorist financing risks.

That measure must be combined with at least one other pertinent measure, such as, for example:

• ensuring that its branches or majority-owned subsidiaries that are established in the third country seek the approval of the credit institution’s or financial institution’s senior management for the establishment and maintenance of higher-risk business relationships, or for carrying out a higher-risk occasional transaction;
• ensuring that its branches or majority-owned subsidiaries that are established in the third country restrict the nature and type of financial products and services provided by the branch or majority-owned subsidiary in the third country to those that present a low money laundering and terrorist financing risk and have a low impact on the group’s AML/CFT risk exposure;
• ensuring that its branches or majority-owned subsidiaries that are established in the third country carry out enhanced ongoing monitoring of the business relationship including enhanced transaction monitoring, until the branches or majority-owned subsidiaries are reasonably satisfied that they understand the money laundering and terrorist financing risk associated with the business relationship.

Where a credit institution or financial institution cannot effectively manage the money laundering and terrorist financing risk by applying the measures referred to above, it must:

• “ensure that the branch or majority-owned subsidiary terminates the business relationship;
• ensure that the branch or majority-owned subsidiary not carry out the occasional transaction;
• close down some or all of the operations provided by their branch and majority-owned subsidiary established in the third country”.

2.2  Customer data sharing and processing

The reader is referred to the Delegated Regulation, having regard to the prohibition of/restriction on sharing customers’ data imposed by the third State, and the measures prescribed in relation thereto, to be carried out within the group, are similar to those mentioned above.

In short, the professional must;

•    inform the competent authority of its home Member State;
•    where necessary obtain the consent of its customer/the beneficial owner(s) to the transmission of information; and
•    if need be, take the requisite additional measures to overcome the problem in cases where such consent(s) cannot be obtained. Those additional measures include the ones referred to in points (a) and (c) of Article 8.
• where the risk of money laundering/terrorist financing is sufficiently high to necessitate other additional measures, credit institutions and financial institutions must apply one or more of the other additional measures mentioned in points (a) to (c) of Article 8.

2.3 Intra-group disclosure of information related to suspicious transactions

“The prohibition (of communication to the customer of the fact that information concerning him/her/it has been disclosed to the FIU) shall not apply to disclosure between credit institutions and financial institutions in Member States, provided they belong to the same group, or between those institutions and their branches and majority-owned subsidiaries located in third countries, on condition that those branches and majority-owned subsidiaries fully respect the policies and procedures defined at the level of the group, including procedures for sharing information within the group, in accordance with Article 4-1 or Article 45 of Directive (EU) 2015/849, and that the group-wide policies and procedures comply with the requirements laid down in this Law or in Directive (EU) 2015/849”.

This exception is to be strictly construed, in that it is applicable only in an intra-group context.

“For professionals who are part of a group, they are required to include in their group-wide policies and procedures, the policies, controls and procedures required (by the Act) and the provision (…) of information from branches and subsidiaries relating to customers, accounts and transactions, where necessary for AML/CFT purposes, to the compliance, audit and AML/CFT functions at group level.

This includes data and analyses of transactions or activities that appear unusual, if such analyses have been carried out, and information relating to suspicious reports or the fact that such a report has been forwarded to the FIU.

Similarly, where relevant and appropriate for risk management purposes, branches and subsidiaries also receive such information from the group compliance functions. Adequate safeguards for the confidentiality and use of the information exchanged, including safeguards to prevent disclosure of information, should be provided.”

“Information on suspicions that funds are the proceeds of money laundering or of an associated predicate offence, or are related to terrorist financing, reported to the Financial Intelligence Unit shall be shared within the group, unless otherwise instructed by the Financial Intelligence Unit.”

2.4 Transfer of customer data to the Member States in the context of AML/CFT supervision

“Where the third country’s law prohibits or restricts the transfer of data related to customers of a branch or majority-owned subsidiary established in a third country to a Member State for the purpose of supervision for anti-money laundering and countering the financing of terrorism, (…)”, the professional must at least inform the competent authority of the home country as indicated in point 2.1 above.

The professional must, in addition, at least:

• carry out enhanced reviews, on-site checks or independent audits of the branch or majority-owned subsidiary established in the third country;
• require the branch or majority-owned subsidiary established in the third country regularly to provide relevant information to the credit institution’s or financial institution’s senior management, including:
  • the number of high-risk customers;
  • the number of suspicious transactions identified and reported;

• make the information available to the competent authority of the home Member State upon request.

 

1There exist three levels of risk assessment:

• a supranational risk assessment at European level, the results of which were published by the European Commission on 26 June 2017, updated on 24 July 2019.

• a national risk assessment to be carried out by each Member State with a view to evaluating the level of risk attaching to activities carried out in its territory.

Luxembourg updated its national risk assessment concerning money laundering and terrorist financing on 15 December 2020. A concise summary of the national risk assessment is made available to professionals.

“Each Member State shall make appropriate information available promptly to obliged entities to facilitate the carrying-out of their own money laundering and terrorist financing risk assessments”:

• Identification, assessment and proper understanding by the professional itself of the risks it faces, which must enable the latter to determine which due diligence measures will be applied to the business relationship on the basis of the materiality of the risk.

“To this end, the professional must integrate different sources into his risk management procedures, including:

• The supranational report of the European Commission on the risks of money laundering and terrorist financing (“Supra National Risk Assessment”);
• The national risk assessment for money laundering and terrorist financing (“National Risk Assessment”);
• Sub-sector ML / FT risk assessments (“sub-sector Risk Assessments”);
• The Joint Guidelines issued by the 3 European supervisory authorities (ESMA, EBA and EIOPA) on money laundering and terrorist financing risk factors (“Risk factor Joint Guidelines”);
• Relevant CSSF publications ”.

(see below, “The obligation to carry out a risk assessment”).

Section 1. Identification and assessment of risks

“(…) Countries should identify, assess, and understand the money laundering and terrorist financing risks for the country, and should take action (…) and apply resources, aimed at ensuring the risks are mitigated effectively. Based on that assessment, countries should apply a risk-based approach (RBA) to ensure that measures to prevent or mitigate money laundering and terrorist financing are commensurate with the risks identified.” This recommendation was updated by the FATF in November 2020 for professionals to identify, assess and mitigate the risks of potential breaches of non-application or bypassing of financial sanctions relating to proliferation financing.

In addition to the professional’s obligation to assess the overall risk in relation to his activity, he also classifies individual risks concerning his business relationships.

The professional classifies all of his clientele according to a coherent combination of risk factors.

“Besides those cases where the risk level is to be considered as high pursuant to the Law or the Grand-Ducal Regulation, that level shall be assessed according to a consistent combination of risk factors defined by each professional according to the activity exercised and inherent to the following risk categories:

– type of customers (including client, agent, beneficial owner);

– countries and geographic areas;

– products, services, transactions or;

– distribution channels.”

“Professionals determine the scope of due diligence measures (with regard to customers) according to their assessment of the risks associated with the types of customers, countries or geographical areas and with particular products, services, transactions or distribution channels”.

“(1) Professionals shall take appropriate steps to identify, assess and understand the risks of money laundering and terrorist financing that they face, taking into account risk factors including those relating to their customers, countries or geographic areas, products, services, transactions or distribution channels. Those steps shall be proportionate to the nature and size of the professionals.”

“(2) Professionals consider all relevant risk factors before determining the overall risk level and the level and type of appropriate measures to apply to manage and mitigate those risks. Professionals also ensure that the risk information contained in the national and supranational risk assessment or communicated by supervisory authorities, self-regulatory bodies or European supervisory authorities is included in their risk assessment.

Professionals shall document, keep up-to-date and make the risk assessments referred to in paragraph 1 available to the supervisory authorities and self-regulation bodies. The supervisory authorities and self-regulation bodies may decide that individual documented risk assessments are not required where the specific risks inherent in the sector are clear and understood.

(3) Professionals shall identify and assess the risks of money laundering and terrorist financing which may result from the development of new products and business practices, including new

distribution mechanisms, and the use of new or developing technologies related to new or pre-existing products.

Professionals shall: (a) assess the risks before the launch or use of these products, practices and technologies; and (b) take appropriate measures to manage and mitigate those risks.

THE OBLIGATION TO CARRY OUT A RISK ASSESSMENT

Risk factors

Subsection 1. Factors and elements indicative of a potentially higher risk as referred to in Article 3-2 (I), second subparagraph of the Law:

The specific risks listed here are discussed in greater detail later on in this Handbook, in dedicated sections dealing with the different sectors of activity.

Professionals will take note, in particular, of a potentially higher risk in the cases referred to below:

1.1 Risk factors inherent in customers

1. business relationships occurring in unusual circumstances;
2. customers residing in high-risk geographical areas (…);
3. legal persons or legal arrangements which are structures for holding personal assets;
4. companies whose capital is held by nominee shareholders or represented by bearer shares;
5. activities necessitating large amounts of cash;
6. companies whose ownership structure appears unusual or inordinately complex, having regard to the nature of their business;
7. the customer is a third country national who applies for residence rights or citizenship in the Member State in exchange for capital transfers, purchase of property or government bonds, or investment in corporate entities in that Member State.

In addition to the higher-risk factors inherent in certain customers, professionals must invariably take full account of the risk variables mentioned below in relation to their customers:

 

“Professionals take into consideration, in their assessment of the risks of money laundering and terrorist financing, linked to the types of customers, to the countries and geographical areas and to the specific products, services, operations or distribution channels, the risk variables linked to these risk categories. These variables, taken into account individually or in combination, can increase or decrease the potential risk and, consequently, have an impact on the appropriate level of due diligence measures to be implemented ”.

1.2 Risk factors linked to products/services/transactions/distribution channels

(a) private banking

(b) products or transactions that might favour anonymity;

(c) non-face-to-face business relationships or transactions, without certain safeguards, such as electronic identification means, relevant trust services within the meaning of Regulation (EU) No 910/2014 or any other secure, electronic or remote identification process, regulated, recognized, approved or accepted by the authorities national concerned;

(d) payments received from unknown or unassociated third parties;

(e) new products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products;

(f) transactions related to oil, arms, precious metals, tobacco products, cultural artefacts and other items of archaeological, historical, cultural and religious importance, or of rare scientific value, as well as ivory and protected species”.

1.3 Geographical risk factors

The factors/elements indicative of a potentially higher risk are as follows:

“(a) (…) countries identified by credible sources, such as mutual evaluations, detailed assessment reports or published follow-up reports, as not having effective anti-money laundering and counter-terrorist financing systems;

(see for example the mutual evaluations or assessment reports of the FATF)

(b) countries identified by credible sources as presenting significant levels of corruption or other criminal activity (see for example the list of countries (corruption) published by Transparency International);

(c) countries the subject of sanctions, embargoes or other similar measures imposed by, for example, the European Union or the United Nations (see the list of sanctions of the Security Council of the United Nations);

(d) countries financing or supporting terrorist activities or that have designated terrorist organisations operating within their territory”.

“The supervisory authorities and self-regulatory bodies provide professionals with information on countries which do not apply or insufficiently apply measures to combat money laundering and the financing of terrorism and in particular on the concerns raised by the failures of anti-money laundering and anti-terrorist financing systems in the countries concerned.

The supervisory authorities may require credit and financial institutions to adopt one or more enhanced due diligence measures proportionate to the risks (…), in the context of business relationships and transactions with natural persons or legal entities involving such countries ”.

1.4 International financial sanctions

A) Essentials on International Financial Sanctions

Financial sanctions are restrictive measures in financial matters, taken against certain States, natural or legal persons, entities and groups about a change of policy (domestic or foreign) or activity on the part of the States or persons designated.

The Ministry of Finance is competent to deal with all questions relating to the implementation of financial sanctions raised both by those at whom those measures are targeted and those who are called upon to apply them. Accordingly, professionals shall inform the Ministry of Finance of the enforcement of each restrictive measure (including attempted transactions) taken in respect of a State, natural or legal person, entity or group designated according to the Law of 19 December 2020 on the implementation of restrictive measures in financial matters.

In the same vein, professionals who have reported a case of sanction to the Ministry of Finance shall simultaneously address to the CSSF a copy of this report.

The CSSF remains the competent supervisory authority, which will verify professionals’ compliance with the Law on financial restrictive measures. Consequently, the CSSF will be able to apply administrative sanctions to professionals, which would fail implementing appropriate procedures/processes in this regard.

Any notification to the Ministry of Finance and associated with restrictive measures shall be made without prejudice for professionals to make, as the case may be, suspicious activity/transaction reports to the Financial Intelligence Unit.

The European Commission stated in an opinion of 7 June 2019 that all funds and economic resources belonging to the entities listed in Annex VI of Regulation 2016/44 include interest, dividends or other incomes from assets or capital gains stemming from frozen assets.

B) Specific clarifications related to national/international financial sanctions regime

SCREENING SCOPE of CSSF Regulation 12-02:

Professionals should implement control mechanisms that allow them, when accepting customers or monitoring the business relationships, to identify, among others:

• the persons as referred to in Articles 30, 31 and 33 of the regulation;
• the funds coming from or going to  States, persons, entities or groups as referred to in Article 33 of this regulation (…)”

The name screening has to include all the accounts of customers and their transactions and shall apply to customers, proxies, initiators  and beneficial owners as well as, as regards the supervision of transfers of funds, to the payer of an incoming transfer of funds and the recipient of a transfer of funds going out of the customer’s account.

SCREENING TIMING & SCREENING FREQUENCE

Professionals have to carry out a name screening :

1. before establishing a new business relationship
2. before carrying out wire transfers by debit of customer account or before crediting incoming funds to customer accounts;
3. on longstanding business relationships.

In its annual activity report of 2014, the CSSF stated that « Controls such as “name matching”, i.e. controls on the client database performed in relation to:

•  acts directly applicable in Luxembourg, as adopted by the EU (in particular, EU regulations) and including prohibitions and restrictive financial measures against certain persons, entities or groups respectively i. in the context of the fight against terrorist financing or ii. in the context of other financial embargoes; and
• national regulatory texts concerning financial sanctions relating to the fight against terrorist financing based (on the law of 27 October 2010) implementing the United Nations Security Council resolutions (and Grand-ducal Regulation of 29 October 2010) enforcing the aforementioned law

« must be performed without delay after the publication of each new amendment ».

Such controls are independent from any other frequency of controls, of whatever type (for example, in relation to the detection of PEPs), which may have been put in place by the professional ».

“Without delay” means, in the context of the implementation of the financial sanctions, including the freeze of assets or other economic resources or other restrictive measures taken in application of the above-mentioned texts :

« a delay of, ideally, a few hours following the publication of the measures by the CSSF and/or the Ministry of Finance ». In any case, it should be interpreted in relation to the need to prevent the outflow or the dispersion of funds or other goods linked to the designated persons, entities and groups.

1.5 Risks surrounding Virtual Assets (a.k.a. crypto assets) and Virtual Asset Service Providers

Overview

In the current ecosystem of growing cross-border/digital transactions and the rapid rise of trades involving crypto assets, there is a need to understand and mitigate the ML/TF risks associated with crypto asset providers/activities. The 2018 and 2020 Luxembourg national risk assessments highlighted virtual assets (“VAs”) as one of the key emerging and evolving risks of ML/TF.

Banks are exposed to risks stemming from VAs as they are the point of contact of centralised exchange users with the traditional finance sector. Criminals using VAs for ML/TF activities need to convert VAs to fiat, or vice-versa. For these purposes, criminals use exchanges, the deposits and withdrawals from which are usually done to and from bank accounts.

Credit institutions are exposed to the risks arising from virtual currencies (“VAs”) mainly in circumstances where customers of regulated credit and financial institutions deal in VAs or where they are VASPs. The main factors contributing to the increased exposure to the ML/TF risks is the limited transparency of VAs transactions and the identities of the individuals involved in these transactions.

The FATF indeed draws attention to the top two threats related to the VAs risk landscape:

• The continued use of of tools and methods to increase the anonymity of VAs transactions putting at risk the “travel rule” (i.e., identification of the originators and beneficiaries of VA transactions), hence potentially the KYC procedures set-up by VASPs;

• VASPs registered or operating in jurisdictions that lack effective AML/CFT regulation, possibly revealing weak AML/CFT systems and procedures.

Definitions

Professionals may be involved in VAs activities or even act as Virtual Asset Service Providers (VASPs).

A virtual asset is “a digital representation of value, including a virtual currency, that can be digitally traded, or transferred, and can be used for payment or investment purposes, except for virtual assets that fulfil the conditions of electronic money and the virtual assets that fulfil the conditions of financial instruments”.

A VASP is any person providing, on behalf of or for its customer, one or more of the following services:

(a) the exchange between virtual assets and fiat currencies, including the service of exchange between virtual currencies and fiat currencies;

(b) the exchange between one or more forms of virtual assets;

(c) the transfer of virtual assets;

(d) the safekeeping or administration of virtual assets or instruments enabling control over virtual assets, including the custodian wallet service;

(e) the participation in and provision of financial services related to an issuer’s offer or sale of a virtual asset

Understanding VAs and VASPs

For financial institutions to better apprehend the ML/TF risks of their VASPs customers, it is necessary to briefly understand the ML/TF risks the latter must deal with. VASPs’ exposure to ML/TF threats is due to multiple factors, to the extent that those financial institutions are exposed to:

• Non-face-to-face business relationships
• International nature of business
• High volume of transactions
• Technological complexities of VAs/VASPs
• Anonymous properties of VAs
• High volatility and complex valuation of VAs

Potential exposure of VASPs at each ML/TF step:

 

Mitigation of risks (overall)

Mitigation of risks for customers dealing with virtual/crypto currencies

Professionals should consider the business model of each VASP and whether or not they are:

• Operating as a VA trading platform that effects exchanges between fiat currency and virtual currency;
• Operating as a VA trading platform that effects exchanges between virtual currencies;
• Operating as a VA trading platform that allows peer-to-peer transactions;
• Providing custodian wallet services;
• Arranging, advising or benefiting from ‘initial coin offerings’ (ICOs).

 

Credit institutions wishing to provide Virtual assets’ services

1.6 COVID 19 Threats

The COVID-19 sanitary crisis, which is constantly evolving around time, is an opportunity for criminals to exploit the fears and threats pertaining thereto, adapting their modus operandi and engaging into new criminal activities.

Professionals should put their best efforts to maintain effective systems and controls to ensure that they are not being abused by such criminals redesigning pre-existing frauds.

• Rising ML/TF threats stemming from COVID-19:

Three core threats have been identified by the public authorities, the latter recalling that the technical means and the expertise used by criminals to fraud customers/banking employees were sky rockecting.

• Specific areas of particular vulnerability:

Six areas in the financial sector may especially be exploited by emerging threats, as follows:

• • Online payment services

The surge in online purchases is increasing both the volume and value of online payments services, including the use of internet banking. This may create more opportunity for criminals to conceal illicit funds within a greater amount of legitimate payments made online.

• • Clients in financial distress

Customers (individuals and legal entities) may be put in a financial distress due to the economic outcome/waves of the current sanitary crisis and therefore more inclined to to be exploited by criminals seeking to launder illicit proceeds.

• • Mortgages and other forms of collateralised lending implying a regular repayment schedule leading to customers’ financial distress

• • Credit backed by government guarantees whereby funds could be obtained without the intention to ever pay back the government.

• • Distressed investment product (loss of significant value) whereby investors could be looking to minimise the losses and give criminals the opportunity to purchase/refinance the distressed assets.

• • Delivery of aid through non-profit organisations:

Where there are increased financial flows through NPOs to higher risk countries, there may be an increased risk of illicit activity and special attention should be paid to the risks of TF

Section 2. Management and mitigation of risks

The final guidelines on risk factors published by the Joint Committee of the European Supervisory Authorities on 26 June 2017 contain specific recommendations regarding certain particular sectors of activity, whereby the risks encountered can in the right circumstances be mitigated. They are set out in CSSF circular 21/782 of 24 September 2021.

In addition, the risk management principles set out in CSSF Regulation No 12-02 must first of all be borne in mind before sectoral suggestions, as encouraged by the European Supervisory Authorities, are submitted.

2.1 Reminder of the statutory and regulatory provisions of Article 4 of the Law and of CSSF Regulation No 12-02

“Professionals shall put in place policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified at international, European, national and sectoral level and at the level of the professionals themselves.”

(…) These policies must be approved by the professional’s board of directors. The related procedures must be approved by the authorized management or by the board of directors for funds under the supervision of the CSSF “.

“(2) Professionals shall set the extent of the due diligence measures laid down in Article 3(2) of the Law according to the risk level assigned to each customer (…). Where enhanced due diligence measures are required pursuant to the Law or the Grand-Ducal Regulation (of 1^st February 2010) or of this Regulation (CSSF n ° 12-02), all such measures shall be applied although the extent of such measures may vary according to the specific level of risk set by the professional.”

“(3) The adaptation of the extent of due diligence measures to the risk level shall take place during the identification and identity verification period (…)”

2.2 Summary table of the key elements of risk mitigation

(according to the guidelines on risk factors published by the European Banking Authority on 1 March 2021)

(See also Annex III of the Law: “Indicators of a potentially lower risk”.)

2.3 Mitigation of specific risk factors according to the business sectors concerned

Title II of the final guidelines on risk factors published by the Joint Committee of the European Supervisory Authorities lays down sector-specific guidelines.

It features, for example, the activities of correspondent banks, retail banks, wealth management (private banking) and electronic money issuers.

Generally, the guidelines define, first of all, the enhanced risk factors in the various sectors, going on to mention the criteria which may reduce the attendant risks.

The risk factors set out below are not exhaustive. They may be useful in supplementing those determined by the professional, who will carry out an analysis on a case-by-case:

Retail banking:

Wealth management/private banking

In the context of private banking activities in particular, professionals are referred to Annex I and to CSSF Circular No 17/650 as recently amended by Circular 20/744 of 3 July 2020 containing indicators likely to reveal possible laundering of a predicate tax offence.

Criminal tax offences and CSSF Circular No 17/650 are discussed in section 3 of Chapter 1 above.

Correspondent banks:

Issue of electronic money:

It will be recalled that electronic money is defined as monetary value as represented by a claim on the issuer which is (i) stored on an electronic device, including a magnetic medium, (ii) issued on receipt of funds for the purposes of payment operations, and (iii) accepted by a natural or legal person other than the electronic money issuer.

It must not be confused with virtual currencies, also called “cryptocurrencies” or “virtual money”.

Custodian banks

The sectoral guidelines for providers of investment funds are directed primarily at investment fund managers and investment funds marketing their own shares or units, pursuant to Article 3(2), points (a) and (d) of the 4^th AML Directive. They are none the less relevant for custodian bankers of investment funds:

ASSESSMENT OF ML/FT RISKS BY THE CSSF

Since 2017, the CSSF has each year been carrying out an inquiry by gathering standardised key information concerning money laundering and terrorist financing risks to which the professionals under its supervision are exposed, as well as the measures to mitigate the risks taken on by those professionals.

The CSSF refers, in particular, to FATF Recommendation 1 with regard to the risk-based country approach, and to the 4^th AML Directive.

The answers provided by the professionals to the CSSF’s “risk questionnaires” allow the latter to assess whether the prevention/mitigation measures put in place by the professional concerned are appropriate to counter the risks actually facing that professional. The CSSF gives each institution an account of the results of that analysis.

 

“Financial institutions should be prohibited from keeping anonymous accounts or accounts in obviously fictitious names”. Thus, professionals are obliged to take due diligence measures vis-à-vis their customers in certain clearly defined situations, in particular: 

(i) when establishing business relations;

(ii) when carrying out occasional transactions (subject to conditions);

(iii) where there is a suspicion of money laundering or terrorist financing;

(iv) where there is any doubt about the veracity or adequacy of previously obtained customer identification data.

The professional must identify and verify, in particular, the identity of its customer and that of the beneficial owner, including legal persons and legal arrangements, obtain information on the purpose and intended nature of the business relationship and conduct ongoing due diligence with regard to that relationship.

The identification operation consists in possessing the name and identity of the customer. Thus, the identification can be done by the fact of completing a form requesting entry into a business relationship and indicating on that form the number of an identity document.

“The verification operation, for its part, consists in making the link between the information provided and the reality of the situation by making sure that the identity stated does indeed relate to the person with whom one is dealing, that that person really exists and that the documents, data and information are respectively reliable and probative.” ref. T. POULIQUEN, La lutte contre le blanchiment d’argent, Promoculture-Larcier 2014, p. 250.

WHAT DOES THE DUE DILIGENCE OBLIGATION CONSIST OF?

“Customer due diligence measures shall comprise

1. identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source including, where applicable, electronic identification means and trust services provided for in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions within the internal market (…), or any other secure, electronic or remote identification process, regulated, recognized, approved or accepted by the national authorities concerned;
2. identifying (…) the beneficial owner and taking reasonable measures to verify his identity, using information or data obtained from a reliable and independent source, so that the professionals are satisfied that they know who the beneficial owner is, including, as regards legal persons, fiducies, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer; (…)
3. assessing and understanding of the purpose and intended nature of the business relationship and, as appropriate, obtaining information on the purpose and intended nature of the business relationship;
4. conducting ongoing due diligence with regard to the business relationship, including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the professional’s knowledge of the customer, the business and risk profile, and by ensuring that documents, data or information used in the exercise of customer due diligence remain up-to-date and relevant. To this end, the professionals examine the existing elements, and this in particular for the categories of customers presenting the higher risks ”.

Section 1. Customer due diligence measures

WHEN IS DUE DILIGENCE TO BE EXERCISED?

Professionals shall apply customer due diligence measures in the following cases:

a) when establishing a business relationship;

b) when carrying out an occasional transaction that:

• • amounts to EUR 15 000 or more, whether this transaction is carried out in a single operation or in several operations which appear to be linked; or
  • constitutes a transfer of funds, as defined in Article 3, point (9) of Regulation (EU) 2015/847 (…), exceeding EUR 1 000.

“The threshold of EUR 1,000 (…) is also applicable to occasional transactions by virtual asset service providers.”

(…)

c) when there is a suspicion of money laundering or terrorist financing, regardless of any derogation, exemption or threshold;

d) when there are doubts about the veracity or adequacy of previously obtained customer identification data.”

Professionals are required to apply the customer due diligence procedures not only to all new customers but also, “at appropriate times”, to existing customers based on their risk assessment, taking into account the existence and timing of previous customer due diligence procedures, or when the relevant elements of a client’s situation change or when the professional, during the calendar year under review, is required, due to a legal obligation, to contact the client in order to review any relevant information in relation to the beneficial owner(s) or if this obligation fell to the professional pursuant to the amended law of 18 December 2015 on the Common Reporting Standard (CRS)”.

The definition of “appropriate times based on risk assessment” is given in the Grand Ducal Regulation of 1 February 2010 as amended.

“This includes one of the following situations:

“- a significant transaction occurs ;

-the standards relating to customer identification documents change substantially;

in the field of banking, a significant change occurs in the way a client’s account operates; – the professional becomes aware of a change in the way a client’s account is managed

-the trader becomes aware that he does not have adequate information about a client.

Professionals must be able to demonstrate to the supervisory authorities or self-regulatory bodies that the extent and frequency of customer due diligence measures are appropriate in view of the risks of money laundering and terrorist financing”.

Subsection 1. The acceptance process

1. Policy for accepting new customers

1.1  Implementation of the appropriate procedures

“Professionals shall decide on and put in place a customer acceptance policy which is adapted to the activities they carry out, so that the entry into business relationship with customers  may be submitted to a prior identification, assessment and understanding of risks (…)”.

The customer acceptance procedure must, in concrete terms, take the form of an analysis of the risk factors carried out in advance by the professional concerned, since the risks concerning the business relationship or the transaction will (or may not) result in the conclusion of the proposed business relationship/transaction.

1.2  Anticipatory nature of the identification and of verification of identity process

Professionals are required to formalise the procedure for identifying prospective customers/customers (natural/legal persons) in their “KYC: Know your customer” documents.

“The customer acceptance policy shall require the documentation of all contact, no matter in which form, and shall notably envisage a customer questionnaire adapted to the nature of the contact and the business relationship. When entering into a new business relationship with a company or other legal entity, a trust or a legal arrangement with a structure or functions similar to those of a trust for information on beneficial owners should be registered under Article 30 or 31 of Directive (EU) 2015/849, professionals collect proof of registration or an extract from the register ”.

“The verification of the identity of the customer and of the beneficial owner shall take place before the establishment of a business relationship or the carrying-out of the transaction.”

“However, the verification of the identity of the customer and the beneficial owner may be completed during the establishment of a business relationship if this is necessary in order not to interrupt the normal conduct of business and where there is little risk of money laundering or terrorist financing occurring. In such situations these procedures shall be completed as soon as practicable after the initial contact and professionals take measures to effectively manage the risk of money laundering and terrorist financing ”.

“(…) Professionals can enter into a business relationship, open a customer account or carry out a transaction for an occasional customer before or while the identity of the customer and the beneficial owner is verified (…) provided that the following conditions are met:

• the risk of money laundering and terrorist financing is low and managed effectively;
• it is necessary not to interrupt the normal course of business;
• identity verification is carried out as soon as possible after the first contact with the customer. The impossibility of verifying the identity of the client and the beneficiary within the time limit prescribed by internal rules must be the subject of an internal report which will be sent to the control manager for the required purposes
• sufficient measures are in place so that no outflow of assets from the account can be made before the completion of the verification check

(…)”

It may be “permissible for verification to be completed after the establishment of the business relationship, because it would be essential not to interrupt the normal conduct of business”, for example in the case of:

• “non face-to-face business”;
• “securities transactions. In the securities industry, companies and intermediaries may be required to perform transactions very rapidly, according to the market conditions at the time the customer is contacting them, and the performance of the transaction may be required before verification of identity is completed.”

1.3  The Acceptance Committee or “written authorisation from a specifically appointed superior or body”

“(…) The acceptance of a new customer shall be submitted to a superior or to a specifically appointed professional body for written authorisation by providing for an adequate hierarchical decision-making level, and for customers with a higher level of risk, at least the systematic intervention of the compliance officer”.

“The acceptance of a new client with a low ML / FT risk, following the risk-based approach as implemented by the professional, can be carried out on the basis of an automated acceptance process. ‘not involving the intervention of a natural person on the professional’s side, so as to constitute an effective and reliable alternative to validation by a natural person of the professional.

This process must have been configured and professionally tested beforehand and regularly through the analysis of its robustness. This process must be in line with the professional’s AML / CFT policies and procedures and the instructions to be issued by the CSSF ”.

1.4  Questionnaire concerning entry into a business relationship

“The customer acceptance policy shall require the documentation of all contact, no matter in which form, and shall notably envisage a customer questionnaire adapted to the nature of the contact and the business relationship.”

The customer acceptance policy shall also provide for procedures to be followed when there is a suspicion or reasonable grounds for suspicion of money laundering, an associated predicate offense or terrorist financing in case contact with a possible customer fails. The reasons for a customer or professional to refuse to enter into a business relationship or to execute a transaction shall be documented and kept (in accordance with the terms of CSSF regulation no.12-02), even if the professional’s refusal does not ensue from the observation of a money laundering or terrorist financing indication.”

2. Identification of customers and verification of their identity

The customer must be identified, and his/her identity verified, on the basis of documents, data or information emanating from a reliable and independent source, including, where applicable, electronic identification means and relevant trust services provided for in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and services of trust for electronic transactions within the internal market (…) ” or any other secure, electronic or remote identification process, regulated, recognized, approved or accepted by the national authorities concerned”..

2.1  Customers who are natural persons

2.1.1  The account-holder

“For the purposes of the identification of customers pursuant to Article 3 paragraph 2, subparagraph 1, point a) and subparagraph 2 of the Law, the professionals shall gather and register at least the following information:

• surname(s) and first name(s);
• place and date of birth;
• nationality (-ies);
• full address of the customer’s main residence;
• where appropriate, the official national identification number.”

“The information listed in point 1 above is to be collected and recorded also for the initiators, the promoters who are at the basis of the launch of an investment fund under the supervision of the CSSF who will be the professional’s client” .

Verification of the identity of a customer who is a natural person

(1) “The verification of the identity, within the meaning of Article 3(2)(1)(a) of the Law, of customers who are natural persons shall be made at least with one valid authentic identification document issued by a public authority and which bears the customer’s signature and picture such as, for instance, the customer’s passport, his ID , (…) his residence permit, his driving license or any other similar document.”

“Electronic identification means, including the relevant trust services provided for by Regulation (EU) No. 910/2014 or any other secure, electronic or remote identification process, regulated, recognized, approved or accepted by the national authorities concerned may be used by the trader to fulfill his obligation of vigilance referred to in Article 3 (2), subparagraph 1, point a) of the Law ”.

(2) “According to the risk assessment, and without prejudice to other enhanced due diligence obligations,the professionals shall take additional verification measures such as, for example, the verification of the address indicated by the customer through the proof of address or by contacting the customer, among others, per registered letter with acknowledgement of receipt.”

2.1.2  The authorised agent/attorney of a customer who is a natural person lacking legal capacity or a minor

The powers of representation of the legal representatives of customers who are natural persons lacking legal capacity, i.e. who are the subject of guardianship/supervision measures (or analogous measures), or minors, must be verified by means of documents evidencing the situation.

The identification and verification of the identity of the customer’s authorised agent/attorney must, in addition, be done in the manner described in point 2.1.1. The professional must take copies of the documents provided.

2.1.3  The particular case of the status of a refugee or an AIP (applicant for international protection)

Although attestation of the lodging of an application for international protection constitutes only part of the verification of the identity of a customer within the meaning of the Law, it will be noted that this bears the stamp of the Ministry of Foreign Affairs as well as the signature of an official within that Ministry, together with the ID photograph of the applicant for protection, his/her signature and ID indications as required by Article 16 of CSSF Regulation No 12-02.

2.1.4  The validity of a French identity card which expired less than 5 years ago

Under the French rules, since 1 January 2014, the duration of the validity of the national identity card has been extended from 10 to 15 years for persons of full age (aged over 18). The five-year extension for identity cards concerns:

• new secure identity cards (plastic cards) issued as from 1 January 2014 to persons of full age;
• secure identity cards (plastic cards) issued between 2 January 2004 and 31 December 2013 to persons of full age.

If the identity card was issued between 2 January 2004 and 31 December 2013, the five-year extension of the validity of the card is automatic. The validity date appearing on the document will not be changed. For cards that appear on their face to have expired but the validity of which has been extended for 5 years, the Luxembourg State has officially confirmed that these will be accepted by it as travel documents.

2.1.5  Electronic means of identification and of verifying the customer’s identity

A. The due diligence measures in relation to customers include the following:

“identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from reliable and independent sources, including, where available, electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services (…), or any other secure, remote or electronic identification process regulated, recognised, approved or accepted by the relevant national authorities”.

Professionals may have recourse to video conferencing by using a software developed by themselves or by an external supplier, or may delegate that “on-boarding” video function to a third party. Only a natural person trained for that purpose may use the video conferencing system and deal directly with the prospective customer, thereby de facto excluding the sole intervention of a robot without any additional safeguards.

Only natural persons (the customer, the customer’s statutory representative or authorised agent/attorney, a co-holder of the account or a beneficial owner) may use the function and be identified by the professional.

The video conferencing tool may only be used if the professional has no suspicion of any money laundering/terrorist financing and there can be no dispute as to the veracity and relevance of the documents submitted in advance by the customer.

During the identification of the customer, the data appearing on the identity documents must be clearly legible and clearly identifiable (good lighting conditions, the customer must not be disguised or wearing any headgear that covers part of his or her face, etc.). Only official identity documents emanating from the issuing country and containing optical security devices (holograms, special printing features, etc.) are authorised for the verification procedure. Annex V of the Vademecum contains a convenient link to the online public register of authentic identity and travel documents for citizens worldwide, as established by the Council of the European Union.

The professional must guarantee the efficacy and reliability of the system and remains at all times answerable for compliance with the due diligence obligations incumbent on it in relation to its customers.

Those innovations can also considerably improve the transaction monitoring processes of credit and financial institutions by automating them and making it possible instantaneously to extract relevant data from a number of different databases.

Under Regulation (EU) No 910/2014, since 1 July 2016:

“1.  An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.

2. A qualified electronic signature shall have the equivalent legal effect of a handwritten signature.

3. A qualified electronic signature based on a qualified certificate issued in one Member State shall be recognised as a qualified electronic signature in all other Member States.”

In addition, the legal value attaching to an electronic signature is stated in the Civil Code:

“The signature required for the perfection of a private document shall identify the person appending it and shall manifest his/her willingness to adhere to the content of the document. It may be in manuscript or electronic form.”

B. Specific measures to be adopted by the trader in the case of a non-face-to-face business relationship

“Where the client is not physically present or has not been met by or on behalf of the trader for the purpose of identification, a so-called “non-face-to-face” relationship, and the trader has not taken the necessary guarantees as set out in Annex IV, point 2) c) of the Law (i.e. not accompanied by guarantees such as electronic means of identification within the meaning of Regulation (EU) No 910/2014 or any other secure electronic or remote identification process regulated, recognised, approved or accepted by the relevant national authorities) specific measures must be applied by the trader to compensate for the potentially higher risk presented by this type of relationship”.

The specific measures to be taken in this case may include

“measures to ensure that the identity of the client is established by means of additional documents, data or identifying information

additional measures ensuring verification or certification by a public authority of the documents provided

a confirmation statement from a credit or financial institution subject to the Act or subject to equivalent professional obligations in relation to AML/CFT

measures to ensure that the first payment of transactions is made through an account opened in the customer’s name with a credit or financial institution subject to the Act or subject to equivalent professional anti-money laundering and anti-terrorist financing requirements.

This list of additional measures to be adopted in case of entering into a business relationship at a distance and in the absence of the necessary guarantees as referred to in particular in Regulation (EU) n°910/2014 was introduced by CSSF Regulation n°20-05 and is not exhaustive. The professional is free to adopt other measures that he deems useful.

2.1.6  FATF Guidance on digital identity

Digital ID simply refers to the use of technology in asserting and proving identity.

Section III of the Guidance is the most relevant one as pertaining to standards regarding customer due diligence standards. Overall, the guidance should help professionals understand if a digital ID is fit for customer due diligence purposes, having firstly understood the attributes of a digital ID systems.

A. Briefly summarising the digital ID process (appendix A of the FATF guidance)

As shown above, the digital ID process mostly entails two components:

• Identity proofing and enrolment

The firs step consists in answering the mere question “who are you”, with the collection of attribute evidence related to the customer being here an individual (documentary or digital, bearing in mind that biophysical, biomechanical and behavioral biometrics do exist).

Validation will then come to make sure that the evidence collected is genuine followed by the verification process whereby there will be a confirmation as to the validated identity indeed relates to the customer undergoing the process.

• Authentication and identity lifecycle management

This part of the ID process could be briefly summarised as “Are you the one you say you are? “.

As stated by the FATF, “the more factors an authentication process employs, the more robust and trustworthy the authentication system is likely to be”. Once the customer has been successfully proofed and enrolled in a digital ID system, the authentication process guarantees to the professional that the person presenting the credential is really the person to whom it belongs.

The common authentication factors can be best summarised as follows:

Lifecycle management merely refers to steps professionals will have to take in response to events occurring to credentials (loss, theft, etc).

B. Making sure that a Digital ID system is suitable for customer due diligence purposes

Apart from the CSSF guidance on video chat and the fact that the CSSF will eventually be consulted on any digital ID onboarding system used or set-up by a professional, there is no specific Luxembourg guidance on the suitability of a digital ID system which will be used to onboard customers.

Therefore, the FATF illustration below, combined with a risk-based approach, will come handy for professionals to elect the right system and make sure that the latter comes with the right assurance level:

2.2 Customers that are legal persons

2.2.1   Identification of customers that are legal persons

“For the purposes of the identification of customers [that are legal persons or legal arrangements], professionals shall gather and register at least the following information:

• name
• legal form;
• address of the registered office and, if different, a principal place of business;
• where appropriate, an official national identification number;
• the name of the directors (dirigeants) (for legal persons) and directors (administrateurs) or persons holding/occupying similar positions (for legal arrangements) and involved in the business relationship with the professional;
• provisions governing the power to bind the legal person or arrangement;
• authorisation to enter into a relationship.”

“The information listed in point 1 above must also be collected and recorded for the initiators, promoters who are behind the launch of an investment fund under the supervision of the CSSF which will be the client of the professional.”

Opening an account for a company in the process of incorporation before completion of the identity verification measures

A professional may open an account for a company in the process of incorporation, insofar as the following conditions are met:

“- the professionals shall identify and verify the identity of the company’s founders pursuant to (…) the Law. They shall receive a declaration from the founders stating that they act, either for their own account or for the account of beneficial owners which they name, and where appropriate, the professionals shall take measures to identify and verify the identity of the beneficial owners pursuant to (…) the Law;

– at the earliest opportunity after the incorporation of the company, the professionals shall complete the measures for the identification and verification of the company’s identity (…) as well as, where applicable, of the beneficial owners (…). The impossibility to verify the identity of the founders, the company and the beneficial owners within the timeframe set by the internal rules shall be subject to an internal report which will be transmitted to the AML/CFT compliance officer for the required purposes;

– sufficient measures shall be put in place so that no exit of assets from the account can be carried out before completing this verification.”

2.2.2  Measures for the identification and verification of the identity of the proxy/proxies (“mandataire(s)”) of a customer which is a legal person

“Professionals shall also take note of the powers of representation of the person(s) acting on behalf of the client within the framework of the business relationship with the professional and shall verify them by means of documents likely to be used as evidence, of which they shall take a copy, if necessary in electronic (digital) form.

“This includes (…) :

• “(…) natural or legal persons authorised to act on behalf of customers pursuant to a mandate;
• persons authorised to represent customers which are legal persons or legal arrangements in the relations with the professional.”

2.2.3  Verification of the identity of a customer that is a legal person

“Identifying the customer and verifying the customer’s identity [must be done] on the basis of documents, data or information obtained from a reliable and independent source, including, where appropriate, the relevant means of electronic identification and trust services provided for in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (…) or any other secure electronic or remote identification process regulated, recognised, approved or accepted by the relevant national authorities”.

“(…) the verification of the identity of customers who are legal persons or other legal arrangements shall be made at least with the following documents of which a copy shall be kept, Where appropriate, in electronic (digital) form:

• the last coordinated or up-to-date articles of incorporation (or an equivalent incorporation document);
• a recent and up-to-date extract from the companies register (registre des sociétés) (or equivalent supporting evidence).”

The professional may use a certificate of incorporation, a certificate of conformity, a company contract, (…) or any other document emanating from an independent and reliable source indicating the name, form and existence of the customer.

“According to the risk assessment, the professionals shall take additional verification measures, such as, for example:

• an examination of the last management report and the last accounts, where appropriate certified by a réviseur d’entreprises agréé (approved statutory auditor);
• verification, after consulting the companies register or any other source of professional data, that the company was not or is not subject to any dissolution, deregistration, bankruptcy or liquidation;
• verification of the information collected from independent and reliable sources such as, among others, public and private databases;
• a visit to the company, if possible, or contact with the company through, among others, registered letter with acknowledgement of receipt.”

Subsection 2. Identification and verification of the identity of the beneficial owners

1. Definition of the concept of beneficial owner

1.1. Definition of the term “beneficial owner”

The obligation to identify the beneficial owners encompasses the identification of:

(a) the beneficial owners of companies;

(b) the beneficial owners of fiducies and trusts;

(c) the beneficial owners of legal entities such as foundations and legal arrangements similar to fiducies or trusts.

Professionals are obliged to take reasonable measures to discover the identity of the natural person who owns or controls the customer or for whose benefit a transaction is carried out.

“‘Beneficial owner’ (…) shall, in accordance with this Law, mean any natural person(s) who ultimately owns or controls the customer or any natural person(s) on whose behalf a transaction or activity is being conducted. The concept of beneficial owner shall include at least:

a)  in the case of corporate entities:

(i) any natural person who ultimately owns or controls a legal entity through direct or indirect ownership of a sufficient percentage of the shares or voting rights or ownership interest in that entity, including through bearer shareholdings, or through control via other means, other than a company listed on a regulated market that is subject to disclosure requirements consistent with European Union law or subject to equivalent international standards which ensure adequate transparency of ownership information.

A shareholding of 25% plus one share or an ownership interest of more than 25% in the customer held by a natural person shall be an indication of direct ownership. A shareholding of 25% plus one share or an ownership interest of more than 25% in the customer held by a corporate entity, which is under the control of a natural person(s), or by multiple corporate entities, which are under the control of the same natural person(s), shall be an indication of indirect ownership;

(ii) if, after having exhausted all possible means and provided there are no grounds for suspicion, no person under point (i) is identified, or if there is any doubt that the person(s) identified are the beneficial owner(s), any natural person who holds the position of senior dirigeant (manager)/ senior managing official;

aa) a direct or indirect right to exercise a dominant influence over the customer by virtue of a contract with the customer or by virtue of a clause in the customer’s articles of association, where the law governing the customer permits it to be subject to such contracts or clauses in the articles of association

bb) the fact that the majority of the members of the administrative, management or supervisory bodies of the client in office during the financial year and the preceding financial year and up to the preparation of the consolidated financial statements were appointed solely as a result of the exercise of voting rights by a natural person;

cc) a direct or indirect power to exercise, or a direct or indirect effective exercise of, dominant influence or control over the customer, including the fact that the customer is under single management with another undertaking

dd) a requirement under the national law of the parent undertaking of the customer to prepare consolidated financial statements and a consolidated annual report;”

b) in the case of fiducies and trusts: 

(i) the settlor or settlors;

(ii) the trustee or trustees;

(iii) the protector(s), if any;

(iv) the beneficiaries, or where the individuals benefiting from the legal arrangement or entity have yet to be determined, the class of persons in whose main interest the legal arrangement or entity is set up or operates;

(v) any other natural person exercising ultimate control over the fiducie or trust by means of direct or indirect ownership or by other means;

c)  in the case of legal entities such as foundations, and legal arrangements similar to fiducies or trusts, any natural person holding equivalent or similar positions to those referred to in point (b)”,

“identifying the beneficial owner and taking reasonable measures to verify his identity so that the obliged entity is satisfied that it knows who the beneficial owner is, including, as regards legal persons, fiducies, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer.”

“The beneficial owner within the meaning of Article 1 (7) of the Act means any natural person who ultimately owns or controls the customer or any natural person for whom a transaction is executed or an activity is performed. This may be the case even if the threshold of ownership or control as set out in Article 1 (7) (a) (i) of the Act is not met.”

1.2  Definition of “controlling persons” in the context of the automatic exchange of information relating to financial accounts in tax matters

“The term ‘controlling persons’ means natural persons who exercise control over an entity. In the case of a trust, that term means the settlor(s), the trustee(s), the person(s) charged with supervising the trustee(s), as the case may be, the beneficiary or beneficiaries or the classes of beneficiary, and any other natural person ultimately exercising actual control over the trust; and, in the case of a legal arrangement which is not a trust, the term means persons in an equivalent or analogous situation. The term ‘persons having control’ must be construed in accordance with the Recommendations of the FATF.”

In order to determine the residence of “controlling persons” of a passive NFE for new accounts of entities, “(…) the reporting financial institution may rely on information collected and maintained pursuant to AML/KYC procedures, on the understanding that, for the accounts of pre-existing accounts of entities, the rule is as follows:

“For the purposes of determining the controlling persons of an account holder, a reporting financial institution may rely on information collected and maintained pursuant to AML/KYC procedures” [persons controlling a passive NFE].

“For the purposes of determining whether a controlling person of a passive NFE is a reportable person, a reporting financial institution may rely on:

(i) information collected and maintained pursuant to AML/KYC procedures in the case of a pre-existing entity account held by one of more NFEs with an aggregate account balance or value that does not exceed an amount denominated in euros corresponding to USD 1 000 000 (…)” [Determining the residence of a controlling person of a passive NFE].

2. Identification of the beneficial owner(s) in certain specific cases

2.1  Identification of the beneficial owner(s) controlling the company by virtue of thresholds (shares/voting rights/capital)

The beneficial owner(s) of a customer that is a legal entity may simply control that entity by virtue of a direct participation comprising over 25% of its capital:

• Control of a legal entity may also result from an indirect holding (or chain of holding) of the capital of that entity:

• The beneficial owner may indirectly hold voting rights in the customer:

• The beneficial owner holds a majority interest in an entity holding over 25% of the customer company:

Mr A does not hold a weighted interest in LuxCo of more than 25% (75% x 30% = 22,5%), but he holds a majority interest of 75% in FrenchCo, which holds over 25% of the shares/voting rights in LuxCo.

Mr B holds a substantial direct interest in LuxCo. Both of them are the beneficial owners of the customer LuxCo.

2.2  Identification of the beneficial owner(s) controlling the company “through other means”

“Control by other means may be established in accordance with Articles 1711-1 to 1711-3 of the amended law of 10 August 1915 on commercial companies and in accordance with the following criteria:

left-bookmark link=”https://www.cssf.lu/en/Document/law-of-12-november-2004/”]Art. 1, para. (7) of the Act, Points a), ii), 2nd3rd paragraph[/left-bookmark]

aa) a direct or indirect right to exercise a dominant influence over the client by virtue of a contract concluded with the client or by virtue of a clause in the client’s articles of association, where the law governing the client allows it to be subject to such contracts or statutory clauses

bb) the fact that the majority of the members of the administrative, management or supervisory bodies of the client in office during the financial year and the preceding financial year and up to the preparation of the consolidated financial statements were appointed solely as a result of the exercise of voting rights by a natural person;

cc) a direct or indirect power to exercise, or a direct or indirect effective exercise of, dominant influence or control over the customer, including the fact that the customer is under single management with another undertaking

dd) a requirement under the national law of the parent undertaking of the customer to prepare consolidated financial statements and a consolidated annual report;”

This example shows a chain of shareholders on 3 levels, the assumption being that the reference to “other shareholders” is to disparate groups of shareholders (holding capital amounting to less than 5%).

Shareholder A is the beneficial owner of LuxCo, in that he holds a significant part of the capital of that company, enabling him to exercise a “power of control through other means” over the administrative, management or supervisory bodies or over its general meeting:

– indirect holding of 13.26% of the capital of LuxCo (51% x 51% x 51%), which appears to be significant in light of the holding threshold of the holdings of the groups of “other shareholders”, who hold less than 5% of the capital;

– A is the majority holder of the shares in Shareholder 2, which is itself the majority holder of the shares in Shareholder 1, the majority shareholder of LuxCo.

2.2.1  Family group having control of a company

A civil partnership (PACS) is entered into between Ms B and Mr C.

No person within the family group individually holds more than 25% of the capital or voting rights in Company Alpha (the same applies in the case of the “other shareholders or members”, who have not entered into an agreement with each other). But they are acting “in concert”, and are thus able together to determine the decisions adopted in general meetings within the framework of their family relationships.

Mr A, Ms B, Mr C and Mr D are the beneficial owners of the customer Alpha Company: they have control of the customer company “through other means”, since they are members of a family group.

2.2.2  Concerted action between different persons

None of the “other shareholders or members” individually holds more than 25% of the capital or voting rights; they have not entered into an agreement whereby they hold more than 47% of the voting rights.

Ms D and Ms A and Mr B and Mr C are not related to each other. But if they act in concert, they can determine the decisions taken in general meetings. They are the beneficial owners of the customer Alpha Company since they control it “through other means”, being bound by a shareholders’/members’ agreement.

2.2.3  Separation of the attributes of ownership

80% of the shares in the Société Civile Immobilière Alpha (an SCI = a property-holding company) are held by the family of Ms A; the attributes of ownership of the shares have previously been separated: Ms A has a usufructuary interest (life interest) in them and the statutory heirs have an undivided bare ownership (remainder) interest.

Under Article 1852 bis of the Civil Code, the voting rights belong to the holder of the bare ownership (remainder) interest, save as regards decisions concerning the allocation of profits, which are reserved to the holder of the usufructuary interest (unless otherwise provided for by the articles of association of the SCI).

Unless otherwise provided for by the articles of association of the SCI, Ms A, who is not a member of that company, nevertheless determines the allocation of its profits up to 80%. Thus, Ms A is a beneficial owner of the SCI Alpha.

Her statutory heirs, as bare owners (remaindermen), hold 80% of the capital and voting rights in the SCI ; they are therefore beneficial owners (assuming that the articles of association of the SCI do not otherwise provide).

2.3  Identification of the ultimate beneficial owner of a legal person: the “senior dirigeant (manager)/ senior managing official”

here a professional has no grounds for suspicion regarding its customer (a company) and has not been able to determine the beneficial owner(s) of the entity having direct control over the company or indirect control via a chain of holdings, or controlling it “through other means”, or where the professional is uncertain whether the person(s) identified is/are the beneficial owner(s), the professional must treat as being the beneficial owner any natural person who holds the position of senior dirigeant (manager)/ senior managing official.

2.3.1 In the case of companies:

“(…) the concept of senior managing official/senior dirigeant (manager) is generally to be understood as the management body legally provided for and not just for instance, the chairman of a board of directors. Can also be considered as senior managing official, the person to whom the daily management of the company has been delegated or any other equivalent body according to legal or statutory provisions, in which case only the latter must be registered”.

Illustration of a situation where the legal representatives are, by default, the beneficial owners:

It has not been possible to identify any beneficial owner of Alpha SAS, either in terms of the holding of capital/voting rights, or in terms of control through other means.

Accordingly, the legal representatives of Alpha SAS should be identified as its beneficial owners:

• Mr A (Managing Director of the company Belle S.A., which holds the position of Chair of Alpha SAS), since, in French sociétés par actions simplifiées (simplified joint-stock companies), power is exercised by a single person, namely the chair, who may be a natural or a legal person (the sole mandatory management organ);
• possibly, Mr B, if the articles of association of Alpha SAS confer on him executive powers and a power of representation which are the same as those of Belle S.A.

• The concept of “legal representative” as applied in the case of a Luxembourg customer company (non-exhaustive example):

Indicative table concerning the “legal representative”

As regards “fonds communs de placement” (mutual funds): the legal representatives of the fund’s management company: the members of the Board of Directors, unless specifically agreed otherwise in law, should be considered as the “chief executive officer” (i.e. EC of last resort).

2.3.2  In the case of associations

Not-for-profit associations may be involved in the raising and/or disbursing of funds for charitable, religious, cultural, educational, social or fraternal purposes, or for the carrying-out of other types of good works. Nevertheless, they may possibly be used for less virtuous purposes, and risk being exploited for the purposes of, in particular, terrorist financing rather than pursuing a not-for-profit or laudable aim.

The Ministry of Justice has illustrated some cases where associations/foundations are used for TF purposes in guidelines (“Raising awareness of the voluntary sector of the risks of terrorist financing”).

“Where, despite the enquiries carried out, it has not been possible to identify any beneficial owner within the meaning of the Law of 13 January 2019, the senior dirigeant(s) (manager(s)) / senior managing official(s) must be regarded as the beneficial owner(s) and be registered as such in the Register of Beneficial Owners.

In this context, the notion of a senior dirigeant (manager)/  senior managing official, is to be generally understood as being the board of directors and, consequently, the entirety of the members of the management organ legally provided for must be communicated to the Register of Beneficial Owners, rather than merely the chair of the board of directors or the members of an executive committee. Can also be considered as senior managing official the person to whom the daily management of the association has been entrusted to or any other equivalent organ/body according to legal or statutory provisions.”

2.3.3  In the case of undertakings for collective investment (UCIs):

2.3.4  In the case of legal persons incorporated under public law and companies whose securities are admitted to trading on a regulated market:

A.    Legal persons incorporated under public law

B. Companies whose securities are admitted to trading on a regulated market

“Companies whose securities are admitted to trading on a regulated market in the Grand Duchy of Luxembourg or in another State party to the Agreement on the European Economic Area, or in another third country imposing obligations recognised as being equivalent by the European Commission within the meaning of Directive 2004/109/EC of the European Parliament and of the Council of 15 December 2004 on the harmonisation of transparency requirements in relation to information about issuers whose securities are admitted to trading on a regulated market and amending Directive 2001/34/EC, shall register only the name of the regulated market on which their securities are admitted to trading.”

2.3.5 Case of the syndicates of co-ownership (NEW)

In accordance with the provisions of the law of 16 May 1975 on the status of co-ownership of built-up properties, the co-owners are obliged to be grouped together in a syndicate (syndic de copropriété), acting as the legal representative of the community of co-owners.

In most cases, the syndicates have legal personality and are registered in the Luxembourg Trade Register, thus being subject to the law of 13 January 2019 establishing a register of beneficial owners.

2.4  The beneficial owner(s) of fiducies and trusts and other similar legal arrangements

2.4.1      Fiducies and trusts

The professional must identify the beneficial owner and take “reasonable measures to verify his/her identity”, so as to be satisfied that it knows “who the beneficial owner is”, and must also, in the case of “legal persons, fiducies, trusts, companies, foundations and similar legal arrangements, taking reasonable measures to understand the ownership and control structure of the customer”.

“Countries should take measures to prevent the misuse of legal arrangements for money laundering or terrorist financing. In particular, countries should ensure that there is adequate, accurate and timely information on express trusts, including information on the settlor, trustee and beneficiaries, that can be obtained or accessed in a timely fashion by competent authorities (…) ”

2.4.2      The beneficial owners of foundations/legal arrangements similar to fiducies/trusts

“In the case legal entities such as foundations, and legal arrangements similar to trusts or trusts, (the trader shall identify) any natural person who performs functions equivalent or similar to those of (settlor, trustee/trustee, beneficiaries or any other natural person exercising ultimate control over the trust/trustee by direct or indirect ownership or by other means).”.

2.5  The natural person “for whom a transaction is carried out”

According to the Law, the notion of “beneficial owner” also includes “any natural person(s) on whose behalf a transaction or activity is being conducted”.

3. Measures to identify and verify the identity of the beneficial owners

The 4th Anti-Money Laundering Directive, as amended, requires certain information concerning the beneficial owners of companies and fiducies/trusts to be made available in registers to which professionals have access. The professional may, in addition to the information received by its customer, consult the registers established in Member States with a view to backing up the information supplied to it by its customer.

1.  Identification measures

“Without prejudice to enhanced due diligence requirements or the application of simplified due diligence measures, where applicable, the identification of beneficial owners (…) shall include the surname(s), first name(s), nationality(ies), date and place of birth and their address as well as the full postal address of the principal residence. At the discretion of the trader, it will also include the official national identity number”.

2.  Verification measures

“The verification of these data (concerning the beneficial owners) shall be made, notably, using information obtained from customers, central registers within the meaning of Articles 30(3) and 31(3a) of Directive (EU) 2015/849 or any other independent and reliable source available.

The sole recourse to central registers as mentioned above does not constitute a sufficient means of fulfilling the obligations of vigilance, the professional will therefore, the professional shall take all reasonable measures in order to ensure that the real identity of the beneficial owner is known. The reasonable nature of these measures shall be defined, notably, according to the level of money laundering or terrorist financing risk that the professional considers to be linked to the customer profile or the nature of the business relationship or of the transaction contemplated by the customer ”.

For information, with regard to “controlling persons” in the context of the automatic exchange of information concerning financial accounts in tax matters, the persons “having control” of an entity, who must be the subject of a declaration within the meaning of the Law of 18 December 2015, must provide information as to their “name, address, jurisdiction(s) of residence, TIN(s) and date and place of birth (…)”.

“Countries should ensure that there is adequate, accurate and timely information on the beneficial ownership and control of legal persons that can be obtained or accessed in a timely fashion by competent authorities. In particular, countries that have legal persons that are able to issue bearer shares or bearer share warrants, or which allow nominee shareholders or nominee directors, should take effective measures to ensure that they are not misused for money laundering or terrorist financing. Countries should consider measures to facilitate access to beneficial ownership and control information by financial institutions (…).”

3.  Bearer shares

Subsection 3. Obtaining information on the purpose and intended nature of the business relationship, including the origin of funds

The customer due diligence measures to be taken by the professional include “assessing and understanding the purpose and intended nature of the business relationship and, as appropriate, obtaining information on the purpose and intended nature of the business relationship”.

1. Assessing the business relationship

2. The origin of funds

The professional must obtain all necessary information regarding the origin of the customer’s funds:

“The professionals’ obligation to know their customer includes the obligation to gather (…), register, analyse and understand, at the time of the customer identification, information about the origin of the customer’s funds and the types of transaction for which the customer requests a business relationship, as well as any adequate information allowing the determination of the customer’s purpose of the business relationship (…). This information shall allow the professional to carry out an efficient ongoing customer due diligence (…). Depending on the risk assessment, this obligation may include the obligation to obtain evidence”.

Subsection 4. Exercise of ongoing due diligence in respect of the business relationship and the updating of the documents, data and information held

1. General considerations

• Special cases: dormant accounts and cheques

2.   Assessment of transactions and the detection of complex operations and unusual transactions

a)  General assessment:

This comprises “conducting ongoing due diligence of the business relationship including constant scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the professional’s knowledge of the customer (and) the business and risk profile, and ensuring that the documents, data or information held obtained in the exercise of customer due diligence remain up to date and relevant. To this end, professionals shall examine existing elements, in particular for higher risk categories of clients.”

Ongoing due diligence in respect of the business relationship necessitates examination of the transactions carried out by the customer in the course of that business relationship. Such ongoing examination of the transactions carried out by the customer will require the professional, where necessary, to gather information concerning the origin of the funds.

b)  Complex operations, unusual transactions and restrictive measures

“Ongoing due diligence (…) includes at a minimum the obligation to identify without delay:

• (…) States, persons, entities or groups involved in a transaction or business relationship subject to restrictive measures in financial matters in the context of the fight against terrorist financing, including, notably, those implemented in Luxembourg via EU regulations directly applicable in national law or through the adoption of notably ministerial regulations; and
• the States, persons, entities or groups involved in a transaction or business relationship subject to restrictive measures in financial matters, including, notably, those implemented in Luxembourg via EU regulations directly applicable in national law or, where appropriate, through the adoption of national regulations for their implementation.”

The professional is also obliged to detect States, persons, entities and groups subject to financial restrictive measures in relation to the assets under his management and to ensure that the funds will not be made available to such States, persons, entities or groups.

Where persons, entities or groups referred to in this article are identified, (…), the professional shall without delay apply the required restrictive measures and inform the competent authorities regarding financial sanctions. A copy of this communication must be sent at the same time to the CSSF.”

A list of links to the lists of persons, entities and groups concerned can be found in Annex III, Part B.

“(…) the trader must ensure that the internal system used for this control or made available by an external service provider to which he has recourse for the purposes of this control, is adapted without delay in order to be able to meet his obligations (…)”.

The obligation to exercise constant vigilance over the business relationship requires that “particular attention be paid to transactions that exceed certain amounts, to very large movements on an account that are incompatible with the amount of the balance or to transactions that are outside the normal pattern of account movements”.

“Professionals are required to examine as far as possible the context and purpose of these transactions, to record the results of these examinations in writing and to keep these documents in accordance with (…) the Law and to keep them at the disposal of the Luxembourg authorities responsible for combating money laundering and the financing of terrorism and of the auditors for at least five years, without prejudice to the longer retention periods prescribed by other laws”.

“With respect to the professionals’ ongoing due diligence (…), the professionals shall identify complex or unusual transactions (…) by taking into account, notably:

• the importance of the incoming and outgoing assets and the volume of the amounts The transactions which involve small amounts but which are unusually frequent are also concerned;
• the differences compared to the nature, volume or frequency of the transactions usually carried out by the customer in the framework of the business relationship concerned or the existence of differences compared to the nature, volume or frequency of the transactions normally carried out in the framework of similar business relationships;
• the differences compared to the declarations made by the customer during the acceptance procedure and which concern the purpose and nature of the business relationship, in particular as regards the origin and destination of the funds involved.”

(1) “Professionals shall have procedures and implement control mechanisms that allow them, when accepting customers or monitoring the business relationships, to identify, among others:

(…)

– persons as referred to in articles 30, 31 and 33 (of CSSF Regulation 12-02) (i.e. PEPs, clients from high-risk countries and persons subject to financial restrictive measures).

– the funds coming from or going to States, persons, entities or groups (…) involved in a transaction or business relationship subject to prohibitions or restrictive measures in financial matters in the context of the fight against money laundering and terrorist financing or countries or territories whose AML/CFT framework is considered as insufficient;

– the complex operations or unusual transactions (taking into account in particular the importance of the incoming and outgoing assets, the existence of differences compared to the nature, volume or frequency of the transactions normally carried out by the customer and inconsistencies with the declarations made by the customer during the acceptance procedure);

– a transfer of funds with missing or incomplete information within the meaning of EU Regulation 2015/847)”.

(2) “The establishment of a complete and up-to-date customer database is an integral part of this monitoring system. In the case of encoding by a natural person of the professional, this work should be checked according to the “4-eyes principle”.  This monitoring system must cover all client accounts and transactions and must cover clients, persons claiming to act on behalf of the client, originators and beneficial owners and, in the context of monitoring fund transfers, the originator of an incoming fund transfer and the recipient of a fund transfer leaving a client’s account. It should take into account the risks identified by the professional in relation to his or her business and client base. It must be automated, unless the professional can demonstrate that the volume and nature of the clients and transactions to be monitored do not require such automation.”

(3) “The identification researches carried out using this supervisory system shall be duly documented, including in cases where there are no positive results.”

(4) “The identified transactions or persons, as well as the criteria which led to the identification, shall be the subject of written reports. These reports shall be transmitted to the compliance officer for the required purposes, in particular, for compliance with Article 5 of the Law. Professionals shall specify in writing the procedure relating to the transmission of written reports to the compliance officer and the required transmission deadlines.”

(5) “The supervisory system shall allow the professional to take rapidly and, where appropriate automatically, the required measures where a suspicious activity or transaction was identified. The compliance officer shall be solely competent to decide on the application and scope of these measures and their termination, where appropriate, in consultation with the management and the compliance officer.”

(6) “The supervisory system shall be subject to initial validation at least by the compliance officer and regular control by the compliance officer in order to adapt this system, where necessary, to the development of the activities, the customers and the AML/CFT standards and measures.”

3.  Activities requiring particular attention

“In the framework of ongoing due diligence, the following activities, among others, require particular attention: (…)

• activities of customers whose acceptance was subject to a specific examination (…) (acceptance of customers potentially presenting high levels of risk), as well as
• transfers of funds within the meaning of Regulation (EU) 2015/847 and the respective requirements specified in the latter Regulation (…)”.

4.  Keeping documents and information up to date

“Ongoing due diligence includes the obligation to verify and, where appropriate, to update, in accordance with the maximum period provided for by, and taking into account the appropriate times specified in, Article 1 paragraph 4 of the Grand-Ducal Regulation (i.e. at least every seven years, without prejudice to a greater frequency depending on the risk assessment), within an appropriate timeframe to be set by the professional according to its risk assessment, the documents, data or information gathered while fulfilling the customer due diligence obligations (…).”

“For high-risk business relationships, the review frequency should be at least annual.”

“The professionals shall document, keep up to date and make the risk assessments referred to in paragraph 1 available to the supervisory authorities and self-regulatory bodies. The supervisory authorities and self-regulatory bodies may decide that individual documented risk assessments are not required where the specific risks inherent in the sector are clear and understood.”

5.  Retention of documents and protection of personal data

1 – Retention of documents

“Professionals shall retain and quickly make available the following documents, data and information for the purposes of preventing, detecting and investigating, by the Luxembourg authorities responsible for the fight against money laundering and terrorist financing, possible money laundering or terrorist financing or by self-regulatory bodies:

a)  in the case of customer due diligence, a copy of or references to the documents, data and information which are necessary to comply with the customer due diligence requirements laid down in Articles 3 to 3-3, including, where appropriate, data obtained through the use of electronic means of identification, the relevant trust services provided for in Regulation (EU) No 910/2014, or any other secure electronic or remote identification process regulated, recognised, approved or accepted by the competent national authorities, books of account, commercial correspondence, and the results of any analysis carried out, for a period of five years after the end of the business relationship with their customer or after the date of an occasional transaction;

b)  the supporting evidence and records of transactions which are necessary to identify or reconstruct individual transactions, to provide, if necessary, evidence in a criminal investigation or enquiry, for a period of five years after the end of a business relationship with their customer or after the date of an occasional transaction.

“The retention period referred to in this paragraph, including the extended retention period not exceeding a further five years, shall also apply in respect of data accessible through the centralised mechanisms referred to in Article 32a of Directive (EU) 2015/849.”

Professionals shall also retain the information concerning the measures taken in order to identify the beneficial owners (…).

Without prejudice to longer retention periods prescribed by other laws, professionals shall delete the personal data at the end of the retention period referred to in the first subparagraph. (…).

By way of derogation from the 4th subparagraph, professionals retain the personal data for a further period of five years where this retention is necessary to effectively implement internal measures for the prevention or detection of money laundering or terrorist financing.”

2 – Compliance with data protection rules

(A) Information on the persons concerned and general notice

• The customer:

“Professionals shall provide new clients with the information required under Articles 13 and 14 of the GDPR before establishing a business relationship or carrying out an occasional transaction.

That information shall, in particular, include a general notice concerning the legal obligations of the professionals under this Law to process personal data for the purposes of the prevention of money laundering and terrorist financing.”

(B) Restriction on the right of access

“(…) The person who is responsible for the processing shall restrict or defer the right of access of the person concerned to his personal data where such measure is necessary and proportionate in order to:

(a) enable the professionals, the Financial Intelligence Unit, a supervisory authority or a self- regulatory body to fulfil their tasks properly (…); or

(b) avoid obstructing official or legal inquiries, analyses, investigations or procedures for the purposes of this Law (…) and to ensure that the prevention, investigation and detection of money laundering and terrorist financing is not jeopardised.”

It will be recalled that the GDPR allows Member States to limit the rights of the “persons concerned” in certain specific cases, for example “in the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.

The Law lays down the specific cases in which professionals are required to apply enhanced customer due diligence measures.

The criteria governing cases in which professionals will find themselves faced with potentially higher-risk situations, thereby requiring them to apply enhanced due diligence, are set out in Annex IV to the Law.

Where professionals are confronted with factors indicating higher risks, they shall be required to “examine, as far as reasonably possible, the background and purpose of all transactions, that meets at least one of the following conditions:

(a) it is a complex transaction

(b) it is an unusually large transaction

(c) it is conducted in an unusual pattern

d) it has no apparent economic purpose or apparent lawful purpose.

In particular, the professional shall reinforce the degree and nature of monitoring of the business relationship, in order to assess whether such transactions or activities appear unusual or suspicious.”

Alongside the non-exhaustive list of factors and types of elements indicative of a potentially higher risk, it will be noted that there are situations in which a professional will always be confronted with a high risk and will therefore invariably be constrained to apply enhanced due diligence measures:

• For business relationships or transactions involving high risk countries

Nevertheless, enhanced customer due diligence measures need not be automatically applied in majority-owned branches or subsidiaries that are located in high-risk countries, if such branches or subsidiaries fully comply with the group-wide policies and procedures in place pursuant to Article 4-1 or Article 45 of Directive (EU) 2015/849.

• In the case of cross-border correspondent and other similar relationships with client institutions
• In the context of business relationships with politically exposed persons.

The situations imposing reinforced vigilance measures will be detailed one by one below.

Section 1. Politically exposed persons

1.  The risk posed by a PEP

2.  Definition of a PEP

Politically exposed persons are defined as “(…) natural persons who are or have been entrusted with prominent public functions and (…) family members or persons known to be close associates of such persons”.

“‘Natural persons who are or have been entrusted with prominent public functions’ (…) means all natural persons, including:

1. heads of State, heads of government, ministers and deputy or assistant ministers;
2. members of parliament or of similar legislative bodies;
3. members of supreme courts, of constitutional courts or of other high-level judicial bodies, the decisions of which are not subject to further appeal, except in exceptional circumstances;
4. members of courts of auditors or of the boards or directorates of central banks;
5. ambassadors, chargés d’affaires and high-ranking officers in the armed forces;
6. members of the administrative, management or supervisory bodies of State-owned enterprises;
7. important officials and members of the governing bodies of political parties;
8. directors, deputy directors and members of the board or equivalent function of an international organisation.”
9. natural persons performing the functions included in the list published by the European Commission on the basis of Article 20a(3) of Directive (EU) 2015/849 (…)”

“Each Member State shall issue and keep up to date a list indicating the exact functions which, according to national laws, regulations and administrative provisions, qualify as prominent public functions (…).”

3.  Definition of family members and associates of a PEP

The identification of a PEP must also include an examination of the members of his/her family and of his/her associates, within the framework of enhanced due diligence.

“Family members” means “all natural persons, including in particular:

1. the spouse;
2. any partner considered by national law as equivalent to the spouse;
3. the children and their spouses or partners considered by domestic law as equivalent to a spouse;
4. the parents;
5. the brothers and sisters.”

The list is thus not exhaustive, according to the wording of the provision.

“Persons known to be close associates” (…) means “all natural persons, including in particular:

1. any natural person who is known to have joint beneficial ownership of legal entities or legal arrangements, or any other close business relations, with a person referred to in paragraph 10;
2. any natural person who has sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the benefit de facto of the person referred to in paragraph 10”.

4.  Obligations incumbent on professionals dealing with a PEP

4.1 Identification of PEPs

“(…) Financial institutions should be required to take reasonable measures to determine whether a customer or beneficial owner is a domestic PEP or a person who is or has been entrusted with a prominent function by an international organisation (…).”

“Adequate risk management systems (including risk-based procedures) for determining whether the customer or person purporting to act on the customer’s behalf or the beneficial owner is a politically exposed person (…) include at least seeking relevant information from the customer, referring to publicly available information or having access to electronic databases of politically exposed persons. The detection of politically exposed persons among existing clients during the course of a business relationship must be carried out at least every six months.”

4.2 The enhanced due diligence obligation

“With regard to transactions or business relationships with politically exposed persons (…), professionals are required to:

(a) have appropriate risk management systems, including risk-based procedures, to determine if the customer or beneficial owner is a politically exposed person;

(b) obtain senior management approval for establishing or, if an existing customer, to maintain a business relationship with such persons ;

(c) take reasonable measures to establish the source of wealth and source of funds that are involved in the business relationship or transaction with such persons. In addition, credit and financial institutions shall take all appropriate measures to establish the source of assets and funds of customers and beneficial owners identified as politically exposed persons;

(d) conduct enhanced ongoing monitoring of the business relationship.

The provisions of this paragraph also apply where a customer has already been accepted and the customer or the beneficial owner is subsequently found to be, or subsequently becomes, a politically exposed person.”

“When a client has been accepted and it subsequently appears that this client or the beneficial owner is or becomes a politically exposed person, professionals are required to obtain authorization from a high level of the hierarchy to continue the business relationship. The authorization procedure requiring approval from a high level of the hierarchy also involves the person responsible for monitoring compliance with professional obligations in terms of the fight against money laundering and terrorist financing.

Professionals are required to take all reasonable measures to identify the origin of the assets and funds of clients and beneficial owners identified as politically exposed persons”.

4.3 Particular case: life insurance contracts

The Law of 13 February 2018 adds new criteria to determine whether the beneficiary of a life insurance contract may be a politically exposed person:

“Professionals must take reasonable steps to determine whether the beneficiaries of a life insurance contract or other type of investment-linked insurance or, if applicable, the beneficiary’s beneficial owner are politically exposed persons. These measures shall be taken at the latest at the time of the payment of benefits or at the time of the assignment, in part or in full, of the insurance contract. When higher risks are identified, professionals, in addition to the customer due diligence measures provided for in Article 3, must:

a) inform a senior member of the hierarchy before payment of the proceeds of the contract ;

b) exercise enhanced scrutiny over the entire business relationship with the policyholder

c) make a suspicious transaction report to the FIU or, if the professional is a lawyer, to the President of the respective Bar Association, if the circumstances give rise to a suspicion of money laundering or terrorist financing.

5.  PEPs who no longer hold office

“Where a natural person who is or has been entrusted with prominent public functions is no longer entrusted with a prominent public function by a Member State or a third country, or with a prominent public function by an international organisation, the professionals shall, for at least 12 months, take into account the continuing risk posed by that politically exposed person and apply appropriate and risk-sensitive measures until such time as that person no longer poses a particular risk.”

Section 2. Correspondent banks

“In the case of cross-border correspondent relationships and other similar relationships with client-correspondent institutions in third countries and, credit institutions, financial institutions and other institutions involved in such relationships, must, in addition to the customer due diligence measures provided for in Article 3, paragraph (2), when entering into a business relationship :

(a) gather sufficient information about a respondent institution to understand fully the nature of the respondent’s business and to determine from publicly available information the reputation of the institution and the quality of supervision, which implies, among other things, knowing whether the client institution has been the subject of an investigation or of measures taken by a supervisory authority with regard to the fight against money laundering and against the financing of terrorism;

(b) assess the client institution’s anti-money laundering and anti-terrorist financing controls;

(c) obtain approval from senior management before establishing new correspondent banking relationships;

(d) clearly understand and document the respective responsibilities of each institution;

(e) with respect to “payable through accounts”, ensure that the client institution has verified the identity of clients with direct access to the accounts of credit institutions, financial institutions and other institutions involved in such relationships and has implemented ongoing monitoring of them, and that it can provide relevant data and information concerning these due diligence measures at the request of the correspondent institution” (see also below the novelties brought by the RGD of February 1, 2010 for payable through accounts).”

“Professionals are prohibited from establishing or maintaining a correspondent relationship with a shell banking company or with a credit or financial institution known to allow a shell banking company to use their accounts. Professionals shall ensure that correspondents do not allow shell banking companies to use their accounts.”

“It is prohibited for professionals to enter into or continue a correspondent  relationship with a shell bank or with a bank that is known to permit its accounts to be used by a shell bank.”

The Grand-Ducal Regulation of 1 February 2010 (GDPR) as amended provides additional instructions in the event of a cross-border correspondent relationship in the context of the business relationship with the client institution. The professional must also:

• assess, on the basis of publicly available information, the reputation of the client institution and the quality of its supervision, including whether the institution concerned has been the subject of an investigation or intervention by the supervisory authority relating to money laundering or terrorist financing
• ensure the adequacy and effectiveness of the client institution’s anti-money laundering and anti-terrorist financing controls
• clearly understand and specify in writing the respective AML/CFT responsibilities of each institution

The GDR impose additional obligations on the professional in the presence of transit accounts. The latter must ensure that:

1. their client (the client institution) has applied all the due diligence measures provided for in Article 3 of the Act to those of its clients who have direct access to the accounts of the corresponding institution ;
   and
2. that the client institution is able to provide relevant identifying data and information about such clients upon request by the correspondent institution. The provision of such data and information by Luxembourg credit institutions in the context of a correspondent relationship is permitted.

Insofar as institutions other than credit institutions are involved in correspondent banking relationships, the rules on this matter also apply to these institutions.

Section 3. High-risk countries

“A high-risk country is a country” that is on the list of high-risk third countries identified pursuant to Article 9(2) of Directive (EU) 2015/849 (i.e. i.e., Delegated Regulation EU 2020/855) or designated as higher risk by the Financial Action Task Force (FATF) as well as any other country that supervisory authorities and professionals consider in their assessment of money laundering and terrorist financing risks to be a high risk country based on the geographical risk factors set out in Annex IV (of the Act).”

With regard to business relationships or transactions involving high risk countries, professionals shall apply the enhanced customer due diligence measures mentioned below

a) obtaining additional information on the client and on the beneficial owner(s) and updating the identification data of the client and the beneficial owner(s) more regularly

b) obtain additional information on the intended nature of the business relationship

c) obtain information on the origin of the funds and the origin of the assets of the customer and the beneficial owner(s)

d) obtain information on the reasons for the transactions envisaged or carried out

e) obtain authorization from a senior member of their hierarchy to enter into or maintain the business relationship

f) implement enhanced monitoring of the business relationship by increasing the number and frequency of checks carried out and by identifying transaction patterns that require further scrutiny.

“Professionals shall ensure that, where appropriate, the first payment is made through an account opened in the customer’s name with a credit institution that is subject to customer due diligence standards at least as high as those set out in Directive (EU) 2015/849.”

“Enhanced customer due diligence measures need not be automatically applied in the case of majority-owned branches or subsidiaries that are located in third countries (…), if such branches or subsidiaries fully comply with the group-wide policies and procedures in place pursuant to (…) Directive (EU) 2015/849. Professionals shall address these situations using a risk-based approach.”

Enhanced customer due diligence measures need not be invoked automatically with respect to branches or majority-owned subsidiaries of the professionals established in the European Union which are located in high-risk third countries (…), where those branches or majority-owned subsidiaries fully comply with the group-wide policies and procedures in accordance with (…) Directive (EU) 2015/849. The professionals shall handle those cases by using a risk-based approach.”

“Financial institutions should be required to apply enhanced due diligence measures to business relationships and transactions with natural and legal persons, and financial institutions, from countries for which this is called for by the FATF. The type of enhanced due diligence measures applied should be effective and proportionate to the risks.”

Section 4. Examples of enhanced due diligence measures to be implemented, sector by sector/ in the case of transactions not involving the physical presence of the parties

The Joint Committee of the European Supervisor Authorities, in its final guidelines on risk factors, sets out numerous criteria to be applied by professionals in the specific situations provided for by the Law, and by sector of activity, it being understood that the measures appearing in the guidelines are not exhaustive and are thus given by way of illustration only.

• Retail banking:– Verifying the identity of the customer and the beneficial owner(s) on the basis of more than one reliable and independent source;- Obtaining more information about the customer and the nature or purpose of the business relationship, so as to build up a more complete customer profile;- Increasing the frequency of transaction monitoring;- Reviewing and updating the information held more frequently.

• Wealth management/private banking:

The measures prescribed in the guidelines echo, in a number of ways, those mentioned with respect to retail banking.

In addition, the professional must, in particular, establish the source of the assets and funds; where the risk is particularly high and/or the firm has doubts regarding the legitimacy of the origin of the funds, verifying the source of wealth and funds may be the only adequate risk mitigation tool. The source of funds or wealth may be verified by reference to, inter alia:

– a recent pay slip;

– a written confirmation of annual salary signed by the employer;

– a confirmation of sale signed by a lawyer/notary;

– the original or a certified copy of the will or grant of probate;

– written confirmation of inheritance signed by the testator’s notary/fiduciary/executor.

The professional should, moreover, monitor its customer’s transactions on an ongoing basis and/or where one of the elements of a transaction appears to be incompatible with the customer’s commercial risk profile.

• Electronic money issuers and money remitters:

The enhanced customer due diligence measures which firms should apply in a high-risk situation include the following:

– obtaining additional information about the customer during the identification process, such as the source of funds;

– applying additional verification measures from a wider variety of reliable and independent sources (e.g. checking against online databases) in order to verify the identity of the customer and the beneficial owner(s);

– obtaining additional information about the intended nature of the business relationship, for example by asking clients about their business or the jurisdictions to which they intend to transfer electronic money;

– obtaining information about the merchant/payee, in particular where the electronic money issuer has grounds to suspect that its products are being used to purchase illicit or age-restricted goods;

– applying identity fraud checks to ensure that the customer is who he or she claims to be;

– applying enhanced monitoring to the customer relationship and individual transactions;

– establishing the source and/or the destination of funds.

• Transactions not involving the physical presence of the parties, in the absence of electronic means of identification or secure identification process:

“In the case of transactions that do not involve the physical presence of the parties and where the professional has not set up electronic means of identification, relevant trust services within the meaning of Regulation (EU) No. 910/2014 or any other secure electronic or remote identification process regulated, recognized, approved or accepted by the relevant national authorities, professionals must have specific risk management systems related to business relationships or transactions.

These policies and procedures must be applied at the time of the establishment of the business relationship with the client and during the implementation of ongoing vigilance measures”.

Specific measures to be adopted by the professional to compensate for the potentially higher risk presented by this type of relationship may include:

“- measures ensuring that the identity of the client is established by means of additional documents, data or identifying information ;

– additional measures ensuring verification or certification by a public authority of the documents provided ;

– a confirmation certificate from a credit or financial institution subject to the Law or subject to equivalent professional obligations in the area of anti-money laundering and combating the financing of terrorism

– measures to ensure that the first payment of transactions is made through an account opened in the customer’s name with a credit or financial institution subject to the Act or subject to equivalent professional obligations in the area of anti-money laundering and combating the financing of terrorism.”

Section 5. Examples of enhanced due diligence measures to be implemented pursuant to CSSF Regulation No 12-02:

“Without prejudice to the cases where enhanced due diligence measures are specifically prescribed by the Law, the Grand-Ducal Regulation or this Regulation, examples of enhanced due diligence measures that could be applied depending on the risk assessment performed by the professional for higher-risk business relationships include:

• obtaining additional information on the customer and updating more regularly the identification data of the customer and the beneficial owner;
• obtaining additional information/documentation on the intended nature of the business relationship or on the origin of the funds involved and the assets;
• obtaining information and, where appropriate, evidence as to the reasons and economic background for the transactions contemplated or carried out and the plausibility of such transactions;
• obtaining the approval of the authorised management to commence or continue the business relationship;
• requiring the first payment to be carried out through an account in the customer’s name with a professional subject to similar customer due diligence standards;
• verifying the additional information obtained with independent and reliable sources;
• receiving a visit from the customer/company or contacting the customer/company via registered letter with acknowledgement of receipt;
• conducting enhanced monitoring of the business relationship, by increasing the number and timing of controls applied, and selecting patterns of transactions that need further examination.”

Section 1. Third-party introducers

“For the purposes of this Article, ‘third parties’ shall mean professionals (…), the member organisations or federations of those professionals, or other institutions or persons situated in a Member State or third country that:

a)  apply customer due diligence requirements and record-keeping requirements that are consistent with those laid down in this Law and in Directive (EU) 2015/849; and

b)  have their compliance with the requirements of this Law, Directive (EU) 2015/849 or equivalent rules applicable to them, supervised in a manner consistent with (…) Directive (EU) 2015/849.

It is prohibited for professionals to rely on third parties established in high-risk countries. Third parties that are branches and majority-owned subsidiaries of professionals established in the European Union are exempt from that prohibition, where those branches and majority-owned subsidiaries fully comply with the group-wide policies and procedures in accordance with (…) Directive (EU) 2015/849.

(2) Professionals may rely on third parties to meet the requirements (…), provided that the information (…) and documents (…) are obtained immediately from the third party to whom they have recourse. However, the final responsibility in the execution of these obligations remains with the professionals who use third parties”.

“Professionals using a third party must take appropriate measures to ensure that this third party provides without delay, upon request, in accordance with paragraph (3), the necessary documents concerning the customer due diligence requirements provided for in Article 3 (…), including, where appropriate, data obtained through the use of electronic means of identification, the relevant trust services provided for in Regulation (EU) No. 910/2014, or any other secure, electronic or remote identification process regulated, recognized, approved or accepted by the relevant national authorities.

Professionals using a third party must also ensure that the third party is regulated, supervised, and has taken measures to comply with customer due diligence and record keeping obligations that are consistent with those set out in Articles 3 to 3-2 of the (…) Law”.

(3) “When a third party intervenes for the purposes of paragraph 2 above, the latter shall be obliged to immediately make available to the professional to whom the client is addressing himself, notwithstanding any rules of confidentiality or professional secrecy applicable to him, the information requested in accordance with the obligations laid down in Article 3, paragraph 2, subparagraph 1, points a) to c) and subparagraph 2. 
In this case, an adequate copy of the identification and verification data, including, where appropriate, data obtained through the use of electronic means of identification, relevant trust services provided for in Regulation (EU) No. 910/2014, or any other secure electronic or remote identification process regulated, recognized, approved or accepted by the relevant national authorities, and any other relevant documents concerning the identity of the client or beneficial owner must be transmitted without delay, upon request, by the third party to the professional to whom the client is addressing.”

Moreover, the professional must ensure that the introducing third parties meet the requirements of the Law.

Any professional using a third party introducer must ensure, prior to the intervention of the latter, that he meets the requirements of the Act. The documentation used to verify the quality of the third party introducer must be kept in accordance with the Act.

The introducing third party shall give a prior written undertaking to fulfill the obligations specified in section 3-3, subsection (2) of the Act, notwithstanding the fact that the introducing third party is not a party to the Act. (2) of the Act, notwithstanding any rules of confidentiality or privilege applicable to the introducing party, if any.

The responsibility for compliance with the professional obligations provided for by the applicable legal provisions, including the present regulation, remains with the professional using the introducing third party.

[/left-bookmark]

Section 2. Outsourcing and agency relationship

“The contract between the professional and the delegated third party in the context of outsourcing or agency relationships (…) shall at least include:

• a detailed description of the due diligence measures and procedures to be implemented in accordance with the Law and this Regulation and, in particular, of the information and documents to be requested and verified by the third-party representative (service provider in case of outsourcing or agent in case of an agency relationship);
• the conditions regarding the transmission of information to the professional, including, notably, to make available immediately, regardless of confidentiality or professional secrecy rules or any other obstacle, the information gathered while fulfilling the customer due diligence obligations and the transmission, upon request and without delay, of a copy of the original supporting evidence received in this respect.”

“(2) The outsourcing and agency relationship policies and internal procedures of the trader wishing to use outsourced third parties shall, in particular, contain detailed provisions on the process of selection and evaluation of outsourced third parties, including subcontractors at different levels, in case of cascading outsourcing. In particular, the practitioner must ensure that the service provider has the necessary resources to perform all outsourced functions (process, service or activity outsourced).

Professionals must regularly monitor the delegated third party’s compliance with its commitments under the contract. According to the risk-based approach, regular control refers to the fact that the professional has the means to test (e.g. by sampling) and to control on a regular and punctual basis (e.g. by carrying out on-site visits) the respect of the obligations incumbent on the delegated third party. With regard to the data of its clients, the professional and the CSSF must have access rights to the systems/databases of the delegated third party.

“(2bis) A risk assessment of the outsourced functions and, if applicable, of the outsourcing chain must be carried out before the outsourcing contract is concluded (…)”

“(3) Responsibility for compliance with the provisions of the Act, the Grand-Ducal Regulation and this Regulation shall remain entirely with the professional using the delegated third party and the sub-delegated third party, where applicable.”

“(4) In the context of the outsourcing of AML/CFT functions, the rights and obligations of the professional and the service provider as well as their roles, responsibilities and tasks must be clearly listed, allocated and defined in the outsourcing contract. (…)”

Section 1: Money laundering risks lower than those covered by the Law

“Where professionals identify a lower risk of money laundering and terrorist financing, they may apply simplified customer due diligence measures.”

1.1  Situations involving less risk

When assessing the risks of money laundering or terrorist financing attaching to certain types of customer, geographical areas and products, services, transactions or particular distribution channels, professionals must take into account, as a minimum, the factors involved in potentially lower-risk situations as set out in Annex III (to the Law).

The application of simplified due diligence measures must be based on a risk assessment showing a low risk.

The risk factors set out in the Annex have already been mentioned above (customer/product/country), where the professional finds that the risk is low in the following respects:

– (i) geographical: if the situation/criteria involve more than one Member State, a customer originating from a Member State, and a third country posing a low risk of corruption/having effective AML/CFT systems;

– (ii) products/services/transactions/ distribution channels.

A non-exhaustive list comprising, for example: low-premium life insurance policies, retirement insurance contracts without an early redemption clause, pension schemes in favour of employees, financial products or services used for inclusion purposes, or products posing a low risk of money laundering or terrorist financing which are controlled in accordance with other factors such as limits or ownership transparency;

– (iii) customers: companies listed on a regulated market and subject to information obligations (including transparency as regards beneficial owners), public administrative bodies/undertakings, residence criteria.

Electronic money:

“By way of derogation (…) and based on an appropriate risk assessment which demonstrates a low risk, professionals are allowed not to apply certain customer due diligence measures with respect to electronic money, where all of the following risk-mitigating conditions are met:

(a) it is not possible to reload the payment instrument or the instrument has a maximum monthly limit of EUR 150 which can be used only in Luxembourg;

(b) the maximum amount stored electronically does not exceed EUR 150.

(c) the payment instrument is used exclusively to purchase goods or services;

(d) the payment instrument cannot be funded with anonymous electronic money;

(e) the issuer carries out sufficient monitoring of the transactions or business relationship to enable unusual or suspicious transactions to be detected.

The derogation provided for in the first subparagraph is not applicable in the case of redemption in cash or cash withdrawal of the monetary value of the electronic money where the amount redeemed exceeds EUR 50 euros or in the case of remote payment transactions within the meaning of Article 4(6) of Directive (EU) 2015/2366 (…) where the amount paid exceeds 50 euros per transaction.”

“Credit and financial institutions acting as acquirers shall only accept payments made with anonymous prepaid cards issued in third countries where such cards meet requirements equivalent to those set out in paragraphs 1 and 2.”

“In the presence of information suggesting that the degree of risk is not lower, or where there is a suspicion of money laundering or terrorist financing, or where there is doubt as to the veracity or relevance of previously obtained data, or in specific cases of higher risk, the application of this simplified due diligence regime shall not be possible to those particular customers, geographical areas, products, services, transactions or distribution channels.”

1.2  Due diligence measures

According to the FAFT, financial institutions may be authorised to apply simplified due diligence measures, taking into account any lower level of risk.

The measures advocated by the FATF may thus consist in verifying the identity of the customer/beneficial owner following the establishment of the business relationship, reducing the frequency of customer identification updates and the intensity of ongoing due diligence, and inferring the purpose and intended nature of the business relationship from the type of transactions carried out.

“Where the professionals identify a lower risk of money laundering and terrorist financing, they may apply simplified customer due diligence measures.

(2) Before applying simplified customer due diligence measures, the professionals shall ascertain that the business relationship or the transaction presents a lower degree of risk.”

Section 2: Suggestions for simplified due diligence measures

According to CSSF Regulation n°12-02 :

CSSF Regulation n°20-05 sets out the measures that the professional may apply in the context of a business relationship presenting a justified low risk:

• For clients subject to an authorization/licensing or mandatory registration regime for AML/CFT purposes, verify that the client is subject to this regime, for example by conducting a search on the regulator’s official website and documenting the result of the search
• The presumption that a payment debited from an account held in the customer’s name, individually or jointly, with a credit institution or a regulated financial institution in a country of the European Economic Area or a third country imposing equivalent AML/CFT obligations, meets the requirements of Article 3 paragraph 2, subparagraph 1, point a) of the Law

• The exceptional acceptance of other forms of identification that meet the criteria of reliable and independent sources, for example a letter addressed to the client by a government agency or other reliable public body, when the client is unable to provide the usual proof of identity, and provided that there is no reason for suspicion
• Updating customer due diligence information only in the case of certain triggering events, for example if the customer requests a new or riskier product or service, or if there are changes in the customer’s behavior or transaction profile that suggest that the risk associated with the relationship is no longer low;
• For persons purporting to act on behalf of the client and for originators, promoters who are behind the launch of an investment fund, obtaining information on the country of residence of these persons instead of requesting the full mailing address;
• For persons claiming to act on behalf of a client where the client is a regulated credit or financial institution, instead of requesting the full identification of these persons, obtaining a letter confirming that the institution has applied due diligence measures to these persons and that it has carried out a regular check of these persons against the applicable lists of restrictive measures in financial matters.

Simplified due diligence measures according to the European supervisory authorities:

The final guidelines on risk factors published by the Joint Committee of the European Supervisory Authorities contain simplified due diligence measures which professionals may apply, generic or specific depending on the business sectors concerned.

2.1 “Generic” simplified due diligence measures

The measures advocated by the Joint Committee of the European Supervisory Authorities concerning simplified due diligence are based on adaptation – adaptation both of the moment chosen to apply the due diligence measures and of the quantity of information obtained for identification purposes or of its quality/source, or of the frequency of monitoring of transactions.

Professionals may use their discretion in deciding on the measures to be applied, depending on the circumstances of each particular case.

• Adaptation of the moment chosen to apply the due diligence measures:

(i) by verifying the identity of the customer or beneficial owner at the time of establishment of the business relationship; or

(ii) by verifying the identity of the customer or beneficial owner once the transactions exceed a fixed threshold or once a reasonable time has elapsed.

Professionals must make sure:

• that this does not entail a de facto exemption from customer due diligence measures;
• that the threshold or period of time is fixed at a reasonably low level/is reasonably short (that said, as regards the financing of terrorism, firms should note that a low threshold cannot on its own be sufficient to reduce the risk);
• that they have systems making it possible to detect when the threshold or deadline is reached; and
• that they do not defer the customer due diligence measures and do not delay the obtaining of relevant information concerning the customer where the applicable legislation, for example Regulation (EU) 2015/847, or provisions of national law require that information to be obtained from the outset.

• Adaptation of the quantity of information:

(i) by verifying the identity on the basis of information obtained from a single document or a single source of data which is reliable, credible and independent; or

(ii) by making assumptions regarding the nature and purpose of the business relationship on account of the fact that the product is designed exclusively for a very specific use, such as a company pension scheme or a gift card issued by a shopping centre.

• Adapting the frequency of updates of customer due diligence and reviews of the business relationship, for example by carrying them out only when trigger events occur, in particular where the customer wishes to subscribe for a new product or service or a given threshold for transactions is reached.
• Adapting the frequency and intensity of transaction monitoring, for example by monitoring transactions only beyond a certain threshold.
• Adapting the quality or source of information obtained for identification and verification of identity and ongoing due diligence:
  • Accepting information obtained from the customer rather than from an independent source when verifying the identity of the beneficial owner
  • Relying on the origin of funds to meet certain due diligence requirements, such as where funds are derived from employee benefit payments or where funds have been transferred from an account in the customer’s name at an institution located in the EEA

2.2 Simplified due diligence measures by sector of activity

As with risk assessment by sectors of activity, the guidelines published by the Joint Committee provide guidance regarding the simplified due diligence measures to be applied. Various examples are given below, but professionals are invited to consult the guidelines for further details.

• Retail banking:

• Wealth management/private banking:

• Electronic money issuers and money remitters:

Section 1. Obligation to put in place written internal control and communication procedures

“Professionals shall put in place policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified at international, European, national and sectoral level and at the level of the professionals themselves. Those policies, controls and procedures, which take into account the risks of money laundering and terrorist financing, shall be proportionate to the nature, specificities and size of the professionals.

The policies, controls and procedures referred to in the first subparagraph shall include:

a)  the development of internal policies, controls and procedures, including models, relating to risk management practices, customer due diligence, cooperation, record-keeping, internal control, compliance management including the appointment of a compliance officer at appropriate hierarchical level, and employee screening;

b)  where appropriate with regard to the size and nature of the business and the risks of money laundering and terrorist financing, an independent audit function to test the internal policies, controls and procedures referred to in point (a). (…)

The professionals shall appoint, where appropriate, among the members of their management body or effective direction, the person responsible for compliance with the professional obligations as regards the fight against money laundering and terrorist financing.”

“The internal control system … is adequately resourced to monitor compliance, including on a test basis, with procedures, policies and controls and has the independence necessary to perform its duties.

The Compliance Officer and other relevant personnel shall have timely access to client identification and other due diligence information, transaction records and other relevant information. The compliance officer must be able to act independently and report to management, without reporting to his or her immediate supervisor, or to the board of directors (…).”

CSSF Regulation No 12-02 sets out various examples of procedures relating to the professional’s AML/CFT policy.

“The professional’s AML/CFT policies and procedures shall cover all the professional obligations and, where appropriate, include, inter alia, the following:

– the customer acceptance policy (…);

– the detailed procedures as regards the identification, assessment, supervision, management and mitigation of money laundering or terrorist financing risks (…). Those procedures shall allow monitoring of the development of the identified risks, reassessing them on a regular basis and identifying any significant change affecting them or any new risk;

– the specific risk management mechanisms relating to business relationships or transactions not requiring the physical presence of the parties without other guarantees having been put in place (as referred to in Article 27 of CSSF Regulation 12-02);

– the measures designed to prevent the misuse of products or the execution of transactions that might favour anonymity (…), in particular, as regards new technologies;

– the procedures to be followed in the event of a request to enter into a business relationship or to execute an occasional transaction for a person whose normal activity involves the holding of third-party funds with a professional or the opening of a group account;

– the procedure for accepting and monitoring business relationships (…);

– the procedures to be followed when using a third-party introducer (…)

– the procedures to be followed when using delegated third parties intervening within the framework of an outsourcing or agency contract (…)

– the procedures to observe in order to monitor the development of business relationships as well as transactions executed for customers, notably to detect suspicious transactions;

– the procedures to be followed in the event of suspicion or reasonable grounds for suspicion of money laundering, associated predicate offences or terrorist financing

(…)

– the procedures to be followed in order to fulfil the obligations of Regulation (EU) 2015/847 (transfers of funds);

– the personnel selection policy guaranteeing the recruitment of employees according to demanding criteria, the personnel training and awareness-raising programme (…)

– the accurate definition of the respective responsibilities of the various functions within the staff with regard to AML/CFT, as well as the procedure for appointing the control officer and the compliance officer.”

– the procedure for internal reporting of violations of professional AML/CFT obligations through a specific, independent and anonymous channel

– procedures for financial restraint measures

– procedures for identifying the beneficiary of trusts or similar legal arrangements at the time of payment of benefits or at the time the beneficiary exercises his or her vested rights (…)

 

Information on the measures relating to mechanisms for the supervision of business relationships and transactions as included in CSSF Regulation No 12-02 will be found above.

Section 2. Obligation to provide training and awareness-raising for the personnel

“Professionals are required to take measures proportionate to their risks, their nature and their size, so that their employees, including members of the management bodies and the effective management, are aware of the professional obligations in the fight against money laundering and terrorist financing, as well as the applicable data protection requirements. These measures include the participation of their employees in special continuing education programs designed to keep them informed of new developments, including information on money laundering and terrorist financing techniques, methods and trends, to help them recognize transactions that may be related to money laundering or terrorist financing, and to instruct them on how to proceed in such cases. Special ongoing training programs provide employees with clear explanations of all aspects of AML/CFT laws and obligations, including customer due diligence and suspicious transaction reporting obligations. (…) “.

“Every professional shall have a training and awareness-raising programme for the whole personnel which observes highly qualitative criteria and whose content and calendar take into account the specific needs of the professional. That programme, as well as its realisation, shall be documented in writing. The programme shall take into account the development of money laundering and terrorist financing techniques and shall be adapted when relevant legal or regulatory requirements change.

The training and awareness-raising programme of the personnel shall include, inter alia:

• for all newly hired employees, participation in internal or external basic training as soon as they are hired, making them aware of the professional’s AML/CFT policy as well as of the relevant legal and regulatory requirements;
• for the employees, regular participation in internal or external continuing education which is addressed, in particular, to the members of the personnel in direct contact with customers in order to help them identify unusual transactions and recognise money laundering or terrorist financing attempts. That continuing education shall also concern the professional’s internal procedures to be followed by the employees in the event that they identify suspicion or have reasonable grounds for suspicion of money laundering, related predicate offences or terrorist financing;
• regular information meetings for employees in order to keep them up to date with developments as regards the techniques, methods and trends with respect to money laundering and terrorist financing as well as the preventive rules and procedures to be followed in the matter;
• the appointment of one or more contact person(s) for employees who is/are competent and available to answer any questions which relate to money laundering or terrorist financing and which may concern, notably, all aspects of the laws and obligations regarding AML/CFT, the internal procedures, the customer due diligence duties and the reporting of suspicious transactions;
• the periodic distribution of AML/CFT documentation which includes, in particular, examples of money laundering or terrorist financing transactions.”

Section 3. Internal reporting of breaches of professional obligations

“Professionals shall have in place appropriate procedures, proportionate to their nature and size, for their employees, or persons in a comparable position, to report internally, through a specific, independent and anonymous channel, breaches of professional obligations as regards the fight against money laundering and terrorist financing.”

The 5th Anti-Money Laundering Directive requires Member States to “ensure that individuals, including employees and representatives of the obliged entity who report suspicions of money laundering or terrorist financing internally or to the Financial Intelligence Unit, are legally protected from being exposed to threats, retaliatory or hostile action, and in particular from adverse or discriminatory employment actions”.

In addition, they must “ensure that individuals who are exposed to threats, retaliatory or hostile actions, or adverse or discriminatory employment actions for reporting suspicions of money laundering or terrorist financing internally or to the Financial Intelligence Unit are entitled to present a complaint in a safe manner to the respective competent authorities. (…)”

Section 4. Obligation to have systems making it possible to respond to the authorities

“Professionals shall have systems in place that enable them to respond fully and rapidly to enquiries from the Luxembourg authorities responsible for combatting money laundering and terrorist financing and self-regulatory bodies, as to whether they maintain or have maintained during the previous five years a business relationship with specified natural or legal persons and on the nature of that relationship, through secure channels and in a manner that ensures full confidentiality of the enquiries.”

“(…) professionals shall be able to answer quickly and comprehensively all information requests for information from the Luxembourg AML/CFT authorities, and, in particular, those which tend to determine whether they are or were in business relationships or whether they do or did carry out transactions in relation to specific persons (…).

This cooperation requirement does not end with the business relationship or transaction.”

Similarly, the FIU’s “Suspicious Operations Report” Guideline obliges professionals to respond, “without delay, to a request for information by the FIU by using the ‘feedback’ forms, available on goAML Web. (The professional) can fill them in online or download an XML file (…). If (the professional) has not yet done so, (it should) register in advance  to be able to respond to the request for information.

Depending on the complexity and scope of research required, (the professional) should respond to any request for information by the FIU by using the ‘feedback’ forms, available on goAML Web. (The professional) can fill them in on FIU within a fortnight. However, if a request for information is described as ‘very urgent’, especially when dealing with terrorist financing, (the professional) should respond within 24 hours. A request for information described as ‘urgent’ should be processed within a week.”

“(1) Professionals, their dirigeants and employees are obliged to cooperate fully with the Luxembourg authorities responsible for combatting money laundering and terrorist financing, in particular in the exercise of their supervisory powers (…)”.

Without prejudice to the obligations vis-à-vis the supervisory authorities or self-regulatory bodies, professionals, their directors, dirigeants and employees are required to:

(a) inform promptly, on their own initiative, the Cellule de renseignement financier/Financial Intelligence Unit (…) when they know, suspect or have reasonable grounds to suspect that money laundering, an associated predicate offence or terrorist financing is being committed or has been committed or attempted, in particular in consideration of the person concerned, its development, the origin of the funds, and the purpose, nature and procedure of the operation. This report must be accompanied by all supporting information and documents having prompted the report.

All suspicious transactions, including attempted suspicious transactions, shall be reported, regardless of the amount of the transaction.

The obligation to report suspicious transactions shall apply regardless of whether those filing the report can determine the predicate offence.

(b) provide without delay to the Cellule de renseignement financier/Financial Intelligence Unit), at its request, any information required. This obligation includes the submission of the documents on which the information is based.

(…)

(1a) With regard to combatting terrorist financing, the obligation to report suspicious transactions (…) also applies to funds where there are reasonable grounds to suspect or they are suspected to be linked or related to, or to be used for terrorism, terrorist acts, a terrorist or terrorist groups or by those who finance terrorism”.

“(1) The requirement to inform the FIU without delay(…) also covers cases in which the professional came into contact with a natural or legal person or legal arrangement without entering into a business relationship or carrying out a transaction, insofar as there are suspicions or reasonable indications for suspicion of money laundering, an associated predicate offence or terrorist financing.

(2) The professional shall equip itself with the means required with respect to procedures and organisation of the AML/CFT compliance officer function which allows analysis of the reports transmitted to him and the determination of the necessity to communicate a fact or transaction to the FIU (…). To this end, the professional must register in the tool set up by the FIU. The procedures shall include the conditions, deadlines and steps for the customer relationship manager to communicate reports to the compliance officer. The analysis and the resulting decision shall be recorded in writing and made available to the competent authorities.

(3) (…) a business relationship which is the subject of a suspicion report to the FIU shall be monitored by the professional with enhanced due diligence and, where appropriate, in line with the FIU instructions. Where there are any new indications, the professionals shall lodge a supplementary suspicious transaction report.”

Where (…) the professional has a doubt as to the real identity of the beneficial owner and where he is unable to remove this doubt, he shall refuse to enter into the business relationship or to carry out the transaction desired by the client and, where he knows, suspects or has reasonable grounds to suspect that money laundering, an associated predicate offence or terrorist financing is taking place, has taken place or has been attempted, he shall make a declaration (to the Public Prosecutor’s Office) in accordance with Article 5 para. (1) and (1 bis) of the Act (…)”.

“No professional secrecy applies vis-à-vis the Financial Intelligence Unit in respect of paragraph (1), paragraph (1a) and paragraph (3).”

“Countries should ensure that financial institution secrecy laws do not inhibit implementation of the FATF Recommendations.”

• Rules on non-execution of suspicious transactions and “no tipping-off”

“Professionals must refrain from carrying out transactions which they know, suspect or have reasonable grounds to suspect to be related to money laundering, to an associated predicate offence or to terrorist financing until they have informed the Financial Intelligence Unit thereof (…) and have complied with any specific instructions from the Financial Intelligence Unit. The Financial Intelligence Unit may give instructions not to carry out the operations relating to the transaction or the customer.

Where refraining from carrying out transactions (…) is impossible or is likely to frustrate efforts to pursue the beneficiaries of a suspected operation, the professionals concerned shall inform the Financial Intelligence Unit immediately afterwards.

Where the instruction is communicated orally, it must be followed by a written confirmation within three business days, otherwise the effects of the instruction cease on the third business day at midnight.

The professional is not authorised to disclose this instruction to the customer without the express prior consent of the Financial Intelligence Unit.

The Financial Intelligence Unit may order systematically and at any time the total or partial withdrawal of the order not to carry out the operations pursuant to sub-paragraph 1.”

Potential requests by the FIU for information on the reporting of suspicious transactions, and the rules on refraining from execution and “no tipping-off” with regard to such transactions, “apply even in the absence of a suspicious transaction report made by the professionals”.

“The FIU may issue a freezing order at any given moment.

To avoid the freezing order from becoming ineffective, (the professional) should not execute a transaction which (it knows) or suspect(s) to be linked to an act of money laundering or terrorist financing, as long as it has not informed the FIU of (its) suspicion by means of a suspicious operations report or by a response to a request for information received. An acknowledgment of receipt of the declarations (the professional’s) and responses (the professional’s) report by the FIU is automatically generated by goAML Web and will be sent to (the professional) via the message board, usually around midnight.

From this moment on, as long as (the professional has) not received any freezing order from the FIU, (it) may execute, under (its) own responsibility, the transaction related to (its) communications, as well as any subsequent non-suspicious transactions.”

“Professionals and their dirigeants and employees shall not disclose to the customer concerned or to other third persons the fact that information is being, will be or has been reported or provided to the authorities (…) or that a money laundering or terrorist financing investigation by the Financial Intelligence Unit is being or may be carried out.

This prohibition does not apply to a disclosure to the supervisory authorities or, if appropriate, the self-regulatory bodies of the different professionals.” Nor, subject to fulfilment of the criteria set out in Section 2.3 above, does it apply in an intra-group context.

(…)

“For credit and financial institutions and the professionals referred to in Article 2 (1) (8), Article 2 (1) (9), Article 2 (1) (11), Article 2 (1) (12) and Article 2 (1) (13) (lawyers, notaries, tax advisers), in cases involving the same person and the same transaction involving two or more professionals, the prohibition laid down in the first sub-paragraph of this paragraph shall not prevent disclosure between the relevant professionals provided that they are situated in a Member State, or in a third country which imposes requirements equivalent to those laid down in this Law or in Directive (EU) 2015/849 and that they are from the same professional category and are subject to equivalent obligations as regards professional secrecy and personal data protection. The information exchanged must be used exclusively for the purposes of the prevention of money laundering and terrorist financing.”

The provisions to which professionals are subject are set out in Regulation (EU) 2015/847 on information accompanying transfers of funds and repealing Regulation (EC) No1781/2006. Those provisions entered into force on 26 June 2017.

“Regulation (EU) 2015/847 ensures the uniform implementation of FATF Recommendation 16 on wire transfers throughout the European Union. (…) (It) lays down rules regarding the information on payers and, henceforth (which is new as compared to the old Regulation (EC) No 1781/2006), on payees, that shall accompany transfers of funds, in any currency, where at least one of the payment service providers involved in the transfer of funds is established in the European Union.”

Taking into account the direct effect of Regulation (EU) 2015/847, the CSSF invites professionals to “adjust, where applicable, (their) internal AML/CFT procedures and processes in order to comply with its requirements”.

In addition, CSSF Circular 18/680 of 23 January 2018 refers to the joint guidelines of the three European Supervisory Authorities on the measures payment service providers should take to detect missing or incomplete information on the payer or the payee.

Regulation (EU) 2015/847 applies to transfers of funds, in whatever currency, sent or received by a payment service provider or an intermediary payment service provider established in the Union.

Derogations from the application of Regulation (EU) 2015/847

“This Regulation shall not apply to transfers of funds carried out using a payment card, an electronic money instrument or a mobile phone, or any other digital or IT prepaid or post paid device with similar characteristics, where the following conditions are met:

(a)  that card, instrument or device is used exclusively to pay for goods or services; and

(b)  the number of that card, instrument or device accompanies all transfers flowing from the transaction.

However, this Regulation shall apply when a payment card, an electronic money instrument or a mobile phone, or any other digital or IT prepaid or post paid device with similar characteristics, is used in order to effect a person-to-person transfer of funds

This Regulation shall not apply to persons that have no activity other than to convert paper documents into electronic data and that do so pursuant to a contract with a payment service provider, or to persons that have no activity other than to provide payment service providers with messaging or other support systems for transmitting funds or with clearing and settlement systems.

This Regulation shall not apply to transfers of funds:

(a)  that involve the payer withdrawing cash from the payer’s own payment account;

(b)  transfer funds to a public authority as payment for taxes, fines or other levies within a Member State

(c)  where both the payer and the payee are payment service providers acting on their own behalf;

(d)  that are carried out through cheque images exchanges, including truncated cheques.”

The professional’s obligations will vary according to whether it is acting, as the case may be, as a payment service provider for the payer (Section 1), for the payee (Section 2) or where there is an intermediary payment service provider (Section 3).

 

Section 1. Compliance with Regulation (EU) 2015/847 on information accompanying transfers of funds

Subsection 1. Obligations of the payment service provider (“PSP”) of the payer

1.  Information accompanying transfers of funds

“1.  The payment service provider of the payer shall ensure that transfers of funds are accompanied by the following information:

(a)  the name of the payer;

(b)  the payer’s payment account number; and

(c)  the payer’s address, official personal document number, customer identification number

or date and place of birth.

2.  The payment service provider of the payer shall ensure that transfers of funds are accompanied by the following information:

(a)  the name of the payee; and

(b)  the payee’s payment account number.

3.  By way of derogation from point (b) of paragraph 1 and point (b) of paragraph 2, in the case of a transfer not made from or to a payment account, the payment service provider of the payer shall ensure that the transfer of funds is accompanied by a unique transaction identifier rather than the payment account number(s).

4.  Before transferring funds, the payment service provider of the payer shall verify the accuracy of the information referred to in paragraph 1 on the basis of documents, data or information obtained from a reliable and independent source.

(…)

5.  Without prejudice to the derogations provided for in Articles 5 and 6, the payment service provider of the payer shall not execute any transfer of funds before ensuring full compliance with this Article.”

2.  Transfers of funds within the Union

“1.  By way of derogation from Article 4 (1) and (2), where all payment service providers involved in the payment chain are established in the Union, transfers of funds shall be accompanied by at least the payment account number of both the payer and the payee or, where Article 4 (3) applies, the unique transaction identifier, without prejudice to the information requirements laid down in Regulation (EU) No 260/2012, where applicable.

2.  (…) the payment service provider of the payer shall, within three working days of receiving a request for information from the payment service provider of the payee or from the intermediary payment service provider, make available the information:

(a) for transfers of funds exceeding EUR 1 000, whether those transfers are carried out in a single transaction or in several transactions which appear to be linked, the information on the payer or the payee in accordance with Article 4 (see above);

(b) for transfers of funds not exceeding EUR 1 000 that do not appear to be linked to other transfers of funds which, together with the transfer in question, exceed EUR 1 000, at least:

(i) the names of the payer and of the payee; and

(ii) the payment account numbers of the payer and of the payee or, where Article 4(3) applies, the unique transaction identifier.”

(…) ».

3.  Transfers of funds outside the Union

“1.  In the case of a batch file transfer from a single payer where the payment service providers of the payees are established outside the Union, Article 4(1) (information concerning the payer and the payee) shall not apply to the individual transfers bundled together therein, provided that the batch file contains the information referred to in Article 4(1), (2) and (3), that that information has been verified in accordance with Article 4(4) and (5), and that the individual transfers carry the payment account number of the payer or, where Article 4(3) applies, the unique transaction identifier.

2.  By way of derogation from Article 4(1), and, where applicable, without prejudice to the information required in accordance with Regulation (EU) No 260/2012, where the payment service provider of the payee is established outside the Union, transfers of funds not exceeding EUR 1 000 that do not appear to be linked to other transfers of funds which, together with the transfer in question, exceed EUR 1 000, shall be accompanied by at least:

(a) the names of the payer and of the payee; and

(b) the payment account numbers of the payer and of the payee or, where Article 4(3) applies, the unique transaction identifier.

By way of derogation from Article 4(4) (verification of the accuracy of the information), the payment service provider of the payer need not verify the information on the payer referred to in this paragraph unless the payment service provider of the payer:

(a) has received the funds to be transferred in cash or in anonymous electronic money; or

(b) has reasonable grounds for suspecting money laundering or terrorist financing.”

Subsection 2. Obligations of the payment service provider of the payee

1.  Detection of missing information concerning the payer or the payee

“1.  The payment service provider of the payee shall implement effective procedures to detect whether the fields relating to the information on the payer and the payee in the messaging or payment and settlement system used to effect the transfer of funds have been filled in using characters or inputs admissible in accordance with the conventions of that system.

2.  The payment service provider of the payee shall implement effective procedures, including, where appropriate, ex-post monitoring or real-time monitoring, in order to detect whether the following information on the payer or the payee is missing:

(a) for transfers of funds where the payment service provider of the payer is established in the Union, the information referred to in Article 5;

(b) for transfers of funds where the payment service provider of the payer is established outside the Union, the information referred to in Article 4(1) and (2);

(c) for batch file transfers where the payment service provider of the payer is established outside the Union, the information referred to in Article 4(1) and (2), in respect of that batch file transfer.

3.  In the case of transfers of funds exceeding EUR 1 000, whether those transfers are carried out in a single transaction or in several transactions which appear to be linked, before crediting the payee’s payment account or making the funds available to the payee, the payment service provider of the payee shall verify the accuracy of the information on the payee referred to in paragraph 2 of this Article on the basis of documents, data or information obtained from a reliable and independent source (…).

4.  In the case of transfers of funds not exceeding EUR 1 000 that do not appear to be linked to other transfers of funds which, together with the transfer in question, exceed EUR 1 000, the payment service provider of the payee need not verify the accuracy of the information on the payee, unless the payment service provider of the payee:

(a) effects the pay-out of the funds in cash or in anonymous electronic money; or

(b) has reasonable grounds for suspecting money laundering or terrorist financing.”

1.1  Procedures with regard to missing and incomplete information

• Principles

PSPs (…) must implement effective procedures to detect if the required information on the payer or the payee is missing.

To be effective, these procedures should:

a)  enable the PSP or IPSP to spot meaningless information;

b)  employ a combination of real-time monitoring and ex-post monitoring; and

c)  alert the PSP (…) to high-risk indicators.”

• Obligations and recommendations

“In order to detect and manage these transfers of funds with missing or incomplete information, PSPs and IPSPs shall notably establish, and maintain through regular review, effective policies and procedures that are proportionate to the nature, size and complexity of their business. These policies and procedures shall also be proportionate to the ML/TF risks to which the PSPs and IPSPs are exposed. Thus, they shall, for instance, set out clearly which transfers of funds have to be monitored in real time and which transfers of funds can be monitored on an ex-post basis.”

“The PSPs [of payees] (…) are thus requested to refer to the Guidelines for information on:

– the factors [they] should consider when establishing and implementing procedures to detect and manage transfers of funds that lack required information on the payer and/or the payee”.

1.2  “Meaningless” information

“PSPs (…) should treat meaningless information as though it was missing information

Examples of meaningless information include strings of random characters (e.g. ‘xxxxx’, or ‘ABCDEFG’) or designations that clearly make no sense (e.g. ‘An Other’, or ‘My Customer’), even if this information has been provided using characters or inputs in accordance with the conventions of the messaging or payment and settlement system.

Where PSPs (…) use a list of commonly found meaningless terms, they should periodically review this list to ensure it remains relevant. In those cases, there is no expectation that PSPs (…) manually review transactions to detect meaningless information.”

1.3  Risk indicators

In the context of setting up procedures to detect missing information, PSPs should take due account of the risk factors referred to in Chapter 1 “Risk-based approach”.

2.  Management of transfers of funds in respect of which information on the payer or payee is missing or incomplete

“The payment service provider of the payee shall implement effective risk-based procedures, including procedures based on the risk-sensitive basis referred to in Article 13 of Directive (EU) 2015/849, for determining whether to execute, reject or suspend a transfer of funds lacking the required complete payer and payee information and for taking the appropriate follow-up action.

Where the payment service provider of the payee becomes aware, when receiving transfers of funds, that the information referred to in Article 4(1) or (2), Article 5(1) or Article 6 is missing or incomplete or has not been filled in using characters or inputs admissible in accordance with the conventions of the messaging or payment and settlement system (…), the payment service provider of the payee shall reject the transfer or ask for the required information on the payer and the payee before or after crediting the payee’s payment account or making the funds available to the payee, on a risk-sensitive basis.”

The PSP will be required to determine whether to execute/refuse/suspend a transfer of funds in accordance with the procedures in force, on the basis that it will take due account of the risks involved in that transfer of funds before deciding what course is to be followed.

The professional must assess whether the missing information raises concerns regarding money laundering.

“Where a PSP (…) decides to reject a transfer of funds, it does not have to ask for the missing information but should share the reason for the rejection with the prior PSP in the payment chain.”

“Where a PSP (…) decides to suspend the transfer of funds, it should notify the prior PSP in the payment chain that the transfer of funds has been suspended and ask the prior PSP in the payment chain to supply the information on the payer or the payee that is missing, or to provide that information using admissible characters or inputs.” (…)

Where the requested information is not provided by the set deadline, the PSP (…) should, in line with its risk-based policies and procedures:

(a) decide whether to reject or execute the transfer;

(b) consider whether or not the prior PSP in the payment chain’s failure to supply the required information gives rise to suspicion; and

(c) consider the future treatment of the prior PSP in the payment chain for AML/CFT compliance purposes.”

3.  Assessment and reporting

“The payment service provider of the payee shall take into account missing or incomplete information on the payer or the payee as a factor when assessing whether a transfer of funds, or any related transaction, is suspicious and whether it is to be reported to the Financial Intelligence Unit (FIU) in accordance with Directive (EU) 2015/849.”

“PSPs (…) should assess whether or not a transfer of funds is suspicious, taking into account any criteria set out in Union law, national legislation and their own, internal AML/CFT policies and procedures.

PSPs (…) should note that missing or inadmissible information may not, by itself, give rise to suspicion of ML/TF. When considering whether or not a transfer of funds raises suspicion, the PSP or IPSP should take a holistic view of all ML/TF risk factors associated with the transfer of funds (…), to the extent that these are known, and pay particular attention to transfers of funds that are likely to present a higher risk of ML/TF.

PSPs (…) should be able to demonstrate that they comply with directly applicable Union law and national legislation in the area of AML/CFT.”

Subsection 3. Obligations of intermediary payment service providers (“IPSPs”)

The obligations incumbent on IPSPs are similar in many ways to those of the PSP of the payee.

1.  Retention of information on the payer and the payee accompanying the transfer

“Intermediary payment service providers shall ensure that all the information received on the payer and the payee that accompanies a transfer of funds is retained with the transfer.”

IPSPs must ensure that data are not altered.

2.     Detection of missing information on the payer or payee

“The intermediary payment service provider shall implement effective procedures to detect whether the fields relating to the information on the payer and the payee in the messaging or payment and settlement system used to effect the transfer of funds have been filled in using characters or inputs admissible in accordance with the conventions of that system”.

“IPSPs should monitor transfers of funds to detect whether or not the characters or inputs used to provide information on the payer and the payee comply with the conventions of the messaging or payment and settlement system that was used to process the transfer of funds. These checks should be carried out in real time.

IPSPs may assume that they comply with (…) point (1) of Article 11 of Regulation (EU) 2015/847 (…) if they are satisfied, and can demonstrate to their competent authority, that they understand the messaging or payment and settlement system’s validation rules (…).”

“The intermediary payment service provider shall implement effective procedures, including, where appropriate, ex-post monitoring or real-time monitoring, in order to detect whether the following information on the payer or the payee is missing:

(a)  for transfers of funds where the payment service providers of the payer and the payee are established in the Union, the information referred to in Article 5;

(b)  for transfers of funds where the payment service provider of the payer or of the payee is established outside the Union, the information referred to in Article 4(1) and (2);

(c)  for batch file transfers where the payment service provider of the payer or of the payee is established outside the Union, the information referred to in Article 4(1) and (2), in respect of that batch file transfer.”

3.  Transfers of funds in respect of which information on the payer or payee is missing

“(…) IPSPs must implement effective procedures to detect if the required information on the payer or the payee is missing.

To be effective, these procedures should:

(a) enable the (…) IPSP to spot meaningless information;

(b) employ a combination of real-time monitoring and ex-post monitoring; and

(c) alert the (…) IPSP to high-risk indicators.”

“The intermediary payment service provider shall establish effective risk-based procedures for determining whether to execute, reject or suspend a transfer of funds lacking the required payer and payee information and for taking the appropriate follow up action.

(…)”

4.  Assessment and reporting

“The intermediary payment service provider shall take into account missing information on the payer or the payee as a factor when assessing whether a transfer of funds, or any related transaction, is suspicious, and whether it is to be reported to the FIU in accordance with Directive (EU) 2015/849.”

Subsection 4. Information, data protection and retention of information

1.  Communication of information to the authorities

“Payment service providers shall respond fully and without delay, including by means of a central contact point in accordance with Article 45(9) of Directive (EU) 2015/849, where such a contact point has been appointed, and in accordance with the procedural requirements laid down in the national law of the Member State in which they are established, to enquiries exclusively from the authorities responsible for preventing and combating money laundering or terrorist financing of that Member State concerning the information required under this Regulation”.

2.  Data protection

“The processing of personal data under this Regulation is subject to Directive 95/46/EC (…).

Personal data shall be processed by payment service providers on the basis of this Regulation only for the purposes of the prevention of money laundering and terrorist financing and shall not be further processed in a way that is incompatible with those purposes. The processing of personal data on the basis of this Regulation for commercial purposes shall be prohibited. (…)”

“Payment service providers shall provide new clients with the information required pursuant to Article 10 of Directive 95/46/EC before establishing a business relationship or carrying out an occasional transaction. That information shall, in particular, include a general notice concerning the legal obligations of payment service providers under this Regulation when processing personal data for the purposes of the prevention of money laundering and terrorist financing.”

“Payment service providers shall ensure that the confidentiality of the data processed is respected.”

3.  Retention of information

“1.  Information on the payer and the payee shall not be retained for longer than strictly necessary. Payment service providers of the payer and of the payee shall retain records of the information referred to in Articles 4 to 7 for a period of five years.

2.  Upon expiry of the retention period referred to in paragraph 1, payment service providers shall ensure that the personal data is deleted, unless otherwise provided for by national law, which shall determine under which circumstances payment service providers may or shall further retain the data. Member States may allow or require further retention only after they have carried out a thorough assessment of the necessity and proportionality of such further retention, and where they consider it to be justified as necessary for the prevention, detection or investigation of money laundering or terrorist financing. That further retention period shall not exceed five years.”

Subsection 5. Sanctions

“Without prejudice to the right to provide for and impose criminal sanctions, Member States shall lay down the rules on administrative sanctions and measures applicable to breaches of the provisions of this Regulation and shall take all measures necessary to ensure that they are implemented. The sanctions and measures provided for shall be effective, proportionate and dissuasive and shall be consistent with those laid down in accordance with Chapter VI, Section 4, of Directive (EU) 2015/849.

Member States may decide not to lay down rules on administrative sanctions or measures for breach of the provisions of this Regulation which are subject to criminal sanctions in their national law. In that case, Member States shall communicate to the Commission the relevant criminal law provisions. (…)”

In the event of a breach of (certain) provisions (…) of Regulation (EU) 2015/847, the CSSF may impose administrative fines (…) on the entities in question (…) and on the members of their management body and/or de facto managers, or on any other person who is responsible for the breach.

Section 2. Fraud relating to transfers of funds: false transfer orders

Professionals must ask themselves whether the matter may potentially be one of the specific cases pinpointed by the FIU.

1. Types of fraud found to have occurred

• Fraud on the chief executive (“CEO fraud”), whereby a fraudster, passing himself off as the CEO, succeeds in persuading the accounts department of an undertaking to carry out a transfer to an account located abroad;
• False invoices of various different kinds may be utilised, addressed to the accounts department of a company. For example, a fraudster may hack into the IT system of an undertaking in order to gain knowledge of parties contracting with it and payments falling due to the latter by a given deadline or deadlines;
• Attack via a “middleman” (that is to say, a hacker intercepting electronic communications);
• “Pirated” e-mails (for example, those purportedly sent by financial intermediaries) designed to prompt the professional to execute non-authorised transfer orders.

2. The craftiness of fraudsters

Fraudsters invariably have recourse to social engineering to deceive their victims, having won their trust and preventing them from asking themselves questions regarding the legitimacy of the transfers executed.

In most of the cases analysed by the FIU, the customer did not inform his bank or lodge a complaint with the police or the public prosecutor until several days after the event. The chances of recovering the funds several days after the transfer was made tend to be zero. The first 24 hours are crucial for the possibility of recovering the funds. Intervention within 72 hours can sometimes still lead to a satisfactory result.

Only increased vigilance of the customer’s transactions by the financial institution concerned is likely to prevent the customer from failing to react.

3. Preventive measures

Various indicators exist for spotting fraudulent transfers. Those indicators may be generally applicable and may involve, in particular:

• the fact that substantial/high amounts are demanded as the price payable for the execution of high-value contracts. According to the FIU, it is not uncommon for the transfer to involve sums in excess of EUR 100,000 or even EUR 100,000;
• the use of payee accounts, already known about, in the context of false transfer orders;
• the use of “money mules” (a person who transfers funds obtained unlawfully between different bank accounts or other accounts, very often located in different countries, for the account of another).

There also exist criteria relating to the victim’s account or the account of the perpetrator (holder of the payee account):

Holder of the payee account:

• inconsistency of the amount of the transaction
• inconsistency with the customer’s business

Account of the victim/unusual behaviour/other factors:

• existing business relationship but inconsistent payee account
• new payee account
• urgency/confidentiality of the transaction
• failure to respect the “four eyes” principle
• unusual/inconsistent supporting evidence in the documentation provided
• phishing/pharming: instructions come from an email account that closely resembles the customer’s email account (e.g. contact@abc.com instead of contact@abc.lu)
• instruction given by the boss of a new employee or instructions given only by e-mail.

4. Reporting by the professional to the FIU

The professional with whom the victim’s account is held must react quickly in order to maximise the chance of recovering the funds.

After informing the payee financial institution, the professional must immediately submit a suspicious operations report (SOR) to the FIU.

Where the transfer has been executed within the last 72 hours, the professional:

• may lodge a summary SOR, accurately providing all the information concerning the suspicious transaction(s), together with a statement of reasons in a few words. The professional is required to provide all further details within 24 hours.
• Contact the FIU by telephone after sending the SOR.

The professional the suspicious account is held must immediately submit a SOR to the FIU. The FIU will decide on a freezing order.

***